ghsa

### Impact Affected configurations: - Single-origin JupyterHub deployments - JupyterHub deployments with user-controlled applications running on subdomains or peer subdomains of either the Hub or a single-user server. By tricking a user into visiting a malicious subdomain, the attacker can achieve an XSS directly affecting the former's session. More precisely, in the context of JupyterHub, this XSS could achieve the following: - Full access to JupyterHub API and user's single-user server, e.g. - Create and exfiltrate an API Token - Exfiltrate all files hosted on the user's single-user server: notebooks, images, etc. - Install malicious extensions. They can be used as a backdoor to silently regain access to victim's session anytime. ### Patches To prevent cookie-tossing: - Upgrade to JupyterHub 4.1 (both hub and user environment) - enable per-user domains via `c.JupyterHub.subdomain_host = "https://mydomain.example.org"` - set `c.JupyterHub.cookie_host_prefix_enabled = True...

### Impact ZITADEL users can upload their own avatar image and various image types are allowed. Due to a missing check, an attacker could upload HTML and pretend it is an image to gain access to the victim's account in certain scenarios. A possible victim would need to directly open the supposed image in the browser, where a session in ZITADEL needs to be active for this exploit to work. The exploit could only be reproduced if the victim was using Firefox. Chrome, Safari as well as Edge did not execute the code. ### Patches 2.x versions are fixed on >= [2.48.3](https://github.com/zitadel/zitadel/releases/tag/v2.48.3) 2.47.x versions are fixed on >= [2.47.8](https://github.com/zitadel/zitadel/releases/tag/v2.47.8) 2.46.x versions are fixed on >= [2.46.5](https://github.com/zitadel/zitadel/releases/tag/v2.46.5) 2.45.x versions are fixed on >= [2.45.5](https://github.com/zitadel/zitadel/releases/tag/v2.45.5) 2.44.x versions are fixed on >= [2.44.7](https://github.com/zitadel/zitadel/...

### Impact Under certain circumstances an action could set [reserved claims](https://zitadel.com/docs/apis/openidoauth/claims#reserved-claims) managed by ZITADEL. For example it would be possible to set the claim `urn:zitadel:iam:user:resourceowner:name` ```json {"urn:zitadel:iam:user:resourceowner:name": "ACME"} ``` if it was not set by ZITADEL itself. To compensate for this we introduced a protection that does prevent actions from changing claims that start with `urn:zitadel:iam` ### Patches 2.x versions are fixed on >= [2.48.3](https://github.com/zitadel/zitadel/releases/tag/v2.48.3) 2.47.x versions are fixed on >= [2.47.8](https://github.com/zitadel/zitadel/releases/tag/v2.47.8) 2.46.x versions are fixed on >= [2.46.5](https://github.com/zitadel/zitadel/releases/tag/v2.46.5) 2.45.x versions are fixed on >= [2.45.5](https://github.com/zitadel/zitadel/releases/tag/v2.45.5) 2.44.x versions are fixed on >= [2.44.7](https://github.com/zitadel/zitadel/releases/tag/v2.44.7) 2.43.x ve...

### Impact: The mergeDeep() function in the web3-utils package has been identified for Prototype Pollution vulnerability. An attacker has the ability to modify an object's prototype, which could result in changing the behavior of all objects that inherit from the impacted prototype by providing carefully crafted input to function. ### Patches: It has been fixed in web3-utils version 4.2.1 so all packages and apps depending on web3-utils >=4.0.1 and <=4.2.0 should upgrade to web3-utils 4.2.1. ### Workarounds: None

Incorrect Authorization issue exists in the API key based security model for Remote Cluster Security, which is currently in Beta, in Elasticsearch 8.10.0 and before 8.13.0. This allows a malicious user with a valid API key for a remote cluster configured to use the new Remote Cluster Security to read arbitrary documents from any index on the remote cluster, and only if they use the Elasticsearch custom transport protocol to issue requests with the target index ID, the shard ID and the document ID. None of Elasticsearch REST API endpoints are affected by this issue.

A flaw was discovered in Elasticsearch, where processing a document in a deeply nested pipeline on an ingest node could cause the Elasticsearch node to crash.

Previously, it was possible to exfiltrate secrets in Gradio's CI, but this is now fixed.

A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to using Netty FastThreadLocal data structures. Specifically, when the Vert.x HTTP client establishes connections to different hosts, triggering the memory leak. The leak can be accelerated with intimate runtime knowledge, allowing an attacker to exploit this vulnerability. For instance, a server accepting arbitrary internet addresses could serve as an attack vector by connecting to these addresses, thereby accelerating the memory leak.

The /proxy route allows a user to proxy arbitrary urls including potential internal endpoints.

An issue in Ignite Realtime Openfire v.4.8.0 and before allows a remote attacker to escalate privileges via the admin.authorizedJIDs system property component.