ghsa

### Impact Auth DB login form default cache directives allows browser to locally store sensitive data. This can be an issue on environments using shared computer resources. ### Patches Upgrade flask-appbuilder to version 4.5.1 ### Workarounds If upgrading is not possible configure your web server to send the following HTTP headers for /login: "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0" "Pragma": "no-cache" "Expires": "0"

### Summary The Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection that grants Remote Code Execution to privileged users. A privileged user refers to an Admin UI user with the default `Owner` or `Contributor` role, who can escalate their access and execute code on the underlying Fides Webserver container where the Jinja template rendering function is executed. ### Details The application enables the creation of message templates that are sent via email to Fides Privacy Center users (data subjects) who raise privacy requests such as data subject access requests or consent management requests via the Privacy Center. These emails are triggered at various points in the request processing flow, for example when a request is denied or approved. The messages are defined using Jinja2 templates, allowing the use of statement and expression directives to craft more complex messages that includ...

A timing-based username enumeration vulnerability has been identified in Fides Webserver authentication. This vulnerability allows an unauthenticated attacker to determine the existence of valid usernames by analyzing the time it takes for the server to respond to login requests. The discrepancy in response times between valid and invalid usernames can be leveraged to enumerate users on the system. ### Impact This vulnerability enables a timing-based username enumeration attack. An attacker can systematically guess and verify which usernames are valid by measuring the server's response time to authentication requests. This information can be used to conduct further attacks on authentication such as password brute-forcing and credential stuffing. ### Patches The vulnerability has been patched in Fides version `2.44.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. ### Workarounds There are no workarounds. ### Proof of Concept 1....

## Summary A vulnerability has been identified in Nuclei's template signature verification system that could allow an attacker to bypass the signature check and possibly execute malicious code via custom code template. ## Affected Component The vulnerability is present in the template signature verification process, specifically in the `signer` package. ## Description The vulnerability stems from a discrepancy between how the signature verification process and the YAML parser handle newline characters, combined with the way multiple signatures are processed. This allows an attacker to inject malicious content into a template while maintaining a valid signature for the benign part of the template. ### Affected Users 1. **CLI Users:** Those executing **custom code templates** from unverified sources. This includes templates authored by third parties or obtained from unverified repositories. 2. **SDK Users:** Developers integrating Nuclei into their platforms, particularly if they perm...

### Impact There is a Cross-Site-Scripting vulnerability during account creation when redirecting after the account has been successfully created. Exploitation requires the user to initiate the account creation process with a maliciously crafted link, and then finalize the signup process. Because of this, it can only target newly created (and thus unprivileged) Indico users so the benefits of exploiting it are very limited. ### Patches You should to update to [Indico 3.3.4](https://github.com/indico/indico/releases/tag/v3.3.4) as soon as possible. See [the docs](https://docs.getindico.io/en/stable/installation/upgrade/) for instructions on how to update. ### Workarounds - If you build the Indico package yourself and cannot upgrade for some reason, you can simply update the `flask-multipass` dependency to `>=0.5.5` which fixes the vulnerability. You would do that by editing `requirements.txt` before building the package (see commit 7dcb573837), or possibly cherry-picking that particul...

A flaw was found in Aardvark-dns versions 1.12.0 and 1.12.1. They contain a denial of service vulnerability due to serial processing of TCP DNS queries. This flaw allows a malicious client to keep a TCP connection open indefinitely, causing other DNS queries to time out and resulting in a denial of service for all other containers using aardvark-dns.

pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 37.0.0-43.0.0 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://openssl-library.org/news/secadv/20240903.txt. If you are building cryptography source ("sdist") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.

A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.

After several cryptographic vulnerabilities in `libolm` were disclosed publicly, the Matrix Foundation has [officially deprecated the library](https://matrix.org/blog/2024/08/libolm-deprecation/). `olm-sys` is a thin wrapper around `libolm` and is now deprecated and potentially vulnerable in kind. Users of `olm-sys` and its higher-level abstraction, `olm-rs`, are highly encouraged to switch to [`vodozemac`](https://crates.io/crates/vodozemac) as soon as possible. It is the successor effort to `libolm` and is written in Rust.

### Details The `/api/v2/simulation` [POST handler](https://github.com/spectolabs/hoverfly/blob/15d6ee9ea4e0de67aec5a41c28d21dc147243da0/core/handlers/v2/simulation_handler.go#L87) allows users to create new simulation views from the contents of a user-specified file. This feature can be abused by an attacker to read arbitrary files from the Hoverfly server. ```go # https://github.com/spectolabs/hoverfly/blob/15d6ee9ea4e0de67aec5a41c28d21dc147243da0/core/hoverfly_funcs.go#L186 func (hf *Hoverfly) readResponseBodyFile(filePath string) (string, error) { if filepath.IsAbs(filePath) { return "", fmt.Errorf("bodyFile contains absolute path (%s). only relative is supported", filePath) } fileContents, err := ioutil.ReadFile(filepath.Join(hf.Cfg.ResponsesBodyFilesPath, filePath)) if err != nil { return "", err } return string(fileContents[:]), nil } ``` Note that, although the code prevents absolute paths from being specified, an attacker can escape out of the `hf.Cfg.ResponsesB...