Security Headlines: Latest CVEs (source: ghsa)
GHSA-3pjv-r7w4-2cf5: Grails data binding causes JVM crash and/or DoS

Impact

A specially crafted web request can lead to a JVM crash or denial of service. Any Grails framework application using Grails data binding is vulnerable.

Patches

Patches are available for Grails 3 and later.

Workarounds

No workaround is possible except to avoid data binding to request data.

References

- [Blog post](https://grails.org/blog/2023-12-20-cve-data-binding-dos.html)
- [Discussion](https://github.com/grails/grails-core/issues/13302)
- [Mitre CVD record](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46131)

GHSA-mhpq-9638-x6pw: Denial of service when decrypting attack controlled input in github.com/dvsekhvalnov/jose2go

An attacker-controlled PBES2-encrypted JWE blob can carry a very large p2c (PBKDF2 iteration count) value that, when decrypted, produces a denial of service.

GHSA-v68g-wm8c-6x7j: transformers has a Deserialization of Untrusted Data vulnerability

Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.

GHSA-87fg-9x5w-j3rm: MainWP Dashboard SQL Command Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in MainWP MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance. This issue affects MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance: from n/a through 4.4.3.3.

GHSA-83q5-whqp-r8jr: Apache Pulsar WebSocket Proxy contains an Improper Authentication vulnerability

Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an attacker to connect to the /pingpong endpoint without authentication. This issue affects Apache Pulsar WebSocket Proxy: from 2.8.0 through 2.8.*, from 2.9.0 through 2.9.*, from 2.10.0 through 2.10.4, from 2.11.0 through 2.11.1, 3.0.0. The known risks include a denial of service due to the WebSocket Proxy accepting any connections, and excessive data transfer due to misuse of the WebSocket ping/pong feature. 2.10 Pulsar WebSocket Proxy users should upgrade to at least 2.10.5. 2.11 Pulsar WebSocket Proxy users should upgrade to at least 2.11.2. 3.0 Pulsar WebSocket Proxy users should upgrade to at least 3.0.1. 3.1 Pulsar WebSocket Proxy users are unaffected. Any users running the Pulsar WebSocket Proxy for 2.8, 2.9, and earlier should upgrade to one of the above patched versions.

GHSA-59v3-898r-qwhj: MLflow Server-Side Request Forgery (SSRF)

A malicious user could use this issue to access internal HTTP(S) servers and, in the worst case (e.g. an AWS instance with a reachable metadata service), it could be abused to get remote code execution on the victim machine.

GHSA-hh8p-p8mp-gqhm: MLFlow Path Traversal Vulnerability

A malicious user could use this issue to get command execution on the vulnerable machine and gain access to data and model information.

GHSA-wv8q-4f85-2p8p: MLflow Path Traversal Vulnerability

This vulnerability is capable of writing arbitrary files into arbitrary locations on the remote filesystem in the context of the server process.

GHSA-qg8p-32gr-gh6x: MLflow Local File Disclosure Vulnerability

This vulnerability enables malicious users to read sensitive files on the server.

GHSA-5r3q-93q3-f978: MLflow Path Traversal Vulnerability

Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.