Source
ghsa
### Impact Malicious users may try to get access to resources they are not allowed to see, by creating resources with integers as names. One example where this is a risk, is when users define which users are allowed to run algorithms on their node. This may be defined by username or user id. Now, for example, if user id 13 is allowed to run tasks, and an attacker creates a username with username '13', they would be wrongly allowed to run an algorithm. There may also be other places in the code where such a mixup of resource ID or name leads to issues. The best solution we see is therefore to check when resources are created or modified, that the resource name always starts with a character. ### Patches To be done, probably in v3.9 ### Workarounds None
### Impact The endpoint /api/collaboration/{id}/task is used to collect all tasks from a certain collaboration. To get such tasks, a user should have permission to view the collaboration and to view the tasks in it. However, currently it is only checked if the user has permission to view the collaboration. ### Patches No ### Workarounds None ### References None ### For more information If you have any questions or comments about this advisory: * Email us at [vantage6@iknl.nl](mailto:vantage6@iknl.nl)
### What We are using pickle as default serialization module but that has known security issues (see e.g. https://medium.com/ochrona/python-pickle-is-notoriously-insecure-d6651f1974c9). In summary, it is not advisable to open Pickles that you create yourself locally. In vantage6, algorithms use pickles to send aggregated data around and to pack algorithm input or output. All of the Python algorithms that use the wrappers with default serialization are therefore vulnerable to this issue. Solution: we should use JSON instead ### Impact All users of vantage6 that post tasks with algorithms that use the default serialization. The default serialization is used by default with all algorithm wrappers. ### Patches Not yet ### Workarounds Specify JSON serialization
Cross-site Scripting (XSS) - Stored in GitHub repository froxlor/froxlor prior to 2.0.22.
Allocation of Resources Without Limits or Throttling in GitHub repository vriteio/vrite prior to 0.3.0.
Server-Side Request Forgery (SSRF) in GitHub repository vriteio/vrite prior to 0.3.0.
Improper Input Validation in GitHub repository vriteio/vrite prior to 0.3.0.
Cross-site Scripting (XSS) - Stored in GitHub repository froxlor/froxlor prior to 2.1.0-dev1.
Denial of Service in JSON-Java versions prior to 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; s...