Source
ghsa
An attacker with an HTTP/2 connection to an affected endpoint can send a steady stream of invalid frames to force the generation of reset frames on the victim endpoint. By closing their recv window, the attacker could then force these resets to be queued in an unbounded fashion, resulting in Out Of Memory (OOM) and high CPU usage. This fix is corrected in [hyperium/h2#737](https://github.com/hyperium/h2/pull/737), which limits the total number of internal error resets emitted by default before the connection is closed.
### Impact RSA PKCS#1.5 or RSAOAEP ciphertexts may be decrypted by this Marvin attack vulnerability. ### Patches update to jsrsasign 11.0.0. ### Workarounds Find and replace RSA and RSAOAEP decryption with other crypto library. ### References https://people.redhat.com/~hkario/marvin/ https://github.com/kjur/jsrsasign/issues/598
### Impact Installations of jupyter-lsp running in environments without configured file system access control (on the operating system level), and with jupyter-server instances exposed to non-trusted network are vulnerable to unauthorised access and modification of file system beyond the jupyter root directory. Please note this vulnerability is in the extension and is patched in version 2.2.2 of that extension. This extension has been updated in jupyterlab-lsp version 5.0.2. ### Patches Version 2.2.2 has been patched. ### Workarounds Users of jupyterlab who do not use jupyterlab-lsp can uninstall jupyter-lsp. ### Credits We would like to credit Bary Levy, researcher of pillar.security research team, for the discovery and responsible disclosure of this vulnerability.
In some specific instances, the SurrealQL parser will attempt to recursively parse nested statements or idioms (i.e. nested `IF` and `RELATE` statements, nested basic idioms and nested access to attributes) without checking if the depth limit established by default or in the `SURREAL_MAX_COMPUTATION_DEPTH` environment variable is exceeded. This can lead to the stack overflowing when the nesting surpasses certain levels of depth. ### Impact An attacker that is authorized to run queries on a SurrealDB server may be able to run a query using the affected statements and idioms with very deep nesting in order to crash the server, leading to denial of service. ### Patches - Version 1.1.0 and later are not affected by this issue. ### Workarounds Concerned users unable to update may want to limit the ability of untrusted users to run arbitrary SurrealQL queries in the affected versions of SurrealDB. To limit the impact of the denial of service, SurrealDB administrators may also want to e...
The `ID`, `DB` and `NS` headers accepted by the SurrealDB HTTP REST API would fail to parse when containing some special characters. This would cause a panic which would crash the SurrealDB server, leading to denial of service. This issue only affects the SurrealDB binary; it does not affect the SurrealDB library. ### Impact An unauthenticated client may issue an HTTP request to the SurrealDB HTTP REST API containing one of the affected headers with values containing special characters in order to crash the SurrealDB server. This does not require the SurrealDB server to be running with any specific capabilities other than exposing the affected interface. ### Patches - Version 1.1.0 and later are not affected by this issue. ### Workarounds Concerned users unable to update may want to limit untrusted access to the SurrealDB HTTP REST API unless such access is required by the application. To limit the impact of the denial of service, SurrealDB administrators may also want to ensure...
Although custom parameters and functions are only supported at the database level, it was allowed to invoke those entities at the root or namespace level. This would cause a panic which would crash the SurrealDB server, leading to denial of service. ### Impact A client that is authorized to run queries at the root or namespace level in a SurrealDB server is able to run a query invoking a parameter or a function at that level, which will cause a panic. This will crash the server, leading to denial of service. ### Patches - Version 1.1.1 and later are not affected by this issue. ### Workarounds Concerned users unable to update may want to limit the ability of untrusted users to run arbitrary SurrealQL queries in the affected versions of SurrealDB to the database level. To limit the impact of the denial of service, SurrealDB administrators may also want to ensure that the SurrealDB process is running so that it can be automatically re-started after a crash. ### References - #3297
A Cross-Frame Scripting vulnerability has been found on Plone CMS affecting version below 6.0.5. An attacker could store a malicious URL to be opened by an administrator and execute a malicios iframe element.
Avo is a framework to create admin panels for Ruby on Rails apps. In Avo 3 pre12 any HTML inside text that is passed to `error` or `succeed` in an `Avo::BaseAction` subclass will be rendered directly without sanitization in the toast/notification that appears in the UI on Action completion. A malicious user could exploit this vulnerability to trigger a cross site scripting attack on an unsuspecting user. This issue has been addressed in the 3.0.2 release of Avo. Users are advised to upgrade.
### Impact On some platforms, when an attacker can time decapsulation of Kyber on forged cipher texts, they could possibly learn (parts of) the secret key. ### Patches Patched in https://github.com/kudelskisecurity/crystals-go/pull/21 ### Note This library was written as part of a MsC student project in the Cybersecurity Team at Kudelski Security. It is not actively maintained anymore. It is only intended for research and testing. We discourage its use in any production environment. Kudelski Security does not use this library as part of their commercial offers or product. This has now been clarified on the project's README. ### References https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/ldX0ThYJuBo http://kyberslash.cr.yp.to/
The implementation of the [`Instrumented::into_inner`] method in affected versions of this crate contains undefined behavior due to incorrect use of [`std::mem::forget`] The function creates `*const` pointers to `self`, calls [`mem::forget(self)`][`std::mem::forget`], and then moves values out of those pointers using [`std::ptr::read`]. ```rust // To manually destructure `Instrumented` without `Drop`, we // move it into a ManuallyDrop and use pointers to its fields let span: *const Span = &this.span; let inner: *const ManuallyDrop<T> = &this.inner; mem::forget(self); // SAFETY: Those pointers are valid for reads, because `Drop` didn't // run, and properly aligned, because `Instrumented` isn't // `#[repr(packed)]`. let _span = unsafe { span.read() }; let inner = unsafe { inner.read() }; ``` However, the [`mem::forget` documentation][`std::mem::forget`] states: > Any resources the value manages, such as heap memory or a file handle, will > linger forever in an unreacha...