ghsa

# Microsoft Security Advisory CVE-2023-29331: .NET Denial of Service vulnerability ## <a name="executive-summary"></a>Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A vulnerability exists in .NET when processing X.509 certificates that may result in Denial of Service. Details: [KB5025823 ](https://support.microsoft.com/kb/5025823) ## Announcement Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/257 ### <a name="mitigation-factors"></a>Mitigation factors Microsoft has not identified any mitigating factors for this vulnerability. ## <a name="affected-software"></a>Affected software * Any .NET 7.0 application running on .NET 7.0.5 or earlier. * Any .NET 6.0 application running on .NET 6.0.16 or earlier. If your application uses ...

# Microsoft Security Advisory CVE-2023-24936: .NET Elevation of Privilege Vulnerability ## <a name="executive-summary"></a>Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A vulnerability exists in .NET when deserializing a DataSet or DataTable from XML which may result in elevation of privileges. ## Announcement Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/259 ### <a name="mitigation-factors"></a>Mitigation factors The default configuration of DataSet and DataTable is not susceptible to this vulnerability. This vulnerability only exists if the app developer or machine admin extends the DataSet and DataTable default allow-list [as specified here](https://learn.microsoft.com/en-us/dotnet/framework/data/adonet/dataset-datatable-da...

# Microsoft Security Advisory CVE-2023-24895: .NET Remote Code Execution Vulnerability ## <a name="executive-summary"></a>Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A vulnerability exists in how WPF applications load and render XPS documents which may result in remote code execution. ## Announcement Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/261 ### <a name="mitigation-factors"></a>Mitigation factors Microsoft has not identified any mitigating factors for this vulnerability. ## <a name="affected-software"></a>Affected software * Any .NET 7.0 application running on .NET 7.0.5 or earlier. * Any .NET 6.0 application running on .NET 6.0.16 or earlier. If your application uses the following package versions, ensure you upd...

# Microsoft Security Advisory CVE-2023-24897: .NET Remote Code Execution Vulnerability ## <a name="executive-summary"></a>Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. This security update addresses a vulnerability in the MSDIA SDK where corrupted PDBs can cause heap overflow, leading to a crash or remove code execution ## Announcement Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/260 ### <a name="mitigation-factors"></a>Mitigation factors Microsoft has not identified any mitigating factors for this vulnerability. ## <a name="affected-software"></a>Affected software * Any .NET 7.0 application running on .NET 7.0.5 or earlier. * Any .NET 6.0 application running on .NET 6.0.16 or earlier. If your application uses the followin...

### Description Microsoft is releasing this security advisory to provide information about a vulnerability in .NET and NuGet on Linux. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A vulnerability exists in .NET 6.0, .NET 7.0 and NuGet(nuget.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement) where a potential race condition that can lead to a symlink attack on Linux. Non-Linux platforms are not affected. ### Affected software This issue only affects Linux systems. #### NuGet & NuGet Packages - Any NuGet.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement 6.6.0 version or earlier. - Any NuGet.exe, NuGet.Protocol, NuGet.Common, NuGet.CommandLine, NuGet.Commands, Microsoft.Build.NuGetSdkResolver, NuGet.PackageManagement 6.5.0 version or earlier. - Any NuGet.e...

### Impact Path Traversal vulnerability in PHP LocalVolumeDriver connector. This vulnerability can be exploited by allowing untrusted users to write to the local file system. ### Patches This vulnerability has been fixed in elFinder 2.1.62. Installation managers should update to the latest version as soon as possible. ### Workarounds If you cannot update for some reason, you must stop using it or prohibit writing to untrusted users. ### References Awaiting CVE ID.

Langchain 0.0.171 is vulnerable to Arbitrary Code Execution via command injection in the `jira.run()` command

An issue was discovered jjson through 0.1.7 allows attackers to cause a denial of service or other unspecified impacts via crafted objects that deeply nested structures.

An issue was discovered htmlcleaner thru = 2.28 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

An issue was discovered hjson thru 3.0.0 allows attackers to cause a denial of service or other unspecified impacts via crafted objects that deeply nested structures.