ghsa

### Summary Grafana allows an attacker in the Viewer role, send alerts by API Alert - Test. The option is not available from the user panel UI for in the Viewer role. **Reason for the error**: The API does not check access to this function and allows it by users with the least rights, for example, the Viewer that does not see this option in the user panel. This enables malicious users to abuse the functionality by sending multiple alert messages (e-mail, slack, etc…), spamming users, prepare Phishing attack or blocked SMTP server / IP and automatically moved all message to spam folder, add to black list IP. ### Details The logged-in user, in the Viewer role, in the user panel, does not have access to the test option of sending an e-mail alert. View of the panel for the user in the Viewer role:  Admin role - View panel for admin role: ![image](https://user-images.github...

OAuth RFC 8252 says https://www.rfc-editor.org/rfc/rfc8252#section-8.6 > the authorization server SHOULD NOT process authorization requests automatically without user consent or interaction, except when the identity of the client can be assured. **This includes the case where the user has previously approved an authorization request for a given client id** But Doorkeeper automatically processes authorization requests without user consent for public clients that have been previous approved. Public clients are inherently vulnerable to impersonation, their identity cannot be assured. Issue https://github.com/doorkeeper-gem/doorkeeper/issues/1589 Fix https://github.com/doorkeeper-gem/doorkeeper/pull/1646

## Summary Currently, Ouroboros works internally by creating a struct where all uses of 'this are replaced by 'static. However, a recent addition to Miri checks that references passed to functions are valid during the entire execution of the function, even when those references are passed inside a struct. This poses an issue for dropping self-referencing values, as the reference becomes invalid during the dropping process. Effectively, since self-referencing structs are not allowed in vanilla Rust, there is no allowance for dropping dataduring a function that has also been given a reference to that data. There's usually no way to pass a and &a to the same function. A fix was attempted, where the struct would be turned in to a raw byte array and only transformed back into the underlying data type inside each function. This is allowable as a reference can be created and die over the body of a function, as long as the reference was created inside the function. However, this is also not ...

### Summary The `cuid` package used by `@keystone-6/*` and upstream dependencies is deprecated and [marked as insecure by the author](https://github.com/paralleldrive/cuid#status-deprecated-due-to-security-use-cuid2-instead). As reported by the author > Cuid and other k-sortable and non-cryptographic ids (Ulid, ObjectId, KSUID, all UUIDs) are all insecure. Use @paralleldrive/cuid2 instead. ### What are doing about this? - [We are waiting on Prisma](https://github.com/keystonejs/keystone/issues/8282) to add support for [`cuid2`](https://github.com/paralleldrive/cuid2) - Alternatively, we might default to a random string ourselves ### What if I need a `cuid`? The features marked as a security vulnerability by @paralleldrive are sometimes actually needed ([as written in the README of `cuid`](https://github.com/paralleldrive/cuid#motivation)) - the problem is the inherent risks that features like this can have. You might actually want the features of a monotonically increasing (auto-in...

### Impact This [vulnerability dubbed "Barberry" affects the Cosmos SDK framework](https://forum.cosmos.network/t/cosmos-sdk-security-advisory-barberry/10825) used by `cheqd-node` as base. It impacts the way Cosmos SDK handles vesting accounts, and can therefore be a high-impact vulnerability for any network running the framework. There is no vulnerability in the DID/resource modules for `cheqd-node`. ### Patches Node operators are requested to upgrade to [cheqd-node v1.4.4](https://github.com/cheqd/cheqd-node/releases/tag/v1.4.4). This is not a state-breaking release and does not require a coordinated upgrade across all node operators. This vulnerability was patched in [Cosmos SDK v0.46.13](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.46.13). Since this version switches to Go v1.19 and also changes the namespace of many Cosmos protobuf packages, the Barberry fix was [backported to cheqd's fork of Cosmos SDK](https://github.com/cheqd/cosmos-sdk/releases/tag/v0.46.10-barberr...

The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. The resolution validates the Database URL and rejects H2 JDBC locations. You are recommended to upgrade to version 1.22.0 or later which fixes this issue.

The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location. The resolution validates the JNDI URL and restricts locations to a set of allowed schemes. You are recommended to upgrade to version 1.22.0 or later which fixes this issue.

The git-url-parse crate through 0.4.4 for Rust allows Regular Expression Denial of Service (ReDos) via a crafted URL to `normalize_url` in `lib.rs`, a similar issue to CVE-2023-32758 (Python).

All versions of the package progressbar.js are vulnerable to Prototype Pollution via the function extend() in the file utils.js.

The crypto-js package before 3.2.1 for Node.js generates random numbers by concatenating the string "0." with an integer, which makes the output more predictable than necessary.