ghsa

#### Impact Backoffice users with send for approval permission but not publish permission are able to publish in some scenarios.

### Impact contracts containing large arrays might underallocate the number of slots they need. prior to v0.3.8, the calculation to determine how many slots a storage variable needed used `math.ceil(type_.size_in_bytes / 32)`: https://github.com/vyperlang/vyper/blob/6020b8bbf66b062d299d87bc7e4eddc4c9d1c157/vyper/semantics/validation/data_positions.py#L197 the intermediate floating point step can produce a rounding error if there are enough bits set in the IEEE-754 mantissa. roughly speaking, if `type_.size_in_bytes` is large (> 2**46), and slightly less than a power of 2, the calculation can overestimate how many slots are needed. if `type_.size_in_bytes` is slightly more than a power of 2, the calculation can underestimate how many slots are needed. the following two example contracts can result in overwriting of the variable `vulnerable`: ```vyper large_array: address[2**64 + 1] # type_.size_in_bytes == 32 * (2**64 + 1); math.ceil(type_.size_in_bytes / 32) < 2**64 + 1 vulnerable:...

#### Impact A user with access to a specific part of the backoffice is able to inject HTML code into a form where it is not intended.

Path Traversal in GitHub repository mlflow/mlflow prior to 2.9.2.

Just open this exr file through openexr-viewer. ( poc send by email ) This is windbg log file. [ POC 2 ] (8660.7e44): Access violation - code c0000005 (!!! second chance !!!) openexr_viewer+0x27be4: 00007ff7`13ff7be4 c744880c0000803f mov dword ptr [rax+rcx*4+0Ch],3F800000h ds:0000020a`3ac8000c=???????? Attempt to write the value 1.0 to the memory address 0x20A3AC8000C [ POC 1 ] (1404.9264): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. openexr_viewer+0x27be4: 00007ff7`13ff7be4 c744880c0000803f mov dword ptr [rax+rcx*4+0Ch],3F800000h ds:0000029c`b371600c=???????? Attempt to write the value 1.0 to the memory address 0x29CB371600C Credits Team : ZeroPointer 이동하 ( Lee Dong Ha of ZeroPointer Lab ) 정지민    ( Jeong Jimin of ZeroPointer Lab ) 박우진    ( Park Woojin of ZeroPointer Lab ) 전우진    ( Jeon Woojin of ZeroPointer Lab )

Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository mlflow/mlflow prior to 2.9.2.

## Overview: A moderate security vulnerability has been identified in Uptime Kuma platform that poses a significant threat to the confidentiality and integrity of user accounts. When a user changes their login password in Uptime Kuma, a previously logged-in user retains access without being logged out. This behaviour persists consistently, even after system restarts or browser restarts. This vulnerability allows unauthorized access to user accounts, compromising the security of sensitive information. The same vulnerability was partially fixed in https://github.com/louislam/uptime-kuma/security/advisories/GHSA-g9v2-wqcj-j99g but logging existing users out of their accounts was forgotten. ## Impact: The impact of this vulnerability is moderate, as it enables attackers or unauthorized individuals to maintain access to user accounts even after the account password has been changed. This can lead to unauthorized data access, manipulation, or compromise of user accounts, posing a threa...

### Impact S3 credentials are logged in plain text ``` S3Creds:{Key:AKIAIOSFODNN7EXAMPLE Secret:wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY ``` appears as part of the log message: ``` time="2023-05-12T13:51:52Z" level=error msg="failed to perform diff" func="pkg/plugins/diff.(*Service).RunDiff" file="build/pkg/plugins/diff/service.go:124" error="rpc error: code = Canceled desc = stream terminated by RST_STREAM with error code: CANCEL" host="localhost:8000" method=GET operation_id=OtfDiff params="{TablePaths:{Left:{Ref:data_load@ Path:aggs/agg_variety/} Right:{Ref:data_load Path:aggs/agg_variety/} Base:{Ref: Path:}} S3Creds:{Key:AKIAIOSFODNN7EXAMPLE Secret:wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY Endpoint:http://0.0.0.0:8000} Repo:example}" path="/api/v1/repositories/example/otf/refs/data_load%40/diff/data_load?table_path=aggs%2Fagg_variety%2F&type=delta" request_id=d3b6fdc7-2544-4c12-8e05-376f16e35a80 service_name=rest_api type=delta user=docker ``` Discovered when investigating [#5...

### Impact When lakeFS is configured with **ALL** of the following: - Configuration option `auth.encrypt.secret_key` passed through environment variable - Actions enabled via configuration option `actions.enabled` (default enabled) then a user who can configure an action can impersonate any other user. ### Patches _Has the problem been patched? What versions should users upgrade to?_ ### Workarounds **ANY ONE** of these is sufficient to prevent the issue: * Do not pass `auth.encrypt.secret_key` through an environment variable. For instance, Kubernetes users can generate the entire configuration as a secret and mount that. This is described [here](https://kubernetes.io/docs/concepts/configuration/secret/#using-a-secret). * Disable actions. * Limit users allowed to configure actions.

### Summary `nuxt-api-party` allows developers to proxy requests to an API without exposing credentials to the client. [A previous vulnerability](https://huntr.dev/bounties/4c57a3f6-0d0e-4431-9494-4a1e7b062fbf/) allowed an attacker to change the baseURL of the request, potentially leading to credentials being leaked or SSRF. This vulnerability is similar, and was caused by a recent change to the detection of absolute URLs, which is no longer sufficient to prevent SSRF. ### Details `nuxt-api-party` attempts to check if the user has passed an absolute URL to prevent the aforementioned attack. This has been recently changed to [use a regular expression](https://github.com/johannschopplich/nuxt-api-party/blob/777462e1e3af1d9f8938aa33f230cd8cb6e0cc9a/src/runtime/server/handler.ts#L31) `^https?://`. This regular expression can be bypassed by an absolute URL with leading whitespace. For example `\nhttps://whatever.com` has a leading newline. According to the fetch specification, before...