Source
ghsa
A deserialization vulnerability in Jupiter v1.3.1 allows attackers to execute arbitrary commands by sending a crafted RPC request.
### Impact

Environment variables can be read from procfs unless a new process is started: `/proc/<pid>/environ` reflects the environment block handed to `execve()`, so scrubbing variables from inside the already-running sandboxed process leaves them readable there.

### PoC

```rust
use birdcage::{Birdcage, Sandbox};
use std::{env, fs};

fn main() {
    Birdcage::new().lock().unwrap();

    assert_eq!(env::var_os("SECRET"), None);

    let environ = fs::read_to_string("/proc/self/environ").unwrap();
    assert!(!environ.contains("SECRET"), "ENVIRON CONTAINS SECRET:\n{environ}");
}
```

```
$ SECRET=test cargo run
thread 'main' panicked at src/main.rs:10:5:
ENVIRON CONTAINS SECRET:
[truncated]
```

### Possible Solutions

The simplest solution would be relying on the ptrace isolation and **always** spawning a new process by changing birdcage's API to create a new command. With an additional PID namespace the guarantees could be even further reinforced.
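The PoC above needs the birdcage crate, but the mechanism behind it can be shown with nothing more than a shell. The following is an added example, not birdcage's code: it assumes Linux procfs and an `sh` on PATH and returns `None` where either is missing. The first function stands in for `lock()` scrubbing the running process's own environment; the second is the proposed fix of starting a fresh process with a sanitised environment. The variable name `SECRET=test` mirrors the PoC.

```python
import os
import subprocess


def _child_procfs_environ(script, env):
    """Run `script` under sh with exactly `env` as its exec-time environment and return
    the shell's own /proc/<pid>/environ, split into NUL-separated entries, as the kernel
    reports it. Returns None when sh or procfs is unavailable (non-Linux)."""
    if not os.path.exists("/proc/self/environ"):
        return None
    # `$$` is the shell's PID, so this reads the shell's initial environment block, not the
    # environment it hands to `cat`. The trailing `:` stops the shell from exec'ing `cat`
    # in place as its last command, which would replace that block with cat's own.
    full = f"{script}; cat /proc/$$/environ; :"
    try:
        out = subprocess.run(["sh", "-c", full], env=env, capture_output=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.split(b"\0")


def has_secret(environ):
    """True if an entry named exactly SECRET is present in the environ entries."""
    return any(entry.startswith(b"SECRET=") for entry in environ)


def in_place_unset_leaks():
    """What a sandbox that scrubs its own environment does: `unset` removes SECRET from the
    process's environment, but the kernel-visible copy recorded at execve() survives.
    Returns True when the leak is observable, None when the demo cannot run here."""
    env = dict(os.environ, SECRET="test")
    environ = _child_procfs_environ("unset SECRET", env)
    return None if environ is None else has_secret(environ)


def fresh_process_is_clean():
    """The proposed fix: start a new process with the sanitised environment, so the kernel
    never records SECRET for it. Returns True when no SECRET entry is visible."""
    env = {k: v for k, v in os.environ.items() if k != "SECRET"}
    environ = _child_procfs_environ(":", env)
    return None if environ is None else not has_secret(environ)


if __name__ == "__main__":
    print("in-place unset leaks via procfs:", in_place_unset_leaks())
    print("fresh process is clean:", fresh_process_is_clean())
```

The same holds for any language runtime: `std::env::remove_var`, `unsetenv(3)` and friends only rewrite the libc `environ` array, never the region the kernel exposes through procfs, which is why the advisory's fix is a new process rather than a better scrub.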
### Impact

This only impacts apps that have the `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` [fuses](https://www.electronjs.org/docs/latest/tutorial/fuses) enabled. Apps without these fuses enabled are not impacted. This issue is specific to macOS as these fuses are only currently supported on macOS.

Specifically, this issue can only be exploited if your app is launched from a filesystem the attacker has write access to, i.e. the attacker can edit files inside the `.app` bundle on macOS, which is exactly what these fuses are supposed to protect against.

### Workarounds

There are no app-side workarounds; you must update to a patched version of Electron.

### Fixed Versions

* `27.0.0-alpha.7`
* `26.2.1`
* `25.8.1`
* `24.8.3`
* `23.3.14`
* `22.3.24`

### For more information

If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org)
### Impact

In the implementation of version `0.0.1`, requests from different user clients are processed using a shared `httpx.AsyncClient`. The oversight is that `httpx.AsyncClient` persistently stores cookies from the `set-cookie` response header sent by the target server and then sends those cookies on subsequent requests, regardless of which user they belong to. This results in cookie leakage among all user clients sharing the same `httpx.AsyncClient`.

### Patches

It's fixed in `0.1.0`.

### Workarounds

If you insist on staying on `0.0.1`:

- Do not use `ForwardHttpProxy` at all.
- Do not use `ReverseHttpProxy` or `ReverseWebSocketProxy` for any servers that may potentially send a `set-cookie` response.

**However, it's best to upgrade to the latest version.**

### References

Fixed in [#10](https://github.com/WSH032/fastapi-proxy-lib/pull/10)
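The leak described above is a property of any shared cookie jar, not of httpx specifically. The following added example (not fastapi-proxy-lib's code) models it with the standard library's `http.cookiejar`, which applies the same store-on-`Set-Cookie`, replay-on-next-request logic, so it runs without httpx installed. The upstream host, user names and cookie values are constructed for the demonstration.

```python
from http.client import HTTPMessage
from http.cookiejar import CookieJar
from urllib.request import Request

UPSTREAM = "http://upstream.example/"   # constructed target, not from the advisory


class _UpstreamResponse:
    """Just enough of a response for CookieJar.extract_cookies(): it only calls info()."""

    def __init__(self, set_cookie_headers):
        self._headers = HTTPMessage()
        for value in set_cookie_headers:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers


def proxy_request(jar, user, upstream_sets_cookie=None):
    """One proxied request on behalf of `user` through a client whose jar is `jar`.

    Returns the Cookie header the upstream receives (None if none), then stores
    whatever the upstream set, exactly as a persistent client does."""
    req = Request(UPSTREAM, headers={"X-User": user})
    jar.add_cookie_header(req)          # outgoing: whatever the jar holds for this host
    sent = req.get_header("Cookie")
    if upstream_sets_cookie is not None:
        jar.extract_cookies(_UpstreamResponse([upstream_sets_cookie]), req)
    return sent


def shared_client_leaks():
    """Version 0.0.1 behaviour: every user goes through one client, hence one jar.
    Returns the Cookie header Bob's request carries after Alice logged in."""
    shared_jar = CookieJar()
    proxy_request(shared_jar, "alice", upstream_sets_cookie="session=alice-token")
    return proxy_request(shared_jar, "bob")   # Bob's request now carries Alice's session


def per_user_jars_isolate():
    """Keep cookie state per user (or run the client without a jar) so nothing crosses
    between clients. Returns (Bob's Cookie header, Alice's Cookie header)."""
    jars = {}

    def jar_for(user):
        return jars.setdefault(user, CookieJar())

    proxy_request(jar_for("alice"), "alice", upstream_sets_cookie="session=alice-token")
    return proxy_request(jar_for("bob"), "bob"), proxy_request(jar_for("alice"), "alice")


if __name__ == "__main__":
    print("shared jar, Bob sends:", shared_client_leaks())
    print("per-user jars, (Bob, Alice) send:", per_user_jars_isolate())
```

For a proxy the cleanest fix is usually to carry no server-side cookie state at all and forward the client's own `Cookie` header verbatim; per-user jars are the right shape only when the proxy genuinely has to act as a session-holding client on the user's behalf.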
### Impact

A flaw was discovered in OpenSearch, affecting the `_search` API, that allowed a specially crafted query string to cause a Stack Overflow and ultimately a Denial of Service. The issue was identified by Elastic Engineering and corresponds to security advisory [ESA-2023-14](https://discuss.elastic.co/t/elasticsearch-8-9-1-7-17-13-security-update/343297) (CVE-2023-31419).

### Mitigation

Versions 1.3.14 and 2.11.1 contain a fix for this issue.

### For more information

If you have any questions or comments about this advisory, please contact AWS/Amazon Security via our issue reporting page (https://aws.amazon.com/security/vulnerability-reporting/) or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.
### Impact

A security vulnerability has been identified in the `expires` parameter of the dpaste API, allowing for a POST Reflected XSS attack. This vulnerability can be exploited by an attacker to execute arbitrary JavaScript code in the context of a user's browser, potentially leading to unauthorized access, data theft, or other malicious activities.

### Patches

- A patch has been applied to the dpaste GitHub repository to address the specific content value injection vulnerability.
- Users are strongly advised to upgrade to dpaste release v3.8 or later versions, as dpaste versions older than v3.8 are susceptible to the identified security vulnerability.
- The patch can be viewed and applied from the following link: [dpaste Commit Patch](https://github.com/DarrenOfficial/dpaste/commit/44a666a79b3b29ed4f340600bfcf55113bfb7086.patch)

### Workarounds

At this time, the recommended course of action is to apply the provided patch to the affected systems. No known workarounds have been ident...
RuoYi up to v4.6 was discovered to contain a SQL injection vulnerability via /system/dept/edit.
### Impact

XML files like `.project` are parsed in a way that is vulnerable to all sorts of XXE attacks. The user just needs to open any malicious project, or update an open project with a malicious file (for example when reviewing a foreign repository or patch). The vulnerability was found by static code analysis (SonarLint).

Example `.project` file:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE price [ <!ENTITY xxe SYSTEM "http://127.0.0.1:49416/evil">]>
<projectDescription>
<name>p</name>
<comment>&xxe;</comment>
</projectDescription>
```

### Patches

Similar patches, including a JUnit test that shows the vulnerability, have already been applied to PDE (see https://github.com/eclipse-pde/eclipse.pde/pull/667). The solution for the platform should be the same: simply reject parsing any XML that contains a `DOCTYPE`.

### Workarounds

No known workaround. Users can only avoid getting/opening any foreign files with Eclipse. Firewall rules protect against loss of data (but not against an XML bomb).

### References

https://cwe.mit...
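The fix the advisory recommends, rejecting any document that carries a `DOCTYPE` before a single entity can be declared, is shown below with Python's expat binding as an added example; it is not Eclipse's (Java) code, where the equivalent is the parser feature that disallows DOCTYPE declarations. The two `.project` documents are embedded as constructed inputs: the first is the advisory's own example, the second a benign counterpart. Refusing the DOCTYPE outright, rather than only disabling external entities, also blocks internal-subset tricks such as entity expansion bombs.

```python
import xml.parsers.expat as expat

# Constructed inputs: the advisory's .project with an external entity, and a clean one.
EVIL_PROJECT = b"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE price [ <!ENTITY xxe SYSTEM "http://127.0.0.1:49416/evil">]>
<projectDescription>
<name>p</name>
<comment>&xxe;</comment>
</projectDescription>"""

BENIGN_PROJECT = b"""<?xml version="1.0" encoding="utf-8"?>
<projectDescription>
<name>p</name>
<comment>no entities here</comment>
</projectDescription>"""


class DoctypeRejected(ValueError):
    """Raised as soon as a DOCTYPE declaration is seen, before any entity is defined."""


def parse_project(xml_bytes):
    """Parse a .project document with expat, refusing any DOCTYPE up front.

    Returns {element name: stripped text}, which is all the projectDescription
    format needs here (name, comment). Raises DoctypeRejected on a DOCTYPE."""
    parser = expat.ParserCreate()
    texts = {}
    open_elements = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Called at '<!DOCTYPE', before the internal subset is processed and before
        # any entity reference in the body could be resolved.
        raise DoctypeRejected(f"DOCTYPE {name!r} is not allowed in a .project file")

    def on_start(name, attrs):
        open_elements.append(name)
        texts.setdefault(name, "")

    def on_end(name):
        open_elements.pop()

    def on_text(data):
        if open_elements:
            texts[open_elements[-1]] += data

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_text
    # An exception raised inside a handler aborts parsing and propagates out of Parse().
    parser.Parse(xml_bytes, True)
    return {k: v.strip() for k, v in texts.items()}


def is_rejected(xml_bytes):
    """True if the document was refused because it declares a DOCTYPE."""
    try:
        parse_project(xml_bytes)
    except DoctypeRejected:
        return True
    return False


if __name__ == "__main__":
    print("evil .project rejected:", is_rejected(EVIL_PROJECT))
    print("benign .project parsed:", parse_project(BENIGN_PROJECT))
```

The check has to live in the parser callback rather than in a regex over the bytes: a `DOCTYPE` can sit after comments, processing instructions or an unusual encoding declaration, and the parser is the only component that decodes and tokenises the prologue the same way the later parse will.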
### Impact

@adobe/css-tools version 4.3.1 and earlier are affected by an Improper Input Validation vulnerability that could result in a denial of service while attempting to parse CSS.

### Patches

The issue has been resolved in 4.3.2.

### Workarounds

None

### References

N/A
A Path traversal vulnerability has been reported in elijaa/phpmemcachedadmin affecting version 1.3.0. This vulnerability allows an attacker to delete files stored on the server due to lack of proper verification of user-supplied input.