ghsa

### Impact Affected versions of Laminas Diactoros accepted a single line feed (LF / `\n` ) character at the end of a header name. When serializing such a header name containing a line-feed into the on-the-wire representation of a HTTP/1.x message, the resulting message would be syntactically invalid, due to the header line being terminated too early. An attacker that is able to control the header names that are passed to Laminas Diactoros would be able to intentionally craft invalid messages, possibly causing application errors or invalid HTTP requests being sent out with an PSR-18 HTTP client. The latter might present a denial of service vector if a remote service’s web application firewall bans the application due to the receipt of malformed requests. ### Patches The problem has been patched in the following versions: - 2.18.1 - 2.19.1 - 2.20.1 - 2.21.1 - 2.22.1 - 2.23.1 - 2.24.2 - 2.25.2 ### Workarounds Validate HTTP header keys and/or values, and if using user-supplied values...

### Impact Frederic Linn (@FredericLinn) has reported a series of vulnerabilities that can result in directory traversal, file write, and potential remote code execution on Jellyfin instances. The general process involves chaining several exploits including a stored XSS vulnerability and can be used by an unprivileged user. The general process is (using the example of setting an intro video as the payload): * Create a session as a low-priviledged user with a crafted authorization header * Upload an executable that contains a malicious plugin inline via /ClientLog/Document * (Admin hovers over our device in dashboard -> XSS payload gets triggered) * XSS Payload tries to set encoder path to our uploaded "log" file via /System/MediaEncoder/Path * The request fails, but in the process our executable actually runs (I guess for verifying if the path points to a valid ffmpeg version) * The executable will create a plugin folder and place the inlined plugin DLL inside it * The XSS payload sh...

### Impact A failure in the update logic of Rancher's admission Webhook may lead to the misconfiguration of the Webhook. This component enforces validation rules and security checks before resources are admitted into the Kubernetes cluster. When the Webhook is operating in a degraded state, it no longer validates any resources, which may result in severe privilege escalations and data corruption. The issue only affects users that upgrade from `2.6.x` or `2.7.x` to `2.7.2`. Users that did a fresh install of 2.7.2 (and did not follow an upgrade path) are not affected. The command below can be executed on the `local` cluster to determine whether the cluster is affected by this issue: ```sh $ kubectl get validatingwebhookconfigurations.admissionregistration.k8s.io rancher.cattle.io NAME WEBHOOKS AGE rancher.cattle.io 0 19h ``` If the resulting webhook quantity is `0`, the Rancher instance is affected. ### Patches Patched versions include release `2.7.3` ...

### Background During the audit of [Lido's Gate Seals](https://github.com/lidofinance/gate-seals) code [statemind](https://statemind.io) team identified a weird behavior of the code that uses `raw_call`: https://github.com/lidofinance/gate-seals/blob/051593e74df01a4131c485b4fda52e691cd4b7d8/contracts/GateSeal.vy#L164 . Construction like this: ```vyper success = raw_call( sealable, _abi_encode(SEAL_DURATION_SECONDS, method_id=method_id("pauseFor(uint256)")), revert_on_failure=False ) ``` was not fully documented: https://docs.vyperlang.org/en/v0.3.7/built-in-functions.html#raw_call . The documentation says that: if `max_outsize=0` it should return nothing and then it says that if `revert_on_failure=False` it should return a `success` flag in the tuple of response, but what if `max_outsize=0` and `revert_on_failure=False`. <img width="715" alt="image" src="https://user-images.githubusercontent.com/22330612/232125364-d2b3bbac-0b4f-40cb-80ff-f55d8eafef44.png"> So the team...

## Summary The `embano1/wip` action uses the `github.event.pull_request.title` parameter in an insecure way. The title parameter is used in a run statement - resulting in a command injection vulnerability due to string interpolation. ## Details and Impact This vulnerability can be triggered by any user on GitHub. They just need to create a pull request with a commit message containing an exploit. (Note that first-time PR requests will not be run - but the attacker can submit a valid PR before submitting an invalid PR). The commit can be genuine, but the commit message can be malicious. This can be used to execute code on the GitHub runners (potentially use it for crypto-mining, and waste your resources) and can be used to exfiltrate any secrets that you use in the CI pipeline (including repository tokens). [Here](https://securitylab.github.com/research/github-actions-untrusted-input/) is a set of blog posts by Github's security team explaining this issue. ## How to update existing...

Drupal core form API evaluates form element access incorrectly. This can lead to a user being able to alter data they should not have access to.

broccoli-compass v0.2.4 was discovered to contain a remote code execution (RCE) vulnerability via the child_process function.

dawnsparks-node-tesseract before 0.4.1 was discovered to contain a remote code execution (RCE) vulnerability via the child_process function.

Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config.

The macro relied on an expression of the form `Enum::Variant` always being a variant of the enum. However, it may also be an associated integer constant, in which case there's no guarantee that the value of said constant consists only of bits valid for this bitflag type. Thus, code like this could create an invalid `BitFlags<Test>`, which would cause iterating over it to trigger undefined behavior. As the debug formatter internally iterates over the value, it is also affected. ```rust use enumflags2::{bitflags, make_bitflags}; #[bitflags] #[repr(u8)] #[derive(Copy, Clone, Debug)] enum Test { A = 1, B = 2, } impl Test { const C: u8 = 69; } fn main() { let x = make_bitflags!(Test::{C}); // printing or iterating over x is UB } ```