Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-3x49-g6rc-c284: LiteDB may deserialize bad JSON on object type using _type

### Impact LiteDB use a special field in JSON documents to cast diferent types from `BsonDocument` do POCO classes. When instance of an object are not the same of class, `BsonMapper` use a special field `_type` string info with full class name with assembly to be loaded and fit in your model. If your end-user can send to your app a plain JSON string, deserialization can load an unsafe object to fit in your model. ### Patches Version >= 5.0.13 add some basic fixes to avoid this, but is not 100% guaranteed when using `Object` type Next major version will contains a allow-list to select what king of Assembly can be loaded ### Workarounds - Avoid users send to your app a JSON string to be direct insert/update into database - Avoid use classes with `Object` type - try use an interface when possible If your app send a plain JSON string to be insert/update into database, prefer this: ``` // Bad public class Customer { public int Id { get; set; } public string Name { get; set; } ...

ghsa
Open in Source
#js#git
GHSA-w695-p3j5-hrj9: Apache Airflow AWS Provider Generates Error Message Containing Sensitive Information

Generation of Error Message Containing Sensitive Information vulnerability in the Apache Airflow AWS Provider. This issue affects Apache Airflow AWS Provider versions before 7.2.1.

GHSA-9mwf-mw74-9cv5: Apache Airflow Hive Provider Improper Input Validation vulnerability

Improper Input Validation vulnerability in the Apache Airflow Hive Provider. This issue affects Apache Airflow Hive Provider versions before 5.1.3.

GHSA-8g23-2q5p-8866: Apache Airflow Google Provider Improper Input Validation vulnerability

Improper Input Validation vulnerability in the Apache Airflow Google Provider. This issue affects Apache Airflow Google Provider versions before 8.10.0.

GHSA-h8p2-8g72-qpgh: Apache Airflow Google Provider Improper Input Validation vulnerability

Improper Input Validation vulnerability in the Apache Airflow Google Provider. This issue affects Apache Airflow Google Provider versions before 8.10.0.

GHSA-j69x-v4wc-3fpf: Apache Airflow Sqoop Provider Improper Input Validation vulnerability

Improper Input Validation vulnerability in the Apache Airflow Sqoop Provider. This issue affects Apache Airflow Sqoop Provider versions before 3.1.1.

GHSA-65rp-mhqf-8gj3: rangy vulnerable to Prototype Pollution

All versions of the package rangy are vulnerable to Prototype Pollution when using the `extend()` function in file `rangy-core.js`.The function uses recursive merge which can lead an attacker to modify properties of the Object.prototype.

GHSA-q8gg-vj6m-hgmj: @braintree/sanitize-url Cross-site Scripting vulnerability

sanitize-url (aka @braintree/sanitize-url) before 6.0.1 allows XSS via HTML entities.

GHSA-prjg-28jg-m3p5: RosarioSIS Improper Access Control vulnerability

Improper Access Control in GitHub repository francoisjacquet/rosariosis prior to 10.8.2.

GHSA-9fh3-j99m-f4v7: Code injection in pdf_info

pdf_info 0.5.3 is vulnerable to Command Execution. An attacker using a specially crafted payload may execute OS commands by using command chaining because during object initalization there is no validation performed and the user provided path is used.