ghsa

### Summary Missing check vulnerability in the static file handler allows any client to access the files in the server's file system ### Details When `staticFiles` is set in the `serve` settings in the configuration file, the following handler doesn't check if `absolutePath` is still under the directory provided as `staticFiles`; ```ts if (staticFiles) { router.get('/:relativePath+', async request => { let { relativePath } = request.params; if (!relativePath) { relativePath = 'index.html'; } const absolutePath = path.join(baseDir, staticFiles, relativePath); if (absolutePath.includes(staticFiles) && (await pathExists(absolutePath))) { const readStream = fs.createReadStream(absolutePath); return new Response(readStream as any, { status: 200, }); } return undefined; }); ``` ### Example scenario To reproduce it, set `staticFiles` to the relative path of a directory in `.meshrc.yml`; ```yml s...

### Impact When importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. ### Patches This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. ### Workarounds Ensure that only trusted images are used and that only trusted users have permissions to import images. ### Credits The containerd project would like to thank [David Korczynski](https://github.com/DavidKorczynski) and [Adam Korczynski](https://github.com/AdamKorcz) of ADA Logics for responsibly disclosing this issue in accordance with the [containerd security policy](https://github.com/containerd/project/blob/main/SECURITY.md) during a security fuzzing audit sponsored by CNCF. ### For more information If you have any questions or comments about this advisory: * Open an issue in [containerd](https://github.com/containerd/...

### Impact An attacker with read-only access to a Strongbox secret could craft a valid encrypted secret (same id/version). It also makes the audit logs from KMS less useful. The issue is caused by a bug in the underlying AWS Encryption SDK. By default, the encrypted secrets are stored in DynamoDB and an attacker with read-only access would not be able to write the encrypted secret to DynamoDB. So in practice the impact should be limited for most users. Strongbox supports storing data in files as an alternative to DynamoDB. If the attacker had write access to where the files are stored they could make the attack work end-to-end. Similarly, any custom storage backend could also be affected. In order to be backwards compatible Strongbox will not make use of key commitments (another improvement to the AWS Encryption SDK). Strongbox enforces that only one KMS key can be used, and it must match the expected one. This means that an attacker needs write access to both KMS and DynamoDB (or o...

### Impact A bug was found in containerd where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well. ### Patches This bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions. ### Workarounds Ensure that the `"USER $USERNAME"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT ["su", "-",...

Improper Restriction of Excessive Authentication Attempts in GitHub repository modoboa/modoboa-installer prior to 2.0.4.

Cross Site Scripting (XSS) vulnerability in kevinpapst kimai2 in /src/Twig/Runtime/MarkdownExtension.php, allows attackers to gain escalated privileges.

### Impact An attacker can use XSS to send a malicious script to an unsuspecting user. ### Patches Update to version 10.5.17 or apply this patch manually https://github.com/pimcore/pimcore/pull/14301.patch ### Workarounds Apply https://github.com/pimcore/pimcore/pull/14301.patch manually. ### References https://huntr.dev/bounties/75bc7d07-46a7-4ed9-a405-af4fc47fb422/

### Impact Previous versions of Kiwi TCMS do not impose rate limits which makes it easier to attempt brute-force attacks against the login page. ### Patches Users should upgrade to v12.0 or later. ### Workarounds Users may install and configure a rate-limiting proxy in front of Kiwi TCMS. For example nginx. ### References [Disclosed by spyata](https://huntr.dev/bounties/2b1a9be9-45e9-490b-8de0-26a492e79795/)

### Impact Previous versions of Kiwi TCMS do not impose rate limits which makes it easier to attempt denial-of-service attacks against the Password reset page. An attacker could potentially send a large number of emails if they know the email addresses of users in Kiwi TCMS. Additionally that may strain SMTP resources. ### Patches Users should upgrade to v12.0 or later. ### Workarounds Users may install and configure a rate-limiting proxy in front of Kiwi TCMS such as Nginx and/or configure rate limits on their email server when possible. ### References [Disclosed by Ahmed Rabeaa Mosaa](https://huntr.dev/bounties/3b712cb6-3fa3-4f71-8562-7a7016c6262e)

### Summary The request body parsing in `starlite` allows a potentially unauthenticated attacker to consume a large amount of CPU time and RAM. ### Details The multipart body parser processes an unlimited number of file parts. The multipart body parser processes an unlimited number of field parts. ### Impact This is a remote, potentially unauthenticated Denial of Service vulnerability. This vulnerability affects applications with a request handler that accepts a `Body(media_type=RequestEncodingType.MULTI_PART)`. The large amount of CPU time required for processing requests can block all available worker processes and significantly delay or slow down the processing of legitimate user requests. The large amount of RAM accumulated while processing requests can lead to Out-Of-Memory kills. Complete DoS is achievable by sending many concurrent multipart requests in a loop.