Source: ghsa
In rdiffweb prior to version 2.4.6, the `cookie` session_id does not have a secure attribute when the URL is invalid. Version 2.4.6 contains a fix for the issue.
rdiffweb prior to 2.4.6 is vulnerable to Cross-Site Request Forgery (CSRF), which could lead to disabling notifications in a user's profile.
### Impact

A potential unsafe deserialization issue exists within the `autogluon.multimodal` module, where YAML files are loaded via `yaml.load()` instead of `yaml.safe_load()`. The deserialization of untrusted data may allow an unprivileged third party to cause remote code execution, denial of service, and impact to both confidentiality and integrity.

Impacted versions: `>=0.4.0;<0.4.3`, `>=0.5.0;<0.5.2`.

### Patches

The patches are included in `autogluon.multimodal==0.4.3`, `autogluon.multimodal==0.5.2` and Deep Learning Containers `0.4.3` and `0.5.2`.

### Workarounds

Do not load data which originated from an untrusted source, or that could have been tampered with. **Only load data you trust.**

### References

* https://cwe.mitre.org/data/definitions/502.html
* https://www.cvedetails.com/cve/CVE-2017-18342/
### Impact

By sending specially crafted headers an attacker can bypass the source image domain allowlist, causing the handler to load and return arbitrary images. Because the response is cached globally, this image will then be served to visitors without requiring those headers to be set. XSS can be achieved by requesting a malicious SVG with embedded scripts, which would then be served from the site domain. Note that this does not apply to images loaded in `<img>` tags, as scripts do not execute in this context. The image URL can be set in the header independently of the request URL, meaning any site images that have not previously been cached can have their cache poisoned.

### Patches

This problem has been fixed in version 1.2.3.

### Workarounds

The problem is no longer exploitable on Netlify as the CDN now sanitizes the relevant header. Cached content can be cleared by re-deploying the site.
### Impact

An attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. Depending on the application, this may for example enable the attacker to spoof other users' identities, hijack their sessions, or bypass authentication.

### Patches

Users should upgrade to version 3.3.4. Fixed by: https://github.com/davedoesdev/python-jwt/commit/88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9

### Workarounds

None

### References

Found by [Tom Tervoort](mailto:Tom.Tervoort@secura.com)

https://github.com/pypa/advisory-database/blob/main/vulns/python-jwt/PYSEC-2022-259.yaml

### More information

The vulnerability allows an attacker, who possesses a single valid JWT, to create a new token with forged claims that the verify_jwt function will accept as valid. The issue is caused by an inconsistency between the JWT parsers used by python-jwt and its dependency jwcrypto. By mixing compact and JSON representations, an attacker can trick jwcrypto into parsing different claims than tho...
### Impact

Validation of the authentication adapter app ID for _Facebook_ and _Spotify_ may be circumvented. This fixes a vulnerability that affects configurations which allow users to authenticate using the Parse Server authentication adapter for _Facebook_ or _Spotify_ and where the server-side authentication adapter configuration `appIds` is set as a string (e.g. `abc`) instead of an array of strings (e.g. `["abc"]`). The vulnerability makes it possible to authenticate requests which are coming from a _Facebook_ or _Spotify_ app with a different app ID than the one specified in the `appIds` configuration. Both adapters still validate the access token with the respective authentication provider. An app ID is automatically assigned by the authentication provider. For this vulnerability to be exploited, an attacker would have to be assigned an app ID by the authentication provider which is a sub-set of the server-side configured app ID. The documentation did not explicitly specify ...
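An added illustration, not Parse Server's own code: a simplified `appIds` check that reproduces the behaviour the advisory describes when `appIds` is configured as a string, beside a version that normalizes the option to an array first. The function names and the handling of the option are assumptions made for this example.

```javascript
// Added example (not Parse Server code). Models the appIds check the advisory
// describes: an app ID reported by the provider is compared with the
// server-side `appIds` option, which may be a string or an array of strings.

// Vulnerable pattern (assumed for illustration): `includes` means "element of"
// for an array but "substring of" for a string. With appIds configured as the
// string "abc", a provider-assigned app ID such as "ab" or "c" also passes.
function appIdAllowedVulnerable(appIds, appId) {
  return appIds.includes(appId);
}

// Hardened pattern: normalize the option to an array of non-empty strings, then
// require an exact element match. A string config value becomes a one-element
// array, so a substring can no longer satisfy the check.
function normalizeAppIds(appIds) {
  const list = Array.isArray(appIds) ? appIds : [appIds];
  if (!list.every((id) => typeof id === 'string' && id.length > 0)) {
    throw new TypeError('appIds must be a non-empty string or an array of them');
  }
  return list;
}

function appIdAllowed(appIds, appId) {
  if (typeof appId !== 'string') return false;
  return normalizeAppIds(appIds).some((id) => id === appId);
}

// Constructed configuration values; "abc" stands in for a real app ID.
const configuredAsString = 'abc';
const configuredAsArray = ['abc'];
```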
### Impact

This issue allows a client of the API to retrieve more information than the client's OAuth scope permits when making "search-type" requests. This issue would not allow a client to retrieve information about individuals other than those the client was already authorized to access.

### Patches

We recommend that users of fhir-works-on-aws-authz-smart 3.1.1 or 3.1.2 upgrade to version 3.1.3 or higher immediately. Versions 3.1.0 and below are unaffected.

### Workarounds

There is no workaround for this issue. Please upgrade fhir-works-on-aws-authz-smart to version 3.1.3 or higher.

### References

https://github.com/awslabs/fhir-works-on-aws-deployment
https://github.com/awslabs/fhir-works-on-aws-authz-smart

### For more information

If you have any questions or comments about this advisory: Email us at [fhir-works-on-aws-dev@amazon.com](mailto:fhir-works-on-aws-dev@amazon.com)
### Impact

A foreign user can write to the session object of another user if the session object ID is known. For example, a foreign user can assign the session object to their own user by writing to the `user` field and then read any custom fields of that session object. Note that assigning a session to a foreign user does not usually change the privileges of either of the two users, according to how Parse Server uses session objects internally. However, if custom logic is used to relate specific session objects to privileges, this vulnerability may have a higher level of severity. The vulnerability does not allow a foreign user to assign a session object to themselves, read the session token, and then reassign the session object to the original user to then authenticate as that user with the known session token. The vulnerability only exists for foreign session objects; a user cannot assign their own session to another user. While it is unlikely that the session object ID of anoth...
### Impact

CommonMarker uses `cmark-gfm` for rendering [Github Flavored Markdown](https://github.github.com/gfm/). A polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service.

### Patches

This vulnerability has been patched in the following CommonMarker release:

- v0.23.6

### Workarounds

Disable use of the autolink extension.

### References

https://github.com/gjtorikian/commonmarker/pull/190
https://github.com/github/cmark-gfm/security/advisories/GHSA-cgh3-p57x-9q7q
https://en.wikipedia.org/wiki/Time_complexity

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [github/cmark-gfm](https://github.com/github/cmark-gfm)

### Acknowledgements

We would like to thank [Legit Security](https://www.legitsecurity.com) for reporting this vulnerability.
### Impact

Arbitrary shell execution is possible when using RPM::File#files and RPM::File#extract if the RPM contains a malicious "payload compressor" field. This vulnerability impacts the `extract` and `files` methods of the `RPM::File` class in the affected versions of this library.

### Patches

Version 0.0.12 is available with a fix for these issues.

### Workarounds

When using an affected version of this library (arr-pm), ensure any RPMs being processed contain valid/known payload compressor values. Such values include: gzip, bzip2, xz, zstd, and lzma.

You can check the payload compressor field in an rpm by using the rpm command line tool. For example:

```
% rpm -qp example-1.0-1.x86_64.rpm --qf "%{PAYLOADCOMPRESSOR}\n"
gzip
```

### Impact on known dependent projects

This library is used by [fpm](https://github.com/jordansissel/fpm). The vulnerability may impact fpm only when using the flag `-s rpm` or `--input-type rpm` to convert a malicious rpm to another format. It does...
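An added example, not arr-pm's own code, of the workaround the advisory recommends: checking the payload compressor header value against the allowlist of known compressors before it selects a decompression tool, with the string-interpolated command pattern shown beside an argv-based one. The function names, the `-dc` flag choice and the sample header values are assumptions constructed for this example.

```javascript
// Added example (not arr-pm code): validating the RPM "payload compressor"
// header value before it is used to pick a decompression tool.

// Values the advisory lists as valid/known payload compressors.
const KNOWN_PAYLOAD_COMPRESSORS = new Set(['gzip', 'bzip2', 'xz', 'zstd', 'lzma']);

// Exact-match allowlist: anything else is rejected, including values that
// merely start with a known name, differ in case, or carry extra characters.
function isKnownPayloadCompressor(value) {
  return typeof value === 'string' && KNOWN_PAYLOAD_COMPRESSORS.has(value);
}

// Vulnerable pattern (assumed for illustration): building a single command line
// from the header field hands whatever the field contains to the shell.
function decompressCommandVulnerable(compressor) {
  return `${compressor} -dc`;
}

// Hardened pattern: the value must pass the allowlist, and the result is an
// argv array intended for a spawn-style API that does not involve a shell.
function decompressArgv(compressor) {
  if (!isKnownPayloadCompressor(compressor)) {
    throw new Error(`unsupported payload compressor: ${JSON.stringify(compressor)}`);
  }
  return [compressor, '-dc'];
}

// Constructed header values: one benign, one with shell text appended.
const BENIGN_FIELD = 'gzip';
const TAMPERED_FIELD = 'gzip; echo injected';
```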