Security Headlines: Latest CVEs (source: ghsa)

GHSA-829q-v5g8-hhxc: CakePHP has incorrect Cross-Site Request Forgery validation

CsrfComponent fails to invalidate requests that are missing both the CSRF token and the CSRF post data.

GHSA-g6pw-999w-j75m: ELF header parsing library doesn't check for valid offset

The crate has several unsafe sections that don't perform proper pointer validation. An example can be found in the following function:

```rust
fn section_header_raw(&self) -> &[ET::SectionHeader] {
    // Both the offset and the entry count are taken directly from the
    // (untrusted) ELF header without being checked against content().len().
    let sh_off = self.elf_header().section_header_offset() as usize;
    let sh_num = self.elf_header().section_header_entry_num() as usize;
    unsafe {
        // An oversized sh_off makes sh_ptr point outside the file buffer.
        let sh_ptr = self.content().as_ptr().add(sh_off);
        from_raw_parts(sh_ptr as *const ET::SectionHeader, sh_num)
    }
}
```

While this will work perfectly fine *if* the ELF header is valid, malicious or malformed input can contain a section header offset of an arbitrary size, meaning that the resultant pointer in the unsafe block can point to an arbitrary address in the address space of the process. This can result in unpredictable behaviour, and in our fuzz testing, we discovered that it's trivial to cause SIGABRT (signal 6) or SEGV (signal 11). The function should either be marked as unsafe, with a note that the caller is r...

GHSA-7p8m-22h4-9pj7: scs-library-client may leak user credentials to third-party service via HTTP redirect

### Impact

When the scs-library-client is used to pull a container image with authentication, the HTTP Authorization header sent by the client to the library service may be incorrectly leaked to an S3 backing storage provider. This occurs in a specific flow, where the library service redirects the client to a backing S3 storage server to perform a multi-part concurrent download. Depending on site configuration, the S3 service may be provided by a third party. An attacker with access to the S3 service may be able to extract user credentials, allowing them to impersonate the user.

The vulnerable multi-part concurrent download flow, with redirect to S3, is only used when communicating with a Singularity Enterprise 1.x installation, or a third party server implementing this flow. Interaction with Singularity Enterprise 2.x and Singularity Container Services (cloud.sylabs.io) does not trigger the vulnerable flow.

We encourage all users to update. Users who interact with a Singularity...

GHSA-f85w-wvc7-crwc: bumpalo has use-after-free due to a lifetime error in `Vec::into_iter()`

In affected versions of this crate, the lifetime of the iterator produced by `Vec::into_iter()` is not constrained to the lifetime of the `Bump` that allocated the vector's memory. Using the iterator after the `Bump` is dropped causes use-after-free accesses. The following example demonstrates memory corruption arising from a misuse of this unsoundness.

```rust
use bumpalo::{collections::Vec, Bump};

fn main() {
    let bump = Bump::new();
    let mut vec = Vec::new_in(&bump);
    vec.extend([0x01u8; 32]);
    // The iterator borrows memory owned by `bump`, but its lifetime is not
    // tied to `bump` in the affected versions, so this compiles.
    let into_iter = vec.into_iter();
    drop(bump);
    // Churn the allocator so the freed chunk is likely to be reused.
    for _ in 0..100 {
        let reuse_bump = Bump::new();
        let _reuse_alloc = reuse_bump.alloc([0x41u8; 10]);
    }
    // Reads freed memory: prints whatever now occupies the old chunk.
    for x in into_iter {
        print!("0x{:02x} ", x);
    }
    println!();
}
```

The issue was corrected in version 3.11.1 by adding a lifetime to the `IntoIter` type, and updating the signature of `Vec::into_iter()` to constrain this lifetime.

GHSA-q95h-cqrv-8jv5: ExifTool vulnerable to arbitrary code execution

### Impact

Arbitrary code execution can occur when running `exiftool` against files with hostile metadata payloads.

### Patches

ExifTool has already been patched in version 12.24. `exiftool_vendored.rb`, which vendors ExifTool, includes this patch in [v12.25.0](https://github.com/exiftool-rb/exiftool_vendored.rb/releases/tag/v12.25.0).

### Workarounds

No

### References

- https://twitter.com/wcbowling/status/1385803927321415687
- https://nvd.nist.gov/vuln/detail/CVE-2021-22204

### For more information

If you have any questions or comments about this advisory: open an issue in [exiftool_vendored.rb](https://github.com/exiftool-rb/exiftool_vendored.rb/issues).

GHSA-hj4g-4w36-x8hp: Kraken has arbitrary file read vulnerability via component testfs

kraken <= 0.1.4 has an arbitrary file read vulnerability via the component `testfs`.

GHSA-7cp7-jfp6-jh4f: Shopware's log module vulnerable to Improper Output Neutralization

### Impact

The log module contains all kinds of sent mails. It is possible to see the password reset emails of customers and admin users, and probably to gain more access through them.

### Patches

Update to the latest 6.4.18.1 version.

### Workarounds

- For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.
- Remove the log module ACL rights from all users.
- [Disable logging](https://developer.shopware.com/docs/guides/hosting/performance/performance-tweaks#logging)

### References

https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates

GHSA-6g8q-qfpv-57wp: CakePHP vulnerable to SQL injection

### Impact

The `Cake\Database\Query::limit()` and `Cake\Database\Query::offset()` methods are vulnerable to SQL injection if passed un-sanitized user request data.

### Patches

This issue has been fixed in 4.2.12, 4.3.11, 4.4.10.

### Workarounds

Using CakePHP's Pagination library will mitigate this issue, as will validating or casting parameters to these methods.

### References

https://bakery.cakephp.org/2023/01/06/cakephp_4211_4311_4410_released.html

GHSA-mc52-jpm2-cqh6: Deno is vulnerable to race condition via interactive permission prompt spoofing

### Impact

Multi-threaded programs were able to spoof the interactive permission prompt by rewriting the prompt to suggest that the program is waiting on user confirmation for an unrelated action. A malicious program could clear the terminal screen after the permission prompt was shown and write a generic message like so:

```
// Expected prompt
⚠️ ┌ Deno requests read access to "./log.txt".
   ├ Requested by `Deno.open()` API
   ├ Run again with --allow-read to bypass this prompt.
   └ Allow? [y/n] (y = yes, allow; n = no, deny) >

// Prompt that users would see
Do you want to continue?
```

This situation impacts users who use the Web Worker API and relied on the interactive permission prompt. The reproduction is very timing sensitive and can't be reliably reproduced on every try. This problem can not be exploited on systems that do not attach an interactive prompt (for example headless servers).

### Patches

The problem has been fixed in Deno v1.29.3; it is recommended all users update to this versio...

GHSA-6vf6-g3pr-j83h: pimcore is vulnerable to cross-site scripting via "title field" in data objects

### Impact

The vulnerability is capable of resulting in stolen user cookies.

#### Proof of Concept

1. Login with the dev account: https://11.x-dev.pimcore.fun/admin/?_dc=1670962076&perspective=
2. Go to Settings --> Data Objects --> Classes --> Events.
3. Click Media under General Settings.
4. Add the payload in the title field.
5. Go to the Data Objects module and open Events; the XSS will trigger.

```
// PoC.js
"><iMg SrC="x" oNeRRor="alert(xss);">
```

### Patches

Update to version 10.5.14 or apply this patch manually: https://github.com/pimcore/pimcore/pull/13916.patch

### Workarounds

Apply https://github.com/pimcore/pimcore/pull/13916.patch manually.

### References

https://huntr.dev/bounties/129d6a4b-0504-4de1-a72c-3f12c4552343/