ghsa

Hyper is an HTTP library for Rust and h2 is an HTTP 2.0 client & server implementation for Rust. An issue was discovered in hyper v0.13.7 and h2 v0.2.4 when proessing header frames. Both packages incorrectly process the HTTP2 `RST_STREAM` frames by not always releasing the memory immediately upon receiving the reset frame, leading to stream stacking. As a result, the memory and CPU usage are high which can lead to a Denial of Service (DoS). As of time of publication of this advisory, there is no evidence of a fix having been incorporated into hyper or h2.

answerdev/answer is an open-source knowledge-based community software. Answer prior to 1.0.8 does not strip EXIF geolocation data from user-uploaded logos. As a result, anyone can get sensitive information like a user's device ID, geolocation, system information, system version, etc.

answerdev/answer is an open-source knowledge-based community software. Answer prior to 1.0.8 may expose sensitive information, such as EXIF data and GPS coordatinates, via image metadata.

answerdev/answer is an open-source knowledge-based community software. Answer prior to 1.0.6 is vulnerable to account takeover because the password reset link does not expire.

All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper sanitization of its parameter content.

All versions of the package safe-eval are vulnerable to Sandbox Bypass due to improper input sanitization. The vulnerability is derived from prototype pollution exploitation. Exploiting this vulnerability might result in remote code execution (RCE). **Vulnerable functions:** __defineGetter__, stack(), toLocaleString(), propertyIsEnumerable.call(), valueOf().

### Impact Lack of rate limiting will allow an attacker to brute-force user credentials. ### Patches Ability to enable rate limiting on Flask-AppBuilder >= 4.3.0. Use `AUTH_RATE_LIMITED = True` and `RATELIMIT_ENABLED = True` set the limit itself by using `AUTH_RATE_LIMIT`. Will apply only to database authentication. ### Workarounds Implement rate limiting using a reverse proxy or other strategies.

In Apache Linkis <=1.3.1, because the parameters are not effectively filtered, the attacker can use the MySQL data source and malicious parameters to configure a new data source to trigger a deserialization vulnerability, eventually leading to remote code execution. Users should upgrade their version of Linkis to version 1.3.2.

In Apache Linkis <=1.3.1, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in JDBC EngineConn Module will trigger a deserialization vulnerability and eventually lead to remote code execution. Therefore, the parameters in the Mysql JDBC URL should be blacklisted. Users should upgrade their version of Linkis to version 1.3.2.

XXL-JOB (`com.xuxueli:xxl-job`) versions 2.4.0 and earlier are vulnerable to cross-site scripting (XSS). An HTML uploaded payload can be executed successfully through `/xxl-job-admin/user/add` and `/xxl-job-admin/user/update`.