ghsa

### Summary Vite Server Options (`server.fs.deny`) can be bypassed using double forward-slash (//) allows any unauthenticated user to read file from the Vite root-path of the application including the default [`fs.deny` settings](https://vitejs.dev/config/server-options.html#server-fs-deny) (`['.env', '.env.*', '*.{crt,pem}']`) ### Impact Only users explicitly exposing the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) are affected, and only files in the immediate Vite project root folder could be exposed. ### Patches Fixed in vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5 And in the latest minors of the previous two majors: vite@3.2.7, vite@2.9.16 ### Details Vite serve the application with under the root-path of the project while running on the dev mode. By default, vite using server options fs.deny to protected the sensitive information of the file. But, with simply double forward-slash, ...

### Impact A vulnerability has been identified which enables [Standard users](https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/manage-role-based-access-control-rbac/global-permissions) or above to elevate their permissions to Administrator in the `local` cluster. The `local` cluster means the cluster where Rancher is installed. It is named `local` inside the list of clusters in the Rancher UI. Standard users could leverage their existing permissions to manipulate Kubernetes secrets in the `local` cluster, resulting in the secret being deleted, but their read-level permissions to the secret being preserved. When this operation was followed-up by other specially crafted commands, it could result in the user gaining access to tokens belonging to service accounts in the `local` cluster. Users that have custom global roles which grant `create` and `delete` permissions on `secrets` would also be able to exploit this...

### Impact Multiple Cross-Site Scripting (XSS) vulnerabilities have been identified in the Rancher UI. Cross-Site scripting allows a malicious user to inject code that is executed within another user's browser, allowing the attacker to steal sensitive information, manipulate web content, or perform other malicious activities on behalf of the victims. This could result in a user with write access to the affected areas being able to act on behalf of an administrator, once an administrator opens the affected web page. The affected areas include the Projects/Namespaces and Auth Provider sections. The attacker needs to be authenticated and have write access to those features in order to exploit the vulnerabilities. Some of the permissions (roles) required are: - Project Owner. - Restricted Admin. - Configure Authentication. - Administrator. - Custom RBAC Role that provides write access on Projects or External Authentication Providers. For users that suspect this vulnerability may have t...

### Impact A vulnerability was identified in which users with update privileges on a namespace, can move that namespace into a project they don't have access to. After the namespace transfer is completed, their previous permissions are still preserved, which enables them to gain access to project-specific resources (such as [project secrets](https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/kubernetes-resources-setup/secrets#creating-secrets-in-projects)). In addition, resources in the namespace will now count toward the [quota limit](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/manage-projects/manage-project-resource-quotas/about-project-resource-quotas) of the new project, potentially causing availability issues. User with roles `Project Owner` and `Project Member` on the source project can exploit this vulnerability; however, this would also apply to custom roles with similar privileges. The patched version include an improved RBA...

Affected versions of the crate have a bug where attacker-controlled input can result in the use of an out-of-bound array index. Rust detects the use of the out-of-bound index and causes the application to panic. An attacker may be able to use this to cause a denial-of-service. However, it is not possible for an attacker to read from or write to the application's address space.

Affected versions of the crate have several bugs where attacker-controlled input can result in the use of an out-of-bound array index. Rust detects the use of the out-of-bound index and causes the application to panic. An attacker may be able to use this to cause a denial-of-service. However, it is not possible for an attacker to read from or write to the application's address space.

### Impact A path traversal vulnerability exists in the CMS, which allows an attacker to overwrite or modify sensitive files by manipulating the `pimcore_log` parameter.This can lead to potential denial of service---key file overwrite. The impact of this vulnerability allows attackers to: - Overwrite or modify sensitive files, potentially leading to unauthorized access, privilege escalation, or disclosure of confidential information. - Tamper with system settings by modifying key files, such as the hosts file in Windows or configuration files for other services. - Cause a denial of service (DoS) if critical system files are overwritten or deleted. The consequences of exploiting this vulnerability can be detrimental to the confidentiality, integrity, and availability of the affected system. It's crucial to address this vulnerability to protect sensitive data and ensure the proper functioning of the system. ### Patches Update to version 10.5.22 or apply this patch manually https:/...

### Impact In 4.18.0, the network handling of inventories was completely revamped. Due to this, a bug was introduced which allowed players to request that the server drop more of an item than they had available in their hotbar. This did not lead to any duplication issues, but instead led to a server crash, and is believed to have been exploited in the wild. ### Patches This was fixed in 58974765a68f63a9968a7ff3a06f584ff2ee08d2, which was released in 4.18.1. ### Workarounds Handle `InventoryTransactionPacket` in `DataPacketReceiveEvent`, and verify that the item count dropped isn't more than the available item count. However, it's complicated to do this, so it's not recommended.

### Impact An attacker could crash the server by sending malformed JWT JSON in `LoginPacket` due to a security vulnerability in [`netresearch/jsonmapper`](https://github.com/cweiske/JsonMapper), due to improper checking for mapping JSON arrays and objects onto scalar model properties such as strings. ### Patches The problem was fixed in a fork of JsonMapper in dktapps/JsonMapper@a31902a31f5b6fdb832f57c0e3a3f16a3b41c012. PocketMine-MP releases 4.20.5 and 4.21.1 have been released with the fix. ### Workarounds - Users of PocketMine-MP source installations may manually install the patched version of JsonMapper by backporting commit pmmp/PocketMine-MP@09668a37d66c6023685a948b7550c918620e98f2. - A plugin may also be able to workaround this issue by using `DataPacketReceiveEvent` to attempt detection of suspicious payloads. An `ErrorException` will be thrown in the crash case, which can be caught by plugins. ### References cweiske/jsonmapper#210

### Impact A new user can privilege escalation to admin role which least config ### Patches Update to version 10.5.23 or apply this patches manually https://github.com/pimcore/pimcore/commit/c8f37b19c99cd82e4e558857d3e4d5476ea7228a.patch ### Workarounds Apply patches manually: https://github.com/pimcore/pimcore/commit/c8f37b19c99cd82e4e558857d3e4d5476ea7228a.patch ### References https://huntr.dev/bounties/6b2f33d3-2fd0-4d2d-ad7b-2c1e2417eeb1/