GHSA-5v8v-gwmw-qw97: org.neo4j.procedure:apoc Path Traversal Vulnerability

### Impact

A path traversal vulnerability was found in the `apoc.export.*` procedures of the APOC plugin for the Neo4j graph database. The issue allows a malicious actor to break out of the expected export directory. The vulnerability only allows files to be created, not overwritten. For the vulnerability to be exploited, an attacker would need the ability to execute an arbitrary query, either through access to an authenticated Neo4j client or through a Cypher injection vulnerability in an application. The procedure would also need to be allow-listed in the Neo4j configuration, and the APOC setting `apoc.export.file.enabled` must be set to true. On a UNIX-based system the following query allows arbitrary write access to the tmp folder:

`CALL apoc.export.csv.query('RETURN 1', 'file:///..//..//..//..//tmp/test.txt', {})`

### Patches

Users should aim to use the latest released version compatible with their Neo4j version. The minimum versions containing patch for this vulnerability a...

GHSA-vhvq-jh34-3fc8: Keycloak allows impersonation and lockout due to email trust not being handled correctly

A flaw was found in Keycloak. This flaw allows impersonation and lockout due to the email trust not being handled correctly in Keycloak. An attacker can shadow other users with the same email and lockout or impersonate them.

GHSA-jmj6-p2j9-68cp: Wildfly-elytron possibly vulnerable to timing attacks via use of unsafe comparator

wildfly-elytron: possible timing attacks via use of unsafe comparator. A flaw was found in Wildfly-elytron. Wildfly-elytron uses `java.util.Arrays.equals` in several places, which is not constant-time and is therefore vulnerable to timing attacks. To compare secret values securely, use `java.security.MessageDigest.isEqual` instead. This flaw allows an attacker to access secure information or impersonate an authenticated user.

GHSA-vvj3-85vf-fgmw: global-modules-path Command Injection vulnerability

Versions of the package global-modules-path before 3.0.0 are vulnerable to Command Injection due to missing input sanitization, with no other checks or sandboxing applied, in the `getPath` function.

GHSA-v436-q368-hvgg: Keycloak has lack of validation of access token on client registrations endpoint

A service account with the create-client or manage-clients role can use the client-registration endpoints to create or manage clients with an access token. If that access token is leaked, there is an option to revoke the specific token. However, the client-registration endpoints do not check whether the token has been revoked.

GHSA-fgwp-pwqq-g3w4: Bloom Uncontrolled Search Path Element vulnerability

Uncontrolled Search Path Element in GitHub repository bits-and-blooms/bloom prior to 3.3.1.

GHSA-qxxc-7mq4-mf79: Java Merge-sort Insecure Temporary File vulnerability

Versions of the package `com.fasterxml.util:java-merge-sort` before 1.1.0 are vulnerable to Insecure Temporary File in the `StdTempFileProvider()` function in `StdTempFileProvider.java`, which uses the permissive `File.createTempFile()` function, exposing temporary file contents.

GHSA-rv9x-wmw4-44qj: Pyload Insufficient Session Expiration vulnerability

Pyload 0.5.0b3.dev35 has an Insufficient Session Expiration vulnerability. A patch is available and anticipated to be part of version 0.5.0b3.dev36.

GHSA-m95x-m25c-w9mp: XML-RPC for PHP allows access to local files via malicious argument to the Client::send method

Abusing the `$method` argument of `Client::send`, it was possible to force the client to _access local files_ or _connect to undesired URLs_ instead of the intended target server's URL (the one used in the Client constructor). This weakness only affects installations where all of the following conditions apply at the same time:

- the xmlrpc Client is used, i.e. not xmlrpc servers
- untrusted data (e.g. data from remote users) is used as the value of the `$method` argument of method `Client::send()`, in conjunction with conditions which trigger usage of curl as the HTTP transport (i.e. either using the https, http11 or http2 protocols, or calling `Client::setUseCurl()` beforehand)
- either the Client's `return_type` property has been set to 'xml', or the resulting Response object's `httpResponse` member, which is intended to be used for debugging purposes only, is made available to third parties, e.g. by displaying it to the end user or serializing it in some storage (note that the same data can also be acces...

GHSA-7vcx-v65q-9wpg: XML-RPC for PHP's `Wrapper::buildClientWrapperCode` method allows code injection via malicious `$client` argument

In order for this weakness to be exploited, the following conditions have to apply at the same time:

- method `Wrapper::buildClientWrapperCode`, or any methods which depend on it, such as `Wrapper::wrapXmlrpcServer`, `Wrapper::wrapXmlrpcMethod` or `Wrapper::buildWrapMethodSource`, must be in use. Note that they are _not_ used by default in either the Client or Server classes provided by the library; the developer has to specifically make use of them in his/her own code
- the `$client` argument to either of those methods must have been built with malicious data, i.e. data controlled by a third party, passed to its constructor call

This is most likely an uncommon usage scenario, and as such the chances of exploitation may be low. *NB* the graphical debugger which is shipped as part of the library is vulnerable to this, when used with the option "Generate stub for method call" selected. In that case, the debugger will _display_ but not _execute_ the malicious code, which would have to b...