ghsa

The bzip2 crate before 0.4.4 for Rust allow attackers to cause a denial of service via a large file that triggers an integer overflow in `mem.rs`. NOTE: this is unrelated to the https://crates.io/crates/bzip2-rs product.

### Impact Due to a workaround for an old client bug (which has since been fixed), very large JSON payloads in `ModalFormResponsePacket` were able to cause the server to spend a significant amount of time processing the packet. Large numbers of these packets were able to hog CPU time so as to prevent the server from processing other connections in a timely manner. ### Patches The problem has been addressed in 3baa5ab71214f96e6e7ab12cb9beef08118473b5 by removing the workaround code. ### Workarounds Plugins could cancel `DataPacketReceiveEvent` for this packet, decode the data their way, and then call `Player->onFormSubmit()` directly, bypassing the vulnerable code.

### Summary API interfaces with unauthorized access will leak sensitive information /api/v1/clusters/kubeconfig/<clusterName> ### Details Routes using v1 without any restrictions <img width="930" alt="image" src="https://user-images.githubusercontent.com/35884266/211258033-84aa14fb-01d5-459c-af81-e48b7552fabf.png"> Directly pass in `downloadKubeconfig` according to the cluster name <img width="960" alt="image" src="https://user-images.githubusercontent.com/35884266/211258011-d885fda6-06c3-4603-be4a-38d9c9b918b4.png"> pkg/router/v1/white.go no restrictions ```go func downloadKubeconfig(ctx context.Context) { clusterName := ctx.Params().GetString("name") ctx.Header("Content-Disposition", "attachment") ctx.Header("filename", fmt.Sprintf("%s-config", clusterName)) ctx.Header("Content-Type", "application/download") clusterService := service.NewClusterService() str, err := clusterService.GetKubeconfig(clusterName) if err != nil { _, _ = ctx.JSON(err) ctx.StatusCode(http.StatusI...

### Summary A session fixation attack allows an attacker to hijack a legitimate user session. The attack investigates a flaw in how the online application handles the session ID, especially the susceptible web application. ### Affected Version <= v1.6.3 ### For more information If you have any questions or comments about this advisory, please [open an issue](https://github.com/KubeOperator/KubePi/issues). This vulnerability is reported by [sachinh09](https://huntr.dev/users/sachinh09/) from [huntr.dev](https://huntr.dev/).

### Summary API interfaces with unauthorized access will leak sensitive information /kubepi/api/v1/systems/operation/logs/search /kubepi/api/v1/systems/login/logs/search This vulnerability also exists in https://github.com/KubeOperator/KubeOperator ### Details The vulnerability is located in KubePi/internal/api/v1/v1.go <img width="855" alt="image" src="https://user-images.githubusercontent.com/35884266/211234101-8c325e46-bf65-44ee-9fcb-7a1dc3a39c03.png"> `sp.Post("/login/logs/search", handler.LoginLogsSearch())` directly uses the v1 route without middleware authentication <img width="961" alt="image" src="https://user-images.githubusercontent.com/35884266/211234091-fe8cf249-8806-4124-92d0-4fd58753fa48.png"> Follow up found no role based authentication <img width="919" alt="image" src="https://user-images.githubusercontent.com/35884266/211234162-0a6cbaa1-1f83-4361-aa26-a72cd117d64d.png"> `sp.Post("/operation/logs/search", handler.OperationLogsSearch())` the same as above <img w...

### Impact Any users of Mercurius until version v11.5.0 are subjected to a denial of service attack by sending a malformed packet over WebSocket to `/graphql`. ### Patches This was patched in https://github.com/mercurius-js/mercurius/pull/940. ### Workarounds Disable subscriptions. ### References Reported publicly as https://github.com/mercurius-js/mercurius/issues/939. The same problem was solved in https://github.com/fastify/fastify-websocket/pull/228

The git gem, between versions 1.2.0 and 1.12.0, incorrectly parsed the output of the `git ls-files` command using `eval()` to unescape quoted file names. If a file name was added to the git repository contained special characters, such as `\n`, then the `git ls-files` command would print the file name in quotes and escape any special characters. If the `Git#ls_files` method encountered a quoted file name it would use `eval()` to unquote and unescape any special characters, leading to potential remote code execution. Version 1.13.0 of the git gem was released which correctly parses any quoted file names.

### Impact `DyeColorIdMap->fromId()` did not account for the possibility that it might be given invalid input. This means that an undefined offset error would occur whenever this happened. This code is indirectly called during [`Banner->deserializeCompoundTag()`](https://github.com/pmmp/PocketMine-MP/blob/38d6284671e8b657ba557e765a6c29b24a7705f5/src/item/Banner.php#L104), which is invoked when deserializing any item NBT, whether from network or disk. An attacker could use this bug to crash a server by providing NBT with invalid values for pattern colours in an inventory transaction, or by using `/give` to obtain an item with NBT like this. ### Patches 08b9495bce2d65a6d1d3eeb76e484499a00765eb ### Workarounds This is quite difficult to work around via a plugin. Theoretically, it's possible to override the `Banner` item class from a plugin and validate the data before it reaches `deserializeCompoundTag()`. ### For more information If you have any questions or comments about this advi...

An open redirect vulnerability exists in Okta OIDC Middleware prior to version 5.0.0 allowing an attacker to redirect a user to an arbitrary URL. **Affected products and versions** Okta OIDC Middleware prior to version 5.0.0. **Resolution** The vulnerability is fixed in OIDC Middleware 5.0.0. To remediate this vulnerability, upgrade Okta OIDC Middleware to this version or later. **CVE details** **CVE ID:** [CVE-2022-3145](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-3145) **Published Date:** 01/05/2023 **Vulnerability Type:** Open Redirect **CWE:** CWE-601 **CVSS v3.1 Score:** 4.3 **Severity:** Medium **Vector string:** AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N **Severity Details** To exploit this issue, an attacker would need to send a victim a malformed URL containing a target server that they control. Once a user successfully completed the login process, the victim user would then be redirected to the attacker controlled site. **References** https://github.com/okta/okta-oi...

### Impact Due to a vulnerability in `jackson-databind <= 2.12.6.0`, an authenticated attacker could craft an Apiman policy configuration which, when saved, may cause a denial of service on the Apiman Manager API. This does **not** affect the Apiman Gateway. ### Patches Upgrade to Apiman 3.0.0.Final or later. If you are using an older version of Apiman and need to remain on that version, contact your Apiman [support provider](https://www.apiman.io/support.html) for advice/long-term support. ### Workarounds If all users of the Apiman Manager are trusted then you may assess this is low risk, as an account is required to exploit the vulnerability. ### References * Apiman maintainer and security contact: marc@blackparrotlabs.io * https://nvd.nist.gov/vuln/detail/CVE-2020-36518 * https://github.com/FasterXML/jackson-databind/issues/2816