Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-6j58-grhv-2769: ansible-runner vulnerable to shell command injection

A flaw was found in ansible-runner. An improper escaping of the shell command, while calling the ansible_runner.interface.run_command, can lead to parameters getting executed as host's shell command. A developer could unintentionally write code that gets executed in the host rather than the virtual environment.

ghsa
Open in Source
#git
GHSA-mw9h-hcp7-fgc6: Exposure of Sensitive Information in OPCFoundation.NetStandard.Opc.Ua.Server

OPC UA .NET Standard Reference Server 1.04.368 allows a remote attacker to cause the application to access sensitive information.

GHSA-mfpj-3qhm-976m: Uncontrolled Resource Consumption in asyncua and opcua

All versions of package opcua; all versions of package asyncua are vulnerable to Denial of Service (DoS) due to a missing limitation on the number of received chunks - per single session or in total for all concurrent sessions. An attacker can exploit this vulnerability by sending an unlimited number of huge chunks (e.g. 2GB each) without sending the Final closing chunk.

GHSA-qpgc-xh7j-52q8: node-opcua DoS vulnerability via message with memory allocation that exceeds v8's memory limit

The package node-opcua before 2.74.0 are vulnerable to Denial of Service (DoS) by sending a specifically crafted OPC UA message with a special OPC UA NodeID, when the requested memory allocation exceeds the v8’s memory limit.

GHSA-4hr4-pjjh-2q2w: Uncontrolled Resource Consumption in node-opcua

The package node-opcua before 2.74.0 are vulnerable to Denial of Service (DoS) due to a missing limitation on the number of received chunks - per single session or in total for all concurrent sessions. An attacker can exploit this vulnerability by sending an unlimited number of huge chunks (e.g. 2GB each) without sending the Final closing chunk.

GHSA-8mx2-gqx9-rm7f: Uncontrolled Resource Consumption in opcua

The package opcua from 0.0.0 are vulnerable to Denial of Service (DoS) due to a missing limitation on the number of received chunks - per single session or in total for all concurrent sessions. An attacker can exploit this vulnerability by sending an unlimited number of huge chunks (e.g. 2GB each) without sending the Final closing chunk.

GHSA-xc4w-28g8-vqm5: Path Traversal in Gravitee API Management

HTML injection combined with path traversal in the Email service in Gravitee API Management before 1.25.3 allows anonymous users to read arbitrary files via a /management/users/register request.

GHSA-5rf4-f24c-hpvh: SQL injection in jflyfox jfinal

JFinal CMS 5.1.0 is vulnerable to SQL Injection via /jfinal_cms/system/user/list.

GHSA-wv39-f3vx-3v6q: SQL injection in jflyfox jfinal

JFinal CMS 5.1.0 is vulnerable to SQL Injection via /jfinal_cms/system/role/list.

GHSA-cv6r-h2fm-pvrp: HTML Injection in ActiveMQ Artemis Web Console

In Apache ActiveMQ Artemis prior to 2.24.0, an attacker could show malicious content and/or redirect users to a malicious URL in the web console by using HTML in the name of an address or queue.