#git

### Summary When assert statements are bypassed, an infinite loop can occur, resulting in a DoS attack when processing a POST body. ### Impact If optimisations are enabled (`-O` or `PYTHONOPTIMIZE=1`), and the application includes a handler that uses the `Request.post()` method, then an attacker may be able to execute a DoS attack with a specially crafted message. ------ Patch: https://github.com/aio-libs/aiohttp/commit/bc1319ec3cbff9438a758951a30907b072561259

### Summary Path normalization for static files prevents path traversal, but opens up the ability for an attacker to ascertain the existence of absolute path components. ### Impact If an application uses `web.static()` (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components. ------ Patch: https://github.com/aio-libs/aiohttp/commit/f2a86fd5ac0383000d1715afddfa704413f0711e

### Summary The parser allows non-ASCII decimals to be present in the Range header. ### Impact There is no known impact, but there is the possibility that there's a method to exploit a request smuggling vulnerability. ---- Patch: https://github.com/aio-libs/aiohttp/commit/c7b7a044f88c71cefda95ec75cdcfaa4792b3b96

### Summary The Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. ### Impact If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. ------ Patch: https://github.com/aio-libs/aiohttp/commit/32677f2adfd907420c078dda6b79225c6f4ebce0

### Summary A zip bomb can be used to execute a DoS against the aiohttp server. ### Impact An attacker may be able to send a compressed request that when decompressed by aiohttp could exhaust the host's memory. ------ Patch: https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a

### Impact For sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the [public API](https://vega.github.io/vega/docs/expressions/)) could be used to run unintentional javascript (XSS). ### Patches Fixed in vega-functions `6.1.1` ### Workarounds There is no workaround besides upgrading. Using `vega.expressionInterpreter` as described in [CSP safe mode](https://vega.github.io/vega/usage/interpreter/) does not prevent this issue. ### Exploit Proof of Concept Vega's expression `modify()` [function](https://github.com/vega/vega/blob/d8add5819346e5af597d82ef8253742acc0283ba/packages/vega-functions/src/functions/modify.js#L40), used by setdata, allows attacker to control both the method called and the values supplied, which results to XSS . This was a previous POC: ```json { "$schema": "https://vega.github.io/schema/vega/v6.json", "data": [ { "name": "table", "values": [ {"category": "A", "amount": 2...

## Impact Applications meeting these two conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" [expressionInterpreter](https://vega.github.io/vega/usage/interpreter/) is used. 1. Use `vega` in an application that attaches both `vega` library and a `vega.View` instance similar to the Vega [Editor](https://github.com/vega/editor) to the global `window`, or has any other satisfactory function gadgets in the global scope 2. Allow user-defined Vega `JSON` definitions (vs JSON that was is only provided through source code) ## Patches - With Vega v6, use `vega-selections@6.1.2` (requires ESM) - With Vega v5, use `vega-selections@5.6.3` (No ESM needed) ## Workarounds - Do not attach `vega` or `vega.View` instances to global variables or the window as the editor used to do [here](https://github.com/vega/editor/blob/e102355589d23cdd0dbfd607a2cc5f9c5b7a4c55/src/components/renderer/renderer.tsx#L239) . This is a development-only debugging practice that should n...

### Impact The primary impact is allowing users to fetch data from a remote URL. This data can be then injected into Spinnaker pipelines via helm or other methods to extract things LIKE idmsv1 authentication data. This ALSO includes calling INTERNAL Spinnaker API's via a get and similar endpoints. Further, depending upon the artifact configuration, auth data may be exposed to arbitrary endpoints (e.g. GitHub auth headers) leading to credentials exposure. To trigger this, a Spinnaker installation MUST have: * An artifact enabled that allows user input. This includes GitHub file artifacts, BitBucket, GitLab, HTTP artifacts and similar artifact providers. JUST enabling the http artifact provider will add a "no-auth" http provider that could be used to extract link local data (e.g. AWS Metadata information). * A system that can consume the output of these artifacts. E.g. Rosco helm can use this to fetch values data. K8s account manifests if the API returns JSON can be used to in...

### Impact Projects using the SUSE Virtualization (Harvester) environment are vulnerable to this exploit if they are using the 1.5.x or 1.6.x interactive installer to either create a new cluster or add new hosts to an existing cluster. The environment is not affected if the [PXE boot mechanism](https://docs.harvesterhci.io/v1.7/install/pxe-boot-install/) is utilized along with the [Harvester configuration](https://docs.harvesterhci. io/v1.7/install/harvester-configuration) setup. A critical vulnerability has been identified within the SUSE Virtualization interactive installer. This vulnerability allows an attacker to gain unauthorized network access to the host via a remote shell (SSH). The SUSE Virtualization operating system includes a default administrative login credential intended solely for out-of-band cluster management tasks (for example, perform troubleshooting, device management and system recovery over serial ports). When the interactive installer is used to create or ex...

### Summary Authenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon's file export functionality. <img width="664" height="899" alt="image" src="https://github.com/user-attachments/assets/fd1ca69e-b275-4daf-9a62-621cde6525f5" /> <img width="2358" height="445" alt="image" src="https://github.com/user-attachments/assets/fad81152-9e1b-413e-9823-09540a23e2fb" /> ### Details The Backup addon does not validate the `EXPDIR` POST parameter against the UI-generated allowlist of permitted directories. An attacker can supply relative paths containing `../` sequences (or even absolute paths inside the document root) to include any readable file in the generated `.tar.gz` archive. Vulnerable code: - `redaxo/src/addons/backup/pages/export.php` (lines 72-76) – directly uses `$_POST['EXPDIR']` - `redaxo/src/addons/backup/lib/backup.php` (lines ~413 & ~427) – concatenates unsanitized user input with base path This allows disclo...