Source
ghsa
### Impact A vulnerability in Multer versions >=1.4.4-lts.1 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process. ### Patches Users should upgrade to `2.0.0` ### Workarounds None ### References - https://github.com/expressjs/multer/issues/1176 - https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665
### Impact Multer <2.0.0 is vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal `busboy` stream is not closed, violating Node.js stream safety guidance. This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted. ### Patches Users should upgrade to `2.0.0` ### Workarounds None ### References - https://github.com/expressjs/multer/pull/1120 - https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665
### Impact A maliciously modified message can be passed to either `openpgp.verify` or `openpgp.decrypt`, causing these functions to return a valid signature verification result while returning data that was not actually signed. This flaw allows signature verifications of inline (non-detached) signed messages (using `openpgp.verify`) and signed-and-encrypted messages (using `openpgp.decrypt` with `verificationKeys`) to be spoofed, since both functions return extracted data that may not match the data that was originally signed. Detached signature verifications are not affected, as no signed data is returned in that case. In order to spoof a message, the attacker needs a single valid message signature (inline or detached) as well as the plaintext data that was legitimately signed, and can then construct an inline-signed message or signed-and-encrypted message with any data of the attacker's choice, which will appear as legitimately signed by affected versions of OpenPGP.js. In other w...
A security vulnerability was discovered in the `gardenlet` component of Gardener. It could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster(s) where their shoot clusters are managed. ### Am I Vulnerable? This CVE affects all Gardener installations where https://github.com/gardener/gardener-extension-provider-gcp is in use. ### Affected Components - `gardener/gardener` (`gardenlet`) ### Affected Versions - < v1.116.4 - < v1.117.5 - < v1.118.2 - < v1.119.0 ### Fixed Versions - >= v1.116.4 - >= v1.117.5 - >= v1.118.2 - >= v1.119.0 ### How do I mitigate this vulnerability? Update to a fixed version.
A security vulnerability was discovered in Gardener that could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster(s) where their shoot clusters are managed. ### Am I Vulnerable? This CVE affects all Gardener installations no matter of the public cloud provider(s) used for the seed clusters/shoot clusters. ### Affected Components - `gardener/gardener` ### Affected Versions - < v1.116.4 - < v1.117.5 - < v1.118.2 - < v1.119.0 ### Fixed Versions - >= v1.116.4 - >= v1.117.5 - >= v1.118.2 - >= v1.119.0 ### How do I mitigate this vulnerability? Update to a fixed version.
A security vulnerability was discovered in Gardener that could allow a user with administrative privileges for a Gardener project or a user with administrative privileges for a shoot cluster, including administrative privileges for a single namespace of the shoot cluster, to obtain control over the seed cluster where the shoot cluster is managed. ### Am I Vulnerable? This CVE affects all Gardener installations no matter of the public cloud provider(s) used for the seed clusters/shoot clusters. ### Affected Components - `gardener/external-dns-management` ### Affected Versions - < 0.23.6 ### Fixed Versions - >= 0.23.6 ### Important The `external-dns-management` component may also be deployed on the seeds by the https://github.com/gardener/gardener-extension-shoot-dns-service extension when the extension is enabled. In this case, all versions of the `shoot-dns-service` extension `<= v1.60.0` are affected by this vulnerability. ### How do I mitigate this vulnerability? Updat...
### Summary A path traversal vulnerability in `PackageIndex` was fixed in setuptools version 78.1.1 ### Details ``` def _download_url(self, url, tmpdir): # Determine download filename # name, _fragment = egg_info_for_url(url) if name: while '..' in name: name = name.replace('..', '.').replace('\\', '_') else: name = "__downloaded__" # default if URL has no path contents if name.endswith('.[egg.zip](http://egg.zip/)'): name = name[:-4] # strip the extra .zip before download --> filename = os.path.join(tmpdir, name) ``` Here: https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88 `os.path.join()` discards the first argument `tmpdir` if the second begins with a slash or drive letter. `name` is derived from a URL without sufficient sanitization. While there is some attempt to sanitize by replacing instanc...
### Summary A command echoing feature in the framework allows users to indirectly trigger privileged behavior by injecting special platform tags. Specifically, an unauthorized user can use the `/echo <qqbot-at-everyone />` command to cause the bot to send a message that mentions all members in the chat, bypassing any permission controls. This can lead to spam, disruption, or abuse of notification systems. ### Details The framework provides a command `/echo` that causes the bot to repeat any user-provided message verbatim in the group chat. However, the bot fails to sanitize or filter platform-specific control elements such as `<qqbot-at-everyone />`, which, when included in a message, mentions everyone (i.e., @全体成员). While normal users are forbidden from using this tag in normal chats, the bot, which has higher privileges, is allowed to do so. Since the `/echo` command blindly echoes any content, a user can exploit this by sending: ``` /echo <qqbot-at-everyone /> ``` The bo...
### LibreNMS v25.4.0 suffers from Stored Cross-Site Scripting (XSS) Vulnerability in the 'group name' parameter of the 'http://localhost/poller/groups' form. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users. ## ---------------------------------POC----------------------------- Before Setting: Enable 'distributed_poller' in http://localhost/settings/poller/distributed 1. Attacker creates a new poller group and injects the payload in the 'group name' parameter ``` payload: <script>alert('XSS')</script> ``` 2. Victim navigates to the 'http://localhost/addhost' to add a new host 3. The payload is executed code sink: https://github.com/librenms/librenms/blob/25.4.0/includes/html/pages/addhost.inc.php#L284
A vulnerability in the `preprocess_string()` function of the `transformers.testing_utils` module in huggingface/transformers version v4.48.3 allows for a Regular Expression Denial of Service (ReDoS) attack. The regular expression used to process code blocks in docstrings contains nested quantifiers, leading to exponential backtracking when processing input with a large number of newline characters. An attacker can exploit this by providing a specially crafted payload, causing high CPU usage and potential application downtime, effectively resulting in a Denial of Service (DoS) scenario.