     stdlib 1.22.5 (golang)
pkg:golang/stdlib@1.22.5
| Affected range | <1.22.7 | | Fixed version | 1.22.7 | | EPSS Score | 0.04% | | EPSS Percentile | 17th percentile |
Description
Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.
| Affected range | <1.22.7 | | Fixed version | 1.22.7 | | EPSS Score | 0.04% | | EPSS Percentile | 17th percentile |
Description
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
| Affected range | <1.22.7 | | Fixed version | 1.22.7 | | EPSS Score | 0.19% | | EPSS Percentile | 57th percentile |
Description
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
| Affected range | <1.22.7 | | Fixed version | 1.22.7 | | EPSS Score | 0.04% | | EPSS Percentile | 17th percentile |
Description
Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
|
stdlib 1.21.12 (golang)
pkg:golang/stdlib@1.21.12
| Affected range | <1.22.7 | | Fixed version | 1.22.7 | | EPSS Score | 0.04% | | EPSS Percentile | 17th percentile |
Description
Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.
| Affected range | <1.22.7 | | Fixed version | 1.22.7 | | EPSS Score | 0.04% | | EPSS Percentile | 17th percentile |
Description
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
| Affected range | <1.22.7 | | Fixed version | 1.22.7 | | EPSS Score | 0.19% | | EPSS Percentile | 57th percentile |
Description
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
| Affected range | <1.22.7 | | Fixed version | 1.22.7 | | EPSS Score | 0.04% | | EPSS Percentile | 17th percentile |
Description
Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
|
 dset 3.1.3 (npm)
pkg:npm/dset@3.1.3
 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
| Affected range | <3.1.4 | | Fixed version | 3.1.4 | | CVSS Score | 8.2 | | CVSS Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N | | EPSS Score | 0.04% | | EPSS Percentile | 10th percentile |
Description
Versions of the package dset before 3.1.4 are vulnerable to Prototype Pollution via the dset function due improper user input sanitization. This vulnerability allows the attacker to inject malicious object property using the built-in Object property proto, which is recursively assigned to all the objects in the program.
|
path-to-regexp 1.8.0 (npm)
pkg:npm/path-to-regexp@1.8.0
 Inefficient Regular Expression Complexity
| Affected range | >=0.2.0
<1.9.0
| | Fixed version | 1.9.0 | | CVSS Score | 7.5 | | CVSS Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P | | EPSS Score | 0.04% | | EPSS Percentile | 17th percentile |
Description
Impact
A bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b.
Patches
For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.
These versions add backtrack protection when a custom regex pattern is not provided:
They do not protect against vulnerable user supplied capture groups. Protecting against explicit user patterns is out of scope for old versions and not considered a vulnerability.
Version 7.1.0 can enable strict: true and get an error when the regular expression might be bad.
Version 8.0.0 removes the features that can cause a ReDoS.
Workarounds
All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b to /:a-:b([^-/]+).
If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length. For example, halving the attack string improves performance by 4x faster.
Details
Using /:a-:b will produce the regular expression /^\/([^\/]+?)-([^\/]+?)\/?$/. This can be exploited by a path such as /a${'-a'.repeat(8_000)}/a. OWASP has a good example of why this occurs, but the TL;DR is the /a at the end ensures this route would never match but due to naive backtracking it will still attempt every combination of the :a-:b on the repeated 8,000 -a.
Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and can lead to a DoS. In local benchmarks, exploiting the unsafe regex will result in performance that is over 1000x worse than the safe regex. In a more realistic environment using Express v4 and 10 concurrent connections, this translated to average latency of ~600ms vs 1ms.
References
|
body-parser 1.20.2 (npm)
pkg:npm/body-parser@1.20.2
 Asymmetric Resource Consumption (Amplification)
| Affected range | <1.20.3 | | Fixed version | 1.20.3 | | CVSS Score | 7.5 | | CVSS Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N | | EPSS Score | 0.05% | | EPSS Percentile | 18th percentile |
Description
Impact
body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service.
Patches
this issue is patched in 1.20.3
References
|
path-to-regexp 0.1.7 (npm)
pkg:npm/path-to-regexp@0.1.7
Inefficient Regular Expression Complexity
| Affected range | <0.1.10 | | Fixed version | 0.1.10 | | CVSS Score | 7.5 | | CVSS Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P | | EPSS Score | 0.04% | | EPSS Percentile | 17th percentile |
Description
Impact
A bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b.
Patches
For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.
These versions add backtrack protection when a custom regex pattern is not provided:
They do not protect against vulnerable user supplied capture groups. Protecting against explicit user patterns is out of scope for old versions and not considered a vulnerability.
Version 7.1.0 can enable strict: true and get an error when the regular expression might be bad.
Version 8.0.0 removes the features that can cause a ReDoS.
Workarounds
All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b to /:a-:b([^-/]+).
If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length. For example, halving the attack string improves performance by 4x faster.
Details
Using /:a-:b will produce the regular expression /^\/([^\/]+?)-([^\/]+?)\/?$/. This can be exploited by a path such as /a${'-a'.repeat(8_000)}/a. OWASP has a good example of why this occurs, but the TL;DR is the /a at the end ensures this route would never match but due to naive backtracking it will still attempt every combination of the :a-:b on the repeated 8,000 -a.
Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and can lead to a DoS. In local benchmarks, exploiting the unsafe regex will result in performance that is over 1000x worse than the safe regex. In a more realistic environment using Express v4 and 10 concurrent connections, this translated to average latency of ~600ms vs 1ms.
References
|
   krb5 1.19.2-2ubuntu0.3 (deb)
pkg:deb/ubuntu/krb5@1.19.2-2ubuntu0.3?os_distro=jammy&os_name=ubuntu&os_version=22.04
| Affected range | <1.19.2-2ubuntu0.4 | | Fixed version | 1.19.2-2ubuntu0.4 | | CVSS Score | 9.1 | | CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H | | EPSS Score | 0.09% | | EPSS Percentile | 38th percentile |
Description
In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.
| Affected range | <1.19.2-2ubuntu0.4 | | Fixed version | 1.19.2-2ubuntu0.4 | | CVSS Score | 7.5 | | CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | | EPSS Score | 0.09% | | EPSS Percentile | 38th percentile |
Description
In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.
| Affected range | >=0 | | Fixed version | Not Fixed | | EPSS Score | 0.04% | | EPSS Percentile | 10th percentile |
Description
Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.
| Affected range | >=0 | | Fixed version | Not Fixed | | EPSS Score | 0.04% | | EPSS Percentile | 10th percentile |
Description
Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.
| Affected range | >=0 | | Fixed version | Not Fixed | | EPSS Score | 0.04% | | EPSS Percentile | 10th percentile |
Description
Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.
|
  openssl 3.0.2-0ubuntu1.17 (deb)
pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.17?os_distro=jammy&os_name=ubuntu&os_version=22.04
| Affected range | <3.0.2-0ubuntu1.18 | | Fixed version | 3.0.2-0ubuntu1.18 | | EPSS Score | 0.04% | | EPSS Percentile | 17th percentile |
Description
Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process. Impact summary: Abnormal termination of an application can a cause a denial of service. Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an otherName subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program. Note that basic certificate chain validation (signatures, dates, ...) is not affected, the denial of service can occur only when the application also specifies an expected DNS name, Email address or IP address. TLS servers rarely solicit client certificates, and even when they do, they generally don't perform a name check against a reference identifier (expected identity), but rather extract the presented identity after checking the certificate chain. So TLS servers are generally not affected and the severity of the issue is Moderate. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.
| Affected range | >=0 | | Fixed version | Not Fixed | | EPSS Score | 0.04% | | EPSS Percentile | 17th percentile |
Description
Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.
|
gcc-12 12.3.0-1ubuntu1~22.04 (deb)
pkg:deb/ubuntu/gcc-12@12.3.0-1ubuntu1~22.04?os_distro=jammy&os_name=ubuntu&os_version=22.04
| Affected range | >=0 | | Fixed version | Not Fixed | | CVSS Score | 4.8 | | CVSS Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N | | EPSS Score | 0.06% | | EPSS Percentile | 26th percentile |
Description
DISPUTEDA failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca(). The stack-protector operates as intended for statically-sized local variables. The default behavior when the stack-protector detects an overflow is to terminate your application, resulting in controlled loss of availability. An attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program flow control to cause an uncontrolled loss of availability or to go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.
| Affected range | >=0 | | Fixed version | Not Fixed | | CVSS Score | 5.5 | | CVSS Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H | | EPSS Score | 0.09% | | EPSS Percentile | 39th percentile |
Description
libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.
|
libgcrypt20 1.9.4-3ubuntu3 (deb)
pkg:deb/ubuntu/libgcrypt20@1.9.4-3ubuntu3?os_distro=jammy&os_name=ubuntu&os_version=22.04
| Affected range | >=0 | | Fixed version | Not Fixed | | EPSS Score | 0.04% | | EPSS Percentile | 10th percentile |
Description
A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.
|
curl 7.81.0-1ubuntu1.17 (deb)
pkg:deb/ubuntu/curl@7.81.0-1ubuntu1.17?os_distro=jammy&os_name=ubuntu&os_version=22.04
| Affected range | <7.81.0-1ubuntu1.18 | | Fixed version | 7.81.0-1ubuntu1.18 | | EPSS Score | 0.04% | | EPSS Percentile | 17th percentile |
Description
When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate.
|
express 4.19.2 (npm)
pkg:npm/express@4.19.2
 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Affected range | <4.20.0 | | Fixed version | 4.20.0 | | CVSS Score | 5 | | CVSS Vector | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L | | EPSS Score | 0.05% | | EPSS Percentile | 18th percentile |
Description
Impact
In express <4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code
Patches
this issue is patched in express 4.20.0
Workarounds
users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist
Details
successful exploitation of this vector requires the following:
- The attacker MUST control the input to response.redirect()
- express MUST NOT redirect before the template appears
- the browser MUST NOT complete redirection before:
- the user MUST click on the link in the template
|
send 0.18.0 (npm)
pkg:npm/send@0.18.0
 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Affected range | <0.19.0 | | Fixed version | 0.19.0 | | CVSS Score | 5 | | CVSS Vector | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L | | EPSS Score | 0.05% | | EPSS Percentile | 18th percentile |
Description
Impact
passing untrusted user input - even after sanitizing it - to SendStream.redirect() may execute untrusted code
Patches
this issue is patched in send 0.19.0
Workarounds
users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist
Details
successful exploitation of this vector requires the following:
- The attacker MUST control the input to response.redirect()
- express MUST NOT redirect before the template appears
- the browser MUST NOT complete redirection before:
- the user MUST click on the link in the template
|
webpack 5.83.0 (npm)
pkg:npm/webpack@5.83.0
 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Affected range | >=5.0.0-alpha.0
<5.94.0
| | Fixed version | 5.94.0 | | CVSS Score | 6.4 | | CVSS Vector | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N | | EPSS Score | 0.06% | | EPSS Percentile | 26th percentile |
Description
Summary
We discovered a DOM Clobbering vulnerability in Webpack’s AutoPublicPathRuntimeModule. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.
We found the real-world exploitation of this gadget in the Canvas LMS which allows XSS attack happens through an javascript code compiled by Webpack (the vulnerable part is from Webpack). We believe this is a severe issue. If Webpack’s code is not resilient to DOM Clobbering attacks, it could lead to significant security vulnerabilities in any web application using Webpack-compiled code.
Details
Backgrounds
DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:
[1] https://scnps.co/papers/sp23_domclob.pdf
[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/
Gadgets found in Webpack
We identified a DOM Clobbering vulnerability in Webpack’s AutoPublicPathRuntimeModule. When the output.publicPath field in the configuration is not set or is set to auto, the following code is generated in the bundle to dynamically resolve and load additional JavaScript files:
/******/ /* webpack/runtime/publicPath */
/******/ (() => {
/******/ var scriptUrl;
/******/ if (__webpack_require__.g.importScripts) scriptUrl = __webpack_require__.g.location + "";
/******/ var document = __webpack_require__.g.document;
/******/ if (!scriptUrl && document) {
/******/ if (document.currentScript)
/******/ scriptUrl = document.currentScript.src;
/******/ if (!scriptUrl) {
/******/ var scripts = document.getElementsByTagName("script");
/******/ if(scripts.length) {
/******/ var i = scripts.length - 1;
/******/ while (i > -1 && (!scriptUrl || !/^http(s?):/.test(scriptUrl))) scriptUrl = scripts[i--].src;
/******/ }
/******/ }
/******/ }
/******/ // When supporting browsers where an automatic publicPath is not supported you must specify an output.publicPath manually via configuration
/******/ // or pass an empty string ("") and set the __webpack_public_path__ variable from your code to use your own logic.
/******/ if (!scriptUrl) throw new Error("Automatic publicPath is not supported in this browser");
/******/ scriptUrl = scriptUrl.replace(/#.*$/, "").replace(/\?.*$/, "").replace(/\/[^\/]+$/, "/");
/******/ __webpack_require__.p = scriptUrl;
/******/ })();
However, this code is vulnerable to a DOM Clobbering attack. The lookup on the line with document.currentScript can be shadowed by an attacker, causing it to return an attacker-controlled HTML element instead of the current script element as intended. In such a scenario, the src attribute of the attacker-controlled element will be used as the scriptUrl and assigned to __webpack_require__.p. If additional scripts are loaded from the server, __webpack_require__.p will be used as the base URL, pointing to the attacker's domain. This could lead to arbitrary script loading from the attacker's server, resulting in severe security risks.
PoC
Please note that we have identified a real-world exploitation of this vulnerability in the Canvas LMS. Once the issue has been patched, I am willing to share more details on the exploitation. For now, I’m providing a demo to illustrate the concept.
Consider a website developer with the following two scripts, entry.js and import1.js, that are compiled using Webpack:
// entry.js
import('./import1.js')
.then(module => {
module.hello();
})
.catch(err => {
console.error('Failed to load module', err);
});
// import1.js
export function hello () {
console.log('Hello');
}
The webpack.config.js is set up as follows:
const path = require('path');
module.exports = {
entry: './entry.js', // Ensure the correct path to your entry file
output: {
filename: 'webpack-gadgets.bundle.js', // Output bundle file
path: path.resolve(__dirname, 'dist'), // Output directory
publicPath: "auto", // Or leave this field not set
},
target: 'web',
mode: 'development',
};
When the developer builds these scripts into a bundle and adds it to a webpage, the page could load the import1.js file from the attacker's domain, attacker.controlled.server. The attacker only needs to insert an img tag with the name attribute set to currentScript. This can be done through a website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.
<!DOCTYPE html>
<html>
<head>
<title>Webpack Example</title>
<!-- Attacker-controlled Script-less HTML Element starts--!>
<img name="currentScript" src="https://attacker.controlled.server/"></img>
<!-- Attacker-controlled Script-less HTML Element ends--!>
</head>
<script src="./dist/webpack-gadgets.bundle.js"></script>
<body>
</body>
</html>
Impact
This vulnerability can lead to cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes.
Patch
A possible patch to this vulnerability could refer to the Google Closure project which makes itself resistant to DOM Clobbering attack: https://github.com/google/closure-library/blob/b312823ec5f84239ff1db7526f4a75cba0420a33/closure/goog/base.js#L174
/******/ /* webpack/runtime/publicPath */
/******/ (() => {
/******/ var scriptUrl;
/******/ if (__webpack_require__.g.importScripts) scriptUrl = __webpack_require__.g.location + "";
/******/ var document = __webpack_require__.g.document;
/******/ if (!scriptUrl && document) {
/******/ if (document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT') // Assume attacker cannot control script tag, otherwise it is XSS already :>
/******/ scriptUrl = document.currentScript.src;
/******/ if (!scriptUrl) {
/******/ var scripts = document.getElementsByTagName("script");
/******/ if(scripts.length) {
/******/ var i = scripts.length - 1;
/******/ while (i > -1 && (!scriptUrl || !/^http(s?):/.test(scriptUrl))) scriptUrl = scripts[i--].src;
/******/ }
/******/ }
/******/ }
/******/ // When supporting browsers where an automatic publicPath is not supported you must specify an output.publicPath manually via configuration
/******/ // or pass an empty string ("") and set the __webpack_public_path__ variable from your code to use your own logic.
/******/ if (!scriptUrl) throw new Error("Automatic publicPath is not supported in this browser");
/******/ scriptUrl = scriptUrl.replace(/#.*$/, "").replace(/\?.*$/, "").replace(/\/[^\/]+$/, "/");
/******/ __webpack_require__.p = scriptUrl;
/******/ })();
Please note that if we do not receive a response from the development team within three months, we will disclose this vulnerability to the CVE agent.
|
serve-static 1.15.0 (npm)
pkg:npm/serve-static@1.15.0
 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Affected range | <1.16.0 | | Fixed version | 1.16.0 | | CVSS Score | 5 | | CVSS Vector | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L | | EPSS Score | 0.05% | | EPSS Percentile | 22nd percentile |
Description
Impact
passing untrusted user input - even after sanitizing it - to redirect() may execute untrusted code
Patches
this issue is patched in serve-static 1.16.0
Workarounds
users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist
Details
successful exploitation of this vector requires the following:
- The attacker MUST control the input to response.redirect()
- express MUST NOT redirect before the template appears
- the browser MUST NOT complete redirection before:
- the user MUST click on the link in the template
|
ncurses 6.3-2ubuntu0.1 (deb)
pkg:deb/ubuntu/ncurses@6.3-2ubuntu0.1?os_distro=jammy&os_name=ubuntu&os_version=22.04
| Affected range | >=0 | | Fixed version | Not Fixed | | CVSS Score | 6.5 | | CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H | | EPSS Score | 0.05% | | EPSS Percentile | 21st percentile |
Description
NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().
| Affected range | >=0 | | Fixed version | Not Fixed | | EPSS Score | 0.04% | | EPSS Percentile | 17th percentile |
Description
ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c.
|
libzstd 1.4.8+dfsg-3build1 (deb)
pkg:deb/ubuntu/libzstd@1.4.8%2Bdfsg-3build1?os_distro=jammy&os_name=ubuntu&os_version=22.04
| Affected range | >=0 | | Fixed version | Not Fixed | | CVSS Score | 7.5 | | CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | | EPSS Score | 0.18% | | EPSS Percentile | 56th percentile |
Description
A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.
|
shadow 1:4.8.1-2ubuntu2.2 (deb)
pkg:deb/ubuntu/shadow@1:4.8.1-2ubuntu2.2?os_distro=jammy&os_name=ubuntu&os_version=22.04
| Affected range | >=0 | | Fixed version | Not Fixed | | CVSS Score | 3.3 | | CVSS Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | | EPSS Score | 0.04% | | EPSS Percentile | 17th percentile |
Description
In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.
|
cookie 0.6.0 (npm)
pkg:npm/cookie@0.6.0
 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
| Affected range | <0.7.0 | | Fixed version | 0.7.0 | | EPSS Score | 0.04% | | EPSS Percentile | 17th percentile |
Description
Impact
The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", value) would result in "userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test", setting userName cookie to <script> and ignoring value.
A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie.
Patches
Upgrade to 0.7.0, which updates the validation for name, path, and domain.
Workarounds
Avoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input.
References
|
gnupg2 2.2.27-3ubuntu2.1 (deb)
pkg:deb/ubuntu/gnupg2@2.2.27-3ubuntu2.1?os_distro=jammy&os_name=ubuntu&os_version=22.04
| Affected range | >=0 | | Fixed version | Not Fixed | | CVSS Score | 3.3 | | CVSS Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L | | EPSS Score | 0.05% | | EPSS Percentile | 18th percentile |
Description
GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.
|
pcre2 10.39-3ubuntu0.1 (deb)
pkg:deb/ubuntu/pcre2@10.39-3ubuntu0.1?os_distro=jammy&os_name=ubuntu&os_version=22.04
| Affected range | >=0 | | Fixed version | Not Fixed | | CVSS Score | 7.5 | | CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | | EPSS Score | 0.09% | | EPSS Percentile | 37th percentile |
Description
Integer overflow vulnerability in pcre2test before 10.41 allows attackers to cause a denial of service or other unspecified impacts via negative input.
|
cookie 0.4.2 (npm)
pkg:npm/cookie@0.4.2
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
| Affected range | <0.7.0 | | Fixed version | 0.7.0 | | EPSS Score | 0.04% | | EPSS Percentile | 17th percentile |
Description
Impact
The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", value) would result in "userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test", setting userName cookie to <script> and ignoring value.
A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie.
Patches
Upgrade to 0.7.0, which updates the validation for name, path, and domain.
Workarounds
Avoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input.
References
|
glibc 2.35-0ubuntu3.8 (deb)
pkg:deb/ubuntu/glibc@2.35-0ubuntu3.8?os_distro=jammy&os_name=ubuntu&os_version=22.04
| Affected range | >=0 | | Fixed version | Not Fixed | | CVSS Score | 7.5 | | CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | | EPSS Score | 0.18% | | EPSS Percentile | 56th percentile |
Description
sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.
|
pcre3 2:8.39-13ubuntu0.22.04.1 (deb)
pkg:deb/ubuntu/pcre3@2:8.39-13ubuntu0.22.04.1?os_distro=jammy&os_name=ubuntu&os_version=22.04
| Affected range | >=0 | | Fixed version | Not Fixed | | CVSS Score | 7.5 | | CVSS Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | | EPSS Score | 0.37% | | EPSS Percentile | 73rd percentile |
Description
In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.
|
systemd 249.11-0ubuntu3.12 (deb)
pkg:deb/ubuntu/systemd@249.11-0ubuntu3.12?os_distro=jammy&os_name=ubuntu&os_version=22.04
| Affected range | >=0 | | Fixed version | Not Fixed | | CVSS Score | 5.9 | | CVSS Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N | | EPSS Score | 0.06% | | EPSS Percentile | 28th percentile |
Description
A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.
|
coreutils 8.32-4.1ubuntu1.2 (deb)
pkg:deb/ubuntu/coreutils@8.32-4.1ubuntu1.2?os_distro=jammy&os_name=ubuntu&os_version=22.04
| Affected range | >=0 | | Fixed version | Not Fixed | | CVSS Score | 6.5 | | CVSS Vector | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N | | EPSS Score | 0.04% | | EPSS Percentile | 5th percentile |
Description
chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.
|
