Threat and Vulnerability Intelligence Database

Description: Nette Database through 3.2.4 allows SQL injection in certain situations involving an untrusted filter that is directly passed to the where method.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-55586
https://github.com/CSIRTTrizna/CVE-2024-55586
https://github.com/nette/database/releases
https://www.csirt.sk/nette-framework-vulnerability-permits-sql-injection.html
https://github.com/advisories/GHSA-f626-677r-j5vq
Source: Github Advisory Database (Composer)
December 10th, 2024 (4 months ago)
Description: The Federal Trade Commission (FTC) is distributing over $72 million in Epic Game Fortnite refunds for the company's use of dark patterns to trick players into making unwanted purchases. [...]
Source: BleepingComputer
December 10th, 2024 (4 months ago)
Description: CWA-2024-009
Severity: Low (Marginal + Likely)[^1]
Affected versions: wasmd < 0.53.1
Patched versions: wasmd 0.53.2 (please note that wasmd 0.53.1 is broken and must not be used)
Description of the bug: (Blank for now. We'll add more detail once chains had a chance to upgrade.)
Mitigations: Apart from upgrading, it is recommended not to open the gRPC and REST APIs of validator nodes to the public internet. Use isolated and resource-constrained environments for running separate public RPC nodes instead. These can then easily be thrown away and replaced with new instances in case of problems.
Applying the patch (official wasmd patch): The patch will be shipped in a wasmd release. You will also have to update libwasmvm if you build statically. If you already use the latest / close to latest wasmd, you can update more or less as follows:
1. Check the current wasmd version: go list -m github.com/CosmWasm/wasmd
2. Bump the github.com/CosmWasm/wasmd dependency in your go.mod to 0.53.2 (Cosmos SDK 0.50 compatible); go mod tidy; commit.
3. If you use the static libraries libwasmvm_muslc.aarch64.a/libwasmvm_muslc.x86_64.a, make sure that you use the same version as your wasmvm version.
4. Check the updated wasmd version: go list -m github.com/CosmWasm/wasmd and ensure you see 0.53.2.
5. Follow your regular practices to deploy chain upgrades.
To double check that the correct library version is loaded at runtime, use this query: <appd> query wasm libwasmvm-version. It must show 2.1.4. The patch is not...
Source: Github Advisory Database (Go)
December 10th, 2024 (4 months ago)
Description: CWA-2024-008
Severity: Medium (Moderate + Likely)[^1]
Affected versions: wasmvm >= 2.1.0, < 2.1.3; wasmvm >= 2.0.0, < 2.0.4; wasmvm < 1.5.5; cosmwasm-vm >= 2.1.0, < 2.1.4; cosmwasm-vm >= 2.0.0, < 2.0.7; cosmwasm-vm < 1.5.8
Patched versions: wasmvm 1.5.5, 2.0.4, 2.1.3; cosmwasm-vm 1.5.8, 2.0.7, 2.1.4
Description of the bug: (Blank for now. We'll add more detail once chains had a chance to upgrade.)
Patch 1.5: https://github.com/CosmWasm/cosmwasm/commit/edcdbc520d4f5521eed42de6e2869658278e91fd
Patch 2.0: https://github.com/CosmWasm/cosmwasm/commit/f63429ca59eb44dd5d780c1572016581337091e4
Patch 2.1: https://github.com/CosmWasm/cosmwasm/commit/108e7dcbf9c21df0fa83f355ad3a7355d7f220cb
Applying the patch: The patch will be shipped in releases of wasmvm. You can update more or less as follows:
1. Check the current wasmvm version: go list -m github.com/CosmWasm/wasmvm
2. Bump the github.com/CosmWasm/wasmvm dependency in your go.mod to 1.5.5, 2.0.4 or 2.1.3, depending on which minor version you are on; go mod tidy; commit.
3. If you use the static libraries libwasmvm_muslc.aarch64.a/libwasmvm_muslc.x86_64.a, update them accordingly.
4. Check the updated wasmvm version: go list -m github.com/CosmWasm/wasmvm and ensure you see 1.5.5, 2.0.4 or 2.1.3.
5. Follow your regular practices to deploy chain upgrades.
To double check that the correct library version is loaded at runtime, use this query: <appd> query wasm libwasmvm-version. It must show 1.5.5, 2.0.4 or 2.1.3. The patch is consensus breaking and requires a coordinate...
Source: Github Advisory Database (Go)
December 10th, 2024 (4 months ago)
Description: CWA-2024-007
Severity: Medium (Moderate + Likely)[^1]
Affected versions: wasmvm >= 2.1.0, < 2.1.3; wasmvm >= 2.0.0, < 2.0.4; wasmvm < 1.5.5; cosmwasm-vm >= 2.1.0, < 2.1.4; cosmwasm-vm >= 2.0.0, < 2.0.7; cosmwasm-vm < 1.5.8
Patched versions: wasmvm 1.5.5, 2.0.4, 2.1.3; cosmwasm-vm 1.5.8, 2.0.7, 2.1.4
Description of the bug: (Blank for now. We'll add more detail once chains had a chance to upgrade.)
Patch 1.5: https://github.com/CosmWasm/cosmwasm/commit/16eabd681790508b13dac8e67f9e6e61045240ea
Patch 2.0: https://github.com/CosmWasm/cosmwasm/commit/0e70bd83119b02f99a2c0397f0913e0803750fd9
Patch 2.1: https://github.com/CosmWasm/cosmwasm/commit/f5bf24f3acadca2892afd58cc3ce5fdeb932d492
Applying the patch: The patch will be shipped in releases of wasmvm. You can update more or less as follows:
1. Check the current wasmvm version: go list -m github.com/CosmWasm/wasmvm
2. Bump the github.com/CosmWasm/wasmvm dependency in your go.mod to 1.5.5, 2.0.4 or 2.1.3, depending on which minor version you are on; go mod tidy; commit.
3. If you use the static libraries libwasmvm_muslc.aarch64.a/libwasmvm_muslc.x86_64.a, update them accordingly.
4. Check the updated wasmvm version: go list -m github.com/CosmWasm/wasmvm and ensure you see 1.5.5, 2.0.4 or 2.1.3.
5. Follow your regular practices to deploy chain upgrades.
To double check that the correct library version is loaded at runtime, use this query: <appd> query wasm libwasmvm-version. It must show 1.5.5, 2.0.4 or 2.1.3. The patch is consensus breaking and requires a coordinate...
Source: Github Advisory Database (Go)
December 10th, 2024 (4 months ago)
Description: CWA-2024-008
Severity: Medium (Moderate + Likely)[^1]
Affected versions: wasmvm >= 2.1.0, < 2.1.3; wasmvm >= 2.0.0, < 2.0.4; wasmvm < 1.5.5; cosmwasm-vm >= 2.1.0, < 2.1.4; cosmwasm-vm >= 2.0.0, < 2.0.7; cosmwasm-vm < 1.5.8
Patched versions: wasmvm 1.5.5, 2.0.4, 2.1.3; cosmwasm-vm 1.5.8, 2.0.7, 2.1.4
Description of the bug: (Blank for now. We'll add more detail once chains had a chance to upgrade.)
Patch 1.5: https://github.com/CosmWasm/cosmwasm/commit/edcdbc520d4f5521eed42de6e2869658278e91fd
Patch 2.0: https://github.com/CosmWasm/cosmwasm/commit/f63429ca59eb44dd5d780c1572016581337091e4
Patch 2.1: https://github.com/CosmWasm/cosmwasm/commit/108e7dcbf9c21df0fa83f355ad3a7355d7f220cb
Applying the patch: The patch will be shipped in releases of wasmvm. You can update more or less as follows:
1. Check the current wasmvm version: go list -m github.com/CosmWasm/wasmvm
2. Bump the github.com/CosmWasm/wasmvm dependency in your go.mod to 1.5.5, 2.0.4 or 2.1.3, depending on which minor version you are on; go mod tidy; commit.
3. If you use the static libraries libwasmvm_muslc.aarch64.a/libwasmvm_muslc.x86_64.a, update them accordingly.
4. Check the updated wasmvm version: go list -m github.com/CosmWasm/wasmvm and ensure you see 1.5.5, 2.0.4 or 2.1.3.
5. Follow your regular practices to deploy chain upgrades.
To double check that the correct library version is loaded at runtime, use this query: <appd> query wasm libwasmvm-version. It must show 1.5.5, 2.0.4 or 2.1.3. The patch is consensus breaking and requires a coordinate...
Source: Github Advisory Database (Rust)
December 10th, 2024 (4 months ago)
Description: CWA-2024-007
Severity: Medium (Moderate + Likely)[^1]
Affected versions: wasmvm >= 2.1.0, < 2.1.3; wasmvm >= 2.0.0, < 2.0.4; wasmvm < 1.5.5; cosmwasm-vm >= 2.1.0, < 2.1.4; cosmwasm-vm >= 2.0.0, < 2.0.7; cosmwasm-vm < 1.5.8
Patched versions: wasmvm 1.5.5, 2.0.4, 2.1.3; cosmwasm-vm 1.5.8, 2.0.7, 2.1.4
Description of the bug: (Blank for now. We'll add more detail once chains had a chance to upgrade.)
Patch 1.5: https://github.com/CosmWasm/cosmwasm/commit/16eabd681790508b13dac8e67f9e6e61045240ea
Patch 2.0: https://github.com/CosmWasm/cosmwasm/commit/0e70bd83119b02f99a2c0397f0913e0803750fd9
Patch 2.1: https://github.com/CosmWasm/cosmwasm/commit/f5bf24f3acadca2892afd58cc3ce5fdeb932d492
Applying the patch: The patch will be shipped in releases of wasmvm. You can update more or less as follows:
1. Check the current wasmvm version: go list -m github.com/CosmWasm/wasmvm
2. Bump the github.com/CosmWasm/wasmvm dependency in your go.mod to 1.5.5, 2.0.4 or 2.1.3, depending on which minor version you are on; go mod tidy; commit.
3. If you use the static libraries libwasmvm_muslc.aarch64.a/libwasmvm_muslc.x86_64.a, update them accordingly.
4. Check the updated wasmvm version: go list -m github.com/CosmWasm/wasmvm and ensure you see 1.5.5, 2.0.4 or 2.1.3.
5. Follow your regular practices to deploy chain upgrades.
To double check that the correct library version is loaded at runtime, use this query: <appd> query wasm libwasmvm-version. It must show 1.5.5, 2.0.4 or 2.1.3. The patch is consensus breaking and requires a coordinate...
Source: Github Advisory Database (Rust)
December 10th, 2024 (4 months ago)
Description: Impact: An attacker can write a malicious expression that escapes the sandbox to execute arbitrary code on the system.
Example of vulnerable code:
const expressions = require("angular-expressions");
const result = expressions.compile("__proto__.constructor")({}, {});
// result should be undefined; however, for versions <= 1.4.2 it returns an object.
With a more complex (undisclosed) payload, one can get full arbitrary code execution on the system.
Patches: The problem has been patched in version 1.4.3 of angular-expressions.
Workarounds: There is one workaround if it is not possible for you to update: make sure that you call the compiled function with just one argument, i.e. this is not vulnerable:
const result = expressions.compile("__proto__.constructor")({});
In this case you lose the locals feature if you need it.
Credits: Credits go to JorianWoltjer, who found the issue and reported it to us. https://jorianwoltjer.com/
References:
https://github.com/peerigon/angular-expressions/security/advisories/GHSA-5462-4vcx-jh7j
https://github.com/peerigon/angular-expressions/commit/97f7ad94006156eeb97fc942332578b6cfbf8eef
https://github.com/advisories/GHSA-5462-4vcx-jh7j
Source: Github Advisory Database (NPM)
December 10th, 2024 (4 months ago)