Description: Impact
The Python package "zhmcclient" writes password-like properties in clear text into its HMC and API logs in the following cases:
The 'boot-ftp-password' and 'ssc-master-pw' properties when creating or updating a partition in DPM mode, in the zhmcclient API and HMC logs
The 'ssc-master-pw' and 'zaware-master-pw' properties when updating an LPAR in classic mode, in the zhmcclient API and HMC logs
The 'ssc-master-pw' and 'zaware-master-pw' properties when creating or updating an image activation profile in classic mode, in the zhmcclient API and HMC logs
The 'password' property when creating or updating an HMC user, in the zhmcclient API log
The 'bind-password' property when creating or updating an LDAP server definition, in the zhmcclient API and HMC logs
This issue affects only users of the zhmcclient package that have enabled the Python loggers named "zhmcclient.api" (for the API log) or "zhmcclient.hmc" (for the HMC log) and that use the functions listed above.
Patches
Fixed in zhmcclient version 1.18.1.
Workarounds
Not applicable, since a fix is available.
References
None
References
https://github.com/zhmcclient/python-zhmcclient/security/advisories/GHSA-p57h-3cmc-xpjq
https://nvd.nist.gov/vuln/detail/CVE-2024-53865
https://github.com/zhmcclient/python-zhmcclient/commit/ad32781e782d0f604c6da4680fce48e4cc1f4433
https://github.com/advisories/GHSA-p57h-3cmc-xpjq
December 3rd, 2024

Description: pyspider through 0.3.10 allows /update XSS. NOTE: This vulnerability only affects products that are no longer supported by the maintainer
References
https://nvd.nist.gov/vuln/detail/CVE-2024-39162
https://docs.pyspider.org/en/latest
https://github.com/binux/pyspider
https://www.sonarsource.com/blog/basic-http-authentication-risk-uncovering-pyspider-vulnerabilities
https://github.com/advisories/GHSA-x4x5-jx9j-mmv7
December 3rd, 2024

Description: Summary
When parsing form data, python-multipart skips line breaks (CR \r or LF \n) in front of the first boundary and any trailing bytes after the last boundary. This happens one byte at a time and emits a log event each time, which may cause excessive logging for certain inputs.
An attacker could abuse this by sending a malicious request with lots of data before the first or after the last boundary, causing high CPU load and stalling the processing thread for a significant amount of time. In the case of an ASGI application, this could stall the event loop and prevent other requests from being processed, resulting in a denial of service (DoS).
Impact
Applications that use python-multipart to parse form data (or use frameworks that do so) are affected.
Original Report
This security issue was reported by:
GitHub security advisory in Starlette on October 30 by @Startr4ck
Email to python-multipart maintainer on October 3 by @mnqazi
References
https://github.com/Kludex/python-multipart/security/advisories/GHSA-59g5-xgcq-4qw3
https://nvd.nist.gov/vuln/detail/CVE-2024-53981
https://github.com/Kludex/python-multipart/commit/c4fe4d3cebc08c660e57dd709af1ffa7059b3177
https://github.com/advisories/GHSA-59g5-xgcq-4qw3
December 3rd, 2024

Description: Summary
When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE.
Mitigation:
Remove the LIBXML_DTDLOAD | LIBXML_DTDATTR options from $options in: https://github.com/simplesamlphp/saml2/blob/717c0adc4877ebd58428637e5626345e59fa0109/src/SAML2/DOMDocumentFactory.php#L41
Background / details
To be published on Dec 8.
References
https://github.com/simplesamlphp/xml-common/security/advisories/GHSA-2x65-fpch-2fcm
https://github.com/simplesamlphp/xml-common/commit/fa4ade391c3194466acf5fbfd5d2ecdbf5e831f5
https://nvd.nist.gov/vuln/detail/CVE-2024-52596
https://lists.debian.org/debian-lts-announce/2024/12/msg00001.html
https://github.com/advisories/GHSA-2x65-fpch-2fcm
December 3rd, 2024

Description: Summary
When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE.
Mitigation:
Remove the LIBXML_DTDLOAD | LIBXML_DTDATTR options from $options in: https://github.com/simplesamlphp/saml2/blob/717c0adc4877ebd58428637e5626345e59fa0109/src/SAML2/DOMDocumentFactory.php#L41
Background / details
To be published on Dec 8th
References
https://github.com/simplesamlphp/saml2/security/advisories/GHSA-pxm4-r5ph-q2m2
https://github.com/simplesamlphp/saml2/commit/5fd4ce4596656fb0c1278f15b8305825412e89f7
https://nvd.nist.gov/vuln/detail/CVE-2024-52806
https://github.com/advisories/GHSA-pxm4-r5ph-q2m2
December 3rd, 2024