Threat and Vulnerability Intelligence Database

Description: Summary
When parsing form data, python-multipart skips line breaks (CR \r or LF \n) in front of the first boundary and any trailing bytes after the last boundary. This happens one byte at a time and emits a log event each time, which may cause excessive logging for certain inputs. An attacker could abuse this by sending a malicious request with lots of data before the first or after the last boundary, causing high CPU load and stalling the processing thread for a significant amount of time. In the case of an ASGI application, this could stall the event loop and prevent other requests from being processed, resulting in a denial of service (DoS).

Impact
Applications that use python-multipart to parse form data (or use frameworks that do so) are affected.

Original Report
This security issue was reported by:
GitHub security advisory in Starlette on October 30 by @Startr4ck
Email to python-multipart maintainer on October 3 by @mnqazi

References
https://github.com/Kludex/python-multipart/security/advisories/GHSA-59g5-xgcq-4qw3
https://nvd.nist.gov/vuln/detail/CVE-2024-53981
https://github.com/Kludex/python-multipart/commit/c4fe4d3cebc08c660e57dd709af1ffa7059b3177
https://github.com/advisories/GHSA-59g5-xgcq-4qw3
Source: Github Advisory Database (PIP)
December 3rd, 2024 (5 months ago)
Description: Summary
When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE.

Mitigation: Remove the LIBXML_DTDLOAD | LIBXML_DTDATTR options from $options in:
https://github.com/simplesamlphp/saml2/blob/717c0adc4877ebd58428637e5626345e59fa0109/src/SAML2/DOMDocumentFactory.php#L41

Background / details
To be published on Dec 8.

References
https://github.com/simplesamlphp/xml-common/security/advisories/GHSA-2x65-fpch-2fcm
https://github.com/simplesamlphp/xml-common/commit/fa4ade391c3194466acf5fbfd5d2ecdbf5e831f5
https://nvd.nist.gov/vuln/detail/CVE-2024-52596
https://lists.debian.org/debian-lts-announce/2024/12/msg00001.html
https://github.com/advisories/GHSA-2x65-fpch-2fcm
Source: Github Advisory Database (Composer)
December 3rd, 2024 (5 months ago)
Description: Summary
When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE.

Mitigation: Remove the LIBXML_DTDLOAD | LIBXML_DTDATTR options from $options in:
https://github.com/simplesamlphp/saml2/blob/717c0adc4877ebd58428637e5626345e59fa0109/src/SAML2/DOMDocumentFactory.php#L41

Background / details
To be published on Dec 8th.

References
https://github.com/simplesamlphp/saml2/security/advisories/GHSA-pxm4-r5ph-q2m2
https://github.com/simplesamlphp/saml2/commit/5fd4ce4596656fb0c1278f15b8305825412e89f7
https://nvd.nist.gov/vuln/detail/CVE-2024-52806
https://github.com/advisories/GHSA-pxm4-r5ph-q2m2
Source: Github Advisory Database (Composer)
December 3rd, 2024 (5 months ago)
Description: Impact
The Content name pattern is used to build Content names from one or more fields. An XSS vulnerability has been found in this mechanism. Content edit permission is required to exploit it. After the fix, any existing injected XSS will not run.

Patches
See "Patched versions".
https://github.com/ibexa/admin-ui/commit/8ec824a8cf06c566ed88e4c21cc66f7ed42649fc

Workarounds
None.

References
Advisory: https://developers.ibexa.co/security-advisories/ibexa-sa-2024-006-vulnerabilities-in-content-name-pattern-commerce-shop-and-varnish-vhost-templates
Release notes: https://doc.ibexa.co/en/latest/update_and_migration/from_4.6/update_from_4.6/#v4614

References
https://github.com/ibexa/admin-ui/security/advisories/GHSA-8w3p-gf85-qcch
https://nvd.nist.gov/vuln/detail/CVE-2024-53864
https://github.com/ibexa/admin-ui/commit/8ec824a8cf06c566ed88e4c21cc66f7ed42649fc
https://developers.ibexa.co/security-advisories/ibexa-sa-2024-006-vulnerabilities-in-content-name-pattern-commerce-shop-and-varnish-vhost-templates
https://doc.ibexa.co/en/latest/update_and_migration/from_4.6/update_from_4.6/#v4614
https://github.com/advisories/GHSA-8w3p-gf85-qcch
Source: Github Advisory Database (Composer)
December 3rd, 2024 (5 months ago)
Description: Impact
This is not a vulnerability in the code per se, but included Varnish VCL templates enable compression of API and JSON messages. This is a potential case of the BREACH vulnerability, which affects HTTP compression, where secrets can be extracted through carefully crafted requests. The fix disables compression in these templates. Please make sure to make the same change in your configuration files; see the release notes for specific instructions. Please check your web server configuration as well.

Patches
See "Patched versions".
https://github.com/ezsystems/ezplatform-http-cache/commit/ca8a5cf69b2c14fbec90412aeeef5c755c51457b

Workarounds
Make sure HTTP compression is disabled for REST API requests and other communication that might contain secrets.

References
Advisory: https://developers.ibexa.co/security-advisories/ibexa-sa-2024-006-vulnerabilities-in-content-name-pattern-commerce-shop-and-varnish-vhost-templates
Release notes: https://doc.ibexa.co/en/latest/update_and_migration/from_3.3/update_from_3.3/#v3341
https://github.com/ibexa/post-install/security/advisories/GHSA-4h8f-c635-25p7
https://github.com/ibexa/http-cache/security/advisories/GHSA-fh7v-q458-7vmw
https://www.breachattack.com/

References
https://github.com/ezsystems/ezplatform-http-cache/security/advisories/GHSA-mgfg-7533-7jf6
https://github.com/ibexa/http-cache/security/advisories/GHSA-fh7v-q458-7vmw
https://github.com/ibexa/post-install/security/advisories/GHSA-4h8f-c635-25p7
https://github.com/e...
Source: Github Advisory Database (Composer)
December 3rd, 2024 (5 months ago)