mat2 (aka metadata anonymisation toolkit) before 0.13.0 allows ../ directory traversal during the ZIP archive cleaning process. This primarily affects mat2 web instances, in which clients could obtain sensitive information via a crafted archive.
Refere…
[shiva] Tooxie Shiva 0.10.0 allows absolute path traversal because Flask send_file function used unsafely
The tooxie/shiva-server repository through 0.10.0 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-31558
https://github.com/tooxie/shiva-server/issues/…
[chainerrl-visualizer] ChainerRL Visualizer 0.1.1 vulnerable to Path Traversal via unsafe use of send_file function
The chainer/chainerrl-visualizer repository through 0.1.1 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-31573
https://github.com/github/securitylab/…
[microweber/microweber] Microweber before 1.2.21 allows attacker to bypass IP detection to brute-force password
In the login API, an IP address will by default be blocked when the user tries to login incorrectly more than 5 times. However, a bypass to this mechanism is possible by abusing a X-Forwarded-For header to bypass IP detection and perform a password bru…
[opendiamond] SatyaLab opendiamond 10.1.1 vulnerable to path traversal because Flask send_file function used unsafely
The cmusatyalab/opendiamond repository through 10.1.1 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. A patch is available on the master branch of the repository.
References
https://nvd.nist.gov/vuln/det…
[github.com/kubeedge/kubeedge] DoS in KubeEdge’s Websocket Client in package Viaduct
Impact
A large response received by the viaduct WSClient can cause a DoS from memory exhaustion. The entire body of the response is being read into memory which could allow an attacker to send a request that returns a response with a large body.
The co…
[github.com/kubeedge/kubeedge] Uncontrolled Resource Consumption in KubeEdge Cloud Stream and Edge Stream
Impact
The Cloud Stream server and the Edge Stream server reads the entire message into memory without imposing a limit on the size of this message. An attacker can exploit this by sending a large message to exhaust memory and cause a DoS. The Cloud St…
[github.com/kubeedge/kubeedge] Uncontrolled Resource Consumption in KubeEdge CloudCore Router
Impact
The CloudCore Router does not impose a limit on the size of responses to requests made by the REST handler. An attacker could use this weakness to make a request that will return an HTTP response with a large body and cause DoS of CloudCore. In …
[github.com/kubeedge/kubeedge] DoS in KubeEdge when signing the CSR from EdgeCore
Impact
EdgeCore may be susceptible to a DoS attack on CloudHub if an attacker was to send a well-crafted HTTP request to /edge.crt.
If an attacker can send a well-crafted HTTP request to CloudHub, and that request has a very large body, that request co…
[github.com/kubeedge/kubeedge] Uncontrolled Resource Consumption in KubeEdge Cloud AdmissionController component
Impact
Several endpoints including /devicemodels, /rules, /ruleendpoints, /offlinemigration in the Cloud Admissioncontroller may be susceptible to a DoS attack if an HTTP request containing a very large Body is sent to it.
Only an authenticated user ca…