Impact
A vulnerability in an upstream library means an authenticated attacker can abuse locale input to execute arbitrary commands from a file that has previously been uploaded using the file upload functionality in the post editor.
Patches
Fixed in 5….
[github.com/edgexfoundry/app-functions-sdk-go/v2] Configuration API in EdgeXFoundry 2.1.0 and earlier exposes message bus credentials to local unauthenticated users
Impact
The /api/v2/config endpoint exposes message bus credentials to local unauthenticated users. In security-enabled mode, message bus credentials are supposed to be kept in the EdgeX secret store and require authentication to access. This vulnerab…
[@backstage/techdocs-common] Path traversal for local publishers in TechDocs backend
Impact
A malicious actor with the ability to register entities in the Software Catalog is able to write files to arbitrary paths on the techdocs backend host instance when techdocs.publisher.type is set to local.
This vulnerability is mitigated by the …
[github.com/argoproj/argo-events] Insecure path traversal in Git Trigger Source can lead to arbitrary file read
Impact
A path traversal issue was found in the (g *GitArtifactReader).Read() API. Read() calls into (g *GitArtifactReader).readFromRepository() that opens and reads the file that contains the trigger resource definition:
func (g *GitArtifactReader) rea…
[github.com/argoproj/argo-events] Uses of deprecated API can be used to cause DoS in user-facing endpoints
Impact
Several HandleRoute endpoints make use of the deprecated ioutil.ReadAll(). ioutil.ReadAll() reads all the data into memory. As such, an attacker who sends a large request to the Argo Events server will be able to crash it and cause denial of ser…
[undici] ProxyAgent vulnerable to MITM
Description
Undici.ProxyAgent never verifies the remote server’s certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy’s URL is HTTP then it also …
[github.com/biscuit-auth/biscuit-go] Signature forgery in Biscuit
Impact
The paper Cryptanalysis of Aggregate Γ-Signature and Practical Countermeasures in Application to Bitcoin defines a way to forge valid Γ-signatures, an algorithm that is used in the Biscuit specification version 1.
It would allow an attacker to c…
[zeroize_derive] Duplicate Advisory: `#[zeroize(drop)]` doesn’t implement `Drop` for `enum`s
Duplicate Advisory
This advisory is a duplicate of GHSA-c5hx-w945-j4pq. This link is preserved to maintain external references.
Original Description
Affected versions of this crate did not implement Drop when #[zeroize(drop)] was used on an enum.
This …
[windows] Delegate functions are missing `Send` bound
Affected versions of this crate did not require event handlers to have a Send bound, despite there being no guarantee that they would be called on any particular thread, which can potentially lead to data races and undefined behavior.
The flaw was corrected in…
[vec-const] vec-const attempts to construct a Vec from a pointer to a const slice
Affected versions of this crate claimed to construct a const Vec with nonzero length and capacity, but that cannot be done because such a Vec requires a pointer from an allocator.
The implementation was later changed to just construct a std::borrow::Co…