Impact
Twisted web servers that utilize the optional HTTP/2 support suffer from the following flow-control related vulnerabilities:
Ping flood: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512
Reset flood: https://cve.mitre.org/cgi-bin/cven…
[Pillow] Path traversal in Pillow
If the path to the temporary directory on Linux or macOS contained a space, this would break removal of the temporary image file after im.show() (and related actions), and potentially remove an unrelated file. This has been present since PIL.
References
h…
[gerapy] Incorrect Authorization in Gerapy
An access control vulnerability exists in Gerapy v0.9.7 via the spider parameter in the project_configure function.
References
https://nvd.nist.gov/vuln/detail/CVE-2021-44597
https://github.com/Gerapy/Gerapy/issues/219
https://github.com/Gerapy/Gerapy/rele…
[calibreweb] Server-Side Request Forgery in calibreweb
calibreweb prior to version 0.6.17 is vulnerable to server-side request forgery (SSRF). This is due to an incomplete fix for CVE-2022-0339. The blacklist does not check for 0.0.0.0, which would result in a payload of 0.0.0.0 resolving to localhost.
Ref…
[calibreweb] Server-Side Request Forgery in calibreweb
calibreweb prior to version 0.6.17 is vulnerable to server-side request forgery (SSRF). This is a result of incomplete SSRF protection that can be bypassed via an HTTP redirect. An HTTP server set up to respond with a 302 redirect may redirect a reques…
[RazorEngine] Code injection in RazorEngine
In the IsolatedRazorEngine component of Antaris RazorEngine through 4.5.1-alpha001, an attacker can execute arbitrary .NET code in a sandboxed environment (if users can externally control template contents). NOTE: This vulnerability only affects produc…
[pytorch-lightning] Code Injection in PyTorch Lightning
PyTorch Lightning version 1.5.10 and prior is vulnerable to code injection. An attacker could execute commands on the target OS by setting the PL_TRAINER_GPUS when using the Trainer module. A patch is included in the 1.6.0 …
[jquery.cookie] Prototype Pollution in jquery.cookie
jQuery Cookie 1.4.1 is affected by prototype pollution, which can lead to DOM cross-site scripting (XSS).
References
https://nvd.nist.gov/vuln/detail/CVE-2022-23395
https://snyk.io/test/npm/jquery.cookie/1.4.1?tab=issues
https://security.netapp.com/ad…
[org.jetbrains.kotlin:kotlin-stdlib] Improper Locking in JetBrains Kotlin
In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-24329
https://blog.jetbrains.com/blog/2022/02/08/jetbrains-security-bulletin-q4-2021/
ht…
[CefSharp.Wpf.NETCore] Use after free in Animation
CVE-2022-0609: Use after free in Animation
https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0609
Google is aware of reports that exploits for CVE-2022-0609…