An issue was discovered in the sodiumoxide crate before 0.2.5 for Rust. generichash::Digest::eq compares itself to itself and thus has degenerate security properties.
References
https://nvd.nist.gov/vuln/detail/CVE-2019-25002
https://github.com/sodium…
Impact
An attacker can craft a TFLite model that would trigger a null pointer dereference, which would result in a crash and denial of service:
This is caused by the MLIR optimization of L2NormalizeReduceAxis operator. The implementation unconditionall…
ripgrep before 13 on Windows allows attackers to trigger execution of arbitrary programs from the current working directory via the -z/–search-zip or –pre flag.
References
https://nvd.nist.gov/vuln/detail/CVE-2021-3013
https://github.com/BurntSushi/…
Impact
Affected versions of lettre allowed SMTP command injection through an attacker’s controlled message body. The module for escaping lines starting with a period wouldn’t catch a period that was placed after a double CRLF sequence, allowing the att…
Multiple path traversal vulnerabilities exist in smbserver.py in Impacket before 0.9.23. An attacker that connects to a running smbserver instance can list and write to arbitrary files via ../ directory traversal. This could potentially be abused to ac…
The dashboard component of StackLift LocalStack allows attackers to inject arbitrary shell commands via the functionName parameter.
References
https://nvd.nist.gov/vuln/detail/CVE-2021-32090
https://blog.sonarsource.com/hack-the-stack-with-localstack
…
django-celery-results prior to 2.4.0 stores task results in the database. Among the data it stores are the variables passed into the tasks. The variables may contain sensitive cleartext information that does not belong unencrypted in the database.
In v…
Impact
A security-sensitive bug was discovered by Open Source Developer Erik Sundell of Sundell Open Source Consulting AB.
The functions RandomAlphaNumeric(int) and CryptoRandomAlphaNumeric(int) are not as random as they should be. Small values of int …
This affects all versions of package github.com/u-root/u-root/pkg/uzip. It is vulnerable to both leading and non-leading relative path traversal attacks in zip file extraction.
References
https://nvd.nist.gov/vuln/detail/CVE-2020-7665
https://github.c…
This affects the package pwntools before 4.3.1. The shellcraft generator for affected versions of this module are vulnerable to Server-Side Template Injection (SSTI), which can lead to remote code execution.
References
https://nvd.nist.gov/vuln/detail…
