GitLab Advisory Database (Open Source Edition)

Explore GitLab's vulnerability advisory database, offering detailed information on known security risks and mitigations for proactive software protection. The database contains information about security issues in software dependencies that you might be using in your projects, and it is an essential component of both Dependency Scanning and Container Scanning (Dependency Scanning is available in GitLab Ultimate self-managed and GitLab Ultimate SaaS). Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.

The database covers security advisories in software packages that have a CVE identifier, as well as malicious packages marked as such by their ecosystem (Feb 16, 2022). It is updated on an hourly basis with the latest security advisories. Advisories found not to apply are marked as false positives and removed; one example appears in the nuget list below.

Project information (Apr 13, 2021): 1,345 commits; 3 branches; 0 tags. Search the database at https://advisories.gitlab.com. If you know about a vulnerability that isn't listed in this repo, you can contribute to the GitLab Advisory Database by opening an issue, or even submit the vulnerability as a YAML file in a merge request. Contributions welcome; please review the contribution guidelines.

[Pie chart: advisory distribution for the supported package types, with their total number and percentages.]
[Pie chart: number of CVEs, i.e. how many advisories in the database originate from NVD.]

Advisories on this page, grouped by package ecosystem. Each entry keeps the page's "ecosystem › package › identifier" form and the date shown with it; entries that appeared only as "Detect and mitigate CVE-… with GitLab Dependency Scanning" are listed at the end without a description. Version numbers that did not survive extraction intact are omitted rather than guessed.

npm

Jan 8, 2025 · npm › tough-cookie › CVE-2023-26136; 9.8 CRITICAL Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode.

May 16, 2024 (updated November 18, 2024) · npm › njwt › CVE-2024-34273; njwt Prototype Pollution vulnerability. njwt up to v0.2.0 was discovered to contain a prototype pollution in the Parser.parse method.

Jul 1, 2024 (updated July 12, 2024) · npm › ag-grid-enterprise › CVE-2024-39001; ag-grid packages vulnerable to Prototype Pollution. ag-grid-enterprise v31.3.2 was discovered to contain a prototype pollution via the component _ModuleSupport.jsonApply.

Aug 12, 2024 (updated October 3, 2024) · npm › axios › CVE-2024-39338; Server-Side Request Forgery in axios. axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.

Jan 10, 2025 · npm › apostrophe › GMS-2020-704; Open Redirect in apostrophe. Versions of apostrophe prior to 2.92.0 are vulnerable to Open Redirect: the package redirected requests to third-party websites if escaped URLs followed by a trailing / were appended at the end.

Oct 29, 2019 (updated October 31, 2019) · npm › sequelize › CVE-2019-10748; SQL Injection. Sequelize (all versions prior to the fix) is vulnerable to SQL Injection due to JSON path keys not being properly escaped for the MySQL/MariaDB dialects.

May 14, 2024 (updated August 28, 2024) · npm › micromatch › CVE-2024-4067; Regular Expression Denial of Service (ReDoS) in micromatch. The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS).

Oct 19, 2024 · CVE-2024-21536 Denial of service in http-proxy-middleware: Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) …

Jan 7, 2025 · npm › npm › CVE-2022-29244; 7.5 HIGH Exposure of Sensitive Information to an Unauthorized Actor. npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (i.e. --workspaces, --workspace=<name>).

Sep 25, 2024 (updated October 15, 2024) · npm › ckeditor5 › CVE-2024-45613; Cross-site scripting (XSS) in the clipboard package. During a recent internal audit, we identified a Cross-Site Scripting (XSS) vulnerability in the CKEditor 5 clipboard package.

Jan 9, 2025 · npm › ckeditor4 › CVE-2020-27193; 6.1 MEDIUM Cross-site Scripting. A cross-site scripting (XSS) vulnerability in the Color Dialog plugin for CKEditor allows remote attackers to run arbitrary web script after persuading a user to copy and paste crafted HTML code into one of the editor inputs.

May 5, 2021 (updated June 4, 2022) · npm › highcharts › CVE-2021-29489; Cross-site Scripting. Highcharts JS is a JavaScript charting library based on SVG. In Highcharts, the chart options structure was not systematically filtered for XSS vectors.

Aug 2, 2024 · npm › elliptic › CVE-2024-42461; Elliptic allows BER-encoded signatures. In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because BER-encoded signatures are allowed.

npm › pdfjs-dist › CVE-2024-4367; PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF.

npm › xlsx › CVE-2021-32013; 5.5 MEDIUM Uncontrolled Resource Consumption. SheetJS and SheetJS Pro allow attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js.

May 2, 2024 (updated November 25, 2024) · npm › libxmljs2 › CVE-2024-34393; libxmljs2 type confusion vulnerability when parsing specially crafted XML. libxmljs2 is vulnerable to type confusion when parsing a specially crafted XML while invoking a function on the result of attrs() that was called on a parsed node.

Nov 6, 2014 · npm › sweetalert2 › GMS-2022-7152; sweetalert2 v9.4 and above contains hidden functionality. sweetalert2 versions 9.4 and up until 10.0 are vulnerable to hidden functionality that was introduced by the maintainer.

pypi

May 15, 2020 (updated May 19, 2020) · pypi › pandas › CVE-2020-13091; Deserialization of Untrusted Data. pandas can unserialize and execute commands from an untrusted file that is passed to the read_pickle() function, if __reduce__ makes an os.system call.

Jan 22, 2024 (updated January 23, 2024) · pypi › ecdsa › CVE-2024-23342; Covert Timing Channel. The ecdsa PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman).

pypi › cryptography › CVE-2018-10903; 7.5 HIGH PyCA Cryptography vulnerable to GCM tag forgery. A flaw was found in python-cryptography versions between >=1.9.0 and <2.3.

Jan 29, 2024 (updated November 18, 2024) · pypi › aiohttp › CVE-2024-23334; aiohttp is vulnerable to directory traversal. Improperly configuring static resource resolution in aiohttp when used as a web server can result in the unauthorized reading of arbitrary files on the system.

Jul 15, 2024 · pypi › setuptools › CVE-2024-6345; setuptools vulnerable to Command Injection via package URL. A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions.

Oct 29, 2024 (updated November 12, 2024) · pypi › langchain › CVE-2024-8309 and pypi › langchain-community › CVE-2024-8309; Langchain SQL Injection vulnerability. A vulnerability in the GraphCypherQAChain class of langchain-ai/langchain version 0.2.5 allows for SQL injection through prompt injection.

pypi › vllm › CVE-2024-8768; 7.5 HIGH vLLM denial of service vulnerability. A flaw was found in the vLLM library. A completions API request with an empty prompt will crash the vLLM API server, resulting in a denial of service.

May 3, 2024 · CVE-2024-34062 tqdm CLI arguments injection attack: Any optional non-boolean CLI arguments (e.g. --delim, --buf-size, --manpath) are passed through python's eval, …

Aug 7, 2024 · CVE-2024-42005 Django SQL injection vulnerability: An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models …

Apr 4, 2024 · pgAdmin <= 8.4 is affected by a Remote Code Execution (RCE) vulnerability through the validate binary path API. This vulnerability allows attackers to execute arbitrary code on the server hosting pgAdmin, posing a severe risk to the database management system's integrity and the security of the underlying data.

maven

Feb 24, 2020 (updated July 21, 2021) · maven › org.apache.tomcat/tomcat › CVE-2020-1938; Improper Input Validation. When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat.

Dec 13, 2022 (updated November 9, 2023) · maven › org.apache.cxf/cxf-core › CVE-2022-46364; Server-Side Request Forgery (SSRF). A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.

May 24, 2022 (updated June 21, 2022) · maven › org.slf4j/slf4j-ext › CVE-2018-8088; Improper Access Control in SLF4J. EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2 allows remote attackers to bypass intended access restrictions via crafted data.

May 13, 2022 (updated June 29, 2022) · maven › org.neo4j/neo4j-kernel › CVE-2021-34802; Improper Privilege Management. A failure in resetting the security context in some transaction actions in Neo4j Graph Database 4.2 and 4.3 could allow authenticated users to execute commands with elevated privileges.

Oct 18, 2023 · maven › com.mysql/mysql-connector-java › CVE-2023-22102; MySQL Connectors takeover vulnerability. Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J).

Oct 25, 2023 (updated September 11, 2024) · maven › cn.dev33/sa-token-core › CVE-2023-43961; SaToken authentication bypass vulnerability. An issue in Dromara SaToken when using Spring dynamic controllers: a specially crafted request may cause an authentication bypass.

Dec 2, 2024 · maven › io.lettuce/lettuce-core › GHSA-q4h9-7rxj-7gx2; Netty vulnerability included in redis lettuce.

Aug 5, 2024 · CVE-2023-42809 Redisson vulnerable to Deserialization of Untrusted Data: Redisson is a Java Redis client that uses the Netty framework.

Nov 29, 2023 · CVE-2023-6378 logback serialization vulnerability: A serialization vulnerability in the logback receiver component of logback allows an attacker to mount a Denial-Of-Service attack …

Sep 19, 2024 · CVE-2024-7254 protobuf-java has potential Denial of Service issue: When parsing unknown fields in the Protobuf Java Lite and Full library, a maliciously crafted message can cause a StackOverflow …

Oct 14, 2024 · CVE-2024-6763 Eclipse Jetty URI parsing of invalid authority: Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. It includes a utility class, HttpURI, …

Oct 14, 2024 · CVE-2024-8184 Eclipse Jetty's ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks: There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to …

Oct 18, 2024 · CVE-2024-38820 Spring Framework DataBinder Case Sensitive Match Exception: The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive.

Aug 6, 2022 · CVE-2022-31197 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database …

Aug 15, 2024 · CVE-2024-42681 Improper Preservation of Permissions in xxl-job: Insecure Permissions vulnerability in xxl-job v.2.4.1 allows a remote attacker to execute arbitrary code via the Sub-Task ID …

composer

composer › topthink/framework › CVE-2021-44350; 9.8 CRITICAL Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'). SQL Injection vulnerability exists in ThinkPHP5 via the parseOrder function in Builder.php.

Oct 30, 2024 · composer › topthink/thinkphp › CVE-2024-48112; ThinkPHP deserialization vulnerability. A deserialization vulnerability in the component \controller\Index.php of ThinkPHP allows attackers to execute arbitrary code.

Nov 6, 2024 · composer › symfony/symfony › CVE-2024-50340; Symfony allows changing the environment through a query. When the register_argc_argv php directive is set to on, and users call any URL with a specially crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request.

Nov 15, 2024 · composer › librenms/librenms › CVE-2024-51092; LibreNMS has an Authenticated OS Command Injection. An authenticated attacker can create dangerous directory names on the system and alter sensitive configuration parameters through the web portal.

nuget

nuget › ProDotNetZip › CVE-2024-48510; 9.8 CRITICAL DotNetZip Directory Traversal vulnerability. Directory Traversal vulnerability in DotNetZip v.1.16.0 and before. (Nov 13, 2024: Detect and mitigate CVE-2024-48510 with GitLab Dependency Scanning.)

Jul 31, 2024 · nuget › identityserver4 › CVE-2024-39694; IdentityServer Open Redirect vulnerability. It is possible for an attacker to craft malicious URLs that certain functions in IdentityServer will incorrectly treat as local and trusted.

Jan 8, 2025 · nuget › Swashbuckle.AspNetCore.SwaggerUI › GMS-2021-470; Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Swashbuckle.AspNetCore.SwaggerUI.

nuget › SSCMS › CVE-2023-2862; 6.1 MEDIUM Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). A vulnerability, which was classified as problematic, was found in SiteServer CMS up to 7.2.1.

Dec 13, 2022 (updated January 1, 9999) · nuget › System.Text.Encodings.Web › CVE-2022-41089; False Positive. This advisory has been marked as False Positive and has been removed.

Oct 8, 2024 · Microsoft is releasing this security advisory to provide information about a vulnerability in System.Security.Cryptography.Cose, System.IO.Packaging, Microsoft.Extensions.Caching.Memory. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

conan

Mar 25, 2021 (updated May 3, 2022) · conan › sqlcipher › CVE-2021-3119; SQL Injection. Zetetic SQLCipher has a NULL pointer dereferencing issue related to sqlcipher_export in crypto.c and sqlite3StrICmp in sqlite3.c.

Oct 18, 2023 · conan › libcurl › CVE-2023-38545; Out-of-bounds Write. This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake.

gem

Jan 7, 2025 · gem › dependabot-core › CVE-2020-26222; 8.8 HIGH Injection Vulnerability. Dependabot is a set of packages for automated dependency management for Ruby, JavaScript, Python, PHP, Elixir, Rust, Java, .NET, Elm and Go.

Other advisories on the page (identifier or ecosystem not shown)

Aug 2, 2024 · CVE-2024-3056 Podman vulnerable to memory-based denial of service: A flaw was found in Podman. This issue may allow an attacker to create a specially crafted container that, when configured to …

Sep 4, 2024 · CVE-2024-8418 Missing connection timeout in Aardvark-dns: A flaw was found in Aardvark-dns versions 1.12.0 and 1.12.1. They contain a denial of service vulnerability due to serial …

Navidrome stores the JWT secret in plaintext in the navidrome.db database file under the property table. This practice introduces a security risk because anyone with access to the database file can retrieve the secret. The JWT secret is critical for the authentication and authorization system.

Memory may be exposed to hostile input, which may make it susceptible to hash flooding attacks resulting in denial of service.

Listed on the page without a description ("Detect and mitigate … with GitLab Dependency Scanning")

Nov 18, 2024 · CVE-2024-38828; Sep 9, 2024 · CVE-2024-44902; Jun 16, 2021 · CVE-2021-26291 (maven); Oct 3, 2024 · CVE-2024-9266; Jun 4, 2024 · CVE-2024-32871; CVE-2022-22978 (maven); Jul 12, 2024 · CVE-2024-39903; Aug 20, 2024 · CVE-2024-6322; CVE-2024-7774 (npm); May 29, 2024 · CVE-2024-36107; Oct 15, 2024 · CVE-2024-9506; Sep 24, 2024 · CVE-2024-38809; Oct 17, 2024 · CVE-2024-48924; CVE-2024-6531 (npm); CVE-2022-41678; Nov 19, 2024 · CVE-2024-31141; Nov 18, 2024 · CVE-2024-48901; Aug 23, 2024 · CVE-2024-38807; Oct 31, 2024 · CVE-2024-48307; Dec 2, 2024 · CVE-2024-38827; Apr 15, 2024 · CVE-2024-32489; Jan 19, 2024 · CVE-2024-23331; Nov 27, 2024 · CVE-2024-49203; CVE-2024-7042 (npm); Sep 25, 2024 · CVE-2024-23454; CVE-2024-6484 (npm); Sep 19, 2020 · CVE-2020-5421; Mar 27, 2024 · CVE-2024-23450.
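The pandas advisory (CVE-2020-13091) describes the general pickle problem: whatever a pickled object's __reduce__ names gets called during load. The following is an added example, not pandas code or anything from the advisory database. It builds a constructed gadget that calls os.getcwd (standing in for the os.system call the advisory mentions, so the demo is harmless), shows that a plain pickle.loads, which is what read_pickle ultimately performs, executes it, and shows a restricted Unpickler that refuses to resolve any global outside an allow-list while still loading data-only pickles. The allow-list contents are an assumption for the demo.

```python
import io
import os
import pickle


class Gadget:
    """Constructed attacker object, not part of pandas.

    Pickle records what __reduce__ returns (a callable plus arguments) and
    pickle.load() invokes it while deserializing. A real payload would name
    os.system; os.getcwd is used here so the demonstration stays harmless.
    """

    def __reduce__(self):
        return (os.getcwd, ())


def build_payload() -> bytes:
    """Serialize the gadget; these bytes could be shipped as a 'data file' to read_pickle()."""
    return pickle.dumps(Gadget(), protocol=4)


def build_benign() -> bytes:
    """A data-only pickle: containers and scalars, no global lookups at all."""
    return pickle.dumps({"rows": [1, 2, 3]})


def unsafe_loads(data: bytes):
    """Plain pickle.loads (the path read_pickle takes): the recorded callable runs."""
    return pickle.loads(data)


def payload_runs_callable() -> bool:
    """True when the plain loader executed the gadget, i.e. returned os.getcwd()'s result."""
    return unsafe_loads(build_payload()) == os.getcwd()


# Globals the restricted loader may resolve (assumed allow-list for this demo).
# Plain dicts, lists, strings and numbers need no global lookup, so a data-only
# pickle still loads; anything not listed here is refused before it can run.
ALLOWED_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_blocked(data: bytes) -> bool:
    """True when the restricted loader refuses the pickle instead of executing it."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("plain loader executed the gadget:", payload_runs_callable())
    print("restricted loader blocked it:", is_blocked(build_payload()))
    print("data-only pickle still loads:", safe_loads(build_benign()))
```

The allow-list approach is the only pickle-level mitigation that holds up; the sound fix for untrusted input is a format that cannot carry code (CSV, Parquet, JSON) rather than a filtered pickle.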
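Three advisories above share one root cause: a string that looks like a path is really a URL naming another host. axios (CVE-2024-39338) resolved a path-relative request as protocol-relative, IdentityServer (CVE-2024-39694) treated crafted URLs as local, and apostrophe (GMS-2020-704) redirected to third parties when an escaped URL was appended. The example below is added here and is not code from any of those projects; the base URL is an assumed stand-in for a client's configured baseURL. It shows how standard RFC 3986 resolution turns a "//host" target into a request to that host, and a local-path check that rejects protocol-relative targets, their backslash and percent-encoded spellings, and anything carrying a scheme or authority.

```python
from urllib.parse import unquote, urljoin, urlsplit

# Assumed base URL for the demo, standing in for an HTTP client's configured baseURL.
API_BASE = "https://api.example.com/v1/"


def naive_resolve(base: str, target: str) -> str:
    """Resolve `target` against `base` exactly as RFC 3986 (and urljoin) prescribes.

    A target beginning with "//" is a network-path reference: it keeps the base's
    scheme but replaces the host. That is the confusion behind the axios SSRF and
    the IdentityServer/apostrophe open redirects.
    """
    return urljoin(base, target)


def is_local_path(target: str) -> bool:
    """Accept only a same-origin absolute path; reject anything that can name a host."""
    if not target.startswith("/"):
        return False  # relative or scheme-qualified, not a bare absolute path
    # Check both the raw and the percent-decoded form: a decoder downstream would
    # turn "/%2Fevil.example/" back into "//evil.example/".
    for form in (target, unquote(target)):
        if form.startswith("//") or form.startswith("/\\"):
            return False  # protocol-relative, including the "\\" spelling browsers accept
        if "\\" in form or any(ch in form for ch in "\r\n\t\x00"):
            return False
        parts = urlsplit(form)
        if parts.scheme or parts.netloc:
            return False
    return True


def safe_resolve(base: str, target: str) -> str:
    """Resolve, then prove the result stayed on the base's origin."""
    if not is_local_path(target):
        raise ValueError(f"refusing non-local target {target!r}")
    resolved = urljoin(base, target)
    if urlsplit(resolved).netloc != urlsplit(base).netloc:
        raise ValueError(f"resolution left the origin: {resolved!r}")
    return resolved


def is_rejected(base: str, target: str) -> bool:
    try:
        safe_resolve(base, target)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for target in ("users/1", "/users/1", "//evil.example/steal", "/%2Fevil.example/"):
        print(f"{target!r:24} naive -> {naive_resolve(API_BASE, target)!r:36} local={is_local_path(target)}")
```

For a redirect target the check deliberately demands an absolute same-origin path; for an HTTP client that legitimately sends relative paths, the post-resolution origin comparison in safe_resolve is the part to keep.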
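The DotNetZip directory traversal (CVE-2024-48510) and the aiohttp static-resource traversal (CVE-2024-23334) are the same containment failure in two directions: an archive entry name or a request path is joined to a base directory and the result is used without checking that it still lies under that directory. The following is an added example, not code from DotNetZip, aiohttp or the advisory database. One containment check serves both cases; it normalises after joining (so "docs/../../x" is caught), treats backslashes as separators, and is then applied to a constructed in-memory archive that carries two zip-slip entries. The destination directories are assumed for the demo and nothing is written to disk.

```python
import io
import posixpath
import zipfile


def contained_path(base: str, requested: str):
    """Map a client- or archive-supplied name onto `base`, or return None if it escapes.

    Normalisation runs *after* the join so that "docs/../../x" cannot slip past, and
    backslashes are treated as separators because Windows-built archives and some
    clients send them. A leading slash is stripped: it is a request for base's root.
    """
    base_norm = posixpath.normpath(base)
    candidate = posixpath.normpath(
        posixpath.join(base_norm, requested.replace("\\", "/").lstrip("/"))
    )
    if candidate == base_norm or candidate.startswith(base_norm + "/"):
        return candidate
    return None


def vet_zip_members(zip_bytes: bytes, dest: str):
    """Split an archive's entries into (safe, rejected) by where they would land under `dest`.

    Extraction code should run this check per entry before writing anything. Absolute
    names and drive-letter prefixes are refused outright rather than silently relocated.
    """
    safe, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            absolute = name.startswith(("/", "\\"))
            drive_prefixed = ":" in name.split("/")[0]  # heuristic for "C:\..." names
            if absolute or drive_prefixed or contained_path(dest, name) is None:
                rejected.append(name)
            else:
                safe.append(name)
    return safe, rejected


def build_demo_zip() -> bytes:
    """Constructed in-memory archive: one honest entry and two zip-slip entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", b"hello")
        zf.writestr("../../evil.txt", b"would land two levels above dest")
        zf.writestr("docs/../../../escape.txt", b"hidden behind a normal-looking prefix")
    return buf.getvalue()


if __name__ == "__main__":
    for req in ("css/app.css", "../../etc/passwd", "css/../../secret", "..\\..\\etc\\passwd"):
        print(f"static request {req!r:22} -> {contained_path('/srv/static', req)}")
    print("archive:", vet_zip_members(build_demo_zip(), "/opt/app"))
```

When the base directory may contain symlinks, resolve both sides with os.path.realpath before comparing; the pure-string check here is what keeps the demo deterministic.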
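The Elliptic advisory (CVE-2024-42461) says signature malleability occurs because BER-encoded signatures are accepted. DER is the subset of BER with exactly one encoding per value, so a verifier that accepts BER lets one (r, s) pair be spelled many ways, and any system that deduplicates or identifies transactions by signature bytes can be replayed with a byte-different but still valid signature. The example below is added here and is not Elliptic's code: a strict DER parser for ECDSA signatures that rejects indefinite and non-minimal lengths, redundant leading zeros, negative or zero integers and trailing bytes, next to a generator of the BER variants a lax parser would accept. The test vectors are constructed.

```python
def _encode_length(n: int) -> bytes:
    """Shortest definite-form length, as DER requires."""
    if n < 0x80:
        return bytes([n])
    if n < 0x100:
        return b"\x81" + bytes([n])
    return b"\x82" + n.to_bytes(2, "big")


def _encode_integer(v: int, pad: bool = False) -> bytes:
    """INTEGER encoding; pad=True prepends a redundant 0x00 (legal BER, illegal DER)."""
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")  # extra 0x00 only when the top bit is set
    if pad:
        body = b"\x00" + body
    return b"\x02" + _encode_length(len(body)) + body


def encode_ecdsa_signature(r: int, s: int) -> bytes:
    """Canonical DER: SEQUENCE { INTEGER r, INTEGER s }."""
    payload = _encode_integer(r) + _encode_integer(s)
    return b"\x30" + _encode_length(len(payload)) + payload


def _read_length(buf: bytes, i: int):
    """Parse a length at buf[i], rejecting every BER form that DER forbids."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0:
        raise ValueError("indefinite length is BER, not DER")
    if n > 2:
        raise ValueError("length field too wide for a signature")
    length = int.from_bytes(buf[i + 1:i + 1 + n], "big")
    if length < 0x80 or (n == 2 and length < 0x100):
        raise ValueError("length not minimally encoded")
    return length, i + 1 + n


def _read_integer(buf: bytes, i: int):
    if i >= len(buf) or buf[i] != 0x02:
        raise ValueError("expected INTEGER")
    length, i = _read_length(buf, i + 1)
    body = buf[i:i + length]
    if length == 0 or len(body) != length:
        raise ValueError("bad INTEGER length")
    if body[0] & 0x80:
        raise ValueError("negative INTEGER")
    if length > 1 and body[0] == 0x00 and not (body[1] & 0x80):
        raise ValueError("INTEGER has a redundant leading zero")
    return int.from_bytes(body, "big"), i + length


def parse_ecdsa_signature_strict(sig: bytes):
    """Return (r, s) only for the single canonical DER encoding of that pair."""
    if len(sig) < 2 or sig[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    length, i = _read_length(sig, 1)
    if i + length != len(sig):
        raise ValueError("SEQUENCE length does not match input")
    r, i = _read_integer(sig, i)
    s, i = _read_integer(sig, i)
    if i != len(sig):
        raise ValueError("trailing data inside SEQUENCE")
    if r == 0 or s == 0:
        raise ValueError("r and s must be non-zero")
    return r, s


def rejects(sig: bytes) -> bool:
    try:
        parse_ecdsa_signature_strict(sig)
    except (ValueError, IndexError):
        return True
    return False


def ber_variants(r: int, s: int) -> dict:
    """Same (r, s), different bytes: encodings a lax BER parser accepts and DER must not."""
    canonical = encode_ecdsa_signature(r, s)
    _, start = _read_length(canonical, 1)
    payload = canonical[start:]
    padded = _encode_integer(r, pad=True) + _encode_integer(s)
    return {
        "long_form_length": b"\x30\x81" + bytes([len(payload)]) + payload,
        "indefinite_length": b"\x30\x80" + payload + b"\x00\x00",
        "padded_integer": b"\x30" + _encode_length(len(padded)) + padded,
        "trailing_byte": canonical + b"\x00",
    }


if __name__ == "__main__":
    r, s = 2**255 + 12345, 2**200 - 1  # constructed P-256-sized values
    print("canonical parses:", parse_ecdsa_signature_strict(encode_ecdsa_signature(r, s)) == (r, s))
    for name, sig in ber_variants(r, s).items():
        print(f"{name:18} rejected={rejects(sig)}")
```

This covers encoding malleability only; the separate algebraic malleability of ECDSA (both s and n - s verify) needs a low-s rule on the verifier, which is outside what the advisory describes.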