Vulnerabilities we've disclosed
GitHub Security Lab researchers find vulnerabilities in key, widely-used open source projects. We then coordinate the disclosure of those vulnerabilities to security teams at those projects. We only publish vulnerabilities here after they’ve been announced by the affected projects' development teams and patches are available. See our disclosure policy below for more information.
GHSL-2020-142: Heap memory corruption in png-img - CVE-2020-28248
The NAN bindings provided by png-img for libpng are vulnerable to an integer overflow which results in an underallocation of heap memory and subsequent heap memory corruption.
Bas AlbertsGHSL-2020-138, GHSL-2020-139: Remote code execution (RCE) and elevation of privileges (EoP) in SmartStoreNET - CVE-2020-27996, CVE-2020-27997
SmartStoreNET 4.0.0 is vulnerable to Remote code execution (RCE) and elevation of privileges (EoP)
Jaroslav LobačevskiGHSL-2020-202: Local Privilege Escalation (LPE) in Ubuntu gdm3 - CVE-2020-16125
gdm3 can be tricked into launching `gnome-initial-setup`, enabling an unprivileged user to create a new user account for themselves. The new account is a member of the `sudo` group, so this enables the unprivileged user to obtain admin privileges
Kevin BackhouseGHSL-2020-187: Denial of Service (DoS) in Ubuntu accountsservice - CVE-2020-16126 - CVE-2020-16127
The accountsservice daemon drops privileges to perform certain operations, but in some cases gives unprivileged users permission to send signals. This means that the unprivileged user can send accounts-daemon a `SIGSTOP` signal, which stops the process and causes a denial of service
Kevin BackhouseGHSL-2020-158: Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) in AspNetCoreMvcSharedLocalization
AspNetCoreMvcSharedLocalization is vulnerable to Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) that may lead to the elevation of privileges and per-user denial of service (DoS)
Jaroslav LobačevskiGHSL-2020-156: Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) in IdentityWithoutEF
IdentityWithoutEF is vulnerable to Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) that may lead to the elevation of privileges and per-user denial of service (DoS)
Jaroslav LobačevskiGHSL-2020-155: Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) in reactjs-ts-identityserver
reactjs-ts-identityserver is vulnerable to Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) that may lead to the elevation of privileges and per-user denial of service (DoS)
Jaroslav LobačevskiGHSL-2020-154: Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) in OnionArch
OnionArch is vulnerable to Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) that may lead to the elevation of privileges and per-user denial of service (DoS).
Jaroslav LobačevskiGHSL-2020-153: Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) in dapper-identity
dapper-identity is vulnerable to Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) that may lead to the elevation of privileges and per-user denial of service (DoS)
Jaroslav LobačevskiGHSL-2020-152: Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) in DualAuthCore
DualAuthCore is vulnerable to Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) that may lead to the elevation of privileges and per-user denial of service (DoS)
Jaroslav LobačevskiGHSL-2020-151: Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) in little-aspnetcore-todo
little-aspnetcore-todo is vulnerable to Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) that may lead to the elevation of privileges and per-user denial of service (DoS)
Jaroslav LobačevskiGHSL-2020-149: Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) in Angular-Core-IdentityServer
Angular-Core-IdentityServer is vulnerable to Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) that may lead to the elevation of privileges and per-user denial of service (DoS)
Jaroslav LobačevskiGHSL-2020-141: Arbitrary code execution in DatabaseSchemaReader - CVE-2020-26207
DatabaseSchemaReader's tool DatabaseSchemaViewer is vulnerable to arbitrary code execution if a user is tricked into opening a specially crafted .dbschema file
Jaroslav LobačevskiGHSL-2020-143: Arbitrary Code Execution in FastReports - CVE-2020-27998
FastReports is vulnerable to arbitrary code execution because it compiles and runs C# code from a report template
Jaroslav LobačevskiGHSL-2020-157: Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) in IdentityManager
IdentityManager is vulnerable to Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) that may lead to the elevation of privileges and per-user denial of service (DoS).
Jaroslav LobačevskiGHSL-2020-134: NULL dereference in Samba - CVE-2020-14323
An unprivileged local user may trigger a NULL dereference bug in Samba's Winbind service leading to Denial of Service (DoS)
Bas AlbertsGHSL-2020-074, 077, 078: Memory corruptions in HPLIP - CVE-2020-6923
HPLIP contains two memory corruption vulnerabilities which can be triggered by a malicious device or computer that is connected to the same network.
Kevin BackhouseGHSL-2020-113: Command injection vulnerability in limdu - CVE-2020-4066
The `trainBatch` function has a command injection vulnerability. Clients of the Limdu library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability
Kevin BackhouseGHSL-2020-097: Missing hostname validation in twitter-stream - CVE-2020-24392
Missing hostname validation allows an attacker to perform a monster in the middle attack against users of the library.
Agustin GianniGHSL-2020-096: Missing hostname validation in tweetstream - CVE-2020-24393
Missing hostname validation allows an attacker to perform a monster in the middle attack against users of tweetstream
Agustin GianniGHSL-2020-145: Command injection on Windows in Opener
Although code execution is part of the intended purpose of Opener, a crafted url can run an arbitrary shell command rather than just launching a browser.
GitHub Security Lab TeamGHSL-2020-140: Open redirect in Traefik - CVE-2020-15129
There exists a potential open redirect vulnerability in Traefik's handling of the `X-Forwarded-Prefix` header.
GitHub Security Lab TeamGHSL-2020-132: SQL Injection in Mailtrain - CVE-2020-24617
SQL injection and missing CSRF protection may lead to Remote Code Execution (RCE) or arbitrary file read.
Jaroslav LobačevskiGHSL-2020-126: Open URL redirect in Orange Forum 1.x.x
There exists an `Open URL redirect` vulnerability in the 1.x.x branch of Orange Forum. An attacker can send an Orange Forum user a crafted link targeting the login page of Orange Forum, redirecting to a malicious site.
GitHub Security Lab TeamGHSL-2020-133: Path traversal vulnerability in Adobe git-server - CVE-2020-9708
Malicious users may access any Git repository on the server even if it is outside the served root directory
Jaroslav LobačevskiGHSL-2020-109: Command injection in codecov
The `upload` method has a command injection vulnerability. Clients of the `codecov-node` library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.
GitHub Security Lab TeamGHSL-2020-095 : Monster in the middle attack in em-imap - CVE-2020-13163
Missing hostname validation allows an attacker to perform a monster in the middle attack against users of the library.
Agustin GianniGHSL-2020-076: Server-Side Template Injection in Cascade CMS
A user with privileges to edit templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running Cascade CMS.
Alvaro MuñozGHSL-2020-046: Server-Side Template Injection in XWiki
A user with privileges to edit wiki content may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running XWiki.
Alvaro MuñozGHSL-2020-042: Server-Side Template Injection in Crafter CMS
A user with privileges to edit a FreeMarker template may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running Crafter CMS.
Alvaro MuñozGHSL-2020-086, 087, 088, 089 - Server-Side Template Injection in Apache Camel - CVE-2020-11994
Apache Camel FreeMarker, Velocity, MVEL and Moustache components are vulnerable to Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) or Arbitrary File Disclosure.
Alvaro MuñozGHSL-2020-069: Unsafe deserialization of XMLRPC arguments in ApacheOfBiz - CVE-2020-9496
Apache OfBiz is vulnerable to pre-auth Remote Code Execution (RCE) via unsafe deserialization.
Alvaro MuñozGHSL-2020-068: Cross-Site Scripting in Apache OfBiz - CVE-2020-9496
Apache OfBiz is vulnerable to Reflected Cross-Site Scripting through POST request
Alvaro MuñozGHSL-2020-111: Command injection vulnerability in standard-version
The GitHub Security Lab team has identified a potential security vulnerability in standard-version.
Kevin BackhouseGHSL-2020-072: Arbitrary file disclosure in JinJava - CVE-2020-12668
A user with privileges to write JinJava templates, for example in a CMS context, will be able to read arbitrary files from the file system.
Alvaro MuñozGHSL-2020-071: Server-side template injection in Lithium CMS
A user with privileges to edit a FreeMarker template may execute arbitrary Java code or run arbitrary system commands with escalated privileges.
Alvaro MuñozGHSL-2020-047: Server-side template injection in dotCMS
A user with privileges to edit templates may execute arbitrary Java code or run arbitrary system commands with escalated privileges.
Alvaro MuñozGHSL-2020-045: Server-side template injection in Atlassian Confluence - CVE-2020-4027
A user with privileges to edit User macros may execute arbitrary Java code or run arbitrary system commands with escalated privileges.
Alvaro MuñozGHSL-2020-043: Server-side template injection in Liferay - CVE-2020-13445
A user with privileges to edit FreeMarker or Velocity templates may execute arbitrary Java code or run arbitrary system commands with escalated privileges.
Alvaro MuñozGHSL-2020-039: Server-side template injection in Alfresco - CVE-2020-12873
A user with privileges to edit a FreeMarker template may execute arbitrary Java code or run arbitrary system commands with escalated privileges.
Alvaro MuñozGHSL-2020-058: OOB read in Apache Guacamole prior to 1.2.0 - CVE-2020-9497
The GitHub Security Lab uncovered an OOB read vulnerability in Apache Guacamole prior to version 1.2.0 which may lead to information leak.
Nico WaismanGHSL-2020-128: OOB read vulnerability in FreeRDP RLEDECOMPRESS - CVE-2020-4033
The GitHub Security Lab team has uncovered an OOB read vulnerability in FreeRDP's RLEDECOMPRESS function.
Antonio MoralesGHSL-2020-125: integer signedness mismatch vulnerability in FreeRDP leads to OOB read - CVE-2020-4032
The GitHub Security Lab team has uncovered an integer signedness mismatch vulnerability in FreeRDP's update_recv_secondary_order function which leads to an OOB read vulnerability.
Antonio MoralesGHSL-2020-124: OOB read vulnerability in FreeRDP update_recv_primary_order - CVE-2020-11095
The GitHub Security Lab team has uncovered an OOB read vulnerability in FreeRDP's update_recv_primary_order function.
Antonio MoralesGHSL-2020-107: OOB read vulnerability in FreeRDP update_read_cache_bitmap_v3_order - CVE-2020-11096
The GitHub Security Lab team uncovered an OOB read vulnerability in FreeRDP's update_read_cache_bitmap_v3_order function.
Antonio MoralesGHSL-2020-106: integer signedness mismatch leading to OOB read in FreeRDP - CVE-2020-4030
The GitHub Security Lab team has uncovered an integer signedness mismatch vulnerability in FreeRDP leading to OOB read.
Antonio MoralesGHSL-2020-105: OOB read vulnerability in FreeRDP glyph_cache_put - CVE-2020-11098
The GitHub Security Lab team uncovered an OOB read vulnerability in FreeRDP's glyph_cache_put function
Antonio MoralesGHSL-2020-104: OOB read vulnerability in FreeRDP ntlm_av_pair_get - CVE-2020-11097
The GitHub Security Lab team uncovered an OOB read vulnerability in FreeRDP's ntlm_av_pair_get function.
Antonio MoralesGHSL-2020-103: OOB read vulnerability in FreeRDP license_read_new_or_upgrade_license_packet - CVE-2020-11099
The GitHub Security Lab team uncovered an OOB read vulnerability in FreeRDP's license_read_new_or_upgrade_license_packet function.
Antonio MoralesGHSL-2020-122: Command injection in git-diff-apply
The GitHub Security Lab team has identified a potential remote code execution in git-diff-apply.
Kevin BackhouseGHSL-2020-110: Command Injection in mversion
The GitHub Security Lab team has identified a potential remote code execution in mversion
Kevin BackhouseGHSL-2020-119: command injection vulnerability in node-dns-sync resolve method - CVE-2020-11079
The Github team has identified a command injection vulnerability in the resolve method of the node-dns-sync library.
Kevin BackhouseGHSL-2020-102: Heap overflow in FreeRDP crypto_rsa_common - CVE-2020-13398
The GitHub Security Lab team has identified a heap overflow in FreeRDP's crypto_rsa_common function.
Antonio MoralesGHSL-2020-101: NULL dereference in FreeRDP FIPS routines - CVE-2020-13397
The GitHub Security Lab team identified a NULL dereference in FreeRDP's libfreerdp.
Antonio MoralesGHSL-2020-100: Out of Bounds (OOB) read vulnerability in FreeRDP - CVE-2020-13396
The GitHub Security Lab team has identified an Out of Bounds read vulnerability in FreeRDP's ntlm_read_ChallengeMessage function.
Antonio MoralesGHSL-2020-099: mXSS vulnerability in AngularJS
The GitHub Security Lab team has found a potential mXSS vulnerabulity in AngularJS.
Alvaro MuñozGHSL-2020-094: Missing SSL/TLS certificate hostname validation in em-http-request - CVE-2020-13482
The GitHub Security Lab team uncovered a missing hostname validation vulnerability in the em-http-request library that allows an attacker to perform a Person In The Middle (PITM) attack against users of the library.
Agustin GianniGHSL-2020-075, GHSL-2020-079, GHSL-2020-080, GHSL-2020-081, GHSL-2020-082, GHSL-2020-083, GHSL-2020-084: Multiple vulnerabilities in SANE Backends (DoS, RCE)
The GitHub Security Lab team identified multiple memory corruption vulnerabilities in SANE Backends which may lead to Denial of Service (DoS) and Remote Code Execution (RCE).
Kevin BackhouseGHSL-2020-064: integer overflow in LibVNCClient HandleCursorShape resulting in remote heap overflow - CVE-2019-20788
The GitHub Security Lab team detected an integer overflow in LibVNCClient HandleCursorShape RFB event handler.
Bas AlbertsGHSL-2020-057: dbus file descriptor leak (DoS) - CVE-2020-12049
The GitHub Security Lab team has identified a file descriptor leak in dbus that can lead to local Denial of Service.
Kevin BackhouseGHSL-2020-073: Path traversal in Jooby - CVE-2020-7647
The GitHub Security Lab team has identified a path traversal vulnerability in Jooby that can lead to information disclosure.
Alvaro MuñozGHSL-2020-055: Server-Side Template Injection in Apache Syncope (RCE) - CVE-2019-17557
The GitHub Security Lab team has identified several potential security vulnerabilities in Apache Syncope, including RCE and XSS.
Alvaro MuñozGHSL-2020-054: XSS in Apache Syncope - CVE-2020-1961
The GitHub Security Lab team has identified a XSS vulnerability in Apache Syncope.
Alvaro MuñozGHSL-2020-029: Server-Side template injection in Apache Syncope (RCE) - CVE-2020-1959
The GitHub Security Labs team has identified a Server-Side template injection vulnerability in Apache Syncope, which leads to RCE.
Alvaro MuñozGHSL-2020-020: EL expression input sanitation bypass in Hibernate Validator - CVE-2020-10693
The GitHub Security Labs team has identified an EL expression input sanitation bypass vulnerability in Hibernate Validator.
Alvaro MuñozGHSL-2020-085: Open redirect vulnerability in Sourcegraph - CVE-2020-12283
By exploiting an open redirect vulnerability, an attacker could potentially redirect a victim to any arbitrary URL and access their OAUTH token.
Alvaro MuñozGHSL-2020-051, GHSL-2020-052: Multiple vulnerabilities in NTOP nDPI
The GitHub Security Lab team has identified several potential security vulnerabilities in NTOP nDPI, including RCE and DoS.
Bas AlbertsGHSL-2020-010: Out-Of-Bounds write in Android Open Source Project - CVE-2020-0070
An OOB write in AOSP allows an attacker within NFC range to obtain remote code execution on android device's NFC daemon.
Man Yue MoGHSL-2020-008: Out-Of-Bounds write in Android Open Source Project - CVE-2020-0071
An OOB write in AOSP allows an attacker within NFC range to obtain remote code execution on android device's NFC daemon.
Man Yue MoGHSL-2020-007: Out-of-bounds write in Android Open Source Project - CVE-2020-0072
An OOB write in AOSP allows an attacker within NFC range to obtain remote code execution on android device's NFC daemon.
Man Yue MoGHSL-2020-006: Out-Of-Bounds write in Android Open Source Project - CVE-2020-0073
An OOB write in AOSP allows an attacker within NFC range to obtain remote code execution on android device's NFC daemon.
Man Yue MoGHSL-2020-031: SQL injection in PureFTPd
Improper sanitization of SQL queries lead to SQL injection via a configuration file.
Antonio MoralesGHSL-2020-053: Use After Free in Chrome WebAudio
The GitHub Security Labs team has identified a Use after free in Chrome WebAudio.
Man Yue MoGHSL-2020-041: Use After Free in Chrome WebAudio
The GitHub Security Labs team has identified a Use after free in Chrome WebAudio.
Man Yue MoGHSL-2020-040: Use After Free in Chrome WebAudio
The GitHub Security Labs team has identified a Use after free in Chrome WebAudio.
Man Yue MoGHSL-2020-038: Use after free in Chrome WebAudio
The GitHub Security Labs team has identified a Use after free in Chrome WebAudio.
Man Yue MoGHSL-2020-037: Use after free in Chrome WebAudio
The GitHub Security Labs team has identified a Use after free in Chrome WebAudio.
Man Yue MoGHSL-2020-035: Use after free in Chrome WebAudio
The GitHub Security Labs team has identified a Use after free in Chrome WebAudio.
Man Yue MoGHSL-2020-030: Server-Side Template Injection in Dropwizard
Server-Side Template Injection in Dropwizard leading to Remote Code Execution (RCE).
Alvaro MuñozGHSL-2020-015: Remote Code Execution - Bypass of CVE-2018-16621 mitigations in Nexus Repository Manager
High privileged users can bypass the existing mitigations and inject arbitrary Java EL expressions in Nexus Repository Manager, leading to a Remote Code Execution (RCE) vulnerability.
Alvaro MuñozGHSL-2020-014: Remote Code execution - Dynamic Code Evaluation via Scheduled Tasks in Nexus Repository Manager
It is possible for a user with the right permissions to execute arbitrary groovy or javascript scripts resulting in remote code execution.
Alvaro MuñozGHSL-2020-013: Remote Code Execution - Dynamic Code Evaluation via Scripts in Nexus Repository Manager
It is possible for a user with the right permissions to execute arbitrary groovy or javascript scripts resulting in remote code execution.
Alvaro MuñozGHSL-2020-012: Remote Code Execution - JavaEL Injection (high privileged accounts) in Nexus Repository Manager
High privileged users can inject arbitrary Java EL expressions in Nexus Repository Manager, leading to a Remote Code Execution (RCE) vulnerability.
Alvaro MuñozGHSL-2020-009: UAF leads to RCE in ProFTPD
A use-after-free vulnerability in ProFTPD could allow a remote attacker to execute arbitrary code on the affected system.
Antonio MoralesGHSL-2020-016: Persistent Cross-Site scripting in Nexus Repository Manager
An attacker with elevated privileges can create content selectors with a specially crafted name using the REST API, which when viewed by another user can execute arbitrary JavaScript in the context of the NXRM application.
Alvaro MuñozGHSL-2020-011: Remote Code Execution - JavaEL Injection (low privileged accounts) in Nexus Repository Manager
Attackers can inject arbitrary Java EL expressions in Nexus Repository Manager, leading to a Remote Code Execution (RCE) vulnerability.
Alvaro MuñozGHSL-2020-056: Double free in OpenSSL client
The GitHub Security Labs team has identified a security issue in OpenSSL in which an attacker can force a client into freeing the same memory twice.
Agustin GianniGHSL-2020-028: Server-Side Template Injection in Netflix Titus
A Server-Side Template Injection was identified in Netflix Titus enabling attackers to inject arbitrary Java EL expressions, leading to a pre-auth Remote Code Execution (RCE) vulnerability.
Alvaro MuñozGHSL-2020-027: Server-Side Template Injection in Netflix Conductor
A Server-Side Template Injection was identified in Netflix Conductor enabling attackers to inject arbitrary Java EL expressions, leading to a pre-auth Remote Code Execution (RCE) vulnerability.
Alvaro MuñozGHSL-2020-032: out-of-bounds (OOB) read vulnerability in PureFTPd
An out-of-bounds (OOB) read vulnerability has been detected in PureFTPd's pure_strcmp function.
Antonio MoralesGHSL-2020-026: Person in the middle attacks with lua-openssl
Several security issues have been found in the way X509 certificate validation functions are exposed to LUA. Clients using certain functions in lua-openssl are exposed to person-in-the-middle attacks.
Agustin GianniGHSL-2020-025: OOB read and DoS in PureFTPd
An uninitialized pointer vulnerability in PureFTPd results in Out-of-Bounds reads and Denial of Service.
Antonio MoralesGHSL-2020-003, GHSL-2020-004, GHSL-2020-005: Person in the middle attack on openfortivpn clients
Several security issues have been found in the way openfortivpn deals with TLS. These issues can lead to situations in which an attacker can perform a person-in-the-middle attack on clients.
Agustin GianniGHSL-2020-002: out-of-bounds (OOB) read in ProFTPD
An out-of-bounds (OOB) read vulnerability detected in mod_cap.
Antonio MoralesGHSL-2020-001: Off-by-one heap overflow in Bftpd
Under certain circumstances, an off-by-one heap overflow can occur in the command_retr function.
Antonio MoralesDisclosure policy
Last updated: April 9th, 2019
The GitHub Security Lab research team is dedicated to working closely with the open source community and with projects that are affected by a vulnerability, in order to protect users and ensure a coordinated disclosure. When we identify a vulnerability in a project, we will report it by contacting the publicly-listed security contact for the project if one exists; otherwise we will attempt to contact the project maintainers directly.
If the project team responds and agrees the issue poses a security risk, we will work with the project security team or maintainers to communicate the vulnerability in detail, and agree on the process for public disclosure. Responsibility for developing and releasing a patch lies firmly with the project team, though we aim to facilitate this by providing detailed information about the vulnerability.
Our disclosure deadline for publicly disclosing a vulnerability is: 90 days after the first report to the project team.
We appreciate the hard work maintainers put into fixing vulnerabilities and understand that sometimes more time is required to properly address an issue. We want project maintainers to succeed and because of that we are always open to discuss our disclosure policy to fit your specific requirements, when warranted.
Please contact us at securitylab@github.com if you have any questions about our disclosure policy or our security research.