CodeQL Wall of Fame
The GitHub Security Lab uses CodeQL to perform variant analysis, an important technique for identifying new types of security vulnerabilities of a given class. The Security Lab and its community shares its knowledge with developers, to benefit both open source and commercial organizations.
The CodeQL Wall of Fame is a (non-exhaustive) list of vulnerabilities that the GitHub Security Lab and our community have found using CodeQL. In most cases these vulnerabilities were detected as a direct result of a query launch. In other cases, CodeQL was used to explore the codebase faster and accelerate the manual audit.
Did you find a new CVE thanks to CodeQL? To see your work displayed on the CodeQL Wall of Fame open a submission.
Want to join us in our mission to improve open source security for all? Choose your own adventure to get started:
- You are one click away to benefit from the power of CodeQL on your open source codebase: enable code scanning. For private code, contact sales.
- Learn CodeQL with our Capture the Flag exercises
- Write a CodeQL query to help secure open source and get rewarded for it via our CodeQL Bounty program
Featured
GHSL-2023-114: SSRF vulnerability in the Bitbucket Push and Pull Request Jenkins Plugin - CVE-2023-41937
Bitbucket Push and Pull Request Plugin provides a webhook endpoint at /bitbucket-hook/ that can be used to trigger builds of jobs configured to use a specified repository.In Bitbucket Plugin 2.8.3 and earlier, when a build is triggered in this way, attackers can force a connection to an arbitrary URL using the configured Bitbucket credentials.
Alvaro Munoz
GHSL-2023-181: Expression injection in the GitHub Action workflow of Pytorch
The pytorch/pytorch filter-test-configs workflow is vulnerable to an expression injection in Actions, allowing an attacker to potentially leak secrets and alter the repository using the workflow.
Jorge Rosillo
GHSL-2023-084: Cross-site scripting (XSS) in Pay - CVE-2023-30614
Pay, a payments engine for Ruby on Rails, comes with a payment info page which is susceptible to Cross-site scripting.
Peter Stöckli
GHSL-2023-080: Unauthenticated data exfiltration in Decidim - CVE-2023-34090
Decidim, a platform for digital citizen participation, is vulnerable to non-public data exfiltration.
Peter Stöckli
GHSL-2023-006: Cross-site scripting (XSS) in Decidim leading to potential endorsement manipulation - CVE-2023-32693
Decidim, a platform for digital citizen participation is vulnerable to Cross-site scripting. An attacker could impersonate other users and endorse or support proposals on their behalf.
Peter Stöckli
GHSL-2023-093: Server-Side Request Forgery (SSRF) in jenkinsci/maven-artifact-choicelistprovider-plugin - CVE-2023-40347
Several Server-Side Request Forgery (SSRF) vulnerabilities in jenkinsci/maven-artifact-choicelistprovider-plugin allow the leak of sensitive credentials to an attacker-controlled server.
Alvaro Munoz
GHSL-2023-067: Server-Side Request Forgery (SSRF) in jenkinsci/servicenow-devops-plugin - CVE-2023-3414, CVE-2023-3442
A Server-Side Request Forgery (SSRF) vulnerability in jenkinsci/servicenow-devops-plugin allows the leak of sensitive credentials to an attacker-controlled server.
Alvaro Munoz
GHSL-2023-061: Cross-Site Request Forgery (CSRF) and Server-Side Request Forgery (SSRF) in jenkinsci/blueocean-plugin - CVE-2023-40341
A CSRF/SSRF vulnerability in jenkinsci/blueocean-plugin allows the leak of sensitive credentials (including GitHub credentials) to an attacker-controlled server.
Alvaro Munoz
GHSL-2022-119: Arbitrary command execution in CasaOS - CVE-2023-37469
If an authenticated user using CasaOS is able to successfully connect to a controlled SMB server, they are able to execute arbitrary commands.
Kevin Stubbings
GHSL-2023-086_GHSL-2023-087: Expression injection in a GitHub Actions workflow of Airbyte
Potential injection from the github.event.comment.body context, which may be controlled by an external user.
Dan Shanahan, Nick Gonzalez
GHSL-2023-143_GHSL-2023-144: SAML signature validation bypass in OpenAM - CVE-2023-37471
Attackers can use an improper SAML signature validation to impersonate any OpenAM user, including the administrator.
Tony Torralba
GHSL-2023-109: GitHub Actions command injection in a TDesign Vue Next workflow
TDesign Vue Next repository is vulnerable to an Actions command injection in auto-release.yml.
Jorge Rosillo
GHSL-2023-079: Arbitrary File Exfiltration in Jenkins MathWorks Polyspace Plugin - CVE-2023-37960
Jenkins MathWorks Polyspace Plugin 1.0.5 and earlier does not restrict a file path in a job parameter, allowing attackers with the Job/Configure permission to exfiltrate arbitrary files from the Jenkins controller by sending them in an email notification.
Tony Torralba
GHSL-2023-074: Server-Side Request Forgery (SSRF) in miniorange-saml-sp-plugin - CVE-2023-32991, CVE-2023-32992
A Server-Side Request Forgery (SSRF) vulnerability was found in the miniorange-saml-sp-plugin. The vulnerability resides in the org.miniorange.saml.MoSAMLAddIdp#doValidateMetadataUrl method and can be exploited without authentication. An attacker can leverage this vulnerability to send requests to arbitrary hosts.
Alvaro Munoz
GHSL-2023-073: Server-Side Request Forgery (SSRF) in benchmark-evaluator-plugin - CVE-2023-37962, CVE-2023-37963
A Server-Side Request Forgery (SSRF) vulnerability was found in the benchmark-evaluator-plugin. The vulnerability resides in the io.jenkins.plugins.benchmark.BenchmarkBuilder#doCheckFilepath method and can be exploited without authentication. An attacker can leverage this vulnerability to send requests to arbitrary hosts.
Alvaro Munoz
GHSL-2023-071: Server-Side Request Forgery (SSRF) in sumologic-publisher-plugin - CVE-2023-37958, CVE-2023-37959
A Server-Side Request Forgery (SSRF) vulnerability was found in the sumologic-publisher-plugin. The vulnerability resides in the com.sumologic.jenkins.jenkinssumologicplugin.PluginDescriptorImpl#doTestURL method and can be exploited without authentication. An attacker can leverage this vulnerability to send requests to arbitrary hosts.
Alvaro Munoz
GHSL-2023-069: Server-Side Request Forgery (SSRF) in jenkinsci/elasticbox-plugin - CVE-2023-37964, CVE-2023-37965
A Server-Side Request Forgery (SSRF) vulnerability in jenkinsci/elasticbox-plugin allows the leak of sensitive credentials to an attacker-controlled server. The issue arises from a lack of proper input validation/sanitization of the endpointUrl parameter in multiple web methods such as SlaveConfiguration$DescriptorImpl#doGetInstances. These methods read arbitrary credentials from the credentials storage using hardcoded ACL.System permission and send them to attacker-controlled servers.
Alvaro Munoz
GHSL-2023-068: Server-Side Request Forgery (SSRF) in jenkinsci/datadog-plugin - CVE-2023-37944
A Server-Side Request Forgery (SSRF) vulnerability in jenkinsci/datadog-plugin allows the leak of sensitive credentials to an attacker-controlled server. The issue arises from a lack of proper input validation/sanitization of the targetApiURL parameter in the DatadogGlobalConfiguration#doTestConnection. These methods read arbitrary credentials from the credentials storage using hardcoded ACL.System permission and send them to attacker-controlled servers.
Alvaro Munoz
GHSL-2023-066: Server-Side Request Forgery (SSRF) in jenkinsci/macstadium-orka-plugin - CVE-2023-37949
A Server-Side Request Forgery (SSRF) vulnerability in jenkinsci/macstadium-orka-plugin allows the leak of sensitive credentials to an attacker-controlled server. The issue arises from a lack of proper input validation/sanitization of the orkaEndpoint parameter in the OrkaAgent#doFillNodeItems. This method hardcodes an ACL.System access to the credentials storage and leak the secrets to attacker-controlled servers.
Alvaro Munoz
GHSL-2023-065: Server-Side Request Forgery (SSRF) in jenkinsci/mabl-integration-plugin - CVE-2023-37952, CVE-2023-37953
Several Server-Side Request Forgery (SSRF) vulnerabilities in jenkinsci/mabl-integration-plugin allow the leak of sensitive credentials to an attacker-controlled server. The issue arises from a lack of proper input validation/sanitization of the apiBaseUrl parameter in the MablStepBuilder#doFillEnvironmentIdItems, MablStepBuilder#doFillApplicationIdItem and MablStepBuilder#doValidateForm. These methods use the ACL.System permission to access the credentials storage and can be abused to leak arbitrary secrets to attacker-controlled servers.
Alvaro Munoz
GHSL-2023-064: Cross-Site Request Forgery (CSRF) and Server-Side Request Forgery (SSRF) in jenkinsci/pipeline-restful-api-plugin - CVE-2023-37957
A Cross-Site Request Forgery (CSRF) and a Server-Side Request Forgery (SSRF) vulnerabilities in jenkinsci/pipeline-restful-api-plugin may allow an attacker to retrieve a token to impersonate its victim.
Alvaro Munoz
GHSL-2023-063: Server-Side Request Forgery (SSRF) in test-results-aggregator-plugin - CVE-2023-37955, CVE-2023-37956
A Server-Side Request Forgery (SSRF) vulnerability was found in the test-results-aggregator-plugin. The vulnerability resides in the com.jenkins.testresultsaggregator.TestResultsAggregator#doTestApiConnection method and can be exploited without authentication. An attacker can leverage this vulnerability to send requests to arbitrary hosts.
Alvaro Munoz
GHSL-2023-056: XML external entity (XXE) in Jenkins External Monitor Job Plugin - CVE-2023-37942
Jenkins External Monitor Job Plugin 203.v683c09d993b_9 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows authenticated attackers with Job Build permissions to send specific HTTP requests that force Jenkins to download and parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Tony Torralba
GHSL-2023-120: Arbitrary File Read/Write during TAR extraction in Gradle
Gradle 8.1.1 does not ensure that paths constructed from TAR archive entries are validated. This allows attackers who are able to manipulate a TAR file which is unpacked by a Gradle script to overwrite arbitrary files. It also allows attackers who are able to manipulate a TAR file which is read by a Gradle script to read arbitrary files.
Tony Torralba, Jami Cogswell
GHSL-2023-044: Unsafe Deserialization in Aerospike Java client - CVE-2023-36480
The Aerospike Java client is a Java application that implements a network protocol to communicate with an Aerospike server. Some of the messages received from the server contain Java objects that the client deserializes when it encounters them without further validation. Attackers that manage to trick clients into communicating with a malicious server can include especially crafted objects in its responses that, once deserialized by the client, force it to execute arbitrary code. This can be abused to take control of the machine the client is running on.
Tony Torralba, Joseph Farebrother
GHSL-2023-107: GitHub Actions Command Injection in Jellyfin
The jellyfin/jellyfin repository is vulnerable to a command injection in Actions, allowing an attacker to take over the GitHub Actions runner and leak secrets.
Jorge Rosillo
GHSL-2023-050: Command Injection in Apache Doris repository's CI workflow
Apache Doris repository is vulnerable to a Command Injection in the CI workflow auto_trigger_teamcity.yml.
Jorge Rosillo
GHSL-2023-115: Cross-Site Scripting (XSS) in template-workflows-plugin - CVE-2023-35146
A stored Cross-Site Scripting (XSS) vulnerability was found in the template-workflows-plugin project.
Alvaro Munoz
GHSL-2023-110: Actions command injection in the CI workflow of winglang/wing
The winglang/wing repository is vulnerable to a command injection in Actions, allowing an attacker to take over the contents of the repository and leak secrets.
Jorge Rosillo
GHSL-2023-106: Actions command injection in a new issue workflow of textualize/rich
The textualize/rich repository is vulnerable to a command injection in Actions.
Jorge Rosillo
GHSL-2023-104: Actions command injection in the CI workflow of hashicorp/terraform-cdk
The hashicorp/terraform-cdk repository is vulnerable to a command injection in Actions, allowing an attacker to take over the contents of the repository and leak secrets.
Jorge Rosillo
GHSL-2023-101: Actions command injection in the CI workflow of zcash/zcash
The zcash/zcash repository is vulnerable to a command injection in Actions, allowing an attacker to take over the contents of the repository and leak secrets.
Jorge Rosillo
GHSL-2023-099: Actions command injection in the CI workflow of iluwatar/java-design-patterns
The iluwatar/java-design-patterns repository is vulnerable to a command injection in Actions, allowing an attacker to take over the contents of the repository and leak secrets.
Jorge Rosillo
GHSL-2023-097: Cross-Site Scripting (XSS) in maven-repository-plugin - CVE-2023-35143
A stored Cross-Site Scripting (XSS) vulnerability was found in the maven-repository-plugin project.
Alvaro Munoz
GHSL-2023-095: Cross-Site Scripting (XSS) in Jenkins Sonargraph - CVE-2023-35145
Multiple reflected Cross-Site Scripting (XSS) were found in the Jenkins Sonargraph integration plugin
Alvaro Munoz
GHSL-2023-070: Server-Side Request Forgery (SSRF) in jenkinsci/dimensionsscm-plugin - CVE-2023-32262
A Server-Side Request Forgery (SSRF) vulnerability in jenkinsci/dimensionsscm-plugin allows the leak of sensitive credentials to an attacker-controlled server. The issue arises from a lack of proper input validation/sanitization of the dimensionsscm.serverPlugin parameter in the DimensionsScm#doCheckServerConfig method and the ACL.System access to the credentials storage.
Alvaro Munoz
GHSL-2023-054: Unauthenticated arbitrary file read in Jenkins plugin 3.0.12 - CVE-2023-35147
AWS CodeCommit Trigger Jenkins Plugin 3.0.12 and earlier does not restrict a file name path parameter in an HTTP endpoint, allowing authenticated attackers to read arbitrary files on the Jenkins controller file system.
Tony Torralba
GHSL-2022-097: SQL injection in rudderlabs/rudder-server - CVE-2023-30625
Blind SQL injections are present in rudderlabs/rudder-server that allows unauthenticated users to achieve Remote Code Execution.
Kevin Stubbings
GHSL-2023-025: Drive-by command injection in SRS's api-server - CVE-2023-34105
SRS's 'api-server' server is vulnerable to a drive-by command injection.
Alvaro Munoz
GHSL-2022-065: Insufficient Path Validation in Omni-Notes Android App - CVE-2023-33188
The Omni-Notes Android app has an insufficient path validation vulnerability when displaying the details of a note received through an externally-provided intent. The paths of the note's attachments are not properly validated, allowing malicious or compromised applications on the same device to force Omni-notes to copy files from its internal storage to its external storage directory, where they become accessible to any component with permission to read the external storage.
Tony Torralba
GHSL-2023-088: Arbitrary File Read in Ombi - CVE-2023-32322
Ombi, an application that allows users to request specific media from popular self-hosted streaming servers, contains a vulnerability that allows administrators to read arbitrary files on the Ombi host.
Kevin Stubbings
GHSL-2023-024: Drive-by command injection in Brook's tproxy server - CVE-2023-33965
Brook's tproxy server is vulnerable to a drive-by command injection.
Alvaro Munoz
GHSL-2023-022: Command Injection in an Apache Cloudstack CI workflow
Apache Cloudstack is vulnerable to a Command Injection in sonar-check.yml.
Jaroslav Lobacevski
GHSL-2023-077: Arbitrary file write in the File Parameters Jenkins Plugin - CVE-2023-32986
Jenkins File Parameters Plugin 285.v757c5b_67a_c25 and earlier does not restrict a file path in a job parameter, allowing attackers with the Job/Configure permission to upload arbitrary files to the Jenkins controller.
Tony Torralba
GHSL-2023-076: Information disclosure in the Sidebar Link Plug-in for Jenkins - CVE-2023-32985
Sidebar Link Plug-in for Jenkins 2.2.1 and earlier does not restrict a file path parameter in an HTTP endpoint, allowing authenticated attackers to enumerate arbitrary files on the Jenkins controller file system.
Tony Torralba
GHSL-2023-075: Server-Side Request Forgery (SSRF) in the AppSpider Jenkins plugin - CVE-2023-32998, CVE-2023-32999
A Server-Side Request Forgery (SSRF) vulnerability was found in the AppSpider Jenkins plugin. An unauthenticated attacker can leverage this vulnerability to send requests to arbitrary hosts.
Alvaro Munoz
GHSL-2023-072: Several Server-Side Request Forgery (SSRF) vulnerabilities in the Codedx Jenkins plugin - CVE-2023-2195, CVE-2023-2631
Several Server-Side Request Forgery (SSRF) vulnerabilities were found in the Codedx Jenkins plugin. An unauthenticated attacker can leverage this vulnerabilities to send requests to arbitrary hosts.
Alvaro Munoz
GHSL-2023-058_GHSL-2023-059: ZipSlip in Jenkins Pipeline Utility Steps Plugin - CVE-2023-32981
Jenkins Pipeline Utility Steps Plugin 2.15.1 and earlier allows attackers able to manipulate a TAR or ZIP file extracted by the plugin to create or replace any file on the file system.
Tony Torralba
GHSL-2023-055: XML external entity (XXE) or server-side request forgery (SSRF) in SAML SSO Jenkins Plugin - CVE-2023-32991, CVE-2023-32992
Authenticated attackers can send specific HTTP requests that force Jenkins to download and parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller, as well as server-side request forgery.
Tony Torralba
GHSL-2023-001: ReDoS in SQLparse - CVE-2023-30608
SQLparse has a ReDoS (regular expression denial of service) in the parser for SQL expressions.
Erik Krogh Kristensen
GHSL-2022-101_GHSL-2022-108: SQL injection in Archery - CVE-2023-30552, CVE-2023-30553, CVE-2023-30554, CVE-2023-30605, CVE-2023-30558, CVE-2023-30557, CVE-2023-30556, CVE-2023-30555
The Archery project contains multiple SQL injection vulnerabilities, that may allow an attacker to query the connected databases.
Sylwia Budzynska
GHSL-2023-051: Command Injection in React Native OneSignal SDK - CVE-2023-28430
React Native OneSignal SDK repository is vulnerable to a Command Injection in Zapier.yml.
Jorge Rosillo
GHSL-2023-027: Command Injection in Cocos - CVE-2023-26493
Cocos Engine is vulnerable to a Command Injection in web-interface-check.yml.
Jorge Rosillo
GHSL-2022-129: XML External Entity (XXE) injection in GeoNode - CVE-2023-26043
GeoNode is vulnerable to an XML External Entity (XXE) injection in the style upload functionality of GeoServer leading to Arbitrary File Read.
Jorge Rosillo
GHSL-2022-094: Remote Code Execution in discordrb - CVE-2023-28102
The encode_file method may lead to remote code execution if invoked with untrusted user-controlled data.
Erik Krogh Kristensen
GHSL-2021-110: ReDoS in validators
validators contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
Erik Krogh Kristensen, Rasmus Petersen
GHSL-2021-109: ReDoS in textacy
textacy contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
Erik Krogh Kristensen, Rasmus Petersen
GHSL-2022-131: XML External Entities (XXE) injection in OWSLib - CVE-2023-27476
OWSLib does not disable entity resolution for XML parsing, leading to XML External Entities (XXE) injection.
Jorge Rosillo
GHSL-2022-132_GHSL-2022-133: Server-Side Request Forgery (SSRF) and Path Injection in Metersphere - CVE-2022-23544, CVE-2022-23512
Metersphere is vulnerable to Server-Side Request Forgery and Path Injection.
Jorge Rosillo
GHSL-2022-074: Arithmetic overflow in sysstat - CVE-2022-39377
On 32 bit systems, an arithmetic overflow present in allocate_structures can be triggered when displaying activity data files and may lead to a variety of exploit primitives due to an incorrectly sized buffer.
Kevin Stubbings
GHSL-2020-295: ReDoS (Regular Expression Denial of service) in is.js - CVE-2020-26302
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Erik Krogh Kristensen
GHSL-2022-070_GHSL-2022-072: SQL injection in Arches - CVE-2022-41892
The Arches project contains multiple blind SQL injection vulnerabilities, that allow an attacker to query the underlying database.
Sylwia Budzynska
GHSL-2022-028: Copy/paste cross-site scripting (XSS) in codex-team
codex-team/editor.js is vulnerable to XSS attacks when copy/pasting specially crafted input into the editor.
Stephan Brandauer, Erik Krogh Kristensen, Daniel Santos
GHSL-2022-073: Denial of Service (DoS) in Fat Free CRM - CVE-2022-39281
A denial of service vulnerability existed in Fat Free CRM where an authenticated attacker could have prevented the web application from handling any requests.
Peter Stöckli
GHSL-2022-069: Remote Code Execution (RCE) in CircuitVerse - CVE-2022-36038
A remote code execution (RCE) vulnerability in CircuitVerse allowed authenticated attackers to execute arbitrary code via specially crafted JSON payloads.
Peter Stöckli
GHSL-2022-063: Remote Code Execution (RCE) in Arvados Workbench - CVE-2022-36006
A remote code execution (RCE) vulnerability in the Arvados Workbench allowed authenticated attackers to execute arbitrary code via specially crafted JSON payloads.
Peter Stöckli
GHSL-2022-062: Arbitrary File Read in Tasks.org Android app - CVE-2022-39349
A malicious or compromised application in the same device could force Tasks.org to copy files from its internal storage to the external storage directory, where they become accessible to any component with permission to read the external storage.
Tony Torralba
GHSL-2022-033_GHSL-2022-034: SpEL Injection in Nepxion/Discovery - CVE-2022-23463, CVE-2022-23464
Nepxion/Discovery is vulnerable to SpEL Injection in discovery-commons and a potential SSRF in discovery-plugin-admin-center.
Jorge Rosillo
GHSL-2022-030: Cross-Site Scripting (XSS) in Jodit Editor 3 - CVE-2022-23461
Jodit Editor 3 is vulnerable to XSS attacks when pasting specially constructed input.
Erik Krogh Kristensen, Stephan Brandauer, Daniel Santos
GHSL-2022-025: Regular Expression Denial of Service (ReDoS) in Apache OFBiz - CVE-2022-29158
Apache OFBiz up to version 18.12.05 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles URLs provided by external, unauthenticated users. Specially crafted URLs may cause catastrophic backtracking, taking exponential time to complete.
Tony Torralba, Joseph Farebrother
GHSL-2022-029: XSS in Toast UI Grid - CVE-2022-23458
The nhn/tui.grid component is vulnerable to XSS attacks when pasting specially crafted content into editable cells.
Erik Krogh Kristensen, Stephan Brandauer, Daniel Santos
GHSL-2022-024: Regular Expression Denial of Service (ReDoS) in the Azure SDK for Java.
The Azure SDK for Java up to version 1.5.0-beta2 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it validates tenant IDs. Specially crafted IDs may cause catastrophic backtracking, taking exponential time to complete.
Tony Torralba, Joseph Farebrother
GHSL-2022-023: Regular Expression Denial of Service (ReDoS) in Apache Ignite
Apache Ignite up to version 2.12.0 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles table names when requesting primary keys through its JDBC driver. Specially crafted table names may cause catastrophic backtracking, taking exponential time to complete.
Tony Torralba, Joseph Farebrother
GHSL-2022-022: Regular Expression Denial of Service (ReDoS) in Tapestry - CVE-2022-31781
Apache Tapestry up to version 5.8.1 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles Content Types. Specially crafted Content Types may cause catastrophic backtracking, taking exponential time to complete.
Tony Torralba, Joseph Farebrother
GHSL-2022-021: Regular Expression Denial of Service (ReDoS) in Apache Tika - CVE-2022-30126, CVE-2022-33879
Apache Tika up to version 1.28.1 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles standard references in text files. Specially crafted files may cause catastrophic backtracking, taking exponential time to complete.
Tony Torralba, Joseph Farebrother, Jaroslav Lobačevski
GHSL-2022-001: Deserialization vulnerability in Orckestra C1 CMS - CVE-2022-24789
Deserialization of untrusted data allows for Server Side Request Forgery (SSRF) or arbitrary file truncation.
Jaroslav Lobacevski
GHSL-2022-046: Arbitrary Intent in WordPress for Android leads to read and write access
The WordPress for Android app has a security issue by which a malicious application installed on the same device can send it an arbitrary Intent that gets reflected back, unintentionally giving read and write access to non-exported Content Providers in WordPress for Android.
Tony Torralba
GHSL-2021-111: ReDoS (Regular Expression Denial of Service) in Dependency Parser - CVE-2022-39280
Dependency Parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
Erik Krogh Kristensen, Rasmus Petersen
GHSL-2021-1005: Copy-paste XSS in Microweber text editor - CVE-2021-32856
Copy-paste XSS in Microweber text editor
Erik Krogh Kristensen, Daniel Santos
GHSL-2021-1035: Cross-Site Scripting (XXS) in Cockpit Next - CVE-2021-32857
Bad HTML sanitization in htmleditor.js may lead to cross-site scripting (XSS) issues.
Erik Krogh Kristensen
GHSL-2021-1034: HTML sanitizer bypass leading to XSS in esdoc-publish-html-plugin - CVE-2021-32858
The esdoc-publish-html-plugin HTML sanitizer can be bypassed which may lead to cross-site scripting (XSS) issues.
Erik Krogh Kristensen
GHSL-2021-1006: Copy-paste XSS in vditor text editor - CVE-2021-32855
Copy-paste XSS in vditor text editor
Erik Krogh Kristensen, Daniel Santos
GHSL-2021-1001: Copy-paste XSS in textAngular text editor - CVE-2021-32854
Copy-paste XSS in textAngular text editor
Erik Krogh Kristensen, Daniel Santos
GHSL-2021-070: Command injection in react-dev-utils - CVE-2020-1920
There exists a command injection in the react-dev-utils npm package, which is a part of Facebook's facebook/create-react-app repository.
Erik Krogh Kristensen
GHSL-2021-1007: SQL Injection and insufficient permission control in Nextcloud Android app - CVE-2021-43863, CVE-2021-41166
The Nextcloud Android app uses content providers to manage its data. The providers FileContentProvider and DiskLruImageCacheFileProvider have security issues (an SQL injection, and an insufficient permission control, respectively) that allow malicious apps in the same device to access Nextcloud's data bypassing the permission control system.
GitHub Security Lab
GHSL-2021-1033: Intent URI permission manipulation in Nextcloud News for Android - CVE-2021-41256
The Nextcloud News for Android app has a security issue by which a malicious application installed on the same device can send it an arbitrary Intent that gets reflected back, unintentionally giving read and write access to non-exported Content Providers in Nextcloud News for Android.
GitHub Security Lab
GHSL-2021-100: ReDoS (Regular Expression Denial of Service) in Octobox - CVE-2021-32848
A user of the system can provide a specifically crafted search query string that will trigger a ReDoS vulnerability.
Nick Rolfe
Remote Linux Kernel Heap Overflow | TIPC Module Allows Arbitrary Code Execution - CVE-2021-43267
SentinelLabs discovered a heap overflow vulnerability in the TIPC module of the Linux Kernel.
Max Van Amerongen
GHSL-2021-102: ReDoS (Regular Expression Denial of Service) in Fluentd - CVE-2021-41186
parser_apache2 plugin in Fluentd v0.14.14 to v1.14.1 suffers from a regular expression denial of service (ReDoS) vulnerability. A broken apache log with a certain pattern of string can spend too much time in a regular expression, resulting in the potential for a DoS attack.
Nick Rolfe
GHSL-2021-118: ReDoS (Regular Expression Denial of Service) in Zulip - CVE-2021-41115
Zulip contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
Erik Krogh Kristensen, Rasmus Petersen
GHSL-2020-348: ReDoS (Regular Expression Denial of Service) in DevExtreme
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Erik Krogh Kristensen
GHSL-2020-304: ReDoS (Regular Expression Denial of Service) in CyberChef
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Erik Krogh Kristensen
GHSL-2020-292: ReDoS (Regular Expression Denial of Service) in CKEditor 5 - CVE-2021-21254
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Erik Krogh Kristensen
GHSL-2021-051: Unauthenticated file read in Emby Server - CVE-2021-32833
Emby Server allows unauthenticated file read.
Jaroslav Lobacevski
GHSL-2021-098: ReDoS in OpenProject - CVE-2021-32763
A user of the system can post a message on a forum containing a specifically crafted string that will trigger a ReDoS vulnerability.
Nick Rolfe
GHSL-2020-310: ReDoS (Regular Expression Denial of Service) in Rocket Chat - CVE-2021-32832
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Erik Krogh Kristensen
GHSL-2020-258: ZipSlip vulnerability in bblfshd - CVE-2021-32825
The unsafe handling of symbolic links in an unpacking routine may enable attackers to read and/or write to arbitrary locations outside the designated target folder.
Chris Smowton
GHSL-2021-034_043: Multiple pre-auth RCEs in Apache Dubbo - CVE-2021-25641, CVE-2021-30179, CVE-2021-30180, CVE-2021-30181, CVE-2021-32824
Multiple vulnerabilities have been found in Apache Dubbo enabling attackers to compromise and run arbitrary system commands on both Dubbo consumers and providers.
Alvaro Munoz
GHSL-2021-075: Path injection in Django - CVE-2021-33203
A Path Injection issue was found in django that allows a malicious admin user to disclose the presence of files on the file-system if the module django.contrib.admindocs is enabled.
Rasmus Lerchedahl Petersen, Rasmus Wriedt Larsen
GHSL-2020-293: Regular expression Denial of Service in react-native - CVE-2020-1920
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Erik Krogh Kristensen
GHSL-2020-345: Regular expression Denial of Service in mootools - CVE-2021-32821
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Erik Krogh Kristensen
GHSL-2021-032: Template object injection in Mailtrain - CVE-2021-27136
Dangerous usage of the template rendering API may lead to Cross Site Scripting (XSS), file disclosure, and Remote Code Execution (RCE).
Agustin Gianni
GHSL-2020-373: Command injection in node-notifier
node-notifier recently addressed a command injection vulnerability with an insufficient fix, resulting in command injection through malicious input still being possible.
Erik Krogh Kristensen
GHSL-2020-357: ReDoS (Regular Expression Denial of Service) in amazeui
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Erik Krogh Kristensen
GHSL-2020-352: ReDoS (Regular Expression Denial of Service) in revalidator
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Erik Krogh Kristensen
GHSL-2020-350: ReDoS (Regular Expression Denial of Service) in ng2-validation
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Erik Krogh Kristensen
GHSL-2020-339: Command Injection vulnerability in OMF
A Command Injection vulnerability has been found in Open Modeling Framework (OMF)
GitHub Security Lab
GHSL-2020-336: reflected Cross-Site scripting (XSS) in analytics-quarry-web - CVE-2020-36324
A reflected Cross-Site scripting (XSS) vulnerability has been found in analytics-quarry-web
Rasmus Wriedt Larsen
GHSL-2021-050: Unauthenticated arbitrary file read in Jellyfin - CVE-2021-21402
Jellyfin allows unauthenticated arbitrary file read.
Jaroslav Lobacevski
GHSL-2020-358: Regular expression Denial of Service in Schema-Inspector
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Erik Krogh Kristensen
GHSL-2020-349: ReDoS (Regular Expression Denial of Service) in date-and-time - CVE-2020-26289
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Erik Krogh Kristensen
GHSL-2020-343: ReDoS (Regular Expression Denial of Service) in Vant
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Erik Krogh Kristensen
GHSL-2020-359: ReDoS (Regular Expression Denial of Service) in etherpad-lite
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Erik Krogh Kristensen
GHSL-2021-030: ReDoS (Regular expression Denial of Service in CodeMirror
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Erik Krogh Kristensen
GHSL-2020-257: The unsafe handling of symbolic links in an unpacking routine in oras - CVE-2021-21272
The unsafe handling of symbolic links in an unpacking routine may enable attackers to read and/or write to arbitrary locations outside the designated target folder.
Chris Smowton
GHSL-2020-308: ReDoS (Regular Expression Denial of Service) in TinyMCE
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Erik Krogh Kristensen
GHSL-2020-299: ReDoS (Regular Expression Denial of Service) in simple-markdown
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Erik Krogh Kristensen
GHSL-2020-294: ReDoS (Regular Expression Denial of Service) in jquery.validation - CVE-2021-21252
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Erik Krogh Kristensen
GHSL-2020-311: Regular Expression Denial of Service in SquadCal
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Erik Krogh Kristensen
GHSL-2020-309: Regular Expression Denial of Service in Fast-csv - CVE-2020-26256
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Erik Krogh Kristensen
GHSL-2020-307: Regular Expression Denial of Service in CodeMirror
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Erik Krogh Kristensen
GHSL-2020-306: Regular Expression Denial of Service in highlight.js
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Erik Krogh Kristensen
GHSL-2020-300: Regular Expression Denial of Service in markdown-to-jsx
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Erik Krogh Kristensen
GHSL-2020-298: Regular Expression Denial of Service in Metro-UI-CSS
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Erik Krogh Kristensen
GHSL-2020-262: Unsafe handling of symbolic links in go-slug unpacking routine - CVE-2020-29529
The unsafe handling of symbolic links in an unpacking routine may enable attackers to read and/or write to arbitrary locations outside the designated target folder.
Chris Smowton
GHSL-2020-261: Unsafe handling of symbolic links in oc unpacking routine - CVE-2020-27833
The unsafe handling of symbolic links in an unpacking routine may enable attackers to read and/or write to arbitrary locations outside the designated target folder.
Chris Smowton
GHSL-2020-256: Unsafe handling of symbolic links in dbdeployer unpacking routine - CVE-2020-26277
The unsafe handling of symbolic links in an unpacking routine may enable attackers to read and/or write to arbitrary locations outside the designated target folder.
Chris Smowton
GHSL-2020-252: Unsafe handling of symbolic links in archiver unpacking routine
The unsafe handling of symbolic links in an unpacking routine may enable attackers to read and/or write to arbitrary locations outside the designated target folder.
Chris Smowton
Variant analysis of the ‘Sequoia’ bug
Variant analysis of the Sequoia bug discovered by the Qualys Research team, identified by CVE-2021-33909.
Jordy Zomer
GHSL-2020-212: Template injection in Cron-utils - CVE-2020-26238
A Template Injection was identified in Cron-Utils enabling attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE) vulnerability
Alvaro Munoz
GHSL-2020-204: Server-Side Template Injection in Corona Warn App Server
A Server-Side Template Injection was identified in Corona Warn App Server enabling attackers to inject arbitrary Java EL expressions, leading to un-auth Remote Code Execution (RCE) vulnerability
Alvaro Munoz
GHSL-2020-145: Command injection on Windows in Opener
Although code execution is part of the intended purpose of Opener, a crafted url can run an arbitrary shell command rather than just launching a browser.
GitHub Security Lab
GHSL-2020-126: Open URL redirect in Orange Forum 1.x.x
There exists an `Open URL redirect` vulnerability in the 1.x.x branch of Orange Forum. An attacker can send an Orange Forum user a crafted link targeting the login page of Orange Forum, redirecting to a malicious site.
GitHub Security Lab
GHSL-2020-109: Command injection in codecov
The `upload` method has a command injection vulnerability. Clients of the `codecov-node` library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.
GitHub Security Lab
GHSL-2020-086, 087, 088, 089 - Server-Side Template Injection in Apache Camel - CVE-2020-11994
Apache Camel FreeMarker, Velocity, MVEL and Moustache components are vulnerable to Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) or Arbitrary File Disclosure.
Alvaro Munoz
GHSL-2020-069: Unsafe deserialization of XMLRPC arguments in ApacheOfBiz - CVE-2020-9496
Apache OfBiz is vulnerable to pre-auth Remote Code Execution (RCE) via unsafe deserialization.
Alvaro Munoz
GHSL-2020-068: Cross-Site Scripting in Apache OfBiz - CVE-2020-9496
Apache OfBiz is vulnerable to Reflected Cross-Site Scripting through POST request
Alvaro Munoz
GHSL-2020-055: Server-Side Template Injection in Apache Syncope (RCE) - CVE-2019-17557
The GitHub Security Lab team has identified several potential security vulnerabilities in Apache Syncope, including RCE and XSS.
Alvaro Munoz
GHSL-2020-029: Server-Side template injection in Apache Syncope (RCE) - CVE-2020-1959
The GitHub Security Labs team has identified a Server-Side template injection vulnerability in Apache Syncope, which leads to RCE.
Alvaro Munoz
GHSL-2020-085: Open redirect vulnerability in Sourcegraph - CVE-2020-12283
By exploiting an open redirect vulnerability, an attacker could potentially redirect a victim to any arbitrary URL and access their OAUTH token.
Alvaro Munoz
GHSL-2020-030: Server-Side Template Injection in Dropwizard
Server-Side Template Injection in Dropwizard leading to Remote Code Execution (RCE).
Alvaro Munoz
GHSL-2020-015: Remote Code Execution - Bypass of CVE-2018-16621 mitigations in Nexus Repository Manager
High privileged users can bypass the existing mitigations and inject arbitrary Java EL expressions in Nexus Repository Manager, leading to a Remote Code Execution (RCE) vulnerability.
Alvaro Munoz
GHSL-2020-014: Remote Code execution - Dynamic Code Evaluation via Scheduled Tasks in Nexus Repository Manager
It is possible for a user with the right permissions to execute arbitrary groovy or javascript scripts resulting in remote code execution.
Alvaro Munoz
GHSL-2020-013: Remote Code Execution - Dynamic Code Evaluation via Scripts in Nexus Repository Manager
It is possible for a user with the right permissions to execute arbitrary groovy or javascript scripts resulting in remote code execution.
Alvaro Munoz
GHSL-2020-012: Remote Code Execution - JavaEL Injection (high privileged accounts) in Nexus Repository Manager
High privileged users can inject arbitrary Java EL expressions in Nexus Repository Manager, leading to a Remote Code Execution (RCE) vulnerability.
Alvaro Munoz
GHSL-2020-016: Persistent Cross-Site scripting in Nexus Repository Manager
An attacker with elevated privileges can create content selectors with a specially crafted name using the REST API, which when viewed by another user can execute arbitrary JavaScript in the context of the NXRM application.
Alvaro Munoz
GHSL-2020-011: Remote Code Execution - JavaEL Injection (low privileged accounts) in Nexus Repository Manager
Attackers can inject arbitrary Java EL expressions in Nexus Repository Manager, leading to a Remote Code Execution (RCE) vulnerability.
Alvaro Munoz
GHSL-2020-028: Server-Side Template Injection in Netflix Titus
A Server-Side Template Injection was identified in Netflix Titus enabling attackers to inject arbitrary Java EL expressions, leading to a pre-auth Remote Code Execution (RCE) vulnerability.
Alvaro Munoz
GHSL-2020-027: Server-Side Template Injection in Netflix Conductor
A Server-Side Template Injection was identified in Netflix Conductor enabling attackers to inject arbitrary Java EL expressions, leading to a pre-auth Remote Code Execution (RCE) vulnerability.
Alvaro Munoz