skip to content
/
Research Advisories CodeQL Wall of Fame Events Get Involved
CodeQL Wall of Fame

Join us in our mission to improve open source security for all

332
vulnerabilities found
with the help of CodeQL
The GitHub Security Lab uses CodeQL to perform variant analysis, an important technique for identifying new types of security vulnerabilities of a given class. The Security Lab and its community shares its knowledge with developers, to benefit both open source and commercial organizations.
The CodeQL Wall of Fame is a (non-exhaustive) list of vulnerabilities that the GitHub Security Lab and our community have found using CodeQL. In most cases these vulnerabilities were detected as a direct result of a query launch. In other cases, CodeQL was used to explore the codebase faster and accelerate the manual audit.

Take action

Want to join us in our mission to improve open source security for all? Choose your own adventure to get started:

Get featured
Did you find a new CVE thanks to CodeQL? Open a submission to see your work displayed on the CodeQL Wall of Fame.
Secure your code
You are one click away to benefit from the power of CodeQL on your open source codebase. For private code, contact sales.
Learn CodeQL
Dive into our Capture the Flag challenges designed to sharpen your abilities while mastering CodeQL.

All advisories

Since March 2020

2024

GHSL-2024-178: Possible full repository takeover for RSSHub through Artifact Poisoning - CVE-2024-47179

RSSHub's docker-test-cont.yml workflow is vulnerable to Artifact Poisoning which may lead to a full repository takeover.
Author avatar

GHSL-2024-150_GHSL-2024-157: Possible secret exfiltration and write access to Gradio through untrusted code execution

Gradio contains multiple Workflows vulnerables to Execution of untrusted code enabling an attacker to steal secret tokens and gain write access to the Gradio repository.
Author avatar

GHSL-2024-126: Potential account takeover in Kong through Actions expression injection

Kong is vulnerable to Actions expression injection allowing an attacker to takeover the repository and steal secrets.
Author avatar

GHSL-2023-220: Reflected Cross-Site Scripting (XSS) vulnerability in Alist - CVE-2024-47067

A reflected Cross-Site Scripting (XSS) vulnerability exists in Alist that may allow unauthenticated users to steal the JWT token of users that click on a specially crafted link. In the worst case, this may allow an unauthenticated user to copy, delete and read arbitrary files on connected services or locally.
Author avatar

GHSL-2024-169: Poisoned Pipeline Execution (PPE) leads to potential repository takeover in Arduino-ESP32 - CVE-2024-45798

Arduino-esp32 is vulnerable to Poisoned Pipeline Execution (PPE) allowing malicious actors to take over the repository.
Author avatar

GHSL-2024-120: Actions code injection in Milvus leading to potential repository takeover and secrets leak

Milvus is vulnerable to Actions code injection allowing an attacker to alter the repository and steal secrets.
Author avatar

GHSL-2024-171: Poisoned Pipeline Execution (PPE) leading to potential repository takeover in QGIS

The QGIS repository is vulnerable to Poisoned Pipeline Execution (PPE) which may allow a malicious actor to take over the repository.
Author avatar

GHSL-2024-093: Remote Code Execution (RCE) in Haven - CVE-2024-39906

A command injection vulnerability in the IndieAuth functionality of the Haven blog web application leads to code execution when an authenticated administrator is tricked to access a crafted link.
Author avatar

GHSL-2024-177: Environment Variable injection in an Actions workflow of Litestar - CVE-2024-42370

Litestar docs-preview.yml workflow is vulnerable to Environment Variable injection which may lead to secret exfiltration and repository manipulation.
Author avatar

GHSL-2024-159: Poisoned Pipeline Execution (PPE) in an Actions workflow of Element+

Element+ is vulnerable to Poisoned Pipeline Execution (PPE) which may allow an attacker to gain write acces to the repository and the CROWDIN_TOKEN token.
Author avatar

GHSL-2024-058_GHSL-2024-059: Actions expression injection in an Actions workflow of starrocks

starrocks is vulnerable to Actions expression injection allowing an attacker to take over the repository and steal secrets.
Author avatar

GHSL-2024-057: Actions expression injection in an Actions workflow of Infinispan

Infinispan is vulnerable to Actions expression injection allowing an attacker to take over the repository and steal secrets.
Author avatar

GHSL-2024-054: Actions expression injection in an Actions workflow of OpenIM

OpenIM is vulnerable to Actions expression injection allowing attackers to take over the GitHub Runner and steal the BOT_GITHUB_TOKEN secret.
Author avatar

GHSL-2024-052: Actions expression injection in an Actions workflow of AsyncAPI

An AsyncAPI organization-wide workflow is vulnerable to Actions expression injection allowing an attacker to take over the repositories and steal secrets.
Author avatar

GHSL-2024-050: Actions expression injection in an Actions workflow of Cromwell

Cromwell is vulnerable to an Actions expression injection allowing an attacker to take over the repository and steal secrets.
Author avatar

GHSL-2024-049: Actions expression injection in an Actions workflow of EVE

EVE is vulnerable to Actions expression injection allowing an attacker to take over the GitHub Runner and potentially approve any Pull Requests.
Author avatar

GHSL-2024-048: Actions expression injection in a Actions workflow of Infinispan

Infinispan is vulnerable to Actions expression injection allowing an attacker to take over the repository and steal secrets.
Author avatar

GHSL-2024-035_GHSL-2024-036: CORS misconfguration and Reflected XSS in Casdoor - CVE-2024-41657, CVE-2024-41658

Casdoor is vulnerable to a CORS misconfiguration and a reflected Cross-Site Scripting (XSS) vulnerability, both of which may allow an attacker to take actions on behalf of the signed-in user.
Author avatar

GHSL-2024-031_GHSL-2024-032: unauthorized repository modification or secrets exfiltration in Actions workflows of fabric.js

Insecure usage of pull_request_target and PR title make fabric.js repository vulnerable to an unauthorized repository modification or secrets exfiltration.
Author avatar

GHSL-2024-168: Poisoned Pipeline Execution (PPE) in Stencil's pack-and-comment.yml and tech-debt-burndown.yml

Stencil's pack-and-comment.yml and tech-debt-burndown.yml workflows are vulnerable to Poisoned Pipeline Execution (PPE).
Author avatar

GHSL-2024-167: Poisoned Pipeline Execution through Code Injection in Monkeytype - CVE-2024-41127

Monkeytype is vulnerable to Poisoned Pipeline Execution through Code Injection in its ci-failure-comment.yml GitHub Workflow, enabling attackers to gain pull-requests write access.
Author avatar

GHSL-2024-163: GitHub's workflow unit-tests.yml is vulnerable to arbitrary code execution

The unit-tests.yml GitHub's workflow is vulnerable to arbitrary code execution.
Author avatar

GHSL-2024-158: Poisoned Pipeline Execution (PPE) in Excalidraw

Excalidraw is vulnerable to Poisoned Pipeline Execution (PPE) on its autorelease-preview.yml workflow allowing an external attacker to gain write access to the repository.
Author avatar

GHSL-2024-121_GHSL-2024-122: Actions expression injection in Ant-Design

Ant-Design is vulnerable to Actions expression injection allowing an attacker to alter the repository and steal secrets.
Author avatar

GHSL-2024-144: Checkout and execution of untrusted code in the GitHub workflows of JupyterLab - CVE-2024-39700

JupyterLab is vulnerable to checkout and execution of untrusted code in the GitHub workflows allowing attacker to gain write access and read secrets from the repository.
Author avatar

GHSL-2024-124_GHSL-2024-125: Actions expression injection and artifact poisoning in Quarkus

Quarkus is vulnerable to Actions expression injection and Artifact Poisoning allowing an attacker to alter the repository and steal secrets.
Author avatar

GHSL-2024-145: Actions expression injection in Discord.js

Discord.js is vulnerable to Actions expression injection allowing an attacker to take over the repository and steal secrets.
Author avatar

GHSL-2024-069: Unsafe YAML Deserialization in ngrinder

A retest of GHSL-2023-239/CVE-2024-28212 uncovered that the endpoint /script/api/github/validate of ngrinder remained susceptible to unsafe YAML deserialization.
Author avatar

GHSL-2024-030: Potential secrets exfiltration from a Pull Request in docfx

Insecure usage of pull_request_target makes docfx repository vulnerable to secrets exfiltration.
Author avatar

GHSL-2024-025_GHSL-2024-026: Potential secret exfiltration from a Pull Request in AutoGen

Several GitHub workflow may leak secret API Keys (OpenAI, Azure, Bing, etc.) when triggered by any Pull Request.
Author avatar

GHSL-2023-238_GHSL-2023-244: unauthenticated remote code execution (RCE) and other vulnerabilities in ngrinder - CVE-2024-28211, CVE-2024-28212, CVE-2024-28213, CVE-2024-28214, CVE-2024-28215, CVE-2024-28216

Several vulnerabilities were discovered in the ngrinder web application from Naver, including two unauthenticated remote code execution (RCE) vulnerabilities.
Author avatar

GHSL-2024-037: GitHub Actions expression injection in BioDrop

BioDrop is vulnerable to Actions expression injection allowing an attacker to manipulate repository issues.
Author avatar

GHSL-2024-029: Denial of Service (DoS) in Zammad - CVE-2024-33667

A denial of service (DoS) vulnerability was found in the helpdesk software Zammad. An authenticated attacker could have prevented the web application from handling any requests.
Author avatar

GHSL-2024-013_GHSL-2024-014: SQL injection vulnerability in Meshery - CVE-2024-35181, CVE-2024-35182

A SQL injection vulnerability in Meshery up to v0.7.22 allows a remote attacker to obtain sensitive information, alter database registries, or create arbitrary files via the order and sort parameters of two HTTP endpoints.
Author avatar

GHSL-2024-055: GitHub Actions expression injection in DuckDB

DuckDB is vulnerable to Actions expression injection allowing attackers to take over the repository and steal secrets.
Author avatar

GHSL-2024-053: GitHub Actions expression injection in Hedy

Hedy is vulnerable to Actions expression injection allowing attackers to take over the repository and steal secrets.
Author avatar

GHSL-2024-051: GitHub Actions expression injection in Misskey

Misskey is vulnerable to Actions expression injection allowing an attacker to take over the repository and steal secrets.
Author avatar

GHSL-2024-044: GitHub Actions expression injection in Simple Icons

Simple Icons is vulnerable to an Actions expression injection, allowing an attacker to take over the repository and steal secrets.
Author avatar

GHSL-2024-041_GHSL-2024-042: GitHub Actions expression injection in KubeBlocks

KubeBlocks is vulnerable to Actions expression injection allowing an attacker to take over the repository and steal secrets.
Author avatar

GHSL-2024-038: GitHub Actions expression injection in Kolibri

Kolibri is vulnerable to Actions expression injection allowing an attacker to alter the repository and steal secrets.
Author avatar

GHSL-2024-033: Server-Side Request Forgery (SSRF) in open-webui - CVE-2024-30256

Open-webui is vulnerable to authenticated blind server-side request forgery.
Author avatar

GHSL-2023-257: Server-Side Request Forgery (SSRF) in Plane - CVE-2024-31461

Plane v0.13-dev is vulnerable to authenticated blind server-side request forgery vulnerability.
Author avatar

GHSL-2023-253: Cross-Site Scripting (XSS) in openrasp - CVE-2024-29183

A reflected XSS vulnerability exists in the openrasp cloud interface that allows an unauthenticated attacker to gain the session of users.
Author avatar

GHSL-2023-154_GHSL-2023-156: Server-Side Request Forgery (SSRF) and Cross-Site Scripting (XSS) in memos API - CVE-2024-29028, CVE-2024-29029, CVE-2024-29030

Multiple SSRF vulnerabilities exist in the memos API service that allow unauthenticated and authenticated users to enumerate and read from the internal network. In addition, one SSRF vulnerability leads to a reflected XSS vulnerability, which may allow an attacker complete control over the administrator account.
Author avatar

GHSL-2024-010: Limited file write in Stable-diffusion-webui - CVE-2024-31462

Stable-diffusion-webui 1.7.0 is vulnerable to a limited file write affecting Windows systems.
Author avatar

GHSL-2023-277: Arbitrary File Deletion (AFD) in Owncast - CVE-2024-31450

Owncast in version 0.1.2 allows remote attackers with administrator privileges to delete arbitrary files by making a malicious POST request to /api/admin/emoji/delete.
Author avatar

GHSL-2023-225, GHSL-2023-226, GHSL-2023-227, and GHSL-2023-228: Server-Side Request Forgery (SSRF) and Denial of Service (DoS) in Mealie - CVE-2024-31991, CVE-2024-31992, CVE-2024-31993, CVE-2024-31994

Mealie v1.0.0-RC1.1 is vulnerable to multiple SSRF and DoS vulnerabilities. These vulnerabilities can be leveraged to identify, map, and retrieve the contents of webservers on Mealie's local network as well as being the victim of, or launching point for, a denial of service attack against a target of the attacker's choice.
Author avatar

GHSL-2023-015: Unsafe deserialization in Apache Submarine - CVE-2023-46302

Apache Submarine is vulnerable to unsafe deserialization due to the use of SnakeYaml's default constructor when parsing user-supplied data.
Author avatar

GHSL-2023-249: SQL injection vulnerability in Meshery - CVE-2024-29031

A SQL injection vulnerability in Meshery up to v0.6.181 allows a remote attacker to obtain sensitive information via the order parameter of GetMeshSyncResources.
Author avatar

GHSL-2023-261: Cross origin request in Owncast allows for potential account takeover - CVE-2024-29026

A lenient CORS policy allows attackers to make a cross origin request, reading privileged information. This can be used to leak the admin password.
Author avatar

GHSL-2023-235_GHSL-2023-237,GHSL-2023-251_GHSL-2023-252: Pre-authentication RCE in OpenMetadata - CVE-2024-28253, CVE-2024-28254, CVE-2024-28255, CVE-2024-28845, CVE-2024-28848

OpenMetadata is vulnerable to several SpEL Expression Injections and an authentication bypass leading to pre-authentication Remote Code Execution (RCE).
Author avatar

GHSL-2024-027_GHSL-2024-028: API abuse in codeium-chrome - CVE-2024-28120

The service worker of the codeium-chrome extension doesn't check the sender when receiving an external message. This allows an attacker to host a website that will steal the user's Codeium api-key, and thus impersonate the user on the backend autocomplete server.
Author avatar

GHSL-2023-221: Path traversal vulnerability in digdag - CVE-2024-25125

Treasure Data's digdag workload automation system was susceptible to a path traversal vulnerability if it's configured to store log files locally.
Author avatar

Finding Gadgets for CPU Side-Channels with Static Analysis Tools - CVE-2023-0458, CVE-2023-0459

We have recently begun research on using static analysis tools to find Spectre-v1 gadgets. During this research, we discovered two gadgets, one in do_prlimit (CVE-2023-0458) and one in copy_from_user (CVE-2023-0459). In this writeup, we explain these issues and how we found them.
Author avatar

GHSL-2023-200: SQL injection vulnerability in FarmBot’s web app - CVE-2023-45674

A SQL injection vulnerability was found in FarmBot’s web app that allowed authenticated attackers to extract arbitrary data from its database (including the user table).
Author avatar

GHSL-2023-140:SQL injection vulnerability in TaxonWorks - CVE-2023-43640

A SQL injection vulnerability was found in TaxonWorks that allowed authenticated attackers to extract arbitrary data from the TaxonWorks database (including the user table).
Author avatar

GHSL-2023-258_GHSL-2023-259: Reflected XSS vulnerability and CORS issue in tamagui

A reflected XSS vulnerability and a CORS issue are present on the tamagui website, tamagui.dev. These vulnerabilities may allow an attacker to leak the cookies of users, and thus impersonate users on the website.
Author avatar

GHSL-2023-275: Arbitrary command execution in verify-changed-files

The tj-actions/verify-changed-files workflow allows for command injection in changed filenames, potentially allowing an attacker to leak secrets.
Author avatar

GHSL-2023-271: Arbitrary command execution in changed-files

The tj-actions/changed-files workflow allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets.
Author avatar

GHSL-2023-268_GHSL-2023-270: Arbitrary command execution and SQL injection in Nginx-UI

Nginx-UI is a web interface to manage Nginx configurations. It is vulnerable to arbitrary command execution by abusing the configuration settings, and is also vulnerable to SQL injection.
Author avatar

2023

GHSL-2023-208: Unsafe deserialization in MkDocs

MkDocs is vulnerable to an unsafe deserialization when parsing configuration files.
Author avatar

GHSL-2023-182_GHSL-2023-184: Server-side request forgery (SSRF), arbitrary file write and limited file write vulnerabilities in mindsdb/mindsdb - CVE-2023-49795, CVE-2023-50731, CVE-2023-49796

Three vulnerabilities that can be exploited by unauthenticated users were found in MindsDB: a Server-side request forgery (SSRF) vulnerability, an arbitrary file write vulnerability and a limited file write vulnerability.
Author avatar

GHSL-2023-192_GHSL-2023-194: Several vulnerabilities in bazarr - CVE-2023-50264, CVE-2023-50265, CVE-2023-50266

Bazarr is vulnerable to unauthenticated arbitrary file reads in two endpoints and a blind server-side request forgery (SSRF).
Author avatar

GHSL-2023-218_GHSL-2023-219: Cross-Site Scripting (XSS) in scrypted

Two reflected Cross-Site Scripting (XSS) vulnerabilities exist in scrypted that may allow an attacker to impersonate any user who clicks on specially crafted links. In the worst case, an attacker may be able to impersonate an administrator and run arbitrary commands.
Author avatar

GHSL-2023-203_GHSL-2023-204: Several vulnerabilities in audiobookshelf

Audiobookshelf is vulnerable to server-side request forgery (SSRF), arbitrary file read (AFR) and arbitrary file deletion (AFD) depending on the permissions of the user.
Author avatar

GHSL-2023-028: Remote Code Execution in jellyfin - CVE-2023-48702

A user with administrator permissions is able to run arbitrary code on the jellyfin server via the /System/MediaEncoder/Path endpoint.
Author avatar

GHSL-2023-190: Several vulnerabilities in Frigate - CVE-2023-45672, CVE-2023-45671, CVE-2023-45670

Unsafe deserialization, Reflected XSS, Cross-site request forgery, and Cross-site scripting vulnerabilities found in Frigate.
Author avatar

GHSL-2023-081_GHSL-2023-082: Tar Slip vulnerabilities in Autolab - CVE-2023-32676, CVE-2023-32317

Two Tar Slip vulnerabilities were found in Autolab. Those vulnerabilities could have allowed attackers to create or replace files on the file system that in the worst case could have been executed by the application or system itself.
Author avatar

GHSL-2022-100: Path traversal vulnerability and remote code execution (RCE) vulnerability in Autolab - CVE-2022-41955,CVE-2022-41956

Two vulnerabilities were found in Autolab: File disclosure due to path traversal (GHSL-2022-100) and Authenticated Remote Code Execution (GHSL-2022-124).
Author avatar

GHSL-2023-185: Server-Side Request Forgery (SSRF) in Posthog - CVE-2023-46746

A server-side request forgery (SSRF), which can only be exploited by authenticated users, was found in Posthog.
Author avatar

GHSL-2023-141: SQL injection in Nocodb - CVE-2023-43794

Nocodb contains SQL injection vulnerability, that allows an authenticated attacker with creator access to query the underlying database.
Author avatar

GHSL-2023-108: GitHub Actions command injection in Stash

Stash repository is vulnerable to an Actions command injection in e2e.yml.
Author avatar

GHSL-2023-052: Unsafe deserialization in XXL-RPC - CVE-2023-45146

Attackers may be able to connect to the server and provide malicious serialized objects that, once deserialized, force it to execute arbitrary code.
Author avatar

GHSL-2023-191: Arbitrary File Read in ShokoServer - CVE-2023-43662

An arbitrary file read exists in the /api/Image/WithPath endpoint that would allow unauthenticated attackers to read arbitrary files on Windows systems.
Author avatar

GHSL-2023-053: Unsafe deserialization in Redisson - CVE-2023-42809

Redisson is a Java Redis client that uses the Netty framework. Some of the messages received from the Redis server contain Java objects that the client deserializes without further validation. Attackers that manage to trick clients into communicating with a malicious server can include especially crafted objects in its responses that, once deserialized by the client, force it to execute arbitrary code. This can be abused to take control of the machine the client is running in.
Author avatar

GHSL-2023-114: SSRF vulnerability in the Bitbucket Push and Pull Request Jenkins Plugin - CVE-2023-41937

Bitbucket Push and Pull Request Plugin provides a webhook endpoint at /bitbucket-hook/ that can be used to trigger builds of jobs configured to use a specified repository.In Bitbucket Plugin 2.8.3 and earlier, when a build is triggered in this way, attackers can force a connection to an arbitrary URL using the configured Bitbucket credentials.
Author avatar

GHSL-2023-181: Expression injection in the GitHub Action workflow of Pytorch

The pytorch/pytorch filter-test-configs workflow is vulnerable to an expression injection in Actions, allowing an attacker to potentially leak secrets and alter the repository using the workflow.
Author avatar

GHSL-2023-084: Cross-site scripting (XSS) in Pay - CVE-2023-30614

Pay, a payments engine for Ruby on Rails, comes with a payment info page which is susceptible to Cross-site scripting.
Author avatar

GHSL-2023-080: Unauthenticated data exfiltration in Decidim - CVE-2023-34090

Decidim, a platform for digital citizen participation, is vulnerable to non-public data exfiltration.
Author avatar

GHSL-2023-006: Cross-site scripting (XSS) in Decidim leading to potential endorsement manipulation - CVE-2023-32693

Decidim, a platform for digital citizen participation is vulnerable to Cross-site scripting. An attacker could impersonate other users and endorse or support proposals on their behalf.
Author avatar

GHSL-2023-093: Server-Side Request Forgery (SSRF) in jenkinsci/maven-artifact-choicelistprovider-plugin - CVE-2023-40347

Several Server-Side Request Forgery (SSRF) vulnerabilities in jenkinsci/maven-artifact-choicelistprovider-plugin allow the leak of sensitive credentials to an attacker-controlled server.
Author avatar

GHSL-2023-067: Server-Side Request Forgery (SSRF) in jenkinsci/servicenow-devops-plugin - CVE-2023-3414, CVE-2023-3442

A Server-Side Request Forgery (SSRF) vulnerability in jenkinsci/servicenow-devops-plugin allows the leak of sensitive credentials to an attacker-controlled server.
Author avatar

GHSL-2023-061: Cross-Site Request Forgery (CSRF) and Server-Side Request Forgery (SSRF) in jenkinsci/blueocean-plugin - CVE-2023-40341

A CSRF/SSRF vulnerability in jenkinsci/blueocean-plugin allows the leak of sensitive credentials (including GitHub credentials) to an attacker-controlled server.
Author avatar

GHSL-2022-119: Arbitrary command execution in CasaOS - CVE-2023-37469

If an authenticated user using CasaOS is able to successfully connect to a controlled SMB server, they are able to execute arbitrary commands.
Author avatar

GHSL-2023-086_GHSL-2023-087: Expression injection in a GitHub Actions workflow of Airbyte

Potential injection from the github.event.comment.body context, which may be controlled by an external user.
Author avatar

GHSL-2023-143_GHSL-2023-144: SAML signature validation bypass in OpenAM - CVE-2023-37471

Attackers can use an improper SAML signature validation to impersonate any OpenAM user, including the administrator.
Author avatar

GHSL-2023-109: GitHub Actions command injection in a TDesign Vue Next workflow

TDesign Vue Next repository is vulnerable to an Actions command injection in auto-release.yml.
Author avatar

GHSL-2023-079: Arbitrary File Exfiltration in Jenkins MathWorks Polyspace Plugin - CVE-2023-37960

Jenkins MathWorks Polyspace Plugin 1.0.5 and earlier does not restrict a file path in a job parameter, allowing attackers with the Job/Configure permission to exfiltrate arbitrary files from the Jenkins controller by sending them in an email notification.
Author avatar

GHSL-2023-074: Server-Side Request Forgery (SSRF) in miniorange-saml-sp-plugin - CVE-2023-32991, CVE-2023-32992

A Server-Side Request Forgery (SSRF) vulnerability was found in the miniorange-saml-sp-plugin. The vulnerability resides in the org.miniorange.saml.MoSAMLAddIdp#doValidateMetadataUrl method and can be exploited without authentication. An attacker can leverage this vulnerability to send requests to arbitrary hosts.
Author avatar

GHSL-2023-073: Server-Side Request Forgery (SSRF) in benchmark-evaluator-plugin - CVE-2023-37962, CVE-2023-37963

A Server-Side Request Forgery (SSRF) vulnerability was found in the benchmark-evaluator-plugin. The vulnerability resides in the io.jenkins.plugins.benchmark.BenchmarkBuilder#doCheckFilepath method and can be exploited without authentication. An attacker can leverage this vulnerability to send requests to arbitrary hosts.
Author avatar

GHSL-2023-071: Server-Side Request Forgery (SSRF) in sumologic-publisher-plugin - CVE-2023-37958, CVE-2023-37959

A Server-Side Request Forgery (SSRF) vulnerability was found in the sumologic-publisher-plugin. The vulnerability resides in the com.sumologic.jenkins.jenkinssumologicplugin.PluginDescriptorImpl#doTestURL method and can be exploited without authentication. An attacker can leverage this vulnerability to send requests to arbitrary hosts.
Author avatar

GHSL-2023-069: Server-Side Request Forgery (SSRF) in jenkinsci/elasticbox-plugin - CVE-2023-37964, CVE-2023-37965

A Server-Side Request Forgery (SSRF) vulnerability in jenkinsci/elasticbox-plugin allows the leak of sensitive credentials to an attacker-controlled server. The issue arises from a lack of proper input validation/sanitization of the endpointUrl parameter in multiple web methods such as SlaveConfiguration$DescriptorImpl#doGetInstances. These methods read arbitrary credentials from the credentials storage using hardcoded ACL.System permission and send them to attacker-controlled servers.
Author avatar

GHSL-2023-068: Server-Side Request Forgery (SSRF) in jenkinsci/datadog-plugin - CVE-2023-37944

A Server-Side Request Forgery (SSRF) vulnerability in jenkinsci/datadog-plugin allows the leak of sensitive credentials to an attacker-controlled server. The issue arises from a lack of proper input validation/sanitization of the targetApiURL parameter in the DatadogGlobalConfiguration#doTestConnection. These methods read arbitrary credentials from the credentials storage using hardcoded ACL.System permission and send them to attacker-controlled servers.
Author avatar

GHSL-2023-066: Server-Side Request Forgery (SSRF) in jenkinsci/macstadium-orka-plugin - CVE-2023-37949

A Server-Side Request Forgery (SSRF) vulnerability in jenkinsci/macstadium-orka-plugin allows the leak of sensitive credentials to an attacker-controlled server. The issue arises from a lack of proper input validation/sanitization of the orkaEndpoint parameter in the OrkaAgent#doFillNodeItems. This method hardcodes an ACL.System access to the credentials storage and leak the secrets to attacker-controlled servers.
Author avatar

GHSL-2023-065: Server-Side Request Forgery (SSRF) in jenkinsci/mabl-integration-plugin - CVE-2023-37952, CVE-2023-37953

Several Server-Side Request Forgery (SSRF) vulnerabilities in jenkinsci/mabl-integration-plugin allow the leak of sensitive credentials to an attacker-controlled server. The issue arises from a lack of proper input validation/sanitization of the apiBaseUrl parameter in the MablStepBuilder#doFillEnvironmentIdItems, MablStepBuilder#doFillApplicationIdItem and MablStepBuilder#doValidateForm. These methods use the ACL.System permission to access the credentials storage and can be abused to leak arbitrary secrets to attacker-controlled servers.
Author avatar

GHSL-2023-064: Cross-Site Request Forgery (CSRF) and Server-Side Request Forgery (SSRF) in jenkinsci/pipeline-restful-api-plugin - CVE-2023-37957

A Cross-Site Request Forgery (CSRF) and a Server-Side Request Forgery (SSRF) vulnerabilities in jenkinsci/pipeline-restful-api-plugin may allow an attacker to retrieve a token to impersonate its victim.
Author avatar

GHSL-2023-063: Server-Side Request Forgery (SSRF) in test-results-aggregator-plugin - CVE-2023-37955, CVE-2023-37956

A Server-Side Request Forgery (SSRF) vulnerability was found in the test-results-aggregator-plugin. The vulnerability resides in the com.jenkins.testresultsaggregator.TestResultsAggregator#doTestApiConnection method and can be exploited without authentication. An attacker can leverage this vulnerability to send requests to arbitrary hosts.
Author avatar

GHSL-2023-056: XML external entity (XXE) in Jenkins External Monitor Job Plugin - CVE-2023-37942

Jenkins External Monitor Job Plugin 203.v683c09d993b_9 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows authenticated attackers with Job Build permissions to send specific HTTP requests that force Jenkins to download and parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Author avatar

GHSL-2023-120: Arbitrary File Read/Write during TAR extraction in Gradle

Gradle 8.1.1 does not ensure that paths constructed from TAR archive entries are validated. This allows attackers who are able to manipulate a TAR file which is unpacked by a Gradle script to overwrite arbitrary files. It also allows attackers who are able to manipulate a TAR file which is read by a Gradle script to read arbitrary files.
Author avatar

GHSL-2023-044: Unsafe Deserialization in Aerospike Java client - CVE-2023-36480

The Aerospike Java client is a Java application that implements a network protocol to communicate with an Aerospike server. Some of the messages received from the server contain Java objects that the client deserializes when it encounters them without further validation. Attackers that manage to trick clients into communicating with a malicious server can include especially crafted objects in its responses that, once deserialized by the client, force it to execute arbitrary code. This can be abused to take control of the machine the client is running on.
Author avatar

GHSL-2023-107: GitHub Actions Command Injection in Jellyfin

The jellyfin/jellyfin repository is vulnerable to a command injection in Actions, allowing an attacker to take over the GitHub Actions runner and leak secrets.
Author avatar

GHSL-2023-050: Command Injection in Apache Doris repository's CI workflow

Apache Doris repository is vulnerable to a Command Injection in the CI workflow auto_trigger_teamcity.yml.
Author avatar

GHSL-2023-115: Cross-Site Scripting (XSS) in template-workflows-plugin - CVE-2023-35146

A stored Cross-Site Scripting (XSS) vulnerability was found in the template-workflows-plugin project.
Author avatar

GHSL-2023-110: Actions command injection in the CI workflow of winglang/wing

The winglang/wing repository is vulnerable to a command injection in Actions, allowing an attacker to take over the contents of the repository and leak secrets.
Author avatar

GHSL-2023-106: Actions command injection in a new issue workflow of textualize/rich

The textualize/rich repository is vulnerable to a command injection in Actions.
Author avatar

GHSL-2023-104: Actions command injection in the CI workflow of hashicorp/terraform-cdk

The hashicorp/terraform-cdk repository is vulnerable to a command injection in Actions, allowing an attacker to take over the contents of the repository and leak secrets.
Author avatar

GHSL-2023-101: Actions command injection in the CI workflow of zcash/zcash

The zcash/zcash repository is vulnerable to a command injection in Actions, allowing an attacker to take over the contents of the repository and leak secrets.
Author avatar

GHSL-2023-099: Actions command injection in the CI workflow of iluwatar/java-design-patterns

The iluwatar/java-design-patterns repository is vulnerable to a command injection in Actions, allowing an attacker to take over the contents of the repository and leak secrets.
Author avatar

GHSL-2023-097: Cross-Site Scripting (XSS) in maven-repository-plugin - CVE-2023-35143

A stored Cross-Site Scripting (XSS) vulnerability was found in the maven-repository-plugin project.
Author avatar

GHSL-2023-095: Cross-Site Scripting (XSS) in Jenkins Sonargraph - CVE-2023-35145

Multiple reflected Cross-Site Scripting (XSS) were found in the Jenkins Sonargraph integration plugin
Author avatar

GHSL-2023-070: Server-Side Request Forgery (SSRF) in jenkinsci/dimensionsscm-plugin - CVE-2023-32262

A Server-Side Request Forgery (SSRF) vulnerability in jenkinsci/dimensionsscm-plugin allows the leak of sensitive credentials to an attacker-controlled server. The issue arises from a lack of proper input validation/sanitization of the dimensionsscm.serverPlugin parameter in the DimensionsScm#doCheckServerConfig method and the ACL.System access to the credentials storage.
Author avatar

GHSL-2023-054: Unauthenticated arbitrary file read in Jenkins plugin 3.0.12 - CVE-2023-35147

AWS CodeCommit Trigger Jenkins Plugin 3.0.12 and earlier does not restrict a file name path parameter in an HTTP endpoint, allowing authenticated attackers to read arbitrary files on the Jenkins controller file system.
Author avatar

GHSL-2022-097: SQL injection in rudderlabs/rudder-server - CVE-2023-30625

Blind SQL injections are present in rudderlabs/rudder-server that allows unauthenticated users to achieve Remote Code Execution.
Author avatar

GHSL-2023-025: Drive-by command injection in SRS's api-server - CVE-2023-34105

SRS's 'api-server' server is vulnerable to a drive-by command injection.
Author avatar

GHSL-2022-065: Insufficient Path Validation in Omni-Notes Android App - CVE-2023-33188

The Omni-Notes Android app has an insufficient path validation vulnerability when displaying the details of a note received through an externally-provided intent. The paths of the note's attachments are not properly validated, allowing malicious or compromised applications on the same device to force Omni-notes to copy files from its internal storage to its external storage directory, where they become accessible to any component with permission to read the external storage.
Author avatar

GHSL-2023-088: Arbitrary File Read in Ombi - CVE-2023-32322

Ombi, an application that allows users to request specific media from popular self-hosted streaming servers, contains a vulnerability that allows administrators to read arbitrary files on the Ombi host.
Author avatar

GHSL-2023-022: Command Injection in an Apache Cloudstack CI workflow

Apache Cloudstack is vulnerable to a Command Injection in sonar-check.yml.
Author avatar

GHSL-2023-077: Arbitrary file write in the File Parameters Jenkins Plugin - CVE-2023-32986

Jenkins File Parameters Plugin 285.v757c5b_67a_c25 and earlier does not restrict a file path in a job parameter, allowing attackers with the Job/Configure permission to upload arbitrary files to the Jenkins controller.
Author avatar

GHSL-2023-076: Information disclosure in the Sidebar Link Plug-in for Jenkins - CVE-2023-32985

Sidebar Link Plug-in for Jenkins 2.2.1 and earlier does not restrict a file path parameter in an HTTP endpoint, allowing authenticated attackers to enumerate arbitrary files on the Jenkins controller file system.
Author avatar

GHSL-2023-075: Server-Side Request Forgery (SSRF) in the AppSpider Jenkins plugin - CVE-2023-32998, CVE-2023-32999

A Server-Side Request Forgery (SSRF) vulnerability was found in the AppSpider Jenkins plugin. An unauthenticated attacker can leverage this vulnerability to send requests to arbitrary hosts.
Author avatar

GHSL-2023-072: Several Server-Side Request Forgery (SSRF) vulnerabilities in the Codedx Jenkins plugin - CVE-2023-2195, CVE-2023-2631

Several Server-Side Request Forgery (SSRF) vulnerabilities were found in the Codedx Jenkins plugin. An unauthenticated attacker can leverage this vulnerabilities to send requests to arbitrary hosts.
Author avatar

GHSL-2023-058_GHSL-2023-059: ZipSlip in Jenkins Pipeline Utility Steps Plugin - CVE-2023-32981

Jenkins Pipeline Utility Steps Plugin 2.15.1 and earlier allows attackers able to manipulate a TAR or ZIP file extracted by the plugin to create or replace any file on the file system.
Author avatar

GHSL-2023-055: XML external entity (XXE) or server-side request forgery (SSRF) in SAML SSO Jenkins Plugin - CVE-2023-32991, CVE-2023-32992

Authenticated attackers can send specific HTTP requests that force Jenkins to download and parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller, as well as server-side request forgery.
Author avatar

GHSL-2023-001: ReDoS in SQLparse - CVE-2023-30608

SQLparse has a ReDoS (regular expression denial of service) in the parser for SQL expressions.
Author avatar

GHSL-2023-051: Command Injection in React Native OneSignal SDK - CVE-2023-28430

React Native OneSignal SDK repository is vulnerable to a Command Injection in Zapier.yml.
Author avatar

GHSL-2023-027: Command Injection in Cocos - CVE-2023-26493

Cocos Engine is vulnerable to a Command Injection in web-interface-check.yml.
Author avatar

GHSL-2022-129: XML External Entity (XXE) injection in GeoNode - CVE-2023-26043

GeoNode is vulnerable to an XML External Entity (XXE) injection in the style upload functionality of GeoServer leading to Arbitrary File Read.
Author avatar

GHSL-2022-094: Remote Code Execution in discordrb - CVE-2023-28102

The encode_file method may lead to remote code execution if invoked with untrusted user-controlled data.
Author avatar

GHSL-2021-110: ReDoS in validators

validators contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
Author avatar

GHSL-2021-109: ReDoS in textacy

textacy contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
Author avatar

GHSL-2022-131: XML External Entities (XXE) injection in OWSLib - CVE-2023-27476

OWSLib does not disable entity resolution for XML parsing, leading to XML External Entities (XXE) injection.
Author avatar

GHSL-2022-074: Arithmetic overflow in sysstat - CVE-2022-39377

On 32 bit systems, an arithmetic overflow present in allocate_structures can be triggered when displaying activity data files and may lead to a variety of exploit primitives due to an incorrectly sized buffer.
Author avatar

2022

GHSL-2020-295: ReDoS (Regular Expression Denial of service) in is.js - CVE-2020-26302

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Author avatar

GHSL-2022-070_GHSL-2022-072: SQL injection in Arches - CVE-2022-41892

The Arches project contains multiple blind SQL injection vulnerabilities, that allow an attacker to query the underlying database.
Author avatar

GHSL-2022-028: Copy/paste cross-site scripting (XSS) in codex-team

codex-team/editor.js is vulnerable to XSS attacks when copy/pasting specially crafted input into the editor.
Author avatar

GHSL-2022-073: Denial of Service (DoS) in Fat Free CRM - CVE-2022-39281

A denial of service vulnerability existed in Fat Free CRM where an authenticated attacker could have prevented the web application from handling any requests.
Author avatar

GHSL-2022-069: Remote Code Execution (RCE) in CircuitVerse - CVE-2022-36038

A remote code execution (RCE) vulnerability in CircuitVerse allowed authenticated attackers to execute arbitrary code via specially crafted JSON payloads.
Author avatar

GHSL-2022-063: Remote Code Execution (RCE) in Arvados Workbench - CVE-2022-36006

A remote code execution (RCE) vulnerability in the Arvados Workbench allowed authenticated attackers to execute arbitrary code via specially crafted JSON payloads.
Author avatar

GHSL-2022-062: Arbitrary File Read in Tasks.org Android app - CVE-2022-39349

A malicious or compromised application in the same device could force Tasks.org to copy files from its internal storage to the external storage directory, where they become accessible to any component with permission to read the external storage.
Author avatar

GHSL-2022-033_GHSL-2022-034: SpEL Injection in Nepxion/Discovery - CVE-2022-23463, CVE-2022-23464

Nepxion/Discovery is vulnerable to SpEL Injection in discovery-commons and a potential SSRF in discovery-plugin-admin-center.
Author avatar

GHSL-2022-025: Regular Expression Denial of Service (ReDoS) in Apache OFBiz - CVE-2022-29158

Apache OFBiz up to version 18.12.05 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles URLs provided by external, unauthenticated users. Specially crafted URLs may cause catastrophic backtracking, taking exponential time to complete.
Author avatar

GHSL-2022-029: XSS in Toast UI Grid - CVE-2022-23458

The nhn/tui.grid component is vulnerable to XSS attacks when pasting specially crafted content into editable cells.
Author avatar

GHSL-2022-024: Regular Expression Denial of Service (ReDoS) in the Azure SDK for Java.

The Azure SDK for Java up to version 1.5.0-beta2 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it validates tenant IDs. Specially crafted IDs may cause catastrophic backtracking, taking exponential time to complete.
Author avatar

GHSL-2022-023: Regular Expression Denial of Service (ReDoS) in Apache Ignite

Apache Ignite up to version 2.12.0 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles table names when requesting primary keys through its JDBC driver. Specially crafted table names may cause catastrophic backtracking, taking exponential time to complete.
Author avatar

GHSL-2022-022: Regular Expression Denial of Service (ReDoS) in Tapestry - CVE-2022-31781

Apache Tapestry up to version 5.8.1 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles Content Types. Specially crafted Content Types may cause catastrophic backtracking, taking exponential time to complete.
Author avatar

GHSL-2022-021: Regular Expression Denial of Service (ReDoS) in Apache Tika - CVE-2022-30126, CVE-2022-33879

Apache Tika up to version 1.28.1 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles standard references in text files. Specially crafted files may cause catastrophic backtracking, taking exponential time to complete.
Author avatar

GHSL-2022-001: Deserialization vulnerability in Orckestra C1 CMS - CVE-2022-24789

Deserialization of untrusted data allows for Server Side Request Forgery (SSRF) or arbitrary file truncation.
Author avatar

GHSL-2022-039: Exponential ReDoS (Regular Expression Denial of Service) in jquery-validation - CVE-2022-31147

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the jquery-validation npm package, when an attacker is able to supply arbitrary input to the url2 method
Author avatar

GHSL-2022-046: Arbitrary Intent in WordPress for Android leads to read and write access

The WordPress for Android app has a security issue by which a malicious application installed on the same device can send it an arbitrary Intent that gets reflected back, unintentionally giving read and write access to non-exported Content Providers in WordPress for Android.
Author avatar

GHSL-2021-111: ReDoS (Regular Expression Denial of Service) in Dependency Parser - CVE-2022-39280

Dependency Parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
Author avatar

GHSL-2021-1046: Cross-site scripting (XSS) in medium.js

medium.js is prone to XSS when handling untrusted placeholder values.
Author avatar

GHSL-2021-1035: Cross-Site Scripting (XXS) in Cockpit Next - CVE-2021-32857

Bad HTML sanitization in htmleditor.js may lead to cross-site scripting (XSS) issues.
Author avatar

GHSL-2021-1034: HTML sanitizer bypass leading to XSS in esdoc-publish-html-plugin - CVE-2021-32858

The esdoc-publish-html-plugin HTML sanitizer can be bypassed which may lead to cross-site scripting (XSS) issues.
Author avatar

GHSL-2021-070: Command injection in react-dev-utils - CVE-2020-1920

There exists a command injection in the react-dev-utils npm package, which is a part of Facebook's facebook/create-react-app repository.
Author avatar

GHSL-2021-1007: SQL Injection and insufficient permission control in Nextcloud Android app - CVE-2021-43863, CVE-2021-41166

The Nextcloud Android app uses content providers to manage its data. The providers FileContentProvider and DiskLruImageCacheFileProvider have security issues (an SQL injection, and an insufficient permission control, respectively) that allow malicious apps in the same device to access Nextcloud's data bypassing the permission control system.
Author avatar

2021

GHSL-2021-1033: Intent URI permission manipulation in Nextcloud News for Android - CVE-2021-41256

The Nextcloud News for Android app has a security issue by which a malicious application installed on the same device can send it an arbitrary Intent that gets reflected back, unintentionally giving read and write access to non-exported Content Providers in Nextcloud News for Android.
Author avatar

GHSL-2021-100: ReDoS (Regular Expression Denial of Service) in Octobox - CVE-2021-32848

A user of the system can provide a specifically crafted search query string that will trigger a ReDoS vulnerability.
Author avatar

Remote Linux Kernel Heap Overflow | TIPC Module Allows Arbitrary Code Execution - CVE-2021-43267

SentinelLabs discovered a heap overflow vulnerability in the TIPC module of the Linux Kernel.
Author avatar

GHSL-2021-102: ReDoS (Regular Expression Denial of Service) in Fluentd - CVE-2021-41186

parser_apache2 plugin in Fluentd v0.14.14 to v1.14.1 suffers from a regular expression denial of service (ReDoS) vulnerability. A broken apache log with a certain pattern of string can spend too much time in a regular expression, resulting in the potential for a DoS attack.
Author avatar

GHSL-2021-118: ReDoS (Regular Expression Denial of Service) in Zulip - CVE-2021-41115

Zulip contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
Author avatar

GHSL-2020-348: ReDoS (Regular Expression Denial of Service) in DevExtreme

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Author avatar

GHSL-2020-304: ReDoS (Regular Expression Denial of Service) in CyberChef

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Author avatar

GHSL-2020-292: ReDoS (Regular Expression Denial of Service) in CKEditor 5 - CVE-2021-21254

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Author avatar

Hunting for XSS with CodeQL

Writing a query to find clipboard-based XSS bugs.
Author avatar

GHSL-2021-098: ReDoS in OpenProject - CVE-2021-32763

A user of the system can post a message on a forum containing a specifically crafted string that will trigger a ReDoS vulnerability.
Author avatar

GHSL-2020-310: ReDoS (Regular Expression Denial of Service) in Rocket Chat - CVE-2021-32832

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Author avatar

GHSL-2020-258: ZipSlip vulnerability in bblfshd - CVE-2021-32825

The unsafe handling of symbolic links in an unpacking routine may enable attackers to read and/or write to arbitrary locations outside the designated target folder.
Author avatar

GHSL-2021-034_043: Multiple pre-auth RCEs in Apache Dubbo - CVE-2021-25641, CVE-2021-30179, CVE-2021-30180, CVE-2021-30181, CVE-2021-32824

Multiple vulnerabilities have been found in Apache Dubbo enabling attackers to compromise and run arbitrary system commands on both Dubbo consumers and providers.
Author avatar

GHSL-2021-075: Path injection in Django - CVE-2021-33203

A Path Injection issue was found in django that allows a malicious admin user to disclose the presence of files on the file-system if the module django.contrib.admindocs is enabled.
Author avatar

GHSL-2020-293: Regular expression Denial of Service in react-native - CVE-2020-1920

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Author avatar

GHSL-2020-345: Regular expression Denial of Service in mootools - CVE-2021-32821

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Author avatar

GHSL-2021-032: Template object injection in Mailtrain - CVE-2021-27136

Dangerous usage of the template rendering API may lead to Cross Site Scripting (XSS), file disclosure, and Remote Code Execution (RCE).
Author avatar

GHSL-2020-373: Command injection in node-notifier

node-notifier recently addressed a command injection vulnerability with an insufficient fix, resulting in command injection through malicious input still being possible.
Author avatar

GHSL-2020-357: ReDoS (Regular Expression Denial of Service) in amazeui

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Author avatar

GHSL-2020-352: ReDoS (Regular Expression Denial of Service) in revalidator

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Author avatar

GHSL-2020-350: ReDoS (Regular Expression Denial of Service) in ng2-validation

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Author avatar

GHSL-2020-339: Command Injection vulnerability in OMF

A Command Injection vulnerability has been found in Open Modeling Framework (OMF)
Author avatar

GHSL-2020-336: reflected Cross-Site scripting (XSS) in analytics-quarry-web - CVE-2020-36324

A reflected Cross-Site scripting (XSS) vulnerability has been found in analytics-quarry-web
Author avatar

GHSL-2020-358: Regular expression Denial of Service in Schema-Inspector

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Author avatar

GHSL-2020-349: ReDoS (Regular Expression Denial of Service) in date-and-time - CVE-2020-26289

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Author avatar

GHSL-2020-343: ReDoS (Regular Expression Denial of Service) in Vant

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Author avatar

GHSL-2020-359: ReDoS (Regular Expression Denial of Service) in etherpad-lite

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Author avatar

GHSL-2021-030: ReDoS (Regular expression Denial of Service in CodeMirror

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Author avatar

GHSL-2020-257: The unsafe handling of symbolic links in an unpacking routine in oras - CVE-2021-21272

The unsafe handling of symbolic links in an unpacking routine may enable attackers to read and/or write to arbitrary locations outside the designated target folder.
Author avatar

GHSL-2020-308: ReDoS (Regular Expression Denial of Service) in TinyMCE

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Author avatar

GHSL-2020-299: ReDoS (Regular Expression Denial of Service) in simple-markdown

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Author avatar

GHSL-2020-294: ReDoS (Regular Expression Denial of Service) in jquery.validation - CVE-2021-21252

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Author avatar

GHSL-2020-311: Regular Expression Denial of Service in SquadCal

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Author avatar

GHSL-2020-309: Regular Expression Denial of Service in Fast-csv - CVE-2020-26256

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Author avatar

GHSL-2020-307: Regular Expression Denial of Service in CodeMirror

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Author avatar

GHSL-2020-306: Regular Expression Denial of Service in highlight.js

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Author avatar

GHSL-2020-300: Regular Expression Denial of Service in markdown-to-jsx

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Author avatar

GHSL-2020-298: Regular Expression Denial of Service in Metro-UI-CSS

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
Author avatar

GHSL-2020-262: Unsafe handling of symbolic links in go-slug unpacking routine - CVE-2020-29529

The unsafe handling of symbolic links in an unpacking routine may enable attackers to read and/or write to arbitrary locations outside the designated target folder.
Author avatar

GHSL-2020-261: Unsafe handling of symbolic links in oc unpacking routine - CVE-2020-27833

The unsafe handling of symbolic links in an unpacking routine may enable attackers to read and/or write to arbitrary locations outside the designated target folder.
Author avatar

GHSL-2020-256: Unsafe handling of symbolic links in dbdeployer unpacking routine - CVE-2020-26277

The unsafe handling of symbolic links in an unpacking routine may enable attackers to read and/or write to arbitrary locations outside the designated target folder.
Author avatar

GHSL-2020-252: Unsafe handling of symbolic links in archiver unpacking routine

The unsafe handling of symbolic links in an unpacking routine may enable attackers to read and/or write to arbitrary locations outside the designated target folder.
Author avatar

2020

Variant analysis of the ‘Sequoia’ bug

Variant analysis of the Sequoia bug discovered by the Qualys Research team, identified by CVE-2021-33909.
Author avatar

GHSL-2020-212: Template injection in Cron-utils - CVE-2020-26238

A Template Injection was identified in Cron-Utils enabling attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE) vulnerability
Author avatar

GHSL-2020-204: Server-Side Template Injection in Corona Warn App Server

A Server-Side Template Injection was identified in Corona Warn App Server enabling attackers to inject arbitrary Java EL expressions, leading to un-auth Remote Code Execution (RCE) vulnerability
Author avatar

GHSL-2020-145: Command injection on Windows in Opener

Although code execution is part of the intended purpose of Opener, a crafted url can run an arbitrary shell command rather than just launching a browser.
Author avatar

GHSL-2020-126: Open URL redirect in Orange Forum 1.x.x

There exists an `Open URL redirect` vulnerability in the 1.x.x branch of Orange Forum. An attacker can send an Orange Forum user a crafted link targeting the login page of Orange Forum, redirecting to a malicious site.
Author avatar

GHSL-2020-109: Command injection in codecov

The `upload` method has a command injection vulnerability. Clients of the `codecov-node` library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.
Author avatar

GHSL-2020-086, 087, 088, 089 - Server-Side Template Injection in Apache Camel - CVE-2020-11994

Apache Camel FreeMarker, Velocity, MVEL and Moustache components are vulnerable to Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) or Arbitrary File Disclosure.
Author avatar

GHSL-2020-069: Unsafe deserialization of XMLRPC arguments in ApacheOfBiz - CVE-2020-9496

Apache OfBiz is vulnerable to pre-auth Remote Code Execution (RCE) via unsafe deserialization.
Author avatar

GHSL-2020-068: Cross-Site Scripting in Apache OfBiz - CVE-2020-9496

Apache OfBiz is vulnerable to Reflected Cross-Site Scripting through POST request
Author avatar

GHSL-2020-055: Server-Side Template Injection in Apache Syncope (RCE) - CVE-2019-17557

The GitHub Security Lab team has identified several potential security vulnerabilities in Apache Syncope, including RCE and XSS.
Author avatar

GHSL-2020-029: Server-Side template injection in Apache Syncope (RCE) - CVE-2020-1959

The GitHub Security Labs team has identified a Server-Side template injection vulnerability in Apache Syncope, which leads to RCE.
Author avatar

GHSL-2020-085: Open redirect vulnerability in Sourcegraph - CVE-2020-12283

By exploiting an open redirect vulnerability, an attacker could potentially redirect a victim to any arbitrary URL and access their OAUTH token.
Author avatar

GHSL-2020-030: Server-Side Template Injection in Dropwizard

Server-Side Template Injection in Dropwizard leading to Remote Code Execution (RCE).
Author avatar

GHSL-2020-015: Remote Code Execution - Bypass of CVE-2018-16621 mitigations in Nexus Repository Manager

High privileged users can bypass the existing mitigations and inject arbitrary Java EL expressions in Nexus Repository Manager, leading to a Remote Code Execution (RCE) vulnerability.
Author avatar

GHSL-2020-014: Remote Code execution - Dynamic Code Evaluation via Scheduled Tasks in Nexus Repository Manager

It is possible for a user with the right permissions to execute arbitrary groovy or javascript scripts resulting in remote code execution.
Author avatar

GHSL-2020-013: Remote Code Execution - Dynamic Code Evaluation via Scripts in Nexus Repository Manager

It is possible for a user with the right permissions to execute arbitrary groovy or javascript scripts resulting in remote code execution.
Author avatar

GHSL-2020-012: Remote Code Execution - JavaEL Injection (high privileged accounts) in Nexus Repository Manager

High privileged users can inject arbitrary Java EL expressions in Nexus Repository Manager, leading to a Remote Code Execution (RCE) vulnerability.
Author avatar

GHSL-2020-016: Persistent Cross-Site scripting in Nexus Repository Manager

An attacker with elevated privileges can create content selectors with a specially crafted name using the REST API, which when viewed by another user can execute arbitrary JavaScript in the context of the NXRM application.
Author avatar

GHSL-2020-011: Remote Code Execution - JavaEL Injection (low privileged accounts) in Nexus Repository Manager

Attackers can inject arbitrary Java EL expressions in Nexus Repository Manager, leading to a Remote Code Execution (RCE) vulnerability.
Author avatar

GHSL-2020-028: Server-Side Template Injection in Netflix Titus

A Server-Side Template Injection was identified in Netflix Titus enabling attackers to inject arbitrary Java EL expressions, leading to a pre-auth Remote Code Execution (RCE) vulnerability.
Author avatar

GHSL-2020-027: Server-Side Template Injection in Netflix Conductor

A Server-Side Template Injection was identified in Netflix Conductor enabling attackers to inject arbitrary Java EL expressions, leading to a pre-auth Remote Code Execution (RCE) vulnerability.
Author avatar