Vulnerabilities we've disclosed

GitHub Security Lab researchers find vulnerabilities in key, widely-used open source projects. We then coordinate the disclosure of those vulnerabilities to security teams at those projects. We only publish vulnerabilities here after they’ve been announced by the affected projects' development teams and patches are available. See our disclosure policy below for more information.

114 CVEs discovered by GitHub Security Lab
  • XSS vulnerability in hotspot link
    CVE-2019-16763 • Pannellum • published 15 days ago • discovered by Max Schaefer
    A malicious user can inject a data: or vbscript: hotspot link if they control the viewer configuration, which leads to XSS once a user clicks the link.
  • Integer overflow in amqp_handle_input
    CVE-2019-18609 • rabbitmq-c • published a month ago • discovered by Agustin Gianni
  • Remote denial of service or possible information disclosure when connecting to a malicious SSH server
    CVE-2019-17498 • libssh2 • published 2 months ago • discovered by Kevin Backhouse
    A malicious SSH server can trigger an out-of-bounds read by sending a crafted disconnect message, possibly leading to denial of service or information disclosure.
  • Heap-based overflow in contrib/pmaixforwardedfrom/pmaixforwardedfrom.c
    CVE-2019-17041 • rsyslog • published 2 months ago • discovered by Agustin Gianni
  • Out-of-bounds read in contrib/pmdb2diag/pmdb2diag.c
    CVE-2019-17040 • rsyslog • published 2 months ago • discovered by Agustin Gianni
  • Heap-based overflow in contrib/pmcisconames/pmcisconames.c
    CVE-2019-17042 • rsyslog • published 2 months ago • discovered by Agustin Gianni
  • Use after free in media session
    CVE-2019-5876 • Google Chromium • published 3 months ago • discovered by Man Yue Mo
  • Multiple NULL deref on alloc_workqueue
    CVE-2019-16230, CVE-2019-16231, CVE-2019-16232, CVE-2019-16233, CVE-2019-16234 • Linux Kernel • published 3 months ago • discovered by Nico Waisman
  • Stack based out-of-bounds memory read
    CVE-2019-15026 • Memcached • published 3 months ago • discovered by Antonio
  • 13 remote code vulnerabilities in UBoot including stack overflows
  • 12 memory corruption vulnerabilities including heap overflows
  • File Permission Problems on NPS
    CVE-2019-15119 • NPS • published 4 months ago • discovered by Nico Waisman
  • Heap Overflow parsing MTM
    CVE-2019-14524 • schismtracker • published 4 months ago • discovered by Nico Waisman
  • Heap Overflow parsing Amiga Oktalyzer files
    CVE-2019-14523 • schismtracker • published 4 months ago • discovered by Nico Waisman
  • Local privilege escalation due to TOCTOU in crash reporter
    CVE-2019-7307 • Ubuntu Apport • published 5 months ago • discovered by Kevin Backhouse
    A time-of-check to time-of-use (TOCTOU) vulnerability in Apport enables an unprivileged local user to trick Apport into including the contents of an arbitrary file in a crash report.
  • Denial of service (crash due to heap buffer overflow) when handling large crash dumps
    CVE-2019-11476 • Ubuntu whoopsie • published 5 months ago • discovered by Kevin Backhouse
    An integer overflow when reading large crash dumps (> 4GB) leads to a heap buffer overflow, which may enable a local attacker to gain code execution in the whoopsie daemon. This could enable an attacker to read crash reports belonging to other users and thereby gain access to privileged information.
  • Remote information disclosure when connecting to a malicious SSH server
    CVE-2019-13115 • libssh2 • published 6 months ago • discovered by Kevin Backhouse
    A malicious SSH server can trigger an out-of-bounds read during Diffie-Hellman key exchange, possibly leading to remote information disclosure.
  • Denial of service due to heap corruption in PHP function scrypt_enc
    CVE-2019-3570 • Facebook HHVM • published 6 months ago • discovered by Robert Marsh
    If an attacker is able to control the parameters of a call to the PHP function scrypt_enc, then they can trigger an integer overflow leading to a heap corruption, thereby possibly achieving code execution. There is no risk of exploitation if the server-side PHP code does not pass untrusted parameters to scrypt_enc.
  • Denial of service (uncaught std::bad_alloc exception) when reading a crafted PNG image file
    CVE-2019-13112 • Exiv2 • published 7 months ago • discovered by Kevin Backhouse
    A PngChunk::parseChunkContent uncontrolled memory allocation in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (crash due to an std::bad_alloc exception) via a crafted PNG image file.
  • Denial of service (integer overflow leading to an out-of-bounds read) when reading a crafted CRW image file
    CVE-2019-13110 • Exiv2 • published 7 months ago • discovered by Kevin Backhouse
    A CiffDirectory::readDirectory integer overflow and out-of-bounds read in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (SIGSEGV) via a crafted CRW image file.
  • Denial of service (assertion failure) when reading a crafted CRW image file
    CVE-2019-13113 • Exiv2 • published 7 months ago • discovered by Kevin Backhouse
    Exiv2 through 0.27.1 allows an attacker to cause a denial of service (crash due to assertion failure) via an invalid data location in a CRW image file.
  • Denial of service (SIGSEGV) when reading a crafted PNG image file
    CVE-2019-13108 • Exiv2 • published 7 months ago • discovered by Kevin Backhouse
    An integer overflow in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (SIGSEGV) via a crafted PNG image file, because PngImage::readMetadata mishandles a zero value for iccOffset.
  • Denial of service (integer overflow leading to a very large allocation) when reading a crafted PNG image file
    CVE-2019-13109 • Exiv2 • published 7 months ago • discovered by Kevin Backhouse
    An integer overflow in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (SIGSEGV) via a crafted PNG image file, because PngImage::readMetadata mishandles a chunkLength - iccOffset subtraction.
  • Remote denial of service (null pointer dereference) when connecting to a malicious HTTP server
    CVE-2019-13114 • Exiv2 • published 7 months ago • discovered by Kevin Backhouse
    http.cpp in Exiv2 through 0.27.1 allows a malicious HTTP server to cause a denial of service (crash due to a NULL pointer dereference) by returning a crafted response that lacks a space character.
  • Denial of service (integer overflow leading to a very large allocation) when reading a crafted WEBP image file
    CVE-2019-13111 • Exiv2 • published 7 months ago • discovered by Kevin Backhouse
    A WebPImage::decodeChunks integer overflow in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (large heap allocation followed by a very long running loop) via a crafted WEBP image file.
  • Denial of service vulnerability in Facebook Fizz
    CVE-2019-3560 • Facebook Fizz • published 9 months ago • discovered by Kevin Backhouse
    An unauthenticated remote attacker could cause a denial of service by triggering an infinite loop in Fizz, Facebook's open source TLS library.
  • Denial of service due to quadratic call to sscanf in srtdec.c (close brace scanning)
    CVE-2019-9717 • libav • published 9 months ago • discovered by Kevin Backhouse
    In Libav 12.3, a denial of service in the subtitle decoder allows attackers to hog the CPU via a crafted video file in Matroska format, because srt_to_ass in libavcodec/srtdec.c has a complex format argument to sscanf.
  • Denial of service due to use of sscanf in inner loop in htmlsubtitles.c (close tag scanning)
    CVE-2019-9718 • FFmpeg • published 9 months ago • discovered by Kevin Backhouse
    In FFmpeg 4.1, a denial of service in the subtitle decoder allows attackers to hog the CPU via a crafted video file in Matroska format, because ff_htmlmarkup_to_ass in libavcodec/htmlsubtitles.c has a complex format argument to sscanf.
  • FFmpeg denial of service due to use of sscanf in inner loop in htmlsubtitles.c (close brace scanning)
    CVE-2019-9721 • FFmpeg • published 9 months ago • discovered by Kevin Backhouse
    A denial of service in the subtitle decoder in FFmpeg 4.1 allows attackers to hog the CPU via a crafted video file in Matroska format, because handle_open_brace in libavcodec/htmlsubtitles.c has a complex format argument to sscanf.
  • Stack buffer overflow in libav (snprintf overflow)
    CVE-2019-9719 • libav • published 9 months ago • discovered by Nick Rolfe & Kevin Backhouse
    A stack-based buffer overflow in the subtitle decoder in Libav 12.3 allows attackers to corrupt the stack via a crafted video file in Matroska format, because srt_to_ass in libavcodec/srtdec.c misuses snprintf.
  • Denial of service due to quadratic call to strstr in srtdec.c (close tag scanning)
    CVE-2019-9720 • libav • published 9 months ago • discovered by Kevin Backhouse
    A denial of service in the subtitle decoder in Libav 12.3 allows attackers to hog the CPU via a crafted video file in Matroska format, because srt_to_ass in libavcodec/srtdec.c misuses strstr.
  • Information disclosure vulnerability due to unsafe XML External Entities processing
    CVE-2018-20222 • Airsonic • published 10 months ago • discovered by Bas van Schaik
    An attacker with permissions to manage podcasts can read (and publish) arbitrary files from the server hosting an Airsonic media streamer by uploading a specially-crafted XML podcast specification containing one or more XML external entities.
  • Ansible: path traversal in the fetch module
    CVE-2019-3828 • Red Hat Ansible • published 10 months ago • discovered by Kevin Backhouse
    Ansible fetch module has a path traversal vulnerability which allows copying and overwriting files outside of the specified destination in the local ansible controller host, by not restricting an absolute path.
  • SPARQL injection in VIVO
    CVE-2019-6986 • VIVO Project Vitro • published 10 months ago • discovered by Kevin Backhouse
    SPARQL Injection in VIVO Vitro v1.10.0 allows a remote attacker to execute arbitrary SPARQL via the uri parameter, leading to a regular expression denial of service (ReDoS), as demonstrated by crafted use of FILTER%20regex in a /individual?uri= request.
  • Command Injection Vulnerability in kill-port Package
    CVE-2019-5414 • npm kill-port • published a year ago • discovered by Cristian-Alexandru Staicu
    If an attacker can control the port, which in itself is a very sensitive value, they can inject arbitrary OS commands due to the usage of exec in a third-party module.
  • Denial of service (infinite loop) in Apple's packet-mangler
    CVE-2018-4460 • Apple XNU kernel • published a year ago • discovered by Kevin Backhouse
    This vulnerability affects a range of Apple products. If the kernel's packet-mangler is enabled, it allows an attacker to remotely trigger an infinite loop in the kernel, thereby preventing the device from accessing the internet and hogging one of its CPU cores.
  • Prototype pollution in node.extend package
    CVE-2018-16491 • npm node.extend • published a year ago • discovered by Asger Feldthaus
    The node.extend package can be tricked into adding or modifying properties of the Object prototype.
  • Prototype pollution in just-extend package
    CVE-2018-16489 • npm just-extend • published a year ago • discovered by Asger Feldthaus
    The just-extend package can be tricked into adding or modifying properties of the Object prototype.
  • Prototype pollution in mpath package
    CVE-2018-16490 • npm mpath • published a year ago • discovered by Cristian-Alexandru Staicu
    If an attacker controls the name of the property to set, they can inject arbitrary properties on Object.prototype.
  • Type confusion vulnerability in Ghostscript when opening or processing PS and PDF files
    CVE-2018-19476, CVE-2018-19477 • Artifex Ghostscript • published a year ago • discovered by Man Yue Mo
    Using a specially-crafted PS or PDF file, an attacker can corrupt memory when the file is opened or processed by Ghostscript. This is caused by insufficient type checking, leading to type confusion, which could potentially be exploited to execute code even when Ghostscript is running in sandbox mode (using the '-dSAFER' option).
  • RCE vulnerability in Ghostscript when opening or processing PS and PDF files
    CVE-2018-19475 • Artifex Ghostscript • published a year ago • discovered by Man Yue Mo
    Using a specially-crafted PS or PDF file, an attacker can execute arbitrary shell commands when the file is opened or processed by Ghostscript, even when Ghostscript is running in sandbox mode (using the '-dSAFER' option).
  • RCE vulnerability in Ghostscript when opening or processing PS and PDF files
    CVE-2018-19134 • Artifex Ghostscript • published a year ago • discovered by Man Yue Mo
    Using a specially-crafted PS or PDF file, an attacker can execute arbitrary code when the file is opened or processed by Ghostscript, even when Ghostscript is running in sandbox mode (using the '-dSAFER' option). This is caused by insufficient type checking, leading to type confusion and memory corruption, which can be exploited to execute code.
  • Prototype pollution in cached-path-relative package
    CVE-2018-16472 • npm cached-path-relative • published a year ago • discovered by Cristian-Alexandru Staicu
    If an attacker controls both the path and the cached value, they can deploy a prototype pollution attack and thus overwrite arbitrary properties on Object.prototype.
  • RCE vulnerability in Icecast Server
    CVE-2018-18820 • Xiph Icecast • published a year ago • discovered by Nick Rolfe
    A remote code execution vulnerability exists in the way the Icecast streaming media server copies HTTP headers from a user request when preparing a request to send to an authentication server. The vulnerability could allow an attacker to craft special HTTP headers that corrupt memory and execute arbitrary code on the server.
  • Kernel crash caused by buffer overflow in Apple's ICMP packet-handling code
    CVE-2018-4407 • Apple XNU kernel • published a year ago • discovered by Kevin Backhouse
  • Prototype pollution in lodash package
    CVE-2018-16487 • npm lodash • published a year ago • discovered by Asger Feldthaus
    The functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of the Object prototype.
  • Kernel RCE caused by buffer overflows in macOS NFS client
    CVE-2018-4259, CVE-2018-4286, CVE-2018-4287, CVE-2018-4288, CVE-2018-4291 • Apple XNU kernel • published a year ago • discovered by Kevin Backhouse
    A malicious NFS server can trigger a buffer overflow in the kernel when a Mac attempts to mount the NFS share.
  • Code Injection Vulnerability in morgan Package
    CVE-2019-5413 • npm morgan • published a year ago • discovered by Cristian-Alexandru Staicu
    An attacker can use the format parameter to inject arbitrary commands.
  • Command injection in libnmap package
    CVE-2018-16461 • npm libnmap • published a year ago • discovered by Cristian-Alexandru Staicu
    If an attacker controls the range field for the network scan, they can inject arbitrary OS commands instead of an IP range.
  • Prototype pollution in merge package
    CVE-2018-16469 • npm merge • published a year ago • discovered by Asger Feldthaus
    The merge.recursive function can be tricked into adding or modifying properties of the Object prototype.
  • Prototype pollution in defaults-deep package
    CVE-2018-16486 • npm defaults-deep • published a year ago • discovered by Asger Feldthaus
    The defaults-deep package can be tricked into adding or modifying properties of the Object prototype.
  • Command injection in ps package
    CVE-2018-16460 • npm ps • published a year ago • discovered by Cristian-Alexandru Staicu
    If an attacker controls the pid parameter, they can inject arbitrary OS commands instead of a process ID.
  • Prototype pollution in extend package
    CVE-2018-16492 • npm extend • published a year ago • discovered by Asger Feldthaus
    The extend package can be tricked into adding or modifying properties of the Object prototype.
  • RCE vulnerability in Apache Struts
    CVE-2018-11776 • Apache Struts • published a year ago • discovered by Man Yue Mo
    Under certain common configurations, Struts evaluates untrusted user input as OGNL to compute the namespace, which allows an attacker to execute arbitrary code.
  • RCE in Apache Ignite via GridClientJdkMarshaller
    CVE-2018-8018 • Apache Ignite • published a year ago • discovered by Man Yue Mo
    An attacker can execute arbitrary code on Ignite nodes via the GridClientJdkMarshaller deserialization endpoint when the Ignite classpath contains vulnerable classes.
  • Chakra Scripting Engine Memory Corruption Vulnerability
    CVE-2018-8294 • Microsoft Edge Browser • published a year ago • discovered by Pavel Avgustinov & Nick Rolfe
    A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • RCE in Apple's packet-mangler
    CVE-2018-4249 • Apple XNU kernel • published 2 years ago • discovered by Kevin Backhouse
    An issue was discovered in certain Apple products. iOS before 11.4 is affected. macOS before 10.13.5 is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves pktmnglr_ipfilter_input in com.apple.packet-mangler in the "Kernel" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (integer overflow and stack-based buffer overflow) via a crafted app.
  • Apache Batik information disclosure vulnerability
    CVE-2018-8013 • Apache Batik • published 2 years ago • discovered by Man Yue Mo
    When deserializing subclasses of AbstractDocument, the class takes a string from the inputStream as the class name. This name is then used to call the no-arg constructor of the class. This vulnerability was fixed by checking the class type before calling newInstance in deserialization.
  • Buffer underflow vulnerability in strongSwan VPN charon server
    CVE-2018-5388 • strongSwan • published 2 years ago • discovered by Kevin Backhouse
    A remote attacker with local user credentials (possibly a normal user in the vpn group, or root) may be able to underflow the buffer and cause a denial of service.
  • Possible RCE in Apache Ignite deserialization endpoints
    CVE-2018-1295 • Apache Ignite • published 2 years ago • discovered by Man Yue Mo
    The Apache Ignite serialization mechanism does not have a list of classes allowed for serialization/deserialization, which makes it possible to run arbitrary code when 3rd party vulnerable classes are present in the Ignite classpath. An attacker can exploit the vulnerability by sending a specially crafted serialized object to one of the deserialization endpoints of some Ignite components: discovery SPI, Ignite persistence, Memcached endpoint and socket streamer.
  • Negative integer overflows in Apple's NFS Diskless Boot
    CVE-2018-4136, CVE-2018-4160 • Apple XNU kernel • published 2 years ago • discovered by Jonas Jensen
  • Stack buffer overflow in rsyslog librelp
    CVE-2018-1000140 • rsyslog • published 2 years ago • discovered by Bas van Schaik & Kevin Backhouse
    rsyslog librelp version 1.2.14 and earlier contains a Buffer Overflow vulnerability in the checking of x509 certificates from a peer that can result in remote code execution.
  • RCE in Apache Geode due to unsafe deserialization of application objects
    CVE-2017-15693 • Apache Geode • published 2 years ago • discovered by Man Yue Mo
    The Geode server stores application objects in serialized form. Certain cluster operations and API invocations cause these objects to be deserialized. A user with DATA:WRITE access to the cluster may be able to cause remote code execution if certain classes are present on the classpath.
  • RCE in Apache Geode due to unsafe deserialization in TcpServer
    CVE-2017-15692 • Apache Geode • published 2 years ago • discovered by Man Yue Mo
    The TcpServer within the Geode locator opens a network port that deserializes data. If an unprivileged user gains access to the Geode locator, they may be able to cause remote code execution if certain classes are present on the classpath.
  • RCE in Apple's packet-mangler
    CVE-2017-13904 • Apple XNU kernel • published 2 years ago • discovered by Kevin Backhouse
    An issue was discovered in certain Apple products. iOS before 11.2 is affected. macOS before 10.13.2 is affected. tvOS before 11.2 is affected. watchOS before 4.2 is affected. The issue involves the "Kernel" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.
  • Unsafe deserialization in Infinispan
    CVE-2017-15089 • Red Hat Infinispan • published 2 years ago • discovered by Man Yue Mo
    The Hotrod client in Infinispan would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct further attacks.
  • XSS in Etherpad Lite before v1.6.3 via window.location.href
    CVE-2018-6834 • Etherpad Lite • published 2 years ago • discovered by Man Yue Mo
    A page in the pad editor of Etherpad Lite is vulnerable to cross site scripting (XSS) attack via a maliciously crafted link. This affects all versions of Etherpad Lite before v1.6.3 was released.
  • RFD vulnerability in Etherpad Lite's HTTP API
    CVE-2018-6835 • Etherpad Lite • published 2 years ago • discovered by Man Yue Mo
    Versions of Etherpad Lite before the release of v1.16.3 fail to sanitize the name of the JSONP callback function used in the HTTP API. This allows remote attackers to bypass intended access restrictions, making the HTTP API vulnerable to a reflected file download (RFD) attack.
  • XXE vulnerability in Apache Hadoop
    CVE-2017-15713 • Apache Hadoop • published 2 years ago • discovered by Man Yue Mo
    This vulnerability in Apache Hadoop allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.
  • Apache Camel's Castor unmarshalling operation is vulnerable to RCE attacks
    CVE-2017-12634 • Apache Camel-Castor • published 2 years ago • discovered by Man Yue Mo
    Apache Camel's camel-castor component has a Java object deserialization vulnerability. Deserializing untrusted data can lead to security flaws.
  • Memory exposure vulnerability in DTrace
    CVE-2017-13782 • Apple XNU kernel • published 2 years ago • discovered by Kevin Backhouse
    This vulnerability gives a local attacker who can trigger DTrace to run the ability to read any memory address within a 32GB range of the kernel's address space.
  • XXE vulnerability in JBoss business process manager
    CVE-2017-7545 • Red Hat JBoss Process Manager • published 2 years ago • discovered by Man Yue Mo
    The XmlUtils class in jbpmmigration performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML external entity (XXE) attacks.
  • Parameter entity XXE vulnerability in Restlet
    CVE-2017-14949 • Restlet • published 2 years ago • discovered by Man Yue Mo
    Restlet Framework before 2.3.12 allows remote attackers to access arbitrary files via a crafted REST API HTTP request that conducts an XXE attack, because only general external entities (not parameter external entities) are properly considered. This is related to XmlRepresentation, DOMRepresentation, SaxRepresentation, and JacksonRepresentation.
  • XML External Entity expansion vulnerability in Restlet
    CVE-2017-14868 • Restlet • published 2 years ago • discovered by Man Yue Mo
    Restlet Framework before 2.3.11, when using SimpleXMLProvider, allows remote attackers to access arbitrary files via an XXE attack in a REST API HTTP request. This affects use of the Jax-rs extension.
  • RCE in PATCH requests in Spring Data REST
    CVE-2017-8046 • Spring Data REST • published 2 years ago • discovered by Man Yue Mo
    Malicious PATCH requests submitted to servers using Spring Data REST backed HTTP resources can use specially crafted JSON data to run arbitrary Java code.
  • RCE vulnerability in Spring AMQP
    CVE-2017-8045 • Spring AMQP • published 2 years ago • discovered by Man Yue Mo
    In Pivotal Spring AMQP versions before 1.7.4, 1.6.11, and 1.5.7, an org.springframework.amqp.core.Message may be unsafely deserialized when being converted into a string. A malicious payload could be crafted to exploit this and enable a remote code execution attack.
  • RCE vulnerability in the Apache Struts REST plugin
    CVE-2017-9805 • Apache Struts • published 2 years ago • discovered by Man Yue Mo
    In vulnerable versions of Apache Struts, the REST plugin uses an XStreamHandler with an instance of XStream to deserialize data without applying any type filtering. This makes it possible to provide an XML payload that will allow remote code execution (RCE) when it is deserialized.
  • Arbitrary code execution via Swagger YAML parser
    CVE-2017-1000207, CVE-2017-1000208 • Swagger Codegen and Parser • published 2 years ago • discovered by Man Yue Mo
    The Swagger code generator and parser use the SnakeYaml library to process OpenAPI/Swagger specifications written in YAML. They invoke SnakeYaml insecurely which allows an attacker to parse a malicious specification and execute arbitrary code.
  • Unsafe deserialization in Apache Spark launcher API
    CVE-2017-12612 • Apache Spark • published 3 years ago • discovered by Aditya Sharad
    In all versions of Apache Spark from 1.16.0 to 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. This makes applications launched programmatically using the launcher API potentially vulnerable to arbitrary code execution by an attacker with access to any user account on the local machine. The attacker would be able to execute code as the user that ran the Spark application. It does not affect apps run by spark-submit or spark-shell.
  • Scripting engine remote memory corruption vulnerability
    CVE-2017-0141 • Microsoft Edge Browser • published 3 years ago • discovered by Kevin Backhouse
    Microsoft Edge is prone to a remote memory-corruption vulnerability. Attackers can exploit this issue by enticing an unsuspecting user to view a specially crafted web page. This could allow the attacker to execute arbitrary code in the context of the currently logged-in user. Failed attacks will cause denial of service conditions.

Disclosure policy

Last updated: November 4th, 2019

The GitHub Security Lab research team is dedicated to working closely with the open source community and with projects that are affected by a vulnerability, in order to protect users and ensure a coordinated disclosure. When a vulnerability is identified in a project, we will report it by contacting the publicly-listed security contact for the project if one exists; otherwise we will attempt to contact the project maintainers directly.

If the project team responds and agrees the issue is security-critical, we will work with the project security team or maintainers to communicate the vulnerability in detail, and agree on the process for public disclosure. Responsibility for developing and releasing a patch lies firmly with the project team, though we aim to facilitate this by providing detailed information about the vulnerability.

Our disclosure deadline for publicly disclosing a vulnerability is: 90 days after the first report to the project team, or 30 days after a project maintainer has published a code change that publicly addresses the vulnerability, whichever is sooner.

Example: The maintainers of an open source project were notified by us of a security vulnerability in their project on July 1. Public disclosure needs to have taken place by September 29 (90 days after the initial report). On July 20, one of the project’s developers pushes a commit that addresses the vulnerability to a publicly accessible repository. The deadline for public disclosure is now August 19 (30 days after the commit).

Until this disclosure deadline lapses, we are available to coordinate with the project team in preparing a public announcement, providing that appropriate credit is given to the GitHub Security Lab, and the researcher(s) who discovered the vulnerability. Prior to the public disclosure, we expect the project team to arrange the assignment of a CVE through the usual channels.

For some vulnerabilities we may choose to publish a blog post on the GitHub Security Lab as part of the public announcement and disclosure. We will not release a proof-of-concept exploit at the same time as the initial public announcement and disclosure, unless otherwise agreed with the project team.

If the disclosure deadline lapses without any announcement being made by the project team, we will disclose the vulnerability to the public unless agreed otherwise.

In the event that the project team does not respond or agree that a reported vulnerability is a genuine security issue, then we may decide to request a CVE ourselves and subsequently publicly disclose the issue at any time, not subject to the above disclosure deadlines.

Please contact us at securitylab@github.com if you have any questions about our disclosure policy or our security research.