37 Pull requests merged by 10 people

• [GHSA-p43w-g3c5-g5mq] Out of bounds read in Pillow

  #4130 merged Mar 26, 2024

• [GHSA-8xjq-8fcg-g5hw] Out-of-bounds Write in Pillow

  #4133 merged Mar 26, 2024

• [GHSA-57h3-9rgr-c24m] Out of bounds write in Pillow

  #4134 merged Mar 26, 2024

• [GHSA-mvg9-xffr-p774] Out of bounds read in Pillow

  #4132 merged Mar 26, 2024

• [GHSA-9hx2-hgq2-2g4f] Regular Expression Denial of Service (ReDoS) in Pillow

  #4131 merged Mar 26, 2024

• [GHSA-3xv8-3j54-hgrp] Out-of-bounds read in Pillow

  #4140 merged Mar 26, 2024

• [GHSA-j7mj-748x-7p78] DOS attack in Pillow when processing specially crafted image files

  #4142 merged Mar 26, 2024

• [GHSA-q3p4-gw7r-wqjc] Apache Airflow vulnerable to XSS and local file disclosure

  #4087 merged Mar 26, 2024

• [GHSA-7mx5-x372-xh87] Incorrect Session Validation in Apache Airflow

  #4093 merged Mar 26, 2024

• [GHSA-gxpj-cx7g-858c] Regular Expression Denial of Service in debug

  #4117 merged Mar 25, 2024

• [GHSA-fh37-cx83-q542] Improper Authentication in Apache Airflow

  #4094 merged Mar 25, 2024

• [GHSA-86vp-x3pr-79rx] Apache Airflow Cross-site scripting due to incomplete fix for CVE-2020-13944

  #4092 merged Mar 25, 2024

• [GHSA-6r3p-fcvm-xh7c] SSRF vulnerability in Arache Airflow

  #4091 merged Mar 25, 2024

• [GHSA-9g2w-5f3v-mfmm] Insecure default config of Celery worker in Apache Airflow

  #4090 merged Mar 25, 2024

• [GHSA-976r-qfjj-c24w] Command injection via Celery broker in Apache Airflow

  #4089 merged Mar 25, 2024

• [GHSA-rvmq-4x66-q7j3] Remote code execution in Apache Airflow

  #4088 merged Mar 25, 2024

• [GHSA-77rc-x84q-pv4f] Improper Certificate Validation in Apache Airflow

  #4085 merged Mar 25, 2024

• [GHSA-99cv-8cvv-666c] Apache Airflow vulnerable to Stored XSS

  #4084 merged Mar 25, 2024

• [GHSA-68wv-rjrm-576p] Cross-Site Request Forgery (CSRF) in Apache Airflow

  #4083 merged Mar 25, 2024

• [GHSA-hvpq-7vcc-5hj5] Froala Editor Cross-site Scripting vulnerability

  #4082 merged Mar 25, 2024

• Update GHSA-3hcm-6fjc-47qq.json

  #4075 merged Mar 24, 2024

• Update GHSA-3885-8gqc-3wpf.json

  #4073 merged Mar 22, 2024

• Update GHSA-g3q9-xf95-8hp5.json

  #4072 merged Mar 22, 2024

• [GHSA-wjxj-5m7g-mg7q] Bouncy Castle Denial of Service (DoS)

  #4078 merged Mar 22, 2024

• [GHSA-4hh5-2678-83fx] Cross-Site Request Forgery vulnerability in Prefect

  #4079 merged Mar 22, 2024

• [GHSA-5925-88xh-6h99] Authentication bypass via Cross site request forgery

  #4076 merged Mar 22, 2024

• [GHSA-9822-6m93-xqf4] Rails has possible XSS Vulnerability in Action Controller

  #4070 merged Mar 21, 2024

• [GHSA-9w38-p64v-xpmv] Out-of-bounds Write vulnerability in Apache Commons...

  #4067 merged Mar 21, 2024

• [GHSA-xjp4-hw94-mvp5] Out-of-bounds Write vulnerability in Apache Commons...

  #4068 merged Mar 21, 2024

• [GHSA-78hx-gp6g-7mj6] Memory leaks in code encrypting and verifying RSA payloads

  #4065 merged Mar 21, 2024

• [GHSA-jcp9-796g-pv9p] Missing Cryptographic Step in OWASP Enterprise Security API for Java

  #3817 merged Mar 20, 2024

• [GHSA-898j-5cc8-cmf5] Moderate severity vulnerability that affects org.apache.storm:storm-core

  #3838 merged Mar 20, 2024

• [GHSA-5gg7-5wv8-4gcj] Undertow Request Smuggling vulnerability

  #4064 merged Mar 20, 2024

• [GHSA-4fq3-mr56-cg6r] Spring Data Commons remote code injection vulnerability

  #4063 merged Mar 20, 2024

• [GHSA-4fq3-mr56-cg6r] Spring Data Commons remote code injection vulnerability

  #3882 merged Mar 20, 2024

• [GHSA-22v7-w6c5-v4rr] Apache Ranger Access Restriction Bypass

  #4062 merged Mar 20, 2024

• [GHSA-5vcc-86wm-547q] Improper Privilege Management in djangorestframework-simplejwt

  #4061 merged Mar 20, 2024

54 Pull requests opened by 8 people

• [GHSA-78hx-gp6g-7mj6] Memory leaks in code encrypting and verifying RSA payloads

  #4069 opened Mar 21, 2024

• Update GHSA-6qmf-mmc7-6c2p.json

  #4077 opened Mar 22, 2024

• [GHSA-wr3j-pwj9-hqq6] Path traversal in webpack-dev-middleware

  #4081 opened Mar 24, 2024

• [GHSA-m6h2-jx9v-58w6] Missing Authorization in Apache Airflow

  #4095 opened Mar 25, 2024

• [GHSA-q8h9-pqcx-59hw] Apache Airflow exposes arbitrary file content

  #4096 opened Mar 25, 2024

• [GHSA-6pw3-8h9w-32gc] Apache Airflow vulnerable to OS Command Injection via example DAGs

  #4097 opened Mar 25, 2024

• [GHSA-4fg5-j4mm-wfpg] Apache Airflow contains open redirect

  #4098 opened Mar 25, 2024

• [GHSA-6xwf-xvf3-v459] Apache Airflow: Incorrect Default Permissions in audit logs for Ops and Viewers users

  #4099 opened Mar 25, 2024

• [GHSA-6v6w-h8m6-7mv2] Apache Airflow: DAG Code and Import Error Permissions Ignored

  #4100 opened Mar 25, 2024

• [GHSA-h574-6646-vfxx] Apache Airflow: Ignored Airflow Permission

  #4101 opened Mar 25, 2024

• [GHSA-3gh2-xw74-jmcw] SQL injection in Django

  #4102 opened Mar 25, 2024

• [GHSA-2m34-jcjv-45xf] XSS in Django

  #4103 opened Mar 25, 2024

• [GHSA-xpfp-f569-q3p2] SQL Injection in Django

  #4104 opened Mar 25, 2024

• [GHSA-6mx3-3vqg-hpp2] Django allows unprivileged users to read the password hashes of arbitrary accounts

  #4105 opened Mar 25, 2024

• [GHSA-jrh2-hc4r-7jwx] Directory-traversal in Django

  #4106 opened Mar 25, 2024

• [GHSA-95rw-fx8r-36v6] Cross-site Scripting in Django

  #4107 opened Mar 25, 2024

• [GHSA-6cw3-g6wv-c2xv] Infinite Loop in Django

  #4108 opened Mar 25, 2024

• [GHSA-8x94-hmjh-97hq] Django vulnerable to Reflected File Download attack

  #4109 opened Mar 25, 2024

• [GHSA-qrw5-5h28-6cmg] Django denial-of-service vulnerability in internationalized URLs

  #4110 opened Mar 25, 2024

• [GHSA-2hrw-hx67-34x6] Resource exhaustion in Django

  #4111 opened Mar 25, 2024

• [GHSA-r3xc-prgr-mg9p] Django bypasses validation when using one form field to upload multiple files

  #4112 opened Mar 25, 2024

• [GHSA-7h4p-27mh-hmrw] Django Denial of service vulnerability in django.utils.encoding.uri_to_iri

  #4113 opened Mar 25, 2024

• [GHSA-qmf9-6jqf-j8fq] Django potential denial of service vulnerability in UsernameField on Windows

  #4114 opened Mar 25, 2024

• [GHSA-vh55-786g-wjwj] .NET Information Disclosure Vulnerability

  #4115 opened Mar 25, 2024

• [GHSA-cxjh-pqwp-8mfp] follow-redirects' Proxy-Authorization header kept across hosts

  #4118 opened Mar 25, 2024

• [GHSA-8ghj-p4vj-mr35] Pillow Denial of Service vulnerability

  #4119 opened Mar 26, 2024

• [GHSA-q4mp-jvh2-76fj] Pillow subject to DoS via SAMPLESPERPIXEL tag

  #4120 opened Mar 26, 2024

• [GHSA-hr8g-f6r6-mr22] Buffer over-flow in Pillow

  #4121 opened Mar 26, 2024

• [GHSA-9j59-75qj-795w] Path traversal in Pillow

  #4122 opened Mar 26, 2024

• [GHSA-xrcv-f9gm-v42c] Out-of-bounds Read in Pillow

  #4123 opened Mar 26, 2024

• [GHSA-pw3c-h7wp-cvhx] Improper Initialization in Pillow

  #4124 opened Mar 26, 2024

• [GHSA-7534-mm45-c74v] Buffer Overflow in Pillow

  #4125 opened Mar 26, 2024

• [GHSA-q5hq-fp76-qmrc] Uncontrolled Resource Consumption in Pillow

  #4126 opened Mar 26, 2024

• [GHSA-95q3-8gr9-gm8w] Pillow Denial of Service by Uncontrolled Resource Consumption

  #4127 opened Mar 26, 2024

• [GHSA-3wvg-mj6g-m9cv] Pillow Uncontrolled Resource Consumption

  #4128 opened Mar 26, 2024

• [GHSA-f4w8-cv6p-x6r5] Pillow Denial of Service by Uncontrolled Resource Consumption

  #4129 opened Mar 26, 2024

• [GHSA-hf64-x4gq-p99h] Pillow Out-of-bounds Read

  #4135 opened Mar 26, 2024

• [GHSA-vqcj-wrf2-7v73] Pillow Out-of-bounds Write

  #4136 opened Mar 26, 2024

• [GHSA-43fq-w8qq-v88h] Out-of-bounds read in Pillow

  #4137 opened Mar 26, 2024

• [GHSA-vj42-xq3r-hr3r] Out-of-bounds reads in Pillow

  #4138 opened Mar 26, 2024

• [GHSA-8843-m7mw-mxqm] Buffer overflow in Pillow

  #4139 opened Mar 26, 2024

• [GHSA-cqhg-xjhh-p8hf] Out-of-bounds reads in Pillow

  #4141 opened Mar 26, 2024

• [GHSA-rc4r-wh2q-q6c4] Moby supplementary group permissions not set up properly, allowing attackers to bypass primary group restrictions

  #4144 opened Mar 26, 2024

• [GHSA-vp35-85q5-9f25] Container build can leak any path on the host into the container

  #4145 opened Mar 26, 2024

• [GHSA-8fvr-5rqf-3wwh] Information Exposure in Docker Engine

  #4146 opened Mar 26, 2024

• [GHSA-v4h8-794j-g8mm] Arbitrary File Override in Docker Engine

  #4147 opened Mar 26, 2024

• [GHSA-qrqr-3x5j-2xw9] Docker Moby Authentication Bypass

  #4148 opened Mar 26, 2024

• [GHSA-v2cv-wwxq-qq97] Moby Docker cp broken with debian containers

  #4149 opened Mar 26, 2024

• [GHSA-vj3f-3286-r4pf] Path Traversal in Docker

  #4150 opened Mar 26, 2024

• [GHSA-6hwg-w5jg-9c6x] Path Traversal in Moby builder

  #4151 opened Mar 26, 2024

• [GHSA-7452-xqpj-6rpc] moby Access to remapped root allows privilege escalation to real root

  #4152 opened Mar 26, 2024

• [GHSA-6fj5-m822-rqx8] moby docker daemon crash during image pull of malicious image

  #4153 opened Mar 26, 2024

• [GHSA-3fwx-pjgw-3558] Moby (Docker Engine) Insufficiently restricted permissions on data directory

  #4154 opened Mar 26, 2024

• [GHSA-47g3-mf24-6559] Vulnerability in the Oracle Java SE, Oracle GraalVM...

  #4156 opened Mar 26, 2024

28 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• [GHSA-7f3x-x4pr-wqhj] Server-Side Request Forgery in parse-url

  #3889 commented on Mar 27, 2024 • 1 new comment

• [GHSA-p5hg-3xm3-gcjg] Spring Framework allows applications to expose STOMP over WebSocket endpoints

  #3885 commented on Mar 26, 2024 • 1 new comment

• [GHSA-jf2m-435m-mxw8] SQL Injection in hive-jdbc

  #3879 commented on Mar 26, 2024 • 1 new comment

• [GHSA-chp4-rv79-68j3] Apache serialization mechanism does not have a list of classes allowed for serialization/deserialization

  #3877 commented on Mar 25, 2024 • 1 new comment

• [GHSA-cx2v-jrjc-g54w] OpenTSDB vulnerable to OS Command Injection

  #3875 commented on Mar 25, 2024 • 1 new comment

• [GHSA-6w3v-66mj-2qm6] Moderate severity vulnerability that affects org.apache.qpid:apache-qpid-broker-j

  #3874 commented on Mar 25, 2024 • 1 new comment

• [GHSA-v49x-8hvm-q347] Exposure of Sensitive Information in Apache Pluto

  #3873 commented on Mar 25, 2024 • 1 new comment

• [GHSA-42xw-p62x-hwcf] Improper Access Control in Apache Derby

  #3871 commented on Mar 25, 2024 • 1 new comment

• [GHSA-m929-7fr6-cvjg] Spring Data Commons, used in combination with XMLBeam, contains a property binder vulnerability caused by improper restriction of XML external entity references

  #3864 commented on Mar 23, 2024 • 1 new comment

• [GHSA-rrpm-pj7p-7j9q] Spring Security OAuth vulnerable to remote code execution (RCE)

  #3863 commented on Mar 23, 2024 • 1 new comment

• [GHSA-pjv3-rh6v-2pj8] Cross-site Scripting in wicket-jquery-ui

  #3861 commented on Mar 24, 2024 • 1 new comment

• [GHSA-p8jx-x2vw-wm33] High severity vulnerability that affects org.apache.storm:storm-core

  #3860 commented on Mar 24, 2024 • 1 new comment

• [GHSA-9r24-gp44-h3pm] High severity vulnerability that affects org.apache.tika:tika-core

  #3859 commented on Mar 23, 2024 • 1 new comment

• [GHSA-cfw5-v7cw-69cw] Critical severity vulnerability that affects org.apache.directory.api:apache-ldap-api

  #3858 commented on Mar 23, 2024 • 1 new comment

• [GHSA-v6c7-8qx5-8gmp] Deserialization of Untrusted Data in Apache Tomcat

  #3810 commented on Mar 22, 2024 • 1 new comment

• [GHSA-qxp4-27vx-xmm3] Improper Input Validation in Jetty

  #3802 commented on Mar 21, 2024 • 1 new comment

• [GHSA-2ppp-xj34-vvf7] Apache Struts's CookieInterceptor component does not use the parameter-name whitelist

  #3795 commented on Mar 22, 2024 • 1 new comment

• [GHSA-3p86-xgrq-m6p6] Improper Neutralization of Input During Web Page Generation in Apache Tomcat

  #3775 commented on Mar 21, 2024 • 1 new comment

• [GHSA-p5hg-3xm3-gcjg] Spring Framework allows applications to expose STOMP over WebSocket endpoints

  #3726 commented on Mar 21, 2024 • 1 new comment

• [GHSA-ffvq-7w96-97p7] Denial of Service in Spring Framework

  #3722 commented on Mar 21, 2024 • 1 new comment

• [GHSA-hhpm-5cp2-hg4x] Deserialization of Untrusted Data in Jenkins

  #3698 commented on Mar 21, 2024 • 1 new comment

• [GHSA-vj2m-9f5j-mpr5] Vapor vulnerable to denial of service in HTTP Range Request of FileMiddleware

  #3601 commented on Mar 27, 2024 • 1 new comment

• [GHSA-pg6w-hq9f-wfwr] resumable.php (aka PHP backend for resumable.js) 0.1.4...

  #3214 commented on Mar 27, 2024 • 1 new comment

• [GHSA-ffvq-7w96-97p7] Denial of Service in Spring Framework

  #3856 commented on Mar 22, 2024 • 0 new comments

• [GHSA-9h9c-f287-c6vp] Improper Control of Interaction Frequency in Apache syncope-core

  #3853 commented on Mar 22, 2024 • 0 new comments

• [GHSA-3448-vfvv-xp9g] Apache Tika Denial of Service due to Infinite Loop in Tika's SQLite3Parser

  #3846 commented on Mar 21, 2024 • 0 new comments

• [GHSA-rhq2-2574-78mc] Unzip function in ZipUtil.java in Hutool allows remote attackers to overwrite arbitrary files via directory traversal

  #3844 commented on Mar 21, 2024 • 0 new comments

• [GHSA-vrwc-qjmw-5rjm] ClassLoader manipulation in Apache Struts

  #3826 commented on Mar 21, 2024 • 0 new comments