Darkamaul
Rank #11824 of 53,632 · Total CVSS 23.2 · Vulnerabilities: 3 (High: 2, Medium: 1)
PT-2024-7918 · CVSS 7.8 · 2024-11-07
Atlassian · Bitbucket Data Center/Server · CVE-2024-47072
**Name of the Vulnerable Software and Affected Versions**

- XStream versions prior to 1.4.21
- Bitbucket Data Center and Server versions 8.6.0 through 8.19.0
- Bitbucket Data Center and Server versions 9.0.0 through 9.4.0
- Bitbucket Data Center and Server versions 8.9.0 through 8.9.23
- Bitbucket Data Center and Server versions 8.19.0 through 8.19.13
- Bitbucket Data Center and Server versions 9.4.0 through 9.4.1

**Description**

A crafted input stream can drive the BinaryStreamDriver component of the XStream library into unbounded recursion, so that parsing terminates with a StackOverflowError. A remote attacker who can supply the stream processed by an XStream instance configured to use the BinaryStreamDriver can therefore crash the application, causing a denial of service. Bitbucket Data Center and Server are affected through the XStream version they bundle. Impact: none to confidentiality, none to integrity, high to availability.

**Recommendations**

- XStream versions prior to 1.4.21: upgrade to version 1.4.21 or later.
- Bitbucket Data Center and Server versions 8.9.0 through 8.9.23: upgrade to 8.9.24 or later.
- Bitbucket Data Center and Server versions 8.19.0 through 8.19.13: upgrade to 8.19.14 or later.
- Bitbucket Data Center and Server versions 9.4.0 through 9.4.1: upgrade to 9.4.2 or later.
- Bitbucket Data Center and Server 9.5 line: use 9.5.0 or later.

As a temporary workaround, users who cannot upgrade and whose own code calls XStream with the BinaryStreamDriver may catch StackOverflowError in that calling code. This only helps where you control the code that invokes XStream; for a product such as Bitbucket that calls the library internally, upgrading is the only fix.
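The interim workaround above, shown as an added example rather than code from XStream, Atlassian or the advisory. It assumes a hypothetical wrapper class `GuardedBinaryXStream` and a constructed sample type `Payload`; the junk bytes fed to it at the end are constructed to exercise the rejection path and are not a reproduction of the CVE.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.io.binary.BinaryStreamDriver;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.util.Arrays;

/**
 * Example wrapper (hypothetical, not library code): an XStream instance in the
 * affected configuration (BinaryStreamDriver) whose parse is guarded by the
 * advisory's workaround for CVE-2024-47072, catching StackOverflowError in the
 * code that calls XStream.
 */
public final class GuardedBinaryXStream {

    /** Sample type to round-trip; constructed for this example. */
    public static final class Payload {
        public String name;
        public int count;
    }

    /** Outcome of a guarded parse: the object, or the reason the stream was rejected. */
    public static final class Outcome {
        public final Object value;
        public final String rejection;

        private Outcome(Object value, String rejection) {
            this.value = value;
            this.rejection = rejection;
        }

        static Outcome ok(Object v) { return new Outcome(v, null); }
        static Outcome rejected(String why) { return new Outcome(null, why); }
        public boolean accepted() { return rejection == null; }
    }

    private final XStream xstream;

    public GuardedBinaryXStream() {
        // The affected configuration: XStream driven by the BinaryStreamDriver.
        xstream = new XStream(new BinaryStreamDriver());
        // Unrelated to this CVE but standard hygiene: only permit the types we expect.
        xstream.allowTypes(new Class[] { Payload.class });
    }

    /** toXML() writes in the configured driver's format; with this driver that is XStream's binary format. */
    public byte[] encode(Object obj) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        xstream.toXML(obj, out);
        return out.toByteArray();
    }

    /**
     * The workaround for XStream < 1.4.21: catch StackOverflowError in the calling
     * code so that a crafted stream ends in a rejected request instead of an
     * uncaught Error propagating out of the thread.
     */
    public Outcome decode(InputStream in) {
        try {
            return Outcome.ok(xstream.fromXML(in));
        } catch (StackOverflowError e) {
            // Do not log the stream contents; its size and shape are attacker-controlled.
            return Outcome.rejected("binary stream rejected: parser recursion exhausted the stack");
        } catch (XStreamException e) {
            // Malformed but bounded input: still untrusted, still rejected.
            return Outcome.rejected("binary stream rejected: " + e.getClass().getSimpleName());
        }
    }

    public static void main(String[] args) {
        GuardedBinaryXStream guarded = new GuardedBinaryXStream();

        Payload p = new Payload();
        p.name = "example";
        p.count = 3;
        byte[] wire = guarded.encode(p);
        System.out.println("encoded " + wire.length + " bytes: " + Arrays.toString(wire));

        Outcome good = guarded.decode(new ByteArrayInputStream(wire));
        System.out.println("well-formed stream accepted: " + good.accepted());

        // Constructed garbage, not a proof of concept for the CVE: exercises the rejection path.
        byte[] junk = new byte[] { 0x7f, 0x00, (byte) 0xff, 0x01 };
        Outcome bad = guarded.decode(new ByteArrayInputStream(junk));
        System.out.println("junk stream accepted: " + bad.accepted() + " (" + bad.rejection + ")");
    }
}
```

Two caveats a practitioner should keep in mind. The catch only protects the thread that made the call, so it belongs in the code that directly invokes `fromXML`, as the advisory says; it does nothing for XStream calls made inside a third-party product. And a StackOverflowError is still a JVM Error, caught after the stack has already been consumed, so treat this as a stopgap and schedule the upgrade to 1.4.21 (or the fixed Bitbucket release) regardless.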