Govulnbot

**Name of the Vulnerable Software and Affected Versions** Traefik versions prior to 2.11.24 Traefik versions prior to 3.3.6 Traefik versions prior to 3.4.0-rc2 **Description** The issue concerns Traefik, an HTTP reverse proxy and load balancer, where a potential vulnerability exists in managing requests using a PathPrefix, Path, or PathRegex matcher. When Traefik is configured to route requests to a backend using a matcher based on the path, if the URL contains a /../ in its path, it is possible to target a backend exposed using another router, bypassing the middlewares chain. **Recommendations** For versions prior to 2.11.24, update to version 2.11.24 or later. For versions prior to 3.3.6, update to version 3.3.6 or later. For versions prior to 3.4.0-rc2, update to version 3.4.0-rc2 or later. As a temporary workaround, consider adding a `PathRegexp` rule to the matcher to prevent matching a route with a `/../` in the path.

**Name of the Vulnerable Software and Affected Versions** snapd versions prior to 2.62 **Description** The issue arises when using AppArmor for enforcement of sandbox permissions in snapd. It failed to restrict writes to the $HOME/bin path. In Ubuntu, when this path exists, it is automatically added to the users PATH. An attacker could convince a user to install a malicious snap that uses the 'home' plug, allowing them to install arbitrary scripts into the users PATH. These scripts may then be run by the user outside of the expected snap sandbox, enabling them to escape confinement. **Recommendations** To resolve the issue, update to snapd version 2.62 or later. As a temporary workaround, consider restricting access to the 'home' plug for snaps until the update is applied. Additionally, users can manually remove any suspicious scripts from the $HOME/bin path to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Gin-Gonic CORS middleware versions prior to 1.6.0 **Description** The issue arises from the mishandling of a wildcard at the end of an origin string by the `parseWildcardRules` function in Gin-Gonic CORS middleware. This results in unintended origins being allowed. For example, `https://example.community/*` is allowed when the intention is to only allow `https://example.com/*`, and `http://localhost.example.com/*` is allowed when the intention is to only allow `http://localhost/*`. **Recommendations** For versions prior to 1.6.0, update to version 1.6.0 or later to resolve the issue. As a temporary workaround, consider manually validating origin strings to ensure they match the intended patterns, avoiding the use of wildcards at the end of origin strings until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Ollama versions prior to 0.1.47 **Description** The issue is related to the `extractFromZipFile()` function in `model.go` of the Ollama system, which is used for launching and managing large language models (LLM). This function has an incorrect restriction on the directory path name with limited access. Exploitation of this issue may allow a remote attacker to impact the confidentiality and integrity of protected information. The `extractFromZipFile` function can extract members of a ZIP archive outside of the parent directory. **Recommendations** For versions prior to 0.1.47, update to version 0.1.47 or later to resolve the issue. As a temporary workaround, consider restricting access to the `extractFromZipFile` function in `model.go` until a patch is available. Avoid using the `extractFromZipFile` function to extract members of a ZIP archive outside of the parent directory until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** firebase-tools versions prior to 13.6.0 **Description** This issue is related to a potential CSRF attack. When running the Firebase emulator suite, there is an export endpoint used to export data from running emulators. If a user is running the emulator and navigates to a malicious website with the exploit on a browser that allows calls to localhost, the website could exfiltrate emulator data. **Recommendations** For versions prior to 13.6.0, upgrade past version 13.6.0 or apply the commit 068a2b08dc308c7ab4b569617f5fc8821237e3a0 to resolve the issue. As a temporary workaround, consider restricting access to the export endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** coredns (affected versions not specified) **Description** The issue is related to information disclosure via caching in the coredns DNS server. It could allow a remote attacker to conduct spoofing attacks due to incorrectly implemented caching, leading to invalid cache entries being returned. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** tiagorlampert CHAOS versions before 1b451cf62582295b7225caf5a7b506f0bad56f6b and 24c9e109b5be34df7b2bce8368eae669c481ed5e tiagorlampert CHAOS version v5.0.1 **Description** The issue allows a remote attacker to execute arbitrary code via the unsafe concatenation of the `filename` argument into the `buildStr` string without any sanitization or filtering. A remote attacker can also execute arbitrary commands via crafted HTTP requests. The BuildClient function within client service.go is also vulnerable. **Recommendations** For tiagorlampert CHAOS versions before 1b451cf62582295b7225caf5a7b506f0bad56f6b and 24c9e109b5be34df7b2bce8368eae669c481ed5e, consider disabling the `buildStr` string concatenation until a patch is available. For tiagorlampert CHAOS version v5.0.1, restrict access to the BuildClient function within client service.go to minimize the risk of exploitation. Avoid using the `filename` argument in affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** free5GC udm versions prior to 1.2.0 **Description** The issue allows an Invalid Curve Attack because it may compute a shared secret via an uncompressed public key that has not been validated. An attacker can send arbitrary SUCIs to the UDM, which tries to decrypt them via both its private key and the attacker's public key. **Recommendations** For versions prior to 1.2.0, update to version 1.2.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the `suci.go` module in `pkg/suci` to minimize the risk of exploitation. Avoid using uncompressed public keys in the affected UDM until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** gRPC versions 1.23 and later **Description** The issue is related to a lack of error handling in the TCP server in Google's gRPC, which allows an attacker to cause a denial of service by initiating a significant number of connections with the server. This affects gRPC C++, Python, and Ruby, but does not affect gRPC Java and Go. The issue is present on posix-compatible platforms, such as Linux. **Recommendations** For gRPC versions 1.23 and later, consider implementing proper error handling mechanisms in the TCP server to prevent denial of service attacks. As a temporary workaround, consider restricting the number of connections allowed to the server to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Etcd version 3.5.4 **Description** The issue allows remote attackers to cause a denial of service via the `PageWriter.write` function in `pagewriter.go`. The vendor's position is that this is not a vulnerability. **Recommendations** For Etcd version 3.5.4, as a temporary workaround, consider disabling the `PageWriter.write` function until a patch is available or further guidance is provided by the vendor. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Swoole version 4.5.2 **Description** A HTTP response header injection issue allows attackers to execute arbitrary code via supplying a crafted URL. **Recommendations** For Swoole version 4.5.2, update to a version that fixes this issue to prevent arbitrary code execution.

**Name of the Vulnerable Software and Affected Versions** Gitpod versions prior to 2022.11.3 **Description** The issue allows for XSS because redirection can occur for some protocols outside of the trusted set of three, which includes `vscode:`, `vscode-insiders:`, and `jetbrains-gateway:`. **Recommendations** For versions prior to 2022.11.3, update to version 2022.11.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Gitpod versions prior to release-2022.11.2.16 **Description** The issue allows attackers to make WebSocket connections to the Gitpod JSONRPC server using a victim’s credentials due to the lack of restriction on the Origin header. This can lead to the extraction of data from workspaces or a full takeover of the workspace. **Recommendations** For versions prior to release-2022.11.2.16, update to release-2022.11.2.16 or later to resolve the issue. As a temporary workaround, consider restricting access to the Gitpod JSONRPC server to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenShift OSIN (affected versions not specified) **Description** A vulnerability was found in OpenShift OSIN, classified as problematic. It affects the function `ClientSecretMatches/CheckClientSecret`. The manipulation of the argument `secret` leads to observable timing discrepancy, making it vulnerable to timing attacks. This could permit an attacker to determine client secrets. **Recommendations** To fix this issue, it is recommended to apply a patch. As a temporary workaround, consider restricting access to the `ClientSecretMatches/CheckClientSecret` function until a patch is available. Avoid using the `secret` argument in the affected function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** docconv versions up to 1.2.0 **Description** A vulnerability was found in docconv, classified as problematic, affecting the function `ConvertDocx/ConvertODT/ConvertPages/ConvertXML/XMLToText`. The manipulation leads to uncontrolled memory allocation. The attack may be initiated remotely. **Recommendations** For docconv versions up to 1.2.0, upgrade to version 1.2.1 to address this issue. As a temporary workaround, consider disabling the `ConvertDocx/ConvertODT/ConvertPages/ConvertXML/XMLToText` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** destiny.gg chat (affected versions not specified) **Description** A vulnerability was found in the destiny.gg chat, affecting the function `websocket.Upgrader` of the file main.go. The manipulation leads to cross-site request forgery, and the attack may be initiated remotely. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** docconv versions prior to 1.2.1 **Description** A critical issue affects the function ConvertPDFImages of the file pdf ocr.go. The manipulation of the argument `path` leads to os command injection. The attack can be initiated remotely. **Recommendations** For versions prior to 1.2.1, upgrade to version 1.2.1 to address this issue. As a temporary workaround, consider restricting the use of the `ConvertPDFImages` function until the upgrade is applied.

**Name of the Vulnerable Software and Affected Versions** studygolang (affected versions not specified) **Description** A problematic vulnerability was found in studygolang, affecting the `Search` function of the file `http/controller/search.go`. The manipulation of the argument `q` leads to cross-site scripting. The attack can be initiated remotely. **Recommendations** To fix this issue, it is recommended to apply a patch with the name 97ba556d42fa89dfaa7737e9cd3a8ddaf670bb23. As a temporary workaround, consider restricting the use of the `Search` function or limiting the manipulation of the `q` argument until the patch is applied.

**Name of the Vulnerable Software and Affected Versions** Synthetic Monitoring Agent for Grafana versions prior to 0.12.0 **Description** The Synthetic Monitoring Agent for Grafana's Synthetic Monitoring application provides probe functionality and executes network checks for monitoring remote targets. Users running the Synthetic Monitoring agent prior to version 0.12.0 in their local network are impacted. The authentication token used to communicate with the Synthetic Monitoring API is exposed through a debugging endpoint. This token can be used to retrieve the Synthetic Monitoring checks created by the user and assigned to the agent identified with that token. The Synthetic Monitoring API will reject connections from already-connected agents, so access to the token does not guarantee access to the checks. **Recommendations** For versions prior to 0.12.0, review the agent settings and set the HTTP listening address in a manner that limits the exposure, for example, localhost or a non-routed network, by using the command line parameter `-listen-address`, e.g. `-listen-address localhost:4050`. After upgrading to version 0.12.0 or later, review the configuration stored in `/etc/synthetic-monitoring/synthetic-monitoring-agent.conf`, specifically the `API TOKEN` variable which has been renamed to `SM AGENT API TOKEN`. Rotate the agent tokens.

**Name of the Vulnerable Software and Affected Versions** Hyperledger Fabric version 2.3 **Description** The issue allows attackers to cause a denial of service by repeatedly sending a crafted channel transaction with the same channel name, leading to an orderer crash. However, the official Fabric with Raft prevents exploitation through a locking mechanism and a check for existing names. **Recommendations** For Hyperledger Fabric version 2.3, consider implementing a locking mechanism and a check for existing channel names to prevent the denial of service attack, similar to the official Fabric with Raft.