Justin Taft

**Name of the Vulnerable Software and Affected Versions** actions/artifact versions 2.0.0 through 2.1.1 actions/artifact versions 2.1.2 through 2.1.6 **Description** The issue concerns arbitrary file write when using `downloadArtifactInternal`, `downloadArtifactPublic`, or `streamExtractExternal` for extracting a specifically crafted artifact that contains path traversal filenames. Users are advised to upgrade to a newer version to mitigate the risk. **Recommendations** For actions/artifact versions 2.0.0 through 2.1.1, upgrade to version 2.1.2 or higher. For actions/artifact versions 2.1.2 through 2.1.6, upgrade to version 2.1.7 or higher. As a temporary workaround, consider disabling the `downloadArtifactInternal`, `downloadArtifactPublic`, or `streamExtractExternal` functions until a patch is available. Restrict access to the vulnerable `actions/artifact` module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Lexmark devices (affected versions not specified) **Description** A buffer overflow vulnerability has been identified in the postscript interpreter of Lexmark devices. This issue allows for remote code execution. The vulnerability was identified through 2021-12-07. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Delta Electronics TPEditor versions 1.97 and prior **Description** A write-what-where condition may be exploited by processing a specially crafted project file, potentially allowing an attacker to read or modify information, execute arbitrary code, and/or crash the application. **Recommendations** For Delta Electronics TPEditor versions 1.97 and prior, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Delta Electronics TPEditor versions 1.97 and prior **Description** The issue is related to improper input validation. It can be exploited by processing a specially crafted project file that is not validated when the data is entered by a user. Successful exploitation may allow an attacker to read or modify information, execute arbitrary code, and/or crash the application. **Recommendations** For versions 1.97 and prior, consider avoiding the use of untrusted project files until a patch is available. As a temporary workaround, restrict the ability to open or process project files from untrusted sources to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.