Kule500

**Name of the Vulnerable Software and Affected Versions** OliveTin versions 3000.10.2 and earlier **Description** OliveTin allows access to predefined shell commands through a web interface. In versions 3000.10.2 and earlier, the live EventStream broadcasts execution events and action output to authenticated dashboard subscribers without enforcing authorization on a per-action basis. This allows a low-privileged authenticated user to receive output from actions they are not permitted to view, resulting in broken access control and the disclosure of sensitive information. The issue resides in the live event streaming path, specifically within the `EventStream()` function, which only verifies dashboard access during subscription. Execution callbacks broadcast to all connected clients without checking recipient authorization before sending action metadata or output. The vulnerable functions involved are `OnExecutionStarted`, `OnExecutionFinished`, and `OnOutputChunk`. The event payload includes action output via `internalLogEntryToPb` and `Output`. A proof-of-concept (PoC) test demonstrates that a user without relevant access control lists (ACLs) can still receive streamed completion events and protected action output. This impacts multi-user OliveTin deployments where privileged actions produce sensitive data. **Recommendations** Versions prior to 3000.10.2 are affected.

**Name of the Vulnerable Software and Affected Versions** OliveTin versions prior to 3000.11.0 **Description** OliveTin allows an unauthenticated guest to terminate running actions through the KillAction Remote Procedure Call (RPC) even when `authRequireGuestsToLogin: true` is enabled. Guests are blocked from dashboard access, but can still directly call the KillAction RPC and successfully stop a running action. This is a broken access control issue that causes unauthorized denial of service against legitimate action executions. The issue is caused by inconsistent authorization enforcement between dashboard access and action-control RPCs. Specifically, the `KillAction()` function authenticates the caller and applies only the per-action kill Access Control List (ACL) check, but does not enforce the guest login requirement. When `authRequireGuestsToLogin` is enabled, configuration sanitization disables guest view, execution, and logs permissions, but leaves kill unchanged. As a result, an unauthenticated guest user can satisfy the `IsAllowedKill()` check and terminate actions. The `/api/KillAction` API endpoint is vulnerable, accepting the `executionTrackingId` variable to terminate actions. This can lead to disruption of long-running administrative or operational workflows. **Recommendations** Versions prior to 3000.11.0 should be updated to version 3000.11.0 or later.

**Name of the Vulnerable Software and Affected Versions** pypdf versions prior to 6.7.5 **Description** A crafted PDF file can cause excessive processing time when accessing a stream that utilizes the `/ASCIIHexDecode` filter. This issue affects the pypdf library. **Recommendations** Update to version 6.7.5 or later.

**Name of the Vulnerable Software and Affected Versions** OliveTin versions prior to 3000.10.3 **Description** OliveTin is susceptible to a denial-of-service condition stemming from an unsynchronized access issue within its OAuth2 login flow. Concurrent requests to the `/oauth/login` API endpoint can trigger a Go runtime panic, specifically a 'concurrent map writes' error, leading to process termination. This allows a remote, unauthenticated attacker to crash the service when OAuth2 is enabled. The issue arises from unsynchronized access to a shared `registeredStates` map. The vulnerable code paths include unlocked reads and writes in the login handler, callback check, callback flow, and authentication chain check. The API endpoints involved are `/oauth/login` and `/oauth/callback`. **Recommendations** Versions prior to 3000.10.3 should be updated to version 3000.10.3 or later.

**Name of the Vulnerable Software and Affected Versions** pypdf versions prior to 6.9.1 **Description** pypdf is a free and open-source pure-python PDF library. Versions prior to 6.9.1 allow an attacker to create a malicious PDF that can cause prolonged runtimes and/or significant memory usage. Exploitation requires accessing an array-based stream containing numerous entries. The issue has been addressed in version 6.9.1. **Recommendations** Upgrade to pypdf version 6.9.1 or later.