Ori Hollander

**Name of the Vulnerable Software and Affected Versions** webfinger.js versions 2.8.0 and below **Description** webfinger.js is a TypeScript-based WebFinger client used in browser and Node.js environments. The `lookup` function does not prevent access to localhost services, only checking for hosts that start with "localhost" and end with a port. This allows attackers to perform blind Server-Side Request Forgery (SSRF) attacks by sending GET requests with controlled host, path, and port parameters to query services on the instance's host or local network. **Recommendations** Update to version 2.8.1 or later.

**Name of the Vulnerable Software and Affected Versions** Tensorflow serving versions up to 2.18.0 **Description** The issue is related to incorrect JSON input stringification in Tensorflow serving, which allows for potentially unbounded recursion. This can lead to a server crash. **Recommendations** For versions up to 2.18.0, update to a version later than 2.18.0 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** PeerTube (affected versions not specified) **Description** This issue allows any authenticated user to cause the server to consume large amounts of disk space by extracting a Zip Bomb. When user import is enabled, which is the default setting, any registered user can upload an archive for importing. The yauzl library used for reading the archive lacks a mechanism to detect or prevent extraction of a Zip Bomb, leading to disk space resource exhaustion when using the User Import functionality with a Zip Bomb. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PeerTube (affected versions not specified) **Description** The issue allows any authenticated user to leak the contents of arbitrary `.m3u8` files from the PeerTube server due to a path traversal in the HLS endpoint. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PeerTube (affected versions not specified) **Description** The issue allows an attacker to cause the PeerTube server to stop functioning or, in special cases, send requests to arbitrary URLs, which is known as Blind Server-Side Request Forgery (SSRF). Attackers can exploit the "Create Activity" functionality by sending crafted ActivityPub activities to PeerTube's "inbox" endpoint, potentially leading to denial of service or an attacker-controlled blind SSRF. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PeerTube (affected versions not specified) **Description** This issue allows an attacker to cause the PeerTube server to become unresponsive due to an infinite loop in the "inbox" endpoint when receiving crafted ActivityPub activities. The estimated number of potentially affected devices worldwide is not available. Details about real-world incidents where this issue was exploited are not provided. The issue is related to the `/inbox` API endpoint, where an infinite loop can occur when processing certain ActivityPub activities. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The product name cannot be determined. **Description** This issue allows an attacker to add playlists to a different user's channel using the ActivityPub protocol. The vulnerable code sets the owner of the new playlist to be the user who performed the request and then sets the associated channel to the channel ID supplied by the request, without checking if it belongs to the user. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PeerTube (affected versions not specified) **Description** The issue allows an existing user to add playlists to a different user’s channel using the PeerTube REST API. The vulnerable code sets the owner of the new playlist to be the user who performed the request, and then sets the associated channel to the channel ID supplied by the request, without checking if it belongs to the user. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PeerTube (affected versions not specified) **Description** The issue allows any authenticated user to cause the PeerTube server to stop functioning in a persistent manner. If user import is enabled, which is the default setting, any registered user can upload an archive for importing. The code uses the yauzl library for reading the archive. If the yauzl library encounters a filename that is considered illegal, it raises an exception that is uncaught by PeerTube, leading to a crash which repeats infinitely on startup. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mage AI (affected versions not specified) **Description** The issue allows remote users with the "Viewer" role to leak arbitrary files from the Mage server due to a path traversal in the "Pipeline Interaction" request. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mage AI framework (affected versions not specified) **Description** The issue concerns guest users in the Mage AI framework who remain logged in after their accounts are deleted. These users are mistakenly given high privileges, specifically access to remotely execute arbitrary code through the Mage AI terminal server. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mage AI (affected versions not specified) **Description** The issue allows remote users with the "Viewer" role to leak arbitrary files from the Mage server due to a path traversal in the "File Content" request. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mage AI (affected versions not specified) **Description** The issue allows remote users with the "Viewer" role to leak arbitrary files from the Mage server due to a path traversal in the "Git Content" request. This can potentially lead to remote exploitation. There is no information provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the "Git Content" request handler to minimize the risk of exploitation. Validate input/output paths to prevent path traversal attacks. Additionally, audit logs for signs of compromise and tighten access to sensitive files.

Name of the Vulnerable Software and Affected Versions: Mage AI (affected versions not specified) Description: The issue allows remote unauthenticated attackers to leak the terminal server command history of arbitrary users. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** lighttpd versions <= 1.4.50 **Description** The issue is related to a use-after-free vulnerability that can allow access to compare data in a case-insensitive manner with a reused pointer. This vulnerability might read from invalid pointers to memory used in the same request. **Recommendations** For lighttpd versions <= 1.4.50, update to a version greater than 1.4.50 to resolve the issue. At the moment, there is no information about other specific workarounds for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** H2O versions prior to 3.38.0 **Description** The H2O machine learning platform uses "Iced" classes to move Java objects around the cluster, which supports the inclusion of serialized Java objects. When a model is deserialized, any class is allowed to be deserialized without a whitelist, allowing an attacker to construct a crafted Iced model that uses Java gadgets and leads to arbitrary code execution when imported to the H2O platform. **Recommendations** For versions prior to 3.38.0, upgrade to version 3.38.0 to prevent attackers from running arbitrary code on the system. As a temporary workaround, consider restricting the import of models to trusted sources until the upgrade is applied.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** A remote attacker can trigger a denial of service by sending a crafted HTTP request, affecting the `socket.remoteAddress` variable. The usage of this undefined variable raises a TypeError exception. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Json-smart versions 2.5.0 through 2.5.1 **Description** The issue is related to uncontrolled recursion in the Json-smart library. When the library encounters a '{' or '[' character in the JSON input, it parses an object or array respectively. However, there is no limit to the nesting of these objects or arrays, which can cause a stack exhaustion and crash the software. This can be exploited by an attacker to cause a Denial of Service (DoS). **Recommendations** For Json-smart versions 2.5.0 through 2.5.1, upgrade to a version that includes a fix for this issue. As a temporary workaround, consider restricting the use of the Json-smart library to minimize the risk of exploitation. Avoid using the library to parse JSON input with deeply nested objects or arrays until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** conduit-hyper versions prior to 0.4.2 **Description** The issue arises from `conduit-hyper` not checking any limit on a request's length before calling `hyper::body::to bytes`. An attacker could send a malicious request with an abnormally large `Content-Length`, which could lead to a panic if memory allocation failed for that request. In version 0.4.2, `conduit-hyper` sets an internal limit of 128 MiB per request, otherwise returning status 400 ("Bad Request"). This crate is part of the implementation of Rust's crates.io, but that service is not affected due to its existing cloud infrastructure, which already drops such malicious requests. Even with the new limit in place, `conduit-hyper` is not recommended for production use, nor to directly serve the public Internet. **Recommendations** For versions prior to 0.4.2, update to version 0.4.2 or later to set an internal limit of 128 MiB per request and return status 400 ("Bad Request") for requests exceeding this limit. As a temporary workaround, consider restricting the `Content-Length` of incoming requests to prevent potential memory allocation issues until a patch is available. Avoid using `conduit-hyper` for production use or to directly serve the public Internet, even with the new limit in place.

**Name of the Vulnerable Software and Affected Versions** Cargo versions prior to 1.64 **Description** The issue is related to Cargo, a package manager for the Rust programming language, which does not limit the amount of data extracted from compressed archives. An attacker could upload a specially crafted package to an alternate registry that extracts more data than its size, also known as a "zip bomb", exhausting the disk space on the machine using Cargo to download the package. By design, Cargo allows code execution at build time due to build scripts and procedural macros, making it possible for malicious dependencies to cause damage. The vulnerability allows performing a subset of the possible damage in a harder to track down way. Users of alternate registries are recommended to exercise care in which package they download, by only including trusted dependencies in their projects. **Recommendations** For versions prior to 1.64, update to Rust 1.64 or later to fix the issue. For users of Rust 1.63.0, patch files are available in the wg-security-response repository for people building their own toolchain. As a temporary workaround, consider exercising care in which package you download, by only including trusted dependencies in your projects. Restrict access to untrusted dependencies to minimize the risk of exploitation.