Pirikara

**Name of the Vulnerable Software and Affected Versions** Apache Airflow versions prior to 3.2.2 **Description** A bug in the bulk Task Instances API allows an authenticated UI or API user to bypass authorization and mutate Task Instance states across different DAGs. The system evaluates authorization based on the `dag id` provided in the URL path but performs operations using the `dag id` and `dag run id` extracted from the request body. Consequently, a user with edit permissions for one DAG can modify Task Instances in any other DAG by specifying the authorized ID in the URL and the target IDs in the request body. This issue impacts deployments that use per-DAG edit-scope to isolate Task Instance states between teams. The affected endpoint is 'PATCH/DELETE /api/v2/dags/{dag id}/dagRuns/{dag run id}/taskInstances', and the vulnerable variables are `dag id` and `dag run id`. **Recommendations** Upgrade to version 3.2.2 or later.

**Name of the Vulnerable Software and Affected Versions** Nextcloud Server versions 32.0.0 through 32.0.8 Nextcloud Server versions 33.0.0 through 33.0.2 Nextcloud Enterprise Server versions prior to 26.0.13.26 Nextcloud Enterprise Server versions prior to 27.1.11.25 Nextcloud Enterprise Server versions prior to 28.0.14.17 Nextcloud Enterprise Server versions prior to 29.0.16.16 Nextcloud Enterprise Server versions prior to 30.0.17.9 Nextcloud Enterprise Server versions prior to 31.0.14.5 Nextcloud Enterprise Server versions prior to 32.0.9 Nextcloud Enterprise Server versions prior to 33.0.3 **Description** An issue exists in the content collaboration platform where a malicious user with access to a file share can utilize the share token to directly access chunking uploads. This allows the attacker to view temporary part files while uploads are ongoing. **Recommendations** Upgrade Nextcloud Server versions 32.0.0 through 32.0.8 to 32.0.9. Upgrade Nextcloud Server versions 33.0.0 through 33.0.2 to 33.0.3. Upgrade Nextcloud Enterprise Server to 26.0.13.26, 27.1.11.25, 28.0.14.17, 29.0.16.16, 30.0.17.9, 31.0.14.5, 32.0.9, or 33.0.3.

**Name of the Vulnerable Software and Affected Versions** Faraday versions 2.0.0 through 2.14.1 **Description** Faraday is an HTTP client library abstraction layer. A flaw exists where protocol-relative host override is possible when the request target is passed as a `URI` object instead of a `String` to the `Faraday::Connection#build exclusive url` function. This allows off-host request forgery, where a request intended for a fixed-base connection can be redirected to an attacker-controlled host. During this process, connection-scoped values, such as `Authorization` headers and default query parameters, are forwarded to the malicious host. Other affected functions include `Faraday::Connection#run request`, `Faraday::Request#url`, and `Faraday::Request#to env`. **Recommendations** Update to version 2.14.3. As a temporary workaround, avoid passing `URI` objects to `Faraday::Connection#build exclusive url` and use `String` targets instead.

**Name of the Vulnerable Software and Affected Versions** Rack versions prior to 2.2.20 Rack versions prior to 3.1.18 Rack versions prior to 3.2.3 **Description** Rack is a modular Ruby web server interface. In versions prior to 2.2.20, 3.1.18, and 3.2.3, the `Rack::Request#POST` method reads the entire request body into memory when handling `Content-Type: application/x-www-form-urlencoded` requests without enforcing a length or cap. This can lead to a denial of service (DoS) through memory exhaustion if an attacker sends a large request body. The vulnerable code calls `rack.input.read(nil)` which allows unbounded reads of `application/x-www-form-urlencoded` bodies. **Recommendations** Upgrade to Rack version 2.2.20 to address the issue. Upgrade to Rack version 3.1.18 to address the issue. Upgrade to Rack version 3.2.3 to address the issue. Enforce strict maximum body size at the proxy or web server layer, such as using `client max body size` in Nginx or `LimitRequestBody` in Apache.