Rootxharsh

**Name of the Vulnerable Software and Affected Versions** OAuth2 Proxy versions 7.5.0 through 7.15.1 **Description** A configuration-dependent authentication bypass exists when the software is deployed using `skip auth routes` or the legacy `skip auth regex` with patterns that can be widened by attacker-controlled suffixes. This occurs when protected upstream applications interpret the `#` character as a fragment delimiter or route the request to the protected base path. An unauthenticated attacker can send a crafted request containing a number sign in the path, including the browser-safe encoded form `%23`, allowing the request to match a public allowlist rule while the backend serves a protected resource. **Recommendations** Update to version 7.15.2. Tighten or remove `skip auth routes` and `skip auth regex` rules, specifically patterns using broad wildcards across path segments. Replace broad rules with exact, anchored public paths and explicit HTTP methods. Reject requests containing `%23` or `#` in the path at the ingress, load balancer, or WAF level. Avoid placing sensitive application paths behind broad `skip auth routes` rules.

**Name of the Vulnerable Software and Affected Versions** @fastify/middie versions prior to 9.1.0 **Description** A security issue exists in @fastify/middie where middleware registered with a specific path prefix can be bypassed using URL-encoded characters. For example, using `/%61dmin` instead of `/admin`. The middleware engine fails to match the encoded path, skipping execution, but the Fastify router decodes the path and matches the route handler, potentially allowing access to protected endpoints. The issue occurs because the underlying Fastify router correctly decodes the path while the middleware engine does not. This allows attackers to bypass middleware constraints and access protected endpoints. **Recommendations** Update @fastify/middie to version 9.1.0 or later.

**Name of the Vulnerable Software and Affected Versions** @fastify/express versions prior to 4.0.3 **Description** A security issue exists in the @fastify/express plugin, which provides Express compatibility for Fastify. The problem occurs when middleware is registered with a specific path prefix. Attackers can bypass the middleware by using URL-encoded characters in the request path, such as `/%61dmin` instead of `/admin`. The Fastify router correctly decodes the path and matches the route handler, allowing access to protected endpoints without the intended middleware restrictions. This bypass is due to how @fastify/express matches requests against registered middleware paths. **Recommendations** Update to @fastify/express version 4.0.3 or later.

**Name of the Vulnerable Software and Affected Versions** Netmaker versions prior to 0.17.1 Netmaker versions 0.18.0 through 0.18.5 **Description** Hardcoded DNS key usage has been found in Netmaker, allowing unauthorized users to interact with DNS API endpoints. The issue is patched in version 0.17.1 and fixed in version 0.18.6. **Recommendations** For versions prior to 0.17.1, upgrade to version 0.17.1 or later. For versions 0.18.0 through 0.18.5, upgrade to version 0.18.6 or later. If using version 0.17.1, run `docker pull gravitl/netmaker:v0.17.1` and `docker-compose up -d` to switch to the patched version. As a temporary workaround for version 0.17.1, pull the latest docker image of the backend and restart the server.

**Name of the Vulnerable Software and Affected Versions** Netmaker versions prior to 0.17.1 Netmaker versions 0.18.0 through 0.18.5 **Description** An Insecure Direct Object Reference (IDOR) vulnerability was found in the user update function, allowing an attacker to update another user's password by specifying their username. **Recommendations** For versions prior to 0.17.1, upgrade to version 0.17.1 or later. For versions 0.18.0 through 0.18.5, upgrade to version 0.18.6 or later. If using version 0.17.1, run `docker pull gravitl/netmaker:v0.17.1` and `docker-compose up -d` to switch to the patched users. As a temporary workaround for version 0.17.1, pull the latest docker image of the backend and restart the server.

**Name of the Vulnerable Software and Affected Versions** Netmaker versions prior to 0.17.1 Netmaker versions 0.18.0 through 0.18.5 **Description** A Mass assignment vulnerability was found in Netmaker that allows a non-admin user to escalate privileges to those of an admin user. The issue is patched in version 0.17.1 and fixed in version 0.18.6. **Recommendations** For versions prior to 0.17.1, upgrade to version 0.17.1 or later. For versions 0.18.0 through 0.18.5, upgrade to version 0.18.6 or later. If using version 0.17.1, run `docker pull gravitl/netmaker:v0.17.1` and `docker-compose up -d` to switch to the patched version. As a temporary workaround for version 0.17.1, pull the latest docker image of the backend and restart the server.

**Name of the Vulnerable Software and Affected Versions** Lucee versions prior to 5.4.3.2 Lucee versions prior to 5.3.12.1 **Description** A security flaw has been discovered in Lucee, impacting all prior releases. New releases (5.4.3.2, 5.3.12.1) have been made to address the issue and enhance security. **Recommendations** For versions prior to 5.4.3.2, update to version 5.4.3.2 to resolve the issue. For versions prior to 5.3.12.1, update to version 5.3.12.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** OAuth2 Proxy versions prior to 5.1.1 **Description** The issue is related to an open redirect vulnerability. Users can provide a redirect address for the proxy to send the authenticated user to at the end of the authentication flow. This redirect URL is checked within the proxy and validated before redirecting the user to prevent malicious actors providing redirects to potentially harmful sites. However, by crafting a redirect URL with HTML encoded whitespace characters, the validation could be bypassed and allow a redirect to any URL provided. **Recommendations** For OAuth2 Proxy versions prior to 5.1.1, update to version 5.1.1 to resolve the issue. As a temporary workaround, consider validating redirect URLs more strictly to prevent bypassing the validation. Restrict access to the `IsValidRedirect` function to minimize the risk of exploitation. Avoid using HTML encoded whitespace characters in redirect URLs until the issue is resolved.