Sim4N6

Name of the Vulnerable Software and Affected Versions GitLab EE versions 18.2 through 18.8.9, 18.9 through 18.9.5, and 18.10 through 18.10.3 Description The issue involves improper input validation in GraphQL queries, potentially allowing an authenticated user to cause a denial of service to the GitLab instance. Recommendations Update to GitLab EE version 18.8.9 or later. Update to GitLab EE version 18.9.5 or later. Update to GitLab EE version 18.10.3 or later.

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions 9.2 through 18.7.4 GitLab CE/EE versions 18.8 through 18.8.4 GitLab CE/EE versions 18.9 through 18.9.0 **Description** An unauthenticated user could potentially cause a denial of service by sending specially crafted input to a merge request endpoint. This issue involves a regular expression denial of service. **Recommendations** Update GitLab CE/EE to version 18.7.5 or later. Update GitLab CE/EE to version 18.8.5 or later. Update GitLab CE/EE to version 18.9.1 or later.

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions 17.7 through 17.10.8 GitLab CE/EE versions 17.11 through 17.11.4 GitLab CE/EE versions 18.0 through 18.0.2 **Description** An issue has been discovered in GitLab CE/EE that allows an attacker to trigger an infinite redirect loop, potentially leading to a denial of service condition. This issue affects various versions of GitLab CE/EE, allowing an attacker to exploit it and cause a denial of service. **Recommendations** For versions 17.7 through 17.10.8, update to a version after 17.10.8 to resolve the issue. For versions 17.11 through 17.11.4, update to a version after 17.11.4 to resolve the issue. For versions 18.0 through 18.0.2, update to a version after 18.0.2 to resolve the issue. As a temporary workaround, consider restricting access to the affected GitLab CE/EE instances to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions 17.3 through 17.9.7 GitLab CE/EE versions 17.10 through 17.10.5 GitLab CE/EE versions 17.11 through 17.11.1 **Description** An issue has been discovered in GitLab CE/EE that allows attackers to bypass Device OAuth flow protections. This enables authorization form submission through minimal user interaction. **Recommendations** For versions 17.3 through 17.9.7, update to version 17.9.8 or later. For versions 17.10 through 17.10.5, update to version 17.10.6 or later. For versions 17.11 through 17.11.1, update to version 17.11.2 or later.

**Name of the Vulnerable Software and Affected Versions** Mobile Security Framework (MobSF) versions prior to 4.3.2 **Description** The issue concerns a vulnerability in the `valid host()` function that uses `socket.gethostbyname()`, making it susceptible to SSRF abuse via the DNS rebinding technique. This vulnerability is related to the Mobile Security Framework (MobSF), a tool for pen-testing, malware analysis, and security assessment that performs static and dynamic analysis. **Recommendations** For versions prior to 4.3.2, update to version 4.3.2 to resolve the issue. As a temporary workaround, consider restricting the use of the `valid host()` function until the update is applied.

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions 14.1 through 17.6.4 GitLab CE/EE versions 17.7 through 17.7.3 GitLab CE/EE versions 17.8 through 17.8.1 **Description** A denial of service issue affects the availability of GitLab via unbounded symbol creation. This is achieved through the `scopes` parameter in a Personal Access Token. **Recommendations** For versions 14.1 through 17.6.4, update to version 17.6.5 or later. For versions 17.7 through 17.7.3, update to version 17.7.4 or later. For versions 17.8 through 17.8.1, update to version 17.8.2 or later. As a temporary workaround, consider restricting the use of the `scopes` parameter in Personal Access Tokens until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Plane versions prior to 0.23.0 **Description** The issue concerns an open-source project management tool that uses ** wildcard support to retrieve images from any hostname, potentially allowing an attacker to induce the server into performing requests to unintended locations. **Recommendations** For versions prior to 0.23.0, update to version 0.23.0 to resolve the issue. As a temporary workaround, consider restricting access to the `/web/next.config.js` endpoint until the update is applied.

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions 16.4 through 17.1.7 GitLab CE/EE versions 17.2 through 17.2.5 GitLab CE/EE versions 17.3 through 17.3.2 **Description** The issue is related to the use of a regular expression with inefficient computational complexity in GitLab, a software platform based on git for collaborative code work. Exploitation of the issue could allow a remote attacker to cause a denial of service by sending a specific POST request, potentially via a large `glm source` parameter. **Recommendations** For GitLab CE/EE versions 16.4 through 17.1.7, update to version 17.1.7 or later. For GitLab CE/EE versions 17.2 through 17.2.5, update to version 17.2.5 or later. For GitLab CE/EE versions 17.3 through 17.3.2, update to version 17.3.2 or later. As a temporary workaround, consider restricting access to the `glm source` parameter in the affected API endpoint until a patch is available.

Name of the Vulnerable Software and Affected Versions: Yeti versions prior to 2.1.11 Description: The issue concerns a denial of service vulnerability. Remote user-controlled data tags can lead to Unicode normalization with a compatibility form NFKD. Under Windows, such normalization is costly in resources and may lead to denial of service with attacks, potentially worsened by the use of special Unicode characters. Recommendations: For versions prior to 2.1.11, update to version 2.1.11 to resolve the issue. As a temporary workaround, consider restricting the use of remote user-controlled data tags until the patch is applied.

**Name of the Vulnerable Software and Affected Versions** MindsDB versions prior to 23.12.4.2 **Description** MindsDB is a platform for building artificial intelligence from enterprise data. A threat actor can bypass the server-side request forgery protection on the whole website with DNS Rebinding, which can also lead to denial of service. **Recommendations** For versions prior to 23.12.4.2, update to version 23.12.4.2 to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable API endpoints to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** rack-contrib versions prior to 2.5.0 **Description** The issue is related to a denial of service vulnerability due to the lack of constraints on user-controlled data `profiler runs`. This allows for the allocation of resources on the server side with no limitation, potentially leading to a denial of service by remotely controlled data. The vulnerability is caused by the fact that the `profiler runs` variable is not constrained to any limitation, which would lead to allocating resources on the server side with no limitation. **Recommendations** For versions prior to 2.5.0, update to version 2.5.0 or later, which contains a patch for the issue. As a temporary workaround, consider restricting access to the `Rack::Profiler` middleware to minimize the risk of exploitation. Avoid using the `profiler runs` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Frigate versions prior to 0.13.2 **Description** The issue arises from the lack of limitation on the length of filenames and the costly use of Unicode normalization with the form NFKD under the hood of the `secure filename()` function. This can lead to an application-level denial of service when a user intentionally uploads a file or retrieves a filename with a large Unicode name. **Recommendations** For versions prior to 0.13.2, update to version 0.13.2 or later to resolve the issue. As a temporary workaround, consider restricting the length of filenames to prevent intentional denial of service attacks.

**Name of the Vulnerable Software and Affected Versions** NVIDIA NeMo framework for Ubuntu (affected versions not specified) **Description** The NVIDIA NeMo framework for Ubuntu contains a vulnerability in tools/asr webapp where an attacker may cause an allocation of resources without limits or throttling. A successful exploit of this issue may lead to a server-side denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** spbu se site versions prior to 2024.01.29 **Description** The issue arises when an authenticated user uploads an avatar image with a large Unicode filename, leading to a server-side denial of service under Windows. This is due to the lack of limitation on the filename length and the costly use of Unicode normalization with the form NFKD on Windows OS. **Recommendations** For versions prior to 2024.01.29, update to the 2024.01.29 release to resolve the issue. As a temporary workaround, consider restricting the length of filenames for avatar uploads to prevent potential denial of service attacks.

**Name of the Vulnerable Software and Affected Versions** OTCLient versions prior to commit db560de0b56476c87a2f967466407939196dd254 **Description** The issue concerns an expression injection vulnerability in the `/mehah/otclient` "Analysis - SonarCloud" workflow, allowing an attacker to run commands remotely on the runner, leak secrets, and alter the repository using this workflow. **Recommendations** For versions prior to commit db560de0b56476c87a2f967466407939196dd254, update to a version that includes the fix commit db560de0b56476c87a2f967466407939196dd254 to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable "Analysis - SonarCloud" workflow until the update is applied.

**Name of the Vulnerable Software and Affected Versions** ffcss versions prior to 0.2.0 **Description** The issue arises from the function `lookupPreprocess()` which applies transformations to a string by disabling characters in the regex `[- .]`. However, due to the use of late Unicode normalization of type NFKD, it is possible to bypass that validation and re-introduce all the characters in the regex `[- .]`. This can be achieved with equivalent Unicode characters, resulting in omitted characters being reintroduced. The `lookupPreprocess()` function is used to search for themes loosely, and the actual security impact is classified as low. **Recommendations** For versions prior to 0.2.0, update to version 0.2.0 to resolve the issue. As a temporary workaround, consider modifying the `lookupPreprocess()` function to initially perform Unicode normalization and then apply the rest of the validations. Restrict access to user-controlled data coming from command args to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SHIRASAGI versions prior to 1.18.0 **Description** The issue is related to a Post-Unicode normalization problem. This occurs when security checks are performed before Unicode normalization, allowing Unicode character equivalents to resurface after normalization. **Recommendations** For versions prior to 1.18.0, update to version 1.18.0 to resolve the issue. As a temporary workaround, consider initially performing Unicode normalization, then stripping all whitespaces, and finally checking for a blank string to mitigate the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** jcvi (affected versions not specified) **Description** A configuration injection occurs when user input is considered by the application in an unsanitized format and can reach the configuration file. A malicious user may craft a special payload that may lead to a command injection. The impact of a configuration injection may vary. Under some conditions, it may lead to command injection if there is shell code execution from the configuration file values. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** mindsdb versions prior to 23.2.1.0 **Description** The issue is related to an unsafe extraction performed using `tarfile.extractall()` from a remotely retrieved tarball, which may lead to the writing of extracted files to an unintended location. This is sometimes referred to as a TarSlip or a ZipSlip variant. An attacker may leverage this to overwrite any local file that the server process has access to. There is no risk of file exposure with this vulnerability. API Endpoints: `/<name>` Vulnerable Parameters or Variables: `name`, `file`, `original file name`, `source` Function Names: `put()`, `extractall()` The vulnerability can be exploited by crafting a malicious tarball with a filename path, such as ../../../../../../../../etc/passwd, and then serving the archive remotely, proceeding to the PUT request of the tarball through mindsdb, and overwriting the system files of the hosting server. **Recommendations** For versions prior to 23.2.1.0, upgrade to release 23.2.1.0 to address the issue. As a temporary workaround, consider validating the location or the absolute path of the extracted files and discard those with malicious paths such as relative path `../../..` or absolute path such as `/etc/password`. A simple wrapper could be written to raise an exception when a path traversal may be identified. Restrict access to the `tarfile.extractall()` function until a patch is available. Avoid using the `tarfile` module for extracting archives from untrusted sources without prior inspection.

**Name of the Vulnerable Software and Affected Versions** MindsDB versions prior to 22.11.4.3 **Description** MindsDB is an open source machine learning platform. An unsafe extraction is being performed using `shutil.unpack archive()` from a remotely retrieved tarball, which may lead to the writing of the extracted files to an unintended location. This issue is sometimes called a TarSlip or a ZipSlip variant. Unpacking files using the high-level function `shutil.unpack archive()` from a potentially malicious tarball without validating that the destination file path remained within the intended destination directory may cause files to be overwritten outside the destination directory. An attacker could craft a malicious tarball with a filename path, such as `../../../../../../../../etc/passwd`, and then serve the archive remotely using a personal bucket `s3`, thus, retrieve the tarball through MindsDB and overwrite the system files of the hosting server. **Recommendations** For versions prior to 22.11.4.3, upgrade to version 22.11.4.3 or later to address the issue. As a temporary workaround, consider validating the location of the extracted files and discard those with malicious paths such as relative path `..` or absolute path such as `/etc/password`. Additionally, using a safer module like `zipfile` can help mitigate the issue. Avoid ingesting archives from untrusted sources until the issue is resolved.