Splitline

**Name of the Vulnerable Software and Affected Versions** esm.sh versions 137 and earlier **Description** The legacy router retrieves a response from `legacyServer`, parses the request path, and writes data to storage using the `buildStorage.Put()` function. Because the router concatenates path components without sanitization, it produces a storage key that allows the underlying file system to resolve relative segments. This enables an attacker to craft requests that write data to arbitrary locations on the server, potentially leading to privilege escalation or remote code execution by overwriting critical binaries or scripts. **Recommendations** Update to a version later than 137.

**Name of the Vulnerable Software and Affected Versions** Dart SDK versions prior to 3.11.0 Flutter SDK versions prior to 3.41.0 **Description** The Dart and Flutter SDKs are susceptible to a path traversal issue within the pub client (`dart pub` and `flutter pub`) when extracting package archives from the `PUB CACHE`. A malicious package archive could potentially write files outside the intended destination directory. This occurs because the pub client does not properly normalize file paths before writing files, allowing an attacker to traverse up the directory structure using symlinks. The issue is addressed by normalizing the file path before writing, preventing unauthorized file access. All packages on pub.dev have been vetted for this issue, and new packages are no longer permitted to contain symlinks. **Recommendations** Dart SDK versions prior to 3.11.0 should be updated to version 3.11.0 or later. Flutter SDK versions prior to 3.41.0 should be updated to version 3.41.0 or later.

Name of the Vulnerable Software and Affected Versions: Registrator versions prior to 1.9.5 Description: The issue concerns a GitHub app that automates creation of registration pull requests for julia packages. A shell script injection can occur within the `withpasswd` function if the clone URL returned by GitHub is malicious. Alternatively, an argument injection is possible in the `gettreesha` function, which can lead to a potential remote code execution (RCE). Recommendations: For all versions prior to 1.9.5, upgrade immediately to version 1.9.5 to receive a fix. As a temporary workaround, consider restricting the use of the `withpasswd` and `gettreesha` functions until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: GitForge.jl versions prior to 0.4.3 Description: The issue is related to a lack of input validation for user-provided values in certain functions. Specifically, in the `GitForge.get repo` function for GitHub, the `owner` and `repo` fields can be manipulated by a user to access unintended endpoints on api.github.com by adding path traversal patterns like `../`. This is possible because the inputs are not validated or safely encoded before being sent to the server. Recommendations: For versions prior to 0.4.3, update to version 0.4.3 to resolve the issue. As a temporary workaround, consider validating and safely encoding user-provided inputs for the `owner` and `repo` fields in the `GitForge.get repo` function to prevent path traversal attacks.

Name of the Vulnerable Software and Affected Versions: HTTP.jl versions prior to 1.10.17 URIs.jl versions prior to 1.6.0 Description: The issue allows the construction of URIs containing CR/LF characters, which can lead to a CRLF injection attack if user input is not properly escaped or protected. Recommendations: For HTTP.jl versions prior to 1.10.17, upgrade to HTTP.jl v1.10.17. For URIs.jl versions prior to 1.6.0, upgrade to URIs.jl v1.6.0. As a temporary workaround, manually validate any URIs before passing them on to functions in this package.

Name of the Vulnerable Software and Affected Versions: Registrator versions prior to 1.9.5 Description: The issue concerns a GitHub app that automates creation of registration pull requests for julia packages. If the clone URL returned by GitHub is malicious, an argument injection is possible in the `gettreesha()` function, potentially leading to remote code execution. Recommendations: For all versions prior to 1.9.5, upgrade immediately to version 1.9.5 to receive a patch. As a temporary workaround, consider restricting the use of the `gettreesha()` function until the patch is applied.

**Name of the Vulnerable Software and Affected Versions** Go (affected versions not specified) **Description** A flaw exists where downloading and building modules with malicious version strings can lead to local code execution. Systems utilizing Mercurial (hg) are susceptible to unexpected code execution when downloading modules from non-standard sources, stemming from the construction of external VCS commands. This issue can also be triggered by supplying malicious version strings directly to the toolchain. On systems with Git installed, malicious version strings can enable an attacker to write to arbitrary files on the filesystem, but this requires explicitly providing the malicious strings and does not impact usage of `@latest` or bare module paths. The issue relates to unexpected code execution when invoking the toolchain. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Microsoft Excel versions (affected versions not specified) Microsoft 365 Apps for Enterprise versions (affected versions not specified) Microsoft Office versions (affected versions not specified) Microsoft Office Long Term Servicing Channel versions (affected versions not specified) Microsoft Office Online Server versions (affected versions not specified) Description: The issue is related to a lack of data sanitization at the management level in Microsoft Office packages, including Microsoft Excel. Exploitation of this issue may allow an attacker to execute arbitrary code using a specially crafted malicious file. Recommendations: For Microsoft Excel, consider disabling the execution of external files until a patch is available. For Microsoft 365 Apps for Enterprise, restrict access to potentially vulnerable components to minimize the risk of exploitation. For Microsoft Office, Microsoft Office Long Term Servicing Channel, and Microsoft Office Online Server, avoid using potentially vulnerable features or modules until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Apache Subversion versions up to and including 1.14.3 Description: On Windows platforms, a "best fit" character encoding conversion of command line arguments to Subversion's executables may lead to unexpected command line argument interpretation, including argument injection and execution of other programs, if a specially crafted command line argument string is processed. This issue affects Windows platforms only and does not impact UNIX-like platforms. Recommendations: For Apache Subversion versions up to and including 1.14.3, upgrade to version 1.14.4, which fixes this issue.

**Name of the Vulnerable Software and Affected Versions** XZ Utils versions 5.6.2 and older **Description** The issue concerns a command line argument injection vulnerability in XZ Utils when built for native Windows. This occurs when Unicode characters in filenames are converted to similar-looking ASCII characters, potentially changing the command line's meaning and allowing for argument injection or directory traversal attacks. The estimated number of potentially affected devices is not specified. **Recommendations** For versions 5.6.2 and older, update to version 5.6.3 or newer to resolve the issue. As a temporary workaround, consider avoiding the use of Unicode characters in filenames for command line tools until a patch is applied. Restrict access to sensitive directories to minimize the risk of directory traversal attacks.