Uriya Yavnieli

**Name of the Vulnerable Software and Affected Versions** Weave server (affected versions not specified) **Description** The Weave server API allows remote users to fetch files from a specific directory, but due to a lack of input validation, it is possible to traverse and leak arbitrary files remotely. In various common scenarios, this allows a low-privileged user to assume the role of the server admin. The issue is being actively exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libxmljs versions <= 1.0.11 **Description** The issue is related to a type confusion vulnerability when parsing a specially crafted XML while invoking a function on the result of `attrs()` that was called on a parsed node. This might lead to denial of service on both 32-bit and 64-bit systems, data leak, infinite loop, and remote code execution on 32-bit systems with the XML PARSE HUGE flag enabled. **Recommendations** For libxmljs versions <= 1.0.11, update to a patched version when available. As a temporary workaround, consider limiting untrusted XML parsing to minimize the risk of exploitation. Restrict access to the `attrs()` function in the affected libxmljs module until the issue is resolved. Avoid using the `attrs()` function on untrusted input until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libxmljs2 (affected versions not specified) **Description** The issue is related to a type confusion vulnerability that occurs when parsing a specially crafted XML. This happens when the `namespaces()` function is invoked on a grand-child of a node that refers to an entity, which in turn invokes `XmlNode::get local namespaces()`. The vulnerability can lead to denial of service and remote code execution. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libxmljs2 (affected versions not specified) **Description** The issue is related to a type confusion vulnerability that occurs when parsing a specially crafted XML. This happens while invoking a function on the result of `attrs()` that was called on a parsed node. The vulnerability might lead to denial of service on both 32-bit and 64-bit systems, data leak, infinite loop, and remote code execution on 32-bit systems with the XML PARSE HUGE flag enabled. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libxmljs (affected versions not specified) **Description** The issue is related to a type confusion vulnerability that occurs when parsing a specially crafted XML. This happens when the `namespaces()` function is invoked on a grand-child of a node that refers to an entity, which in turn invokes ` wrap xmlNode nsDef get()`. The vulnerability can lead to denial of service and remote code execution. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** sqlparse (affected versions not specified) **Description** The issue is related to the sqlparse.parse() function, which can lead to a Denial of Service due to a RecursionError when processing a heavily nested list. This can be exploited by a remote attacker to cause a denial of service. The impact depends on the use of the sqlparse.parse() function, and anyone parsing user input with this function is affected. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider limiting the recursion depth in the flatten() function of the TokenList class to prevent excessive recursion. For example, you can modify the function to raise an error when a maximum depth is reached.

**Name of the Vulnerable Software and Affected Versions** MLflow versions prior to 2.4.1 **Description** The issue stems from insufficient sanitization in MLflow, leading to cross-site scripting (XSS) when running an untrusted recipe. This can be escalated to a client-side remote code execution (RCE) when running the recipe via Jupyter Notebook. The vulnerability is due to a lack of sanitization over template variables. **Recommendations** To protect against remote code execution, update to version 2.4.1. As a temporary workaround, consider restricting the use of untrusted recipes in Jupyter Notebook until the issue is resolved. Avoid running untrusted recipes to minimize the risk of exploitation.

The issue is with MLflow, which has a problem with insufficient sanitization, leading to XSS when running a recipe that uses an untrusted dataset. This can further result in a client-side RCE when the recipe is run in Jupyter Notebook. The affected software is MLflow, and the issue arises from a lack of sanitization of dataset table fields. An exploit for this issue is available, but the specific affected versions of MLflow are not specified. The issue can be exploited when running a recipe with an untrusted dataset, leading to XSS and potentially client-side RCE in Jupyter Notebook. #MLflow #XSS #RCE #JupyterNotebook #cybersecurityawareness #infosec #hacker

**Name of the Vulnerable Software and Affected Versions** PJSIP (affected versions not specified) **Description** The issue is related to a stack overflow in the PJSUA API when calling the `pjsua player create` function. An attacker-controlled `filename` argument may cause a buffer overflow since it is copied to a fixed-size stack buffer without any size validation. This could allow a remote attacker to execute arbitrary code on the target system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PJSIP (affected versions not specified) **Description** The issue is related to a buffer overflow in the PJSUA API when calling the `pjsua call dump` function. An attacker-controlled `buffer` argument may cause a buffer overflow if an output buffer smaller than 128 characters is supplied, regardless of the `maxlen` argument. This could allow a remote attacker to execute arbitrary code. The vulnerability is associated with a boundary error in the PJSUA API, potentially leading to memory corruption. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ClickHouse (affected versions not specified) **Description** A heap out-of-bounds read issue exists in ClickHouse's LZ4 compression codec when parsing a malicious query. The `LZ4::decompressImpl()` loop reads a 16-bit unsigned user-supplied value (`offset`) from the compressed data, which is later used in the length of a copy operation without checking the upper bounds of the source of the copy operation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ClickHouse (affected versions not specified) **Description** The issue is related to a heap buffer overflow in ClickHouse's LZ4 compression codec. This occurs when parsing a malicious query, as there is no verification that copy operations in the LZ4::decompressImpl loop do not exceed the destination buffer's limits. The vulnerable copy operation is in a different wildCopy call, making it similar to a previously identified issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ClickHouse (affected versions not specified) **Description** The issue is related to a heap buffer overflow in ClickHouse's LZ4 compression codec. This occurs when parsing a malicious query, as there is no verification that copy operations do not exceed the destination buffer's limits. Specifically, the arbitrary copy operation in the LZ4::decompressImpl loop can lead to this overflow. An attacker could potentially exploit this vulnerability to execute arbitrary code remotely. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ClickHouse (affected versions not specified) **Description** The issue is related to a divide-by-zero error in ClickHouse's Gorilla compression codec. This occurs when parsing a malicious query, where the first byte of the compressed buffer is used in a modulo operation without being checked for 0. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Clickhouse (affected versions not specified) **Description** The issue is related to a divide-by-zero error in Clickhouse's DeltaDouble compression codec. This occurs when parsing a malicious query, where the first byte of the compressed buffer is used in a modulo operation without being checked for 0. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Clickhouse (affected versions not specified) **Description** The issue is related to a divide-by-zero error in Clickhouse's Delta compression codec. This error occurs when parsing a malicious query, where the first byte of the compressed buffer is used in a modulo operation without being checked for 0. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ClickHouse (affected versions not specified) **Description** A heap out-of-bounds read issue exists in ClickHouse's LZ4 compression codec when parsing a malicious query. The `LZ4::decompressImpl()` loop reads a 16-bit unsigned user-supplied value (`offset`) from the compressed data. This `offset` is later used in the length of a copy operation without checking the lower bounds of the source of the copy operation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.