Woodruffw

Name of the Vulnerable Software and Affected Versions: rfc3161-client versions prior to 1.0.3 Description: The issue is related to a flaw in the timestamp response signature verification logic. Specifically, the chain verification is performed against the TSR's embedded certificates up to the trusted root(s), but it fails to verify the TSR's own signature against the timestamping leaf certificates. This allows an attacker to introduce any TSR signature as long as the embedded leaf chains up to some root TSA, resulting in insufficient signature validation. Recommendations: For versions prior to 1.0.3, update to version 1.0.3 to resolve the issue. As a temporary workaround, consider restricting the use of the timestamp response signature verification logic until a patch is available.

**Name of the Vulnerable Software and Affected Versions** step-security/harden-runner versions prior to v2.10.2 **Description** The issue concerns command injection weaknesses via environment variables in step-security/harden-runner. These weaknesses could potentially be exploited under specific conditions. However, due to the current execution order of pre-steps in GitHub Actions and the placement of harden-runner as the first step in a job, the likelihood of exploitation is low. There are no known exploits at this time. The weaknesses are found in several areas, including the use of `execSync` with interpolated variables, such as `process.env.USER` and `$USER`, which an attacker could modify to inject arbitrary shell expressions. Additionally, the expansion of `getRunnerTempDir()` may be injectable due to its dependence on potentially attacker-controllable environment variables, such as `RUNNER TEMP`. **Recommendations** For versions prior to v2.10.2, update to version 2.10.2, which contains a patch for the command injection weaknesses. As a temporary workaround, consider restricting the modification of environment variables, such as `USER` and `RUNNER TEMP`, to minimize the risk of exploitation. Additionally, consider replacing the use of `execSync` with `execFileSync` or similar to bypass shell evaluation and reduce the risk of command injection.

**Name of the Vulnerable Software and Affected Versions** py versions through 1.11.0 **Description** The py library allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the `InfoSvnCommand` argument is mishandled. This issue is related to the regular expression at `py. path.svnurl.InfoSvnCommand.lspattern` and is only relevant when dealing with subversion (svn) projects. Note that this issue has been disputed by multiple third parties as not being reproduceable, and they argue this is not a valid vulnerability. **Recommendations** For py versions through 1.11.0, consider updating to a version of a dependent package, such as pytest, that removes its dependency on the vulnerable py version, for example, updating to pytest version 7.2.0. At the moment, there is no information about a newer version of py that contains a fix for this issue.