Vulnerabilities we've disclosed
GitHub Security Lab researchers find vulnerabilities in key, widely-used open source projects. We then coordinate the disclosure of those vulnerabilities to security teams at those projects. We only publish vulnerabilities here after they’ve been announced by the affected projects' development teams and patches are available. See our disclosure policy below for more information.
Incorrect use of X509_check_ip_asc
Incorrect use of X509_check_email
Incorrect use of X509_check_host (regarding return value)
Use-after-free in memory pools during data transfer
Multiple int-to-bool casting vulnerabilities, leading to heap overflow
Stack overflow (stack exhaustion) in listdir (remote DoS)
A malicious user can inject a data: or vbscript: hotspot link if they control the viewer configuration, which leads to XSS once a user clicks the link.
Integer overflow in amqp_handle_input
PID recycling enables an unprivileged user to exploit a PID race in Apport to generate a crash report which contains the ASLR offsets for a privileged process.
Denial of service due to symlink traversal
An integer overflow in bson_ensure_space (bson.c:613) can lead to a subsequent heap buffer overflow, which can be exploited to gain code execution as the whoopsie user.
Remote denial of service or possible information disclosure when connecting to a malicious SSH server
Heap-based overflow in contrib/pmaixforwardedfrom/pmaixforwardedfrom.c
Heap-based overflow in contrib/pmcisconames/pmcisconames.c
Multiple NULL dereferences in alloc_workqueue
13 remote code vulnerabilities in U-Boot including stack overflows
12 memory corruption vulnerabilities including heap overflows
A stack-based buffer overflow in the subtitle decoder in Libav 12.3 allows attackers to corrupt the stack via a crafted video file in Matroska format, because srt_to_ass in libavcodec/srtdec.c misuses snprintf.
Denial of service due to quadratic call to strstr in srtdec.c (close tag scanning)
An attacker with permissions to manage podcasts can read (and publish) arbitrary files from the server hosting an Airsonic media streamer by uploading a specially-crafted XML podcast specification containing one or more XML external entities.
Ansible: path traversal in the fetch module
SPARQL Injection in VIVO Vitro v1.10.0 allows a remote attacker to execute arbitrary SPARQL via the uri parameter, leading to a regular expression denial of service (ReDoS), as demonstrated by crafted use of FILTER%20regex in a /individual?uri= request.
Command Injection Vulnerability in kill-port Package
This vulnerability affects a range of Apple products. If the kernel's packet-mangler is enabled, it allows an attacker to remotely trigger an infinite loop in the kernel, thereby preventing the device from accessing the internet and hogging one of its CPU cores.
Prototype pollution in node.extend package
The just-extend package can be tricked into adding or modifying properties of the Object prototype.
Prototype pollution in mpath package
An issue was discovered in certain Apple products. iOS before 11.4 is affected. macOS before 10.13.5 is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves pktmnglr_ipfilter_input in com.apple.packet-mangler in the "Kernel" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (integer overflow and stack-based buffer overflow) via a crafted app.
Apache Batik information disclosure vulnerability
A remote attacker with local user credentials (possibly a normal user in the vpn group, or root) may be able to underflow the buffer and cause a denial of service.
Possible RCE in Apache Ignite deserialization endpoints
rsyslog librelp version 1.2.14 and earlier contains a Buffer Overflow vulnerability in the checking of x509 certificates from a peer that can result in remote code execution.
RCE in Apache Geode due to unsafe deserialization of application objects
The TcpServer within the Geode locator opens a network port that deserializes data. If an unprivileged user gains access to the Geode locator, they may be able to cause remote code execution if certain classes are present on the classpath.
RCE in Apple's packet-mangler
The Hotrod client in Infinispan unsafely deserializes data read from the cache. An authenticated attacker could inject a malicious object into the data cache and have it deserialized on the client, and possibly conduct further attacks.
XSS in Etherpad Lite before v1.6.3 via window.location.href
Versions of Etherpad Lite before the release of v1.16.3 fail to sanitize the name of the JSONP callback function used in the HTTP API. This allows remote attackers to bypass intended access restrictions, making the HTTP API vulnerable to a reflected file download (RFD) attack.
XXE vulnerability in Apache Hadoop
Apache Camel's camel-castor component has a Java object deserialization vulnerability. Deserializing untrusted data can lead to security flaws.
Memory exposure vulnerability in DTrace
The XmlUtils class in jbpmmigration performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML external entity (XXE) attacks.
Parameter entity XXE vulnerability in Restlet
Restlet Framework before 2.3.11, when using SimpleXMLProvider, allows remote attackers to access arbitrary files via an XXE attack in a REST API HTTP request. This affects use of the Jax-rs extension.
RCE in PATCH requests in Spring Data REST
In Pivotal Spring AMQP versions before 1.7.4, 1.6.11, and 1.5.7, an org.springframework.amqp.core.Message may be unsafely deserialized when being converted into a string. A malicious payload could be crafted to exploit this and enable a remote code execution attack.
RCE vulnerability in the Apache Struts REST plugin