We’ve disclosed 3273 vulnerabilities
by Snyk Security Researchers
How to fix?
Avoid using all malicious instances of the tukaani-project/xz package.
thelounge is a self-hosted Web IRC client.
Affected versions of this package are vulnerable to Information Exposure due to improper handling of user identity verification on port 113, when multiple connections use the same local port number. An attacker can obtain a list of usernames by scanning the range of local ports, exploiting the non-unique and public nature of the ident information.
freeipa is an integrated security information management solution.
Affected versions of this package are vulnerable to Denial of Service (DoS) when a very long password is sent to the server. The password hashing process can exhaust memory and CPU, causing the website to become unresponsive.
Affected versions of this package are vulnerable to Path Traversal via the file upload process. An attacker can manipulate the file path and content by providing a custom filename in the multipart/form-data request, allowing the file to be written to arbitrary locations on the server where the Java process has write permissions.
Note: Genie users who do not store these attachments locally on the underlying file system are not vulnerable to this issue.
Improper Certificate Validation in componentspace.saml2 (nuget)
Arbitrary Code Injection in mysql2 (npm)
Prototype Pollution in lodash (npm)
Prototype Pollution in lodash.zipobjectdeep (npm)
Remote Code Execution (RCE) in mysql2 (npm)
Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.