An open index of Dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total Advisories: 25,050
With Dependabot PRs: 1,846
Critical Severity: 3,534
High Severity: 8,712

XWiki allows RCE from script right in configurable sections
GHSA-r279-47wg-chpr CVE-2024-55879 CRITICAL about 1 year ago
Impact: Any user with script rights can perform arbitrary remote code execution by adding instances of `XWiki.ConfigurableClass` to any page. Th...
maven
No PRs yet
io.quarkus.http/quarkus-http-core: Quarkus HTTP Cookie Smuggling
GHSA-cxrx-q234-m22m CVE-2024-12397 HIGH about 1 year ago
A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could ...
maven
No PRs yet
Apache Struts file upload logic is flawed
GHSA-43mq-6xmg-29vm CVE-2024-53677 CRITICAL about 1 year ago
File upload logic is flawed vulnerability in Apache Struts. An attacker can manipulate file upload params to enable paths traversal and under some ...
maven
No PRs yet
sigstore-java has a vulnerability with bundle verification
GHSA-jp26-88mw-89qr CVE-2024-54140 LOW about 1 year ago
Summary: sigstore-java has insufficient verification for a situation where a bundle provides an invalid signature for a checkpoint. Impact: T...
maven
No PRs yet
Apache Hive: Deserialization of untrusted data when fetching partitions from the Metastore
GHSA-6hqr-c69m-r76q CVE-2022-41137 HIGH about 1 year ago
Apache Hive Metastore (HMS) uses SerializationUtilities#deserializeObjectWithTypeInformation method when filtering and fetching partitions that is ...
maven
No PRs yet
Spring LDAP data exposure vulnerability
GHSA-mqvr-2rp8-j7h4 CVE-2024-38829 MODERATE about 1 year ago
A vulnerability in Spring LDAP allows data exposure for case sensitive comparisons. This issue affects Spring LDAP: from 2.4.0 through 2.4.3, from 3...
maven
No PRs yet
Apache Ozone: Improper authentication when generating S3 secrets
GHSA-rcq8-9q3j-98mw CVE-2024-45106 HIGH about 1 year ago
Improper authentication of an HTTP endpoint in the S3 Gateway of Apache Ozone 1.4.0 allows any authenticated Kerberos user to revoke and regenerate...
maven
No PRs yet
AsyncHttpClient (AHC) library's `CookieStore` replaces explicitly defined `Cookie`s
GHSA-mfj5-cf8g-g2fv CVE-2024-53990 CRITICAL about 1 year ago
Summary: When making any HTTP request, the automatically enabled and self-managed `CookieStore` (aka cookie jar) will silently replace explicit...
maven
29 Dependabot PRs, 7% merged
veraPDF CLI has potential XXE (XML External Entity Injection) vulnerability
GHSA-4cx5-89vm-833x CVE-2024-52800 LOW about 1 year ago
Impact: Executing policy checks using custom schematron files via the CLI invokes an XSL transformation that may theoretically lead to a remote ...
maven
1 Dependabot PR
Spring Framework has Authorization Bypass for Case Sensitive Comparisons
GHSA-q3v6-hm2v-pw99 CVE-2024-38827 MODERATE about 1 year ago
The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rule...
maven
No PRs yet
Ant-Media-Server vulnerable to Improper Output Neutralization for Logs
GHSA-2gx6-qrpp-c4p3 CVE-2024-35371 HIGH about 1 year ago
Ant-Media-Server v2.8.2 is affected by Improper Output Neutralization for Logs. The vulnerability stems from insufficient input sanitization in the...
maven
No PRs yet
Querydsl vulnerable to HQL injection through orderBy
GHSA-6q3q-6v5j-h6vg CVE-2024-49203 HIGH about 1 year ago
Summary: The order by method enables injecting HQL queries. This may cause blind HQL injection, which could lead to leakage of sensitive informa...
maven
No PRs yet
Jenkins Simple Queue Plugin has stored cross-site scripting (XSS) vulnerability
GHSA-4gwv-fpmg-cmv2 CVE-2024-54003 HIGH about 1 year ago
Jenkins Simple Queue Plugin 1.4.4 and earlier does not escape the view name. This results in a stored cross-site scripting (XSS) vulnerability exp...
maven
No PRs yet
Jenkins Filesystem List Parameter Plugin has Path Traversal vulnerability
GHSA-fwxq-3f52-5cmc CVE-2024-54004 MODERATE about 1 year ago
Jenkins Filesystem List Parameter Plugin 0.0.14 and earlier does not restrict the path used for the File system objects list Parameter. This allow...
maven
No PRs yet
sigstore-java has vulnerability with bundle verification
GHSA-q4xm-6fjc-5f6w CVE-2024-53267 MODERATE about 1 year ago
Summary: sigstore-java has insufficient verification for a situation where a validly-signed but "mismatched" bundle is presented as proof of inc...
maven
No PRs yet
Keycloak mTLS Authentication Bypass via Reverse Proxy TLS Termination
GHSA-93ww-43rr-79v3 CVE-2024-10039 HIGH about 1 year ago
A vulnerability was found in Keycloak. Deployments of Keycloak with a reverse proxy not using pass-through termination of TLS, with mTLS enabled, a...
maven
No PRs yet
Keycloak proxy header handling Denial-of-Service (DoS) vulnerability
GHSA-jgwc-jh89-rpgq CVE-2024-9666 MODERATE about 1 year ago
Keycloak versions 26 and earlier are vulnerable to a denial-of-service (DoS) attack through improper handling of proxy headers. When Keycloak is co...
maven
No PRs yet
Keycloak Build Process Exposes Sensitive Data
GHSA-v7gv-xpgf-6395 CVE-2024-10451 HIGH about 1 year ago
A flaw was found in Keycloak. This issue occurs because sensitive runtime values, such as passwords, may be captured during the Keycloak build proc...
maven
No PRs yet
Keycloak Path Traversal Vulnerability Due to External Control of File Name or Path
GHSA-5545-r4hg-rj4m CVE-2024-10492 MODERATE about 1 year ago
A vulnerability was found in Keycloak. A user with high privileges could read sensitive information from a Vault file that is not within the expect...
maven
No PRs yet
org.keycloak:keycloak-services has Inefficient Regular Expression Complexity
GHSA-wq8x-cg39-8mrr CVE-2024-10270 HIGH about 1 year ago
A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a denial o...
maven
3 Dependabot PRs
Searching Opencast may cause a denial of service
GHSA-jh6x-7xfg-9cq2 CVE-2024-52797 MODERATE about 1 year ago
Impact: First noticed in Opencast 13 and 14, Opencast's Elasticsearch integration may generate syntactically invalid Elasticsearch queries in re...
maven
No PRs yet
Apache Kafka Clients: Privilege escalation to filesystem read-access via automatic ConfigProvider
GHSA-2x2g-32r7-p4x8 CVE-2024-31141 MODERATE about 1 year ago
Files or Directories Accessible to External Parties, Improper Privilege Management vulnerability in Apache Kafka Clients. Apache Kafka Clients acc...
maven
1 Dependabot PR
Graylog concurrent PDF report rendering can leak other users' reports
GHSA-vggm-3478-vm5m CVE-2024-52506 HIGH about 1 year ago
Impact: The reporting functionality in Graylog allows the creation and scheduling of reports which contain dashboard widgets displaying individ...
maven
No PRs yet
Apache Tomcat - XSS in generated JSPs
GHSA-f632-9449-3j4w CVE-2024-52318 MODERATE about 1 year ago
Description: The fix for improvement 69333 caused pooled JSP tags not to be released after use which in turn could cause output of some tags not ...
maven
No PRs yet
Apache Tomcat Request and/or response mix-up
GHSA-qvf5-hvjx-wm27 CVE-2024-52317 MODERATE about 1 year ago
Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests coul...
maven
No PRs yet
Apache Tomcat - Authentication Bypass
GHSA-xcpr-7mr4-h4xq CVE-2024-52316 CRITICAL about 1 year ago
Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAu...
maven
2 Dependabot PRs
Spring MVC controller vulnerable to a DoS attack
GHSA-w3c8-7r8f-9jp8 CVE-2024-38828 MODERATE about 1 year ago
Spring MVC controller methods with an @RequestBody byte[] method parameter are vulnerable to a DoS attack.
maven
No PRs yet
Debezium database connector has a script injection vulnerability
GHSA-hvw5-3mgw-7rcf CVE-2023-1419 MODERATE about 1 year ago
A script injection vulnerability was found in the Debezium database connector, where it does not properly sanitize some parameters. This flaw allow...
maven
No PRs yet
Undertow incorrectly parses cookies
GHSA-3jrv-jgp8-45v3 CVE-2023-4639 HIGH about 1 year ago
A flaw was found in Undertow, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allo...
maven
No PRs yet
FitNesse Cross-site scripting
GHSA-pg82-9w35-3w3r CVE-2024-39610 MODERATE about 1 year ago
Cross-site scripting vulnerability exists in FitNesse releases prior to 20241026. If this vulnerability is exploited, an arbitrary script may be ex...
maven
No PRs yet
FitNesse Path Traversal
GHSA-q297-5ff8-hc92 CVE-2024-42499 MODERATE about 1 year ago
Improper limitation of a pathname to a restricted directory ('Path Traversal') issue exists in FitNesse releases prior to 20241026. If this vulnera...
maven
No PRs yet
Restarting a run with revoked script approval allowed by Jenkins Pipeline: Declarative Plugin
GHSA-p2qq-c693-q53w CVE-2024-52551 HIGH about 1 year ago
Jenkins Pipeline: Declarative Plugin 2.2214.vb_b_34b_2ea_9b_83 and earlier does not check whether the main (Jenkinsfile) script used to restart a b...
maven
No PRs yet
Rebuilding a run with revoked script approval allowed by Jenkins Pipeline: Groovy Plugin
GHSA-mrpr-vr82-x88r CVE-2024-52550 HIGH about 1 year ago
Jenkins Pipeline: Groovy Plugin 3990.vd281dd77a_388 and earlier, except 3975.3977.v478dd9e956c3, does not check whether the main (Jenkinsfile) scrip...
maven
No PRs yet
Missing permission check in Jenkins Script Security Plugin
GHSA-jv82-75fh-23r7 CVE-2024-52549 MODERATE about 1 year ago
Jenkins Script Security Plugin 1367.vdf2fc45f229c and earlier, except 1365.1367.va_3b_b_89f8a_95b_ and 1362.1364.v4cf2dc5d8776, does not perform a ...
maven
No PRs yet
Stored XSS vulnerability in Jenkins Authorize Project Plugin
GHSA-8886-8v27-85j8 CVE-2024-52552 HIGH about 1 year ago
Jenkins Authorize Project Plugin 1.7.2 and earlier evaluates a string containing the job name with JavaScript on the Authorization view, resulting ...
maven
No PRs yet
Script security bypass vulnerability in Jenkins Shared Library Version Override Plugin
GHSA-7845-crfj-phc4 CVE-2024-52554 HIGH about 1 year ago
Jenkins Shared Library Version Override Plugin 17.v786074c9fce7 and earlier declares folder-scoped library overrides as trusted, so that they're no...
maven
No PRs yet
Session fixation vulnerability in Jenkins OpenId Connect Authentication Plugin
GHSA-h23j-73ww-7594 CVE-2024-52553 HIGH about 1 year ago
Jenkins OpenId Connect Authentication Plugin 4.418.vccc7061f5b_6d and earlier does not invalidate the previous session on login. This allows attack...
maven
No PRs yet
Denial of Service attack on windows app using netty
GHSA-xq3w-v528-46rv CVE-2024-47535 MODERATE about 1 year ago
Summary: An unsafe reading of an environment file could potentially cause a denial of service in Netty. When loaded on a Windows application, Net...
maven
27 Dependabot PRs, 3% merged
powertac-server XML External Entity vulnerability
GHSA-pgrc-8wp5-5mvq CVE-2024-51135 HIGH about 1 year ago
An XML External Entity (XXE) vulnerability in the component DocumentBuilderFactory of powertac-server v1.9.0 allows attackers to access sensitive i...
maven
No PRs yet
XXE vulnerability in XSLT parsing in `org.hl7.fhir.core`
GHSA-gr3c-q7xf-47vh CVE-2024-52007 HIGH about 1 year ago
Summary: XSLT parsing performed by various components is vulnerable to XML external entity injections. A processed XML file with a malicious DT...
maven
No PRs yet
XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream
GHSA-hfq9-hggm-c56q CVE-2024-47072 HIGH about 1 year ago
Impact: The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service ...
maven
No PRs yet
Apache ZooKeeper: Authentication bypass with IP-based authentication in Admin Server
GHSA-g93m-8x6h-g5gv CVE-2024-51504 HIGH about 1 year ago
When using IPAuthenticationProvider in ZooKeeper Admin Server there is a possibility of Authentication Bypass by Spoofing -- this only impacts IP b...
maven
8 Dependabot PRs
hibernate-validator Cross-site Scripting vulnerability
GHSA-x83m-pf6f-pf9g CVE-2023-1932 MODERATE about 1 year ago
A flaw was found in hibernate-validator's 'isValid' method in the org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator class,...
maven
No PRs yet
Undertow Denial of Service vulnerability
GHSA-97cq-f4jm-mv8h CVE-2023-1973 MODERATE about 1 year ago
A flaw was found in Undertow package. Using the FormAuthenticationMechanism, a malicious user could trigger a Denial of Service by sending crafted ...
maven
No PRs yet
Apache Tomcat Allocation of Resources Without Limits or Throttling vulnerability
GHSA-7jqf-v358-p8g7 CVE-2024-38286 HIGH about 1 year ago
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0...
maven
2 Dependabot PRs
HAPI FHIR XML External Entity (XXE) vulnerability
GHSA-4cf2-cxp3-rjr7 CVE-2024-51132 HIGH about 1 year ago
An XML External Entity (XXE) vulnerability in HAPI FHIR before v6.4.0 allows attackers to access sensitive information or execute arbitrary code vi...
maven
No PRs yet
Reposilite vulnerable to path traversal while serving javadoc expanded files (arbitrary file read) (`GHSL-2024-074`)
GHSA-82j3-hf72-7x93 HIGH about 1 year ago
Summary: Reposilite v3.5.10 is affected by an Arbitrary File Read vulnerability via path traversal while serving expanded javadoc files. ### De...
maven
No PRs yet
hornetq vulnerable to file overwrite, sensitive information disclosure
GHSA-r7mv-mv7m-pjw3 CVE-2024-51127 HIGH about 1 year ago
An issue in the `createTempFile` method of hornetq v2.4.9 allows attackers to arbitrarily overwrite files or access sensitive information.
maven
No PRs yet
Apache Kylin Session Fixation vulnerability
GHSA-752q-72qc-rc66 CVE-2024-23590 HIGH about 1 year ago
Session Fixation vulnerability in Apache Kylin. This issue affects Apache Kylin: from 2.0.0 through 4.x. Users are recommended to upgrade to vers...
maven
No PRs yet
JeecgBoot SQL Injection vulnerability
GHSA-mcw3-h5xg-r95m CVE-2024-48307 HIGH about 1 year ago
JeecgBoot v3.7.1 was discovered to contain a SQL injection vulnerability via the component `/onlDragDatasetHead/getTotalData`.
maven
No PRs yet