Security Advisories
Browse security advisories and track which Dependabot PRs address them.
25,050 Total Advisories
1,846 With Dependabot PRs
3,534 Critical Severity
8,712 High Severity
Apereo CAS vulnerable to credential leaks for LDAP authentication
GHSA-p78h-m8pv-g9gm CVE-2023-28857 MODERATE over 1 year ago
Apereo CAS is an open source multilingual single sign-on solution for the web. Apereo CAS can be configured to use authentication based on client X...
maven
No PRs yet
Alpine allows Authentication Filter bypass
GHSA-whr2-9x5f-5c79 CVE-2022-23554 MODERATE over 1 year ago
Alpine is a scaffolding library in Java. Alpine prior to version 1.10.4 allows Authentication Filter bypass. The AuthenticationFilter relies on the...
maven
No PRs yet
Alpine allows URL access filter bypass
GHSA-2w4p-2hf7-gh8x CVE-2022-23553 HIGH over 1 year ago
Alpine is a scaffolding library in Java. Alpine prior to version 1.10.4 allows URL access filter bypass. This issue has been fixed in version 1.10....
maven
No PRs yet
Path traversal in Reposilite javadoc file expansion (arbitrary file creation/overwrite) (`GHSL-2024-073`)
GHSA-frvj-cfq4-3228 CVE-2024-36116 HIGH over 1 year ago
### Summary
Reposilite v3.5.10 is affected by an Arbitrary File Upload vulnerability via path traversal in expanding of Javadoc archives.
### Deta...
maven
No PRs yet
Reposilite artifacts vulnerable to Stored Cross-site Scripting
GHSA-9w8w-34vr-65j2 CVE-2024-36115 HIGH over 1 year ago
### Summary
Reposilite v3.5.10 is affected by Stored Cross-Site Scripting (XSS) when displaying artifact's content in the browser.
### Details
As ...
maven
No PRs yet
Apache Inlong Code Injection vulnerability
GHSA-qff2-8qw7-hcvw CVE-2024-36268 HIGH over 1 year ago
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong.
This issue affects Apache InLong: from 1.10.0 through 1....
maven
No PRs yet
Apache Linkis vulnerable to privilege escalation
GHSA-v352-rg37-5q5m CVE-2024-27181 HIGH over 1 year ago
In Apache Linkis <= 1.5.0, Privilege Escalation in Basic management services where the attacking user is a trusted account allows access to Linkis'...
maven
No PRs yet
Apache Linkis arbitrary file deletion vulnerability
GHSA-j6vx-r77h-44wc CVE-2024-27182 HIGH over 1 year ago
In Apache Linkis <= 1.5.0, Arbitrary file deletion in Basic management services on a user with an administrator account could delete any file acces...
maven
No PRs yet
biscuit-java vulnerable to public key confusion in third party block
GHSA-5hcj-rwm6-xmw4 CVE-2024-41948 MODERATE over 1 year ago
### Impact
Tokens with third-party blocks containing trusted annotations generated through a third party block request. Due to implementation issue...
maven
No PRs yet
Elasticsearch stores private key on disk unencrypted
GHSA-5v8f-xx9m-wj44 CVE-2024-23444 MODERATE over 1 year ago
It was discovered by Elastic engineering that when elasticsearch-certutil CLI tool is used with the csr option in order to create a new Certificate...
maven
No PRs yet
XWiki Platform vulnerable to Cross-Site Scripting (XSS) through conflict resolution
GHSA-692v-783f-mg8x CVE-2024-41947 CRITICAL over 1 year ago
### Impact
By creating a conflict when another user with more rights is currently editing a page, it is possible to execute JavaScript snippets on...
maven
No PRs yet
XWiki Platform vulnerable to remote code execution from account via SearchSuggestConfigSheet
GHSA-h63h-5c77-77p5 CVE-2024-37901 CRITICAL over 1 year ago
### Impact
Any user with edit right on any page can perform arbitrary remote code execution by adding instances of `XWiki.SearchSuggestConfig` and ...
maven
No PRs yet
XWiki Platform vulnerable to Cross-site Scripting through attachment filename in uploader
GHSA-wf3x-jccf-5g5g CVE-2024-37900 HIGH over 1 year ago
### Impact
When uploading an attachment with a malicious filename, malicious JavaScript code could be executed. This requires a social engineering ...
maven
No PRs yet
XWiki Platform vulnerable to document deletion and overwrite from edit
GHSA-33gp-gmg3-hfpq CVE-2024-37898 MODERATE over 1 year ago
### Impact
When a user has edit but not view right on a page in XWiki, that user can delete the page and replace it by a page with new content wit...
maven
No PRs yet
Apache SeaTunnel Web Authentication vulnerability
GHSA-cp2c-x2pc-fph7 CVE-2023-48396 HIGH over 1 year ago
Web Authentication vulnerability in Apache SeaTunnel. Since the jwt key is hardcoded in the application, an attacker can forge any token to log in ...
maven
No PRs yet
GraphQL Java does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service
GHSA-h9mq-f6q5-6c8m CVE-2024-40094 HIGH over 1 year ago
GraphQL Java (aka graphql-java) before 21.5 does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service vi...
maven
No PRs yet
Elasticsearch Insertion of Sensitive Information into Log File
GHSA-2hjr-vmf3-xwvp CVE-2023-49921 MODERATE over 1 year ago
An issue was discovered by Elastic whereby Watcher search input logged the search query results on DEBUG log level. This could lead to raw contents...
maven
No PRs yet
OpenAM FreeMarker template injection
GHSA-7726-43hg-m23v CVE-2024-41667 HIGH over 1 year ago
OpenAM is an open access management solution. In versions 15.0.3 and prior, the `getCustomLoginUrlTemplate` method in RealmOAuth2ProviderSettings.j...
maven
No PRs yet
Remote code execution in Spring Cloud Data Flow
GHSA-p528-3mvf-gr87 CVE-2024-37084 CRITICAL over 1 year ago
In Spring Cloud Data Flow versions prior to 2.11.4, a malicious user who has access to the Skipper server api can use a crafted upload request to w...
maven
No PRs yet
XML External Entity Reference (XXE) in the XML Format Plugin in Apache Drill
GHSA-v62g-jwj9-rfvx CVE-2023-48362 HIGH over 1 year ago
XXE in the XML Format Plugin in Apache Drill version 1.19.0 and greater allows a user to read any file on a remote file system or execute commands ...
maven
No PRs yet
Apache Pinot: Unauthorized endpoint exposed sensitive information
GHSA-8gj9-r4hv-3jjw CVE-2024-39676 HIGH over 1 year ago
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Pinot.
This issue affects Apache Pinot: from 0.1 before 1.0.0.
...
maven
No PRs yet
DNSJava vulnerable to KeyTrap - Denial-of-Service Algorithmic Complexity Attacks
GHSA-crjg-w57m-rqqf HIGH over 1 year ago
### Impact
Users using the `ValidatingResolver` for DNSSEC validation can run into CPU exhaustion with specially crafted DNSSEC-signed zones.
### ...
maven
22 Dependabot PRs, 13% Merged
DNSJava affected by KeyTrap - NSEC3 closest encloser proof can exhaust CPU resources
GHSA-mmwx-rj87-vfgr HIGH over 1 year ago
### Impact
Users using the `ValidatingResolver` for DNSSEC validation can run into CPU exhaustion with specially crafted DNSSEC-signed zones.
### ...
maven
22 Dependabot PRs, 13% Merged
DNSJava DNSSEC Bypass
GHSA-cfxw-4h78-h7fw CVE-2024-25638 HIGH over 1 year ago
### Summary
Records in DNS replies are not checked for their relevance to the query, allowing an attacker to respond with RRs from different zones...
maven
23 Dependabot PRs, 13% Merged
Apache Syncope Improper Input Validation vulnerability
GHSA-8pxv-x6jq-5vw9 CVE-2024-38503 HIGH over 1 year ago
When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to potential exploits.
T...
maven
No PRs yet
Apache RocketMQ Vulnerable to Unauthorized Exposure of Sensitive Data
GHSA-q9w2-h4cw-8ghp CVE-2024-23321 MODERATE over 1 year ago
For RocketMQ versions 5.2.0 and below, under certain conditions, there is a risk of exposure of sensitive Information to an unauthorized actor even...
maven
No PRs yet
H2O vulnerable to Deserialization of Untrusted Data
GHSA-w36w-948j-xhfw CVE-2024-6960 HIGH over 1 year ago
The H2O machine learning platform uses "Iced" classes as the primary means of moving Java Objects around the cluster. The Iced format supports incl...
maven
No PRs yet
Apache CXF allows unrestricted memory consumption in CXF HTTP clients
GHSA-4mgg-fqfq-64hg CVE-2024-41172 MODERATE over 1 year ago
In versions of Apache CXF before 3.6.4 and 4.0.5 (3.5.x and lower versions are not impacted), a CXF HTTP client conduit may prevent HTTPClient inst...
maven
No PRs yet
Apache CXF: SSRF vulnerability via WADL stylesheet parameter
GHSA-5m3j-pxh7-455p CVE-2024-29736 HIGH over 1 year ago
A SSRF vulnerability in WADL service description in versions of Apache CXF before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform SSRF style a...
maven
No PRs yet
Apache CXF Denial of Service vulnerability in JOSE
GHSA-6pff-fmh2-4mmf CVE-2024-32007 MODERATE over 1 year ago
An improper input validation of the p2c parameter in the Apache CXF JOSE code before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform a denial ...
maven
No PRs yet
Absent Input Validation in BinaryHttpParser
GHSA-q8f2-hxq5-cp4h CVE-2024-40642 HIGH over 1 year ago
### Summary
`BinaryHttpParser` does not properly validate input values thus giving attackers almost complete control over the HTTP requests constru...
maven
No PRs yet
The OpenSearch reporting plugin improperly controls tenancy access to reporting resources
GHSA-xmvg-335g-x44q CVE-2024-39900 MODERATE over 1 year ago
### Summary
An issue in the OpenSearch reporting plugin allows unintended access to private tenant resources like notebooks. The system did not pr...
maven
No PRs yet
Apache StreamPark: FreeMarker SSTI RCE Vulnerability
GHSA-vv8h-m63v-53pq CVE-2024-29178 HIGH over 1 year ago
On versions before 2.1.4, a user could log in and perform a template injection attack resulting in Remote Code Execution on the server. The attacke...
maven
No PRs yet
Apache StreamPark: Information leakage vulnerability
GHSA-hcf8-5j78-887v CVE-2024-29120 MODERATE over 1 year ago
In Streampark (version < 2.1.4), when a user logged in successfully, the Backend service would return "Authorization" as the front-end authenticati...
maven
No PRs yet
Eclipse Parsson stack overflow when parsing deeply nested input
GHSA-2rwm-xv5j-777p CVE-2023-7272 CRITICAL over 1 year ago
In Eclipse Parsson before 1.0.4 and 1.1.3, a document with a large depth of nested objects can allow an attacker to cause a Java stack overflow exc...
maven
No PRs yet
Apache StreamPipes has potential remote code execution (RCE) via file upload
GHSA-6523-jf4r-c962 CVE-2024-31411 HIGH over 1 year ago
Unrestricted Upload of File with dangerous type vulnerability in Apache StreamPipes.
Such a dangerous type might be an executable file that may lea...
maven
No PRs yet
Apache StreamPipes has possibility of SSRF in pipeline element installation process
GHSA-9gr7-gh74-qg9x CVE-2024-31979 MODERATE over 1 year ago
Server-Side Request Forgery (SSRF) vulnerability in Apache StreamPipes during installation process of pipeline elements.
Previously, StreamPipes al...
maven
No PRs yet
Apache StreamPipes potentially allows creation of multiple identical accounts
GHSA-2qph-v9p2-q2gv CVE-2024-30471 MODERATE over 1 year ago
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache StreamPipes in user self-registration.
This allows an attacker to potenti...
maven
No PRs yet
Apache StreamPark: Unchecked maven build params could trigger remote command execution
GHSA-7g94-hfqc-q993 CVE-2023-52291 MODERATE over 1 year ago
In streampark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to ...
maven
No PRs yet
Apache StreamPark: maven build params could trigger remote command execution
GHSA-5v69-92vw-fmjh CVE-2024-29737 MODERATE over 1 year ago
In streampark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to ...
maven
No PRs yet
Apache Linkis DataSource's JDBC Datasource Module with DB2 has JNDI Injection vulnerability
GHSA-7qpc-4xx9-x5qw CVE-2023-49566 HIGH over 1 year ago
In Apache Linkis <=1.5.0, due to the lack of effective filtering of parameters, an attacker configuring malicious `db2` parameters in the DataSource...
maven
No PRs yet
Apache Linkis DataSource allows arbitrary file reading
GHSA-f22j-9j59-33j4 CVE-2023-41916 HIGH over 1 year ago
In Apache Linkis = 1.4.0, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in the Data...
maven
No PRs yet
Apache Linkis DataSource remote code execution vulnerability
GHSA-jjvc-v8gw-5255 CVE-2023-46801 HIGH over 1 year ago
In Apache Linkis <= 1.5.0, the data source management module, when adding a Mysql data source, has a remote code execution vulnerability for java versio...
maven
No PRs yet
Apache Wicket: Remote code execution via XSLT injection
GHSA-hhwc-gh8h-9rrp CVE-2024-36522 HIGH over 1 year ago
The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrus...
maven
No PRs yet
OpenSearch Observability does not properly restrict access to private tenant resources
GHSA-77vc-rj32-2r33 CVE-2024-39901 LOW over 1 year ago
### Summary
An issue in the OpenSearch observability plugins allows unintended access to private tenant resources like notebooks. The system did n...
maven
No PRs yet
Silverpeas Core Cross-site Scripting vulnerability
GHSA-vfwh-gvf6-mff8 CVE-2024-39031 MODERATE over 1 year ago
In Silverpeas Core <= 6.3.5, in Mes Agendas, a user can create new events and add them to their calendar. Additionally, users can invite others fro...
maven
No PRs yet
Spring Cloud Function Framework vulnerable to Denial of Service
GHSA-j4r7-p9fp-w3f3 CVE-2024-22271 HIGH over 1 year ago
In Spring Cloud Function framework, versions 4.1.x prior to 4.1.2, 4.0.x prior to 4.0.8 an application is vulnerable to a DOS attack when attemptin...
maven
No PRs yet
Undertow Missing Release of Memory after Effective Lifetime vulnerability
GHSA-ch7q-gpff-h9hp CVE-2024-3653 MODERATE over 1 year ago
A vulnerability was found in Undertow. This issue requires enabling the learning-push handler in the server's config, which is disabled by default,...
maven
1 Dependabot PR
Undertow Denial of Service vulnerability
GHSA-xpp6-8r3j-ww43 CVE-2024-5971 HIGH over 1 year ago
A vulnerability was found in Undertow, where the chunked response hangs after the body was flushed. The response headers and body were sent but the...
maven
1 Dependabot PR
Apache NiFi vulnerable to Cross-site Scripting
GHSA-h658-qqv9-qwv8 CVE-2024-37389 MODERATE over 1 year ago
Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context configuration that is vulnerab...
maven
No PRs yet