Security Advisories
Browse security advisories and track which Dependabot PRs address them.
25,050
Total Advisories
1,846
With Dependabot PRs
3,534
Critical Severity
8,712
High Severity
@keystone-6/core's bundled cuid package known to be insecure
GHSA-5fp6-4xw3-xqq3 LOW over 2 years ago
### Summary
The `cuid` package used by `@keystone-6/*` and upstream dependencies is deprecated and [marked as insecure by the author](https://githu...
npm
No PRs yet
git-url-parse crate vulnerable to Regular Expression Denial of Service
GHSA-qfh9-8p57-mjjj CVE-2023-33290 LOW over 2 years ago
The git-url-parse crate through 0.4.4 for Rust allows Regular Expression Denial of Service (ReDos) via a crafted URL to `normalize_url` in `lib.rs`...
cargo
No PRs yet
RuoYi Uncontrolled Resource Consumption vulnerability
GHSA-g3hh-q55f-9g3w CVE-2023-3163 LOW over 2 years ago
A vulnerability was found in y_project RuoYi up to 4.7.7. It has been classified as problematic. Affected is the function filterKeyword. The manipu...
maven
No PRs yet
buffered-reader vulnerable to out-of-bounds array access leading to panic
GHSA-29mf-62xx-28jq CVE-2023-53161 LOW over 2 years ago
Affected versions of the crate have a bug where attacker-controlled input can result in the use of an out-of-bound array index. Rust detects the us...
cargo
No PRs yet
sequoia-openpgp vulnerable to out-of-bounds array access leading to panic
GHSA-25mx-8f3v-8wh7 CVE-2023-53160 LOW over 2 years ago
Affected versions of the crate have several bugs where attacker-controlled input can result in the use of an out-of-bound array index. Rust detect...
cargo
No PRs yet
cheqd-node affected by Inter-blockchain Communication (IBC) protocol "Huckleberry" vulnerability
GHSA-7c94-gvvj-r3mg LOW over 2 years ago
### Impact
This vulnerability affects the [`ibc-go` package for those running full nodes, dubbed "Huckleberry"](https://forum.cosmos.network/t/ibc-...
go
No PRs yet
Vulnerable OpenSSL included in cryptography wheels
GHSA-5cpq-8wj7-hf2v LOW over 2 years ago
pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 0.5-40.0.2 are vulnerable ...
pypi
No PRs yet
Go package github.com/cosmos/cosmos-sdk module x/crisis does NOT cause chain halt
GHSA-qfc5-6r3j-jj22 LOW over 2 years ago
# x/crisis does NOT cause chain halt
### Impact
If an invariant check fails on a Cosmos SDK network and a transaction is sent to the `x/crisis` mo...
go
No PRs yet
In Lima, a malicious disk image could read a single file on the host filesystem as a qcow2/vmdk backing file
GHSA-f7qw-jj9c-rpq9 CVE-2023-32684 LOW over 2 years ago
> **Note**
>
> The official templates of Lima, and the well-known third party products (Colima, Rancher Desktop, and Finch) are *unlikely* to be af...
go
No PRs yet
CraftCMS stored XSS in Quick Post widget error message
GHSA-3wxg-w96j-8hq9 CVE-2023-33194 LOW over 2 years ago
### Summary
The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload.
### Det...
packagist
No PRs yet
Incorrect signature verification in django-ses
GHSA-qg36-9jxh-fj25 CVE-2023-33185 LOW over 2 years ago
The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView` class int...
pypi
No PRs yet
Jenkins NS-ND Integration Performance Publisher Plugin displays credentials without masking
GHSA-gqxr-hvrw-6hfh CVE-2023-33000 LOW over 2 years ago
Jenkins NS-ND Integration Performance Publisher Plugin stores credentials in job config.xml files on the Jenkins controller as part of its configur...
maven
No PRs yet
etcd Key name can be accessed via LeaseTimeToLive API
GHSA-3p4g-rcw5-8298 CVE-2023-32082 LOW over 2 years ago
### Impact
LeaseTimeToLive API allows access to key names (not values) associated with a lease when the `Keys` parameter is true, even when a user doesn't have...
go
No PRs yet
PostgresNIO processes unencrypted bytes from man-in-the-middle
GHSA-9cfh-vx93-84vv CVE-2023-31136 LOW over 2 years ago
### Impact
Any user of PostgresNIO connecting to servers with TLS enabled is vulnerable to a man-in-the-middle attacker injecting false responses t...
swift
No PRs yet
Answer Missing Authorization vulnerability
GHSA-qmqw-r4x6-3w2q CVE-2023-2590 LOW over 2 years ago
A missing authorization in GitHub repository answerdev/answer prior to 1.0.9 can lead to a user rating their own answer as the best answer.
go
No PRs yet
Mutagen list and monitor operations do not neutralize control characters in text controlled by remote endpoints
GHSA-jmp2-wc4p-wfh2 CVE-2023-30844 LOW over 2 years ago
### Impact
Mutagen command line operations, as well as the log output from `mutagen daemon run`, are susceptible to control characters that could ...
go
No PRs yet
Under-validated ComSpec and cmd.exe resolution in Mutagen projects
GHSA-fwj4-72fm-c93g LOW over 2 years ago
### Impact
Mutagen projects offer shell-based execution functionality. On Windows, the shell is resolved using the standard `%ComSpec%` mechanism...
go
No PRs yet
Possible prototype pollution in metadata record, when using meta decorator
GHSA-wwxh-74fx-33c6 CVE-2023-30857 LOW over 2 years ago
### Impact
Possible prototype pollution for the `MetadataRecord`, when merged with a base class' metadata object, in `meta` decorator from the `@a...
npm
No PRs yet
Race Condition leading to logging errors
GHSA-hjp3-5g2q-7jww CVE-2024-22047 LOW over 2 years ago
In certain setups with threaded web servers, Audited's use of `Thread.current` can incorrectly attribute audits to the wrong user.
Fixed in 5.3....
rubygems
No PRs yet
Concrete CMS (previously concrete5) is vulnerable to stored XSS in uploaded file and folder names
GHSA-474f-mcjv-pgrm CVE-2023-28819 LOW over 2 years ago
Concrete CMS (previously concrete5) before 9.1 is vulnerable to Stored XSS in uploaded file and folder names.
packagist
No PRs yet
Stored cross site scripting in RSS displayer
GHSA-fgxj-g7x3-85cq CVE-2023-28820 LOW over 2 years ago
Concrete CMS (previously concrete5) before 9.1 is vulnerable to stored XSS in RSS Displayer via the href attribute because the link element input w...
packagist
No PRs yet
Undefined Behavior in Rust runtime functions
GHSA-ch89-5g45-qwc7 CVE-2023-30624 LOW over 2 years ago
### Impact
Wasmtime's implementation of managing per-instance state, such as tables and memories, contains LLVM-level undefined behavior. This und...
cargo
No PRs yet
Hop-by-hop abuse to malform header mutator
GHSA-w9mr-28mw-j8hg LOW over 2 years ago
### Impact
Downstream services relying on the presence of headers set by the `header` mutator could be exploited. A client can drop the header set...
go
No PRs yet
Sensitive Terraform Output Values Printed At Info Logging Level In Kitchen-Terraform
GHSA-65g2-x53q-cmf6 CVE-2023-30618 LOW over 2 years ago
### Summary
Kitchen-Terraform v7.0.0 introduced a regression which caused all Terraform output values, including sensitive values, to be printed a...
rubygems
No PRs yet
kiwi TCMS has possibility for user to update email address to unverified one
GHSA-7x6q-3v3m-cwjg CVE-2023-30544 LOW over 2 years ago
### Impact
In previous versions of Kiwi TCMS users were able to update their email addresses via the "My profile" admin page. This page allowed the...
pypi
No PRs yet
eslint-detailed-reporter vulnerable to cross-site scripting
GHSA-4xr4-89m5-46c7 CVE-2022-4942 LOW over 2 years ago
A vulnerability was found in mportuga eslint-detailed-reporter up to 0.9.0 and classified as problematic. Affected by this issue is the function re...
npm
No PRs yet
AzuraCast/AzuraCast vulnerable to cross-site scripting
GHSA-q55c-hmpf-6h2g CVE-2023-2191 LOW over 2 years ago
AzuraCast/AzuraCast prior to version 0.18.0 is vulnerable to stored cross-site scripting. An issue was identified where a user who already had an A...
packagist
No PRs yet
Eclipse Jetty's cookie parsing of quoted values can exfiltrate values from other cookies
GHSA-p26g-97m4-6q7c CVE-2023-26049 LOW over 2 years ago
Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tamp...
maven
9 Dependabot PRs, 33% merged
Unauthenticated user can have information about hidden users on subwikis through uorgsuggest.vm
GHSA-vvp7-r422-rx83 CVE-2023-29203 LOW over 2 years ago
### Impact
It's possible to list some users who are normally not viewable from subwiki by requesting users on a subwiki which allows only global u...
maven
No PRs yet
Jenkins WSO2 Oauth Plugin does not mask the WSO2 Oauth client secret on the global configuration form
GHSA-q9hm-hr89-hgm7 CVE-2023-30528 LOW over 2 years ago
Jenkins WSO2 Oauth Plugin 1.0 and earlier stores the WSO2 Oauth client secret unencrypted in the global config.xml file on the Jenkins controller a...
maven
No PRs yet
Jenkins WSO2 Oauth Plugin stores WSO2 Oauth client secret unencrypted in global config.xml file on Jenkins controller
GHSA-g472-f8cm-8x5f CVE-2023-30527 LOW over 2 years ago
Jenkins WSO2 Oauth Plugin 1.0 and earlier stores the WSO2 Oauth client secret unencrypted in the global config.xml file on the Jenkins controller a...
maven
No PRs yet
govuk_tech_docs vulnerable to unescaped HTML on search results page
GHSA-x2xw-hw8g-6773 CVE-2024-22048 LOW over 2 years ago
### Impact
Pages that are indexed in search results have their entire contents indexed, including any HTML code snippets. These HTML snippets woul...
rubygems
No PRs yet
configobj ReDoS exploitable by developer using values in a server-side configuration file
GHSA-c33w-24p9-8m24 CVE-2023-26112 LOW over 2 years ago
All versions of the package configobj are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, using (.+?)\((.*)\)...
pypi
33 Dependabot PRs, 12% merged
rootless: `/sys/fs/cgroup` is writable when cgroupns isn't unshared in runc
GHSA-m8cg-xc2p-r3fc CVE-2023-25809 LOW over 2 years ago
### Impact
It was found that rootless runc makes `/sys/fs/cgroup` writable in the following conditions:
1. when runc is executed inside the user namespa...
go
10 Dependabot PRs
Answer vulnerable to Business Logic Errors
GHSA-h2wg-83fc-xvm9 CVE-2023-1541 LOW over 2 years ago
Business Logic Errors in GitHub repository answerdev/answer prior to 1.0.6.
go
No PRs yet
Possible Denial of Service Vulnerability in Rack's header parsing
GHSA-c6qg-cjj8-47qp CVE-2023-27539 LOW almost 3 years ago
There is a denial of service vulnerability in the header parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-202...
rubygems
446 Dependabot PRs, 10% merged
Timing attack in eZ Platform Ibexa
GHSA-66m4-gc8h-hpjx CVE-2022-48366 LOW almost 3 years ago
Ibexa DXP is using random execution time to hinder timing attacks against user accounts, a method of discovering whether a given account exists in ...
packagist
No PRs yet
Incorrect Authorization in Jenkins Core
GHSA-584m-7r4m-8j6v CVE-2023-27903 LOW almost 3 years ago
When triggering a build from the Jenkins CLI, Jenkins creates a temporary file on the controller if a file parameter is provided through the CLI’s ...
maven
No PRs yet
Information disclosure through error stack traces related to agents
GHSA-rrgp-c2w8-6vg6 CVE-2023-27904 LOW almost 3 years ago
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier, and prior to LTS 2.387.1 prints an error stack trace on agent-related pages when agent connecti...
maven
No PRs yet
wasmtime vulnerable to miscompilation of `i8x16.select` with the same inputs on x86_64
GHSA-xm67-587q-r2vw CVE-2023-27477 LOW almost 3 years ago
### Impact
Wasmtime's code generation backend, Cranelift, has a bug on x86_64 platforms for the WebAssembly `i8x16.select` instruction which will ...
cargo
No PRs yet
Azure/setup-kubectl: Escalation of privilege vulnerability for v3 and lower
GHSA-p756-rfxh-x63h CVE-2023-23939 LOW almost 3 years ago
### Impact
This vulnerability only impacts versions `v2` and lower. An insecure temporary creation of a file allows other actors on the Actions ru...
actions
No PRs yet
OpenStack Glance Inclusion of Functionality from Untrusted Control Sphere vulnerability
GHSA-5gp5-vxj6-4257 CVE-2022-4134 LOW almost 3 years ago
A flaw was found in openstack-glance. This issue could allow a remote, authenticated attacker to tamper with images, compromising the integrity of ...
pypi
No PRs yet
Saleor Unauthenticated Information Disclosure Vulnerability via Python Exceptions
GHSA-3hvj-3cg9-v242 CVE-2023-26052 LOW almost 3 years ago
### Impact
Some internal Python exceptions are not handled properly and thus are returned in API as error messages. Some messages might contain sen...
pypi
No PRs yet
Imperative CLI vulnerable to Command Injection
GHSA-6q8m-42qq-64r7 CVE-2021-4326 LOW almost 3 years ago
A vulnerability in Imperative framework which allows already-privileged local actors to execute arbitrary shell commands via plugin install/update ...
npm
No PRs yet
RestEasy Reactive implementation of Quarkus allows Creation of Temporary File With Insecure Permissions
GHSA-j75r-vf64-6rrh CVE-2023-0481 LOW almost 3 years ago
In RestEasy Reactive implementation of Quarkus the insecure `File.createTempFile()` is used in the `FileBodyHandler` class which creates temp files...
maven
No PRs yet
Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU) Race Condition in remove_dir_all
GHSA-mc8h-8q98-g5hr LOW almost 3 years ago
The `remove_dir_all` crate is a Rust library that offers additional features over the Rust standard library `fs::remove_dir_all` function. It suffe...
cargo
5 Dependabot PRs, 20% merged
CSRF vulnerability in Synopsys Jenkins Coverity Plugin
GHSA-px6v-6jhf-j46r CVE-2023-23847 LOW almost 3 years ago
A cross-site request forgery (CSRF) vulnerability in Synopsys Jenkins Coverity Plugin 3.0.2 and earlier allows attackers to connect to an attacker-...
maven
No PRs yet
Incorrect parsing of nameless cookies leads to __Host- cookies bypass
GHSA-px8h-6qxv-m22q CVE-2023-23934 LOW almost 3 years ago
Browsers may allow "nameless" cookies that look like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on a...
pypi
127 Dependabot PRs, 16% merged
IPython vulnerable to command injection via set_term_title
GHSA-29gw-9793-fvw7 CVE-2023-24816 LOW almost 3 years ago
IPython provides an interactive Python shell and Jupyter kernel to use Python interactively. Versions prior to 8.10.0 are vulnerable to command inj...
pypi
122 Dependabot PRs, 16% merged
Nervos CKB vulnerable to low-resource flood DDoS attacks through network message
GHSA-p2gm-ffr3-w2xw LOW almost 3 years ago
### Workarounds
* forbid request genesis through network request
* forbid requesting duplicate data through network request
cargo
No PRs yet