Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-5473

Publication date:
03/04/2026
A vulnerability has been found in NASA cFS up to 7.0.0. The impacted element is the function pickle.load of the component Pickle Module. Such manipulation leads to deserialization. The attack needs to be performed locally. The attack requires a high level of complexity. The exploitability is regarded as difficult. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Severity CVSS v4.0: LOW
Last modification:
03/04/2026

CVE-2026-5474

Publication date:
03/04/2026
A vulnerability was found in NASA cFS up to 7.0.0. This affects the function CFE_MSG_GetSize of the file apps/to_lab/fsw/src/to_lab_passthru_encode.c of the component CCSDS Packet Header Handler. Performing a manipulation results in heap-based buffer overflow. The attacker must have access to the local network to execute the attack. The project was informed of the problem early through an issue report but has not responded yet.
Severity CVSS v4.0: MEDIUM
Last modification:
03/04/2026

CVE-2026-5471

Publication date:
03/04/2026
A vulnerability was detected in Investory Toy Planet Trouble App up to 1.5.5 on Android. Impacted is an unknown function of the file assets/google-services-desktop.json of the component app.investory.toyfactory. The manipulation of the argument current_key results in use of hard-coded cryptographic key. The attack must be initiated from a local position. The exploit is now public and may be used.
Severity CVSS v4.0: LOW
Last modification:
03/04/2026

CVE-2026-5472

Publication date:
03/04/2026
A flaw has been found in ProjectsAndPrograms School Management System up to 6b6fae5426044f89c08d0dd101c7fa71f9042a59. The affected element is an unknown function of the file /admin_panel/settings.php of the component Profile Picture Handler. This manipulation of the argument File causes unrestricted upload. Remote exploitation of the attack is possible. The exploit has been published and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided.
Severity CVSS v4.0: MEDIUM
Last modification:
03/04/2026

CVE-2026-5470

Publication date:
03/04/2026
A security vulnerability has been detected in mixelpixx Google-Research-MCP 1e062d7bd887bfe5f6e582b6cc288bb897b35cf2/ca613b736ab787bc926932f59cddc69457185a83. This issue affects the function extractContent of the file src/services/content-extractor.service.ts of the component Model Context Protocol Handler. The manipulation of the argument URL leads to server-side request forgery. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
03/04/2026

CVE-2026-35214

Publication date:
03/04/2026
Budibase is an open-source low-code platform. Prior to version 3.33.4, the plugin file upload endpoint (POST /api/plugin/upload) passes the user-supplied filename directly to createTempFolder() without sanitizing path traversal sequences. An attacker with Global Builder privileges can craft a multipart upload with a filename containing ../ to delete arbitrary directories via rmSync and write arbitrary files via tarball extraction to any filesystem path the Node.js process can access. This issue has been patched in version 3.33.4.
Severity CVSS v4.0: Pending analysis
Last modification:
03/04/2026

CVE-2026-35218

Publication date:
03/04/2026
Budibase is an open-source low-code platform. Prior to version 3.32.5, Budibase's Builder Command Palette renders entity names (tables, views, queries, automations) using Svelte's {@html} directive without any sanitization. An authenticated user with Builder access can create a table, automation, view, or query whose name contains an HTML payload (e.g. ). When any Builder-role user in the same workspace opens the Command Palette (Ctrl+K), the payload executes in their browser, stealing their session cookie and enabling full account takeover. This issue has been patched in version 3.32.5.
Severity CVSS v4.0: Pending analysis
Last modification:
03/04/2026

CVE-2026-35216

Publication date:
03/04/2026
Budibase is an open-source low-code platform. Prior to version 3.33.4, an unauthenticated attacker can achieve Remote Code Execution (RCE) on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. No authentication is required to trigger the exploit. The process executes as root inside the container. This issue has been patched in version 3.33.4.
Severity CVSS v4.0: Pending analysis
Last modification:
03/04/2026

CVE-2026-31401

Publication date:
03/04/2026
In the Linux kernel, the following vulnerability has been resolved:

HID: bpf: prevent buffer overflow in hid_hw_request

Right now the returned value is considered to be always valid. However, when playing with HID-BPF, the return value can be arbitrarily big, because it's the return value of dispatch_hid_bpf_raw_requests(), which calls the struct_ops and we have no guarantees that the value makes sense.
Severity CVSS v4.0: Pending analysis
Last modification:
03/04/2026

CVE-2026-31402

Publication date:
03/04/2026
In the Linux kernel, the following vulnerability has been resolved:

nfsd: fix heap overflow in NFSv4.0 LOCK replay cache

The NFSv4.0 replay cache uses a fixed 112-byte inline buffer (rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses. This size was calculated based on OPEN responses and does not account for LOCK denied responses, which include the conflicting lock owner as a variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT).

When a LOCK operation is denied due to a conflict with an existing lock that has a large owner, nfsd4_encode_operation() copies the full encoded response into the undersized replay buffer via read_bytes_from_xdr_buf() with no bounds check. This results in a slab-out-of-bounds write of up to 944 bytes past the end of the buffer, corrupting adjacent heap memory.

This can be triggered remotely by an unauthenticated attacker with two cooperating NFSv4.0 clients: one sets a lock with a large owner string, then the other requests a conflicting lock to provoke the denial.

We could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full opaque, but that would increase the size of every stateowner, when most lockowners are not that large.

Instead, fix this by checking the encoded response length against NFSD4_REPLAY_ISIZE before copying into the replay buffer. If the response is too large, set rp_buflen to 0 to skip caching the replay payload. The status is still cached, and the client already received the correct response on the original request.
Severity CVSS v4.0: Pending analysis
Last modification:
03/04/2026

CVE-2026-31403

Publication date:
03/04/2026
In the Linux kernel, the following vulnerability has been resolved:

NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd

The /proc/fs/nfs/exports proc entry is created at module init and persists for the module's lifetime. exports_proc_open() captures the caller's current network namespace and stores its svc_export_cache in seq->private, but takes no reference on the namespace. If the namespace is subsequently torn down (e.g. container destruction after the opener does setns() to a different namespace), nfsd_net_exit() calls nfsd_export_shutdown() which frees the cache. Subsequent reads on the still-open fd dereference the freed cache_detail, walking a freed hash table.

Hold a reference on the struct net for the lifetime of the open file descriptor. This prevents nfsd_net_exit() from running -- and thus prevents nfsd_export_shutdown() from freeing the cache -- while any exports fd is open. cache_detail already stores its net pointer (cd->net, set by cache_create_net()), so exports_release() can retrieve it without additional per-file storage.
Severity CVSS v4.0: Pending analysis
Last modification:
03/04/2026

CVE-2026-31404

Publication date:
03/04/2026
In the Linux kernel, the following vulnerability has been resolved:

NFSD: Defer sub-object cleanup in export put callbacks

svc_export_put() calls path_put() and auth_domain_put() immediately when the last reference drops, before the RCU grace period. RCU readers in e_show() and c_show() access both ex_path (via seq_path/d_path) and ex_client->name (via seq_escape) without holding a reference. If cache_clean removes the entry and drops the last reference concurrently, the sub-objects are freed while still in use, producing a NULL pointer dereference in d_path.

Commit 2530766492ec ("nfsd: fix UAF when access ex_uuid or ex_stats") moved kfree of ex_uuid and ex_stats into the call_rcu callback, but left path_put() and auth_domain_put() running before the grace period because both may sleep and call_rcu callbacks execute in softirq context.

Replace call_rcu/kfree_rcu with queue_rcu_work(), which defers the callback until after the RCU grace period and executes it in process context where sleeping is permitted. This allows path_put() and auth_domain_put() to be moved into the deferred callback alongside the other resource releases. Apply the same fix to expkey_put(), which has the identical pattern with ek_path and ek_client.

A dedicated workqueue scopes the shutdown drain to only NFSD export release work items; flushing the shared system_unbound_wq would stall on unrelated work from other subsystems. nfsd_export_shutdown() uses rcu_barrier() followed by flush_workqueue() to ensure all deferred release callbacks complete before the export caches are destroyed.

Reviewed-by: Jeff Layton
Severity CVSS v4.0: Pending analysis
Last modification:
03/04/2026