Vulnerabilities

To inform, warn and assist professionals about the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used in order to support the exchange of information between different tools and databases.

All collected vulnerabilities are linked to their information sources, as well as to any patches or solutions made available by manufacturers and developers. Advanced searches are possible: results can be narrowed down by selecting criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the most recently added vulnerabilities.

CVE-2024-6356

Publication date:
05/02/2025
An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, which allowed cross project access for Security policy bot.
Severity CVSS v4.0: Pending analysis
Last modification:
06/08/2025

CVE-2025-0167

Publication date:
05/02/2025
When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances.

This flaw only manifests itself if the netrc file has a `default` entry that omits both login and password. A rare circumstance.
Severity CVSS v4.0: Pending analysis
Last modification:
30/07/2025

CVE-2025-0665

Publication date:
05/02/2025
libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolve.
Severity CVSS v4.0: Pending analysis
Last modification:
30/07/2025

CVE-2025-0725

Publication date:
05/02/2025
When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, **using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would make libcurl perform a buffer overflow.
Severity CVSS v4.0: Pending analysis
Last modification:
27/06/2025

CVE-2023-52924

Publication date:
05/02/2025
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: don't skip expired elements during walk

There is an asymmetry between commit/abort and preparation phase if the following conditions are met:

1. set is a verdict map ("1.2.3.4 : jump foo")
2. timeouts are enabled

In this case, following sequence is problematic:

1. element E in set S refers to chain C
2. userspace requests removal of set S
3. kernel does a set walk to decrement chain->use count for all elements from preparation phase
4. kernel does another set walk to remove elements from the commit phase (or another walk to do a chain->use increment for all elements from abort phase)

If E has already expired in 1), it will be ignored during list walk, so its use count won't have been changed.

Then, when set is culled, ->destroy callback will zap the element via nf_tables_set_elem_destroy(), but this function is only safe for elements that have been deactivated earlier from the preparation phase: lack of earlier deactivate removes the element but leaks the chain use count, which results in a WARN splat when the chain gets removed later, plus a leak of the nft_chain structure.

Update pipapo_get() not to skip expired elements, otherwise flush command reports bogus ENOENT errors.
Severity CVSS v4.0: Pending analysis
Last modification:
15/10/2025

CVE-2023-52925

Publication date:
05/02/2025
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: don't fail inserts if duplicate has expired

nftables selftests fail:
run-tests.sh testcases/sets/0044interval_overlap_0
Expected: 0-2 . 0-3, got:
W: [FAILED] ./testcases/sets/0044interval_overlap_0: got 1

Insertion must ignore duplicate but expired entries.

Moreover, there is a strange asymmetry in nft_pipapo_activate:

It refetches the current element, whereas the other ->activate callbacks (bitmap, hash, rhash, rbtree) use elem->priv.
Same for .remove: other set implementations take elem->priv, nft_pipapo_remove fetches elem->priv, then does a relookup, remove this.

I suspect this was the reason for the change that prompted the removal of the expired check in pipapo_get() in the first place, but skipping expired elements there makes no sense to me, this helper is used for normal get requests, insertions (duplicate check) and deactivate callback.

In first two cases expired elements must be skipped.

For ->deactivate(), this gets called for DELSETELEM, so it seems to me that expired elements should be skipped as well, i.e. delete request should fail with -ENOENT error.
Severity CVSS v4.0: Pending analysis
Last modification:
15/10/2025

CVE-2024-13829

Publication date:
05/02/2025
The WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.0.8 via the 'attachments.php' file. This makes it possible for unauthenticated attackers to extract sensitive data including files uploaded via forms.
Severity CVSS v4.0: Pending analysis
Last modification:
05/02/2025

CVE-2025-25246

Publication date:
05/02/2025
NETGEAR XR1000 before 1.0.0.74, XR1000v2 before 1.1.0.22, and XR500 before 2.3.2.134 allow remote code execution by unauthenticated users.
Severity CVSS v4.0: Pending analysis
Last modification:
05/02/2025

CVE-2025-1022

Publication date:
05/02/2025
Versions of the package spatie/browsershot before 5.0.5 are vulnerable to Improper Input Validation in the setHtml function, invoked by Browsershot::html(), which can be bypassed by omitting the slashes in the file URI (e.g., file:../../../../etc/passwd). This is due to missing validations of the user input that should be blocking file URI schemes (e.g., file:// and file:/) in the HTML content.
Severity CVSS v4.0: HIGH
Last modification:
05/02/2025

CVE-2025-1025

Publication date:
05/02/2025
Versions of the package cockpit-hq/cockpit before 2.4.1 are vulnerable to Arbitrary File Upload where an attacker can use different extension to bypass the upload filter.
Severity CVSS v4.0: HIGH
Last modification:
05/02/2025

CVE-2025-1026

Publication date:
05/02/2025
Versions of the package spatie/browsershot before 5.0.5 are vulnerable to Improper Input Validation due to improper URL validation through the setUrl method, which results in a Local File Inclusion allowing the attacker to read sensitive files.

**Note:**

This is a bypass of the fix for [CVE-2024-21549](https://security.snyk.io/vuln/SNYK-PHP-SPATIEBROWSERSHOT-8533023).
Severity CVSS v4.0: HIGH
Last modification:
05/02/2025

CVE-2025-1028

Publication date:
05/02/2025
The Contact Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the contact form upload feature in all versions up to, and including, 8.6.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible in specific configurations where the first extension is processed over the final. This vulnerability also requires successfully exploiting a race condition in order to exploit.
Severity CVSS v4.0: Pending analysis
Last modification:
05/02/2025