We’ve disclosed 1155 vulnerabilities
by Snyk Security
Researchers
Open Source Vulnerability Database
The most comprehensive, accurate, and timely database for open source vulnerabilities.
Remote Code Execution
Affecting org.springframework:spring-beans package, versions
[ ,5.2.20) , [5.3.0, 5.3.18)
How to fix?
Upgrade org.springframework:spring-beans to version 5.2.20, 5.3.18 or higher.
Vulnerabilities from the last week
Missing Cryptographic Step
cassproject is a Competency and Skills Service
Affected versions of this package are vulnerable to Missing Cryptographic Step when storing cryptographic keys. Exploiting this vulnerability allows a server administrator access to an account’s cryptographic keys.
Notes:
This affects CaSS servers using standalone username/password authentication, which uses a method that expects e2e cryptographic security of authorization credentials.
The vulnerable accounts are only resecured when the user next logs in using standalone authentication after upgrading.
Heap-based Buffer Overflow
Pillow is a PIL (Python Imaging Library) fork.
Affected versions of this package are vulnerable to Heap-based Buffer Overflow. When reading a TGA file with RLE packets that cross scan lines. Pillow reads the information past the end of the first line without deducting that from the length of the remaining file data.
Cross-site Scripting (XSS)
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper input validation, it is possible to inject malicious content into the Name field.
Recent vulnerabilities disclosed by Snyk
- M
Regular Expression Denial of Service (ReDoS) in url-regex (pip)
- H
Denial of Service (DoS) in dicer (npm)
- H
Command Injection in workspace-tools (npm)
- M
Prototype Pollution in sds (npm)
- H
Prototype Pollution in convict (npm)
About Snyk
Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.
