We’ve disclosed 1175 vulnerabilities
by Snyk Security Researchers
How to fix?
Upgrade org.springframework:spring-beans to version 5.2.20, 5.3.18 or higher.
middleware-serde is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'.
grafana-django-saml2-auth is a Django SAML2 authentication library ("Django SAML2 Authentication Made Easy").
Affected versions of this package are vulnerable to Open Redirect due to missing validation of the next URL in the login flow.
org.springframework.data:spring-data-mongodb [,3.3.5), [3.4.0,3.4.1)
Affected versions of this package are vulnerable to SpEL Expression injection when using @Query or @Aggregation-annotated query methods with SpEL expressions. Exploiting this vulnerability is possible if the query parameter placeholders contain unsanitized value binding.
Notes:
Applications are not affected if one of the following is true:
The annotated repository query or aggregation method does not contain expressions
The annotated repository query or aggregation method does not use the parameter placeholder syntax within the expression
The user-supplied input is sanitized by the application
The repository is configured to use a QueryMethodEvaluationContextProvider that limits SpEL usage
Denial of Service (DoS) in @discordjs/opus (npm)
Out-of-bounds Read in fast-string-search (npm)
Prototype Pollution in mout (npm)
Prototype Pollution in deep-get-set (npm)
Denial of Service (DoS) in fast-string-search (npm)
Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.