We’ve disclosed 3369 vulnerabilities by Snyk Security Researchers
How to fix?
Avoid using any of the malicious versions of the @lottiefiles/lottie-player package.
kibana is an open source (Apache Licensed), browser-based analytics and search dashboard for Elasticsearch.
Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the parsing of a YAML document in the fleet plugin. An attacker can execute arbitrary code by supplying a crafted payload.
Note: This is only exploitable if the attacker has specific Elasticsearch indices privileges and Kibana privileges:
Elasticsearch indices privileges: the write privilege on the system index .kibana_ingest, with the allow_restricted_indices flag set to true;
Any of the following Kibana privileges: the All privilege under Fleet, the Read or All privilege under Integrations, or access to the fleet-setup privilege through the Fleet Server’s service account token.
python-openstackclient is an OpenStack command-line client.
Affected versions of this package are vulnerable to Race Condition due to an improper handling of non-existing identifiers. An attacker can inadvertently cause the deletion of valid access rules by attempting to delete non-existent ones.
io.undertow:undertow-core is a Java web server based on non-blocking IO.
Affected versions of this package are vulnerable to HTTP Request Smuggling due to the interaction of quotation marks and delimiters in the parseCookie() function. An attacker can exfiltrate HttpOnly cookie values or smuggle extra cookie values.
Regular Expression Denial of Service (ReDoS) in @eslint/plugin-kit (npm)
Arbitrary Code Execution in dom-iterator (npm)
Directory Traversal in source-map-support (npm)
Cross-site Scripting (XSS) in tarteaucitronjs (npm)
Regular Expression Denial of Service (ReDoS) in cross-spawn (npm)