Explore packages and vulnerabilities by …
Operating system
Infrastructure as Code
Vulnerabilities from the last week
Malicious Package
SECURITY ISSUES FOUNDLIMITEDSUSTAINABLELIMITED
Affects
@augmentor/experiences is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship.
Resources Downloaded over Insecure Protocol
Affects
onnx is an Open Neural Network Exchange
Affected versions of this package are vulnerable to Resources Downloaded over Insecure Protocol via the onnx.hub.load function when the silent parameter is set to True. An attacker can bypass repository trust verification and suppress all security warnings and confirmation prompts by exploiting this logic, allowing the download and execution of malicious models from attacker-controlled repositories without user notification. This enables the attacker to exfiltrate sensitive files from the victim's machine upon model loading.
Improper Input Validation
Affected versions of this package are vulnerable to Improper Input Validation when processing arbitrary Spark configuration values in requests. An attacker can gain unauthorized access to files by sending specially crafted requests to the REST or JDBC interface.
Note:
This is only exploitable if the attacker has access to the REST or JDBC interface and can supply arbitrary Spark configuration values.
Recent vulnerabilities disclosed by Snyk
- H
Improper Verification of Cryptographic Signature in sjcl (npm)- H
Authorization Bypass Through User-Controlled Key in flowise (npm)- H
Directory Traversal in @google/clasp (npm)- C
Improper Handling of Case Sensitivity in @whyour/qinglong (npm)- C
Remote Code Execution (RCE) in @whyour/qinglong (npm)
Snyk security
researchers
have disclosed
3476
vulnerabilities
About Snyk dependencies vulnerability database
Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.
