We’ve disclosed 3435 vulnerabilities
by Snyk Security
Researchers
Avoid using all malicious instances of the ngx-bootstrap package.
tar-fs provides filesystem bindings for tar-stream.
Affected versions of this package are vulnerable to Symlink Following via the symlink validation process in the inCwd function. An attacker can write files outside the intended extraction directory by crafting a malicious tarball that contains symlinks starting with the name of the current working directory.
Affected versions of this package are vulnerable to Symlink Attack via _untar_without_filter when used with Python versions that do not implement PEP 706 (<3.9.17, <3.10.12, <3.11.4, or <3.12). An attacker can write files outside the target directory by enticing the user to install a tar archive containing malicious symbolic links that are not properly validated to ensure they point within the intended extraction directory.
Note: This is only exploitable through the fallback tar extraction logic used with non-PEP 706 compliant Python versions; when using a Python version that implements PEP 706, pip doesn't use the vulnerable fallback code.
Affected versions of this package are vulnerable to Insufficient Session Expiration in the SpSessionTerminationSamlPortalFilter. An attacker can gain unauthorized access to user accounts by reusing old session tokens via the SLO API, causing the session to be reinitialized when it should be invalidated.