shineouts is a malicious package. This package exfiltrates Kubernetes configurations and SSH keys from compromised machines to a remote server.

Affected versions of this package are vulnerable to Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') when the gevent.pywsgi function is used. An attacker can craft invalid trailers in chunked requests on keep-alive connections that might appear as two requests to gevent.pywsgi. This could potentially bypass checks if an upstream server is filtering incoming requests based on paths or header fields and simply passing trailers through without validating them.

Note: If the upstream server validated that the trailers meet the HTTP specification, this could not occur, because characters that are required in an HTTP request, like a space, are not allowed in trailers.

org.springframework.graphql:spring-graphql is a GraphQL Support for Spring Applications

Affected versions of this package are vulnerable to Information Exposure via the DefaultBatchLoaderRegistry function. If an application provides a DataLoaderOptions instance when registering batch loader functions through the vulnerable function, it may get exposed to GraphQL context with values, including security context values, from a different session.