We’ve disclosed 1155 vulnerabilities
by Snyk Security Researchers
How to fix?
Upgrade org.springframework:spring-beans to version 5.2.20, 5.3.18 or higher.
Affected versions of this package are vulnerable to Arbitrary File Upload which allows attackers to execute arbitrary code via a crafted filename.
Note: The conditions to be vulnerable are as follows:
eval (user input) file name as code
use the keepextension option
use Linux or macOS (where `<>` are valid file chars)
not using the filename option, or using it without validating user input
Pillow is a PIL (Python Imaging Library) fork.
Affected versions of this package are vulnerable to Heap-based Buffer Overflow. When reading a TGA file with RLE packets that cross scan lines, Pillow reads the information past the end of the first line without deducting that from the length of the remaining file data.
Regular Expression Denial of Service (ReDoS) in url-regex (pip)
Denial of Service (DoS) in dicer (npm)
Command Injection in workspace-tools (npm)
Prototype Pollution in sds (npm)
Prototype Pollution in convict (npm)