by Snyk Security
Researchers
Avoid using any malicious instances of the ngx-bootstrap package.
@kottster/server is an instant admin panel for your project.
Affected versions of this package are vulnerable to Access Control Bypass via the initApp and installPackagesForDataSource actions. An attacker can gain unauthorized administrative access and execute arbitrary system commands: by repeatedly triggering application reinitialization, the attacker creates a new root account, obtains a JWT for it, and then leverages unescaped command arguments to run commands on the host.
Note: This is only exploitable if the application is running in development mode and is reachable by the attacker.
nvidia-pytriton is PyTriton, a Flask/FastAPI-like interface that simplifies deploying Triton in Python environments.
Affected versions of this package are vulnerable to Access Control Bypass via SharedMemoryManager::RegisterSystemSharedMemory. An attacker who can identify and access the shared memory region used by the Python backend could cause memory corruption. A successful exploit of this vulnerability might lead to denial of service.
This vulnerability is only exploitable when using the default Triton Server binary bundled at /pytriton/tritonserver/bin/tritonserver.
The Triton Server binary can be updated to a patched version independently of PyTriton; see Building binaries from source.
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in DisposalDaemon.java. In high-core-count environments under heavy load, the disposal thread can fall behind, allowing excessive memory use.
Note: This issue was reported for environments using Java 21. While BouncyCastle has not received reports for other environments, their analysis indicates that the problem must be present there as well and should show up eventually if not dealt with by upgrading.