
Synapse is a package for Matrix homeservers written in Python 3/Twisted. Prior to version 1.47.1, Synapse instances with the media repository enabled can be tricked into downloading a file from a remote server into an arbitrary directory. No authentication is required for the affected endpoint.

An issue was discovered in the Dask distributed package before 2021.10.0 for Python. Single machine Dask clusters started with or (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method (when running on a machine that has an applicable port exposed) could be used by a sophisticated attacker to achieve remote code execution.

The bluemonday sanitizer before 1.0.16 for Go, and before 0.0.8 for Python (in pybluemonday), does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements.

Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution.

The verify function in the Stark Bank Python ECDSA library (ecdsa-python) 2.0.0 fails to check that the signature is non-zero, which allows attackers to forge signatures on arbitrary messages.
