We’ve disclosed 3381 vulnerabilities, by Snyk Security Researchers
How to fix? Avoid using all malicious instances of the tukaani-project/xz package.
deep-defaults is a recursive version of _.defaults.
Affected versions of this package are vulnerable to Prototype Pollution due to the _deepDefaults function. An attacker can cause a denial of service, and the flaw may lead to remote code execution, by supplying a malicious value that includes the __proto__ property, which pollutes the Object prototype. This allows the creation of non-existent properties or the manipulation of existing ones on every object in the process, which can disrupt service or potentially allow for arbitrary code execution.
viur-core is the core component of ViUR, a development framework for Google App Engine.
Affected versions of this package are vulnerable to Access Control Bypass due to data being inadvertently rendered through the default view.html template. This could lead to unauthorized data exposure.
Affected versions of this package are vulnerable to Authentication Bypass by Spoofing due to improper validation of user-supplied input in the authentication mechanism. An attacker can bypass authentication controls by spoofing a legitimate user's credentials. This vulnerability is particularly concerning because it allows unauthorized access to the system, potentially leading to further exploitation such as data theft, system manipulation, or the deployment of malicious software.
Note: Enabling the "Whitelist-IP/port" function improves the security of RESTful-API execution.
Arbitrary Code Injection in mysql2 (npm)
Prototype Pollution in lodash (npm)
Prototype Pollution in lodash.zipobjectdeep (npm)
Remote Code Execution (RCE) in mysql2 (npm)
Prototype Poisoning in mysql2 (npm)