link:
https://access.redhat.com/security/cve/CVE-2024-37891[CVE-2024-37891]::
A flaw was found in urllib3, an HTTP client library for Python. In certain configurations, urllib3 does not treat the Proxy-Authorization HTTP header as one carrying authentication material. This issue results in not stripping the header on cross-origin redirects.
link:
https://access.redhat.com/security/cve/CVE-2024-35255[CVE-2024-35255]::
A flaw was found in the Azure identity library at github.com/Azure/azure-sdk-for-go/sdk/azidentity. This issue allows an elevation of privileges.
link:
https://access.redhat.com/security/cve/CVE-2024-24790[CVE-2024-24790]::
A flaw was found in the Go language standard library net/netip. The method Is*() (IsPrivate(), IsPublic(), etc) doesn't behave properly when working with IPv6 mapped to IPv4 addresses. The unexpected behavior can lead to integrity and confidentiality issues, specifically when these methods are used to control access to resources or data.
link:
https://access.redhat.com/security/cve/CVE-2024-39008[CVE-2024-39008]::
A flaw was found in the fast-loops Node.js package. This flaw allows an attacker to alter the behavior of all objects inheriting from the affected prototype by passing arguments to the objectMergeDeep function crafted with the built-in property: proto. This issue can potentially lead to a denial of service, remote code execution, or Cross-site scripting.
link:
https://access.redhat.com/security/cve/CVE-2024-39249[CVE-2024-39249]::
A flaw was found in the async Node.js package. A Regular expression Denial of Service (ReDoS) attack can potentially be triggered via the autoinject function while parsing specially crafted input.
link:
https://access.redhat.com/security/cve/CVE-2024-24791[CVE-2024-24791]::
A flaw was found in Go. The net/http module mishandles specific server responses from HTTP/1.1 client requests. This issue may render a connection invalid and cause a denial of service.
link:
https://access.redhat.com/security/cve/CVE-2024-37891[CVE-2024-37891]::
A flaw was found in urllib3, an HTTP client library for Python. In certain configurations, urllib3 does not treat the Proxy-Authorization HTTP header as one carrying authentication material. This issue results in not stripping the header on cross-origin redirects.
link:
https://access.redhat.com/security/cve/CVE-2024-41818[CVE-2024-41818]::
A regular expression denial of service (ReDoS) flaw was found in fast-xml-parser in the currency.js script. By sending a specially crafted regex input, a remote attacker could cause a denial of service condition.
link:
https://access.redhat.com/security/cve/CVE-2024-39338[CVE-2024-39338]::
A vulnerability was found in the Axios HTTP Client. It is vulnerable to a server-side request forgery attack (SSRF) caused by unexpected behavior where requests for path-relative URLs get processed as protocol-relative URLs. This flaw allows an attacker to perform arbitrary requests from the server, potentially accessing internal systems or exfiltrating sensitive data.
link:
https://access.redhat.com/security/cve/CVE-2024-43788[CVE-2024-43788]::
A DOM Clobbering vulnerability was found in Webpack via AutoPublicPathRuntimeModule. DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script through seemingly benign HTML markups in the webpage, for example, through a post or comment, and leverages the gadgets (pieces of JS code) living in the existing javascript code to transform it into executable code. This vulnerability can lead to Cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or ID attributes.
link:
https://access.redhat.com/security/cve/CVE-2024-45590[CVE-2024-45590]::
A flaw was found in body-parser. This vulnerability causes denial of service via a specially crafted payload when the URL encoding is enabled.
link:
https://access.redhat.com/security/cve/CVE-2024-21529[CVE-2024-21529]::
A flaw was found in the dset package. Affected versions of this package are vulnerable to Prototype Pollution via the dset function due to improper user input sanitization. This vulnerability allows the attacker to inject a malicious object property using the built-in Object property proto, which is recursively assigned to all the objects in the program.