VYPR

rpm package

opensuse/velociraptor&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/velociraptor&distro=openSUSE%20Tumbleweed

Vulnerabilities (85)

  • CVE-2024-45811MedSep 17, 2024
    affected < 0.7.0.4.git142.862ef23-1.1fixed 0.7.0.4.git142.862ef23-1.1

    Vite a frontend build tooling framework for javascript. In affected versions the contents of arbitrary files can be returned to the browser. `@fs` denies access to files outside of Vite serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the f

  • CVE-2024-45296HigSep 9, 2024
    affected < 0.7.0.4.git142.862ef23-1.1fixed 0.7.0.4.git142.862ef23-1.1

    path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will

  • CVE-2024-39338Aug 9, 2024
    affected < 0.7.0.4.git97.675e45f9-12.1fixed 0.7.0.4.git97.675e45f9-12.1

    axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.

  • CVE-2024-42461Aug 2, 2024
    affected < 0.7.0.4.git142.862ef23-1.1fixed 0.7.0.4.git142.862ef23-1.1

    In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because BER-encoded signatures are allowed.

  • CVE-2024-42460Aug 2, 2024
    affected < 0.7.0.4.git142.862ef23-1.1fixed 0.7.0.4.git142.862ef23-1.1

    In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because there is a missing check for whether the leading bit of r and s is zero.

  • CVE-2024-42459Aug 2, 2024
    affected < 0.7.0.4.git142.862ef23-1.1fixed 0.7.0.4.git142.862ef23-1.1

    In the Elliptic package 6.5.6 for Node.js, EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended.

  • CVE-2024-37298HigJul 1, 2024
    affected < 0.7.0.4.git142.862ef23-1.1fixed 0.7.0.4.git142.862ef23-1.1

    gorilla/schema converts structs to and from form values. Prior to version 1.4.1 Running `schema.Decoder.Decode()` on a struct that has a field of type `[]struct{...}` opens it up to malicious attacks regarding memory allocations, taking advantage of the sparse slice functionality

  • CVE-2024-6104Jun 24, 2024
    affected < 0.7.0.4.git142.862ef23-1.1fixed 0.7.0.4.git142.862ef23-1.1

    go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.

  • CVE-2024-4068May 13, 2024
    affected < 0.7.0.4.git142.862ef23-1.1fixed 0.7.0.4.git142.862ef23-1.1

    The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program

  • CVE-2024-4067May 13, 2024
    affected < 0.7.0.4.git142.862ef23-1.1fixed 0.7.0.4.git142.862ef23-1.1

    The NPM package `micromatch` prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching w

  • CVE-2023-45288HigApr 4, 2024
    affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1

    An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed Ma

  • CVE-2024-31207MedApr 4, 2024
    affected < 0.7.0.4.git142.862ef23-1.1fixed 0.7.0.4.git142.862ef23-1.1

    Vite (French word for "quick", pronounced /vit/, like "veet") is a frontend build tooling to improve the frontend development experience.`server.fs.deny` does not deny requests for patterns with directories. This vulnerability has been patched in version(s) 5.2.6, 5.1.7, 5.0.13,

  • CVE-2024-28849Mar 14, 2024
    affected < 0.7.0.4.git74.3426c0a-5.1fixed 0.7.0.4.git74.3426c0a-5.1

    follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which

  • CVE-2024-28180Mar 9, 2024
    affected < 0.7.0.4.git142.862ef23-1.1fixed 0.7.0.4.git142.862ef23-1.1

    Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now ret

  • CVE-2024-24786HigMar 5, 2024
    affected < 0.7.0.4.git142.862ef23-1.1fixed 0.7.0.4.git142.862ef23-1.1

    The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

  • CVE-2024-23331Jan 19, 2024
    affected < 0.7.0.4.git142.862ef23-1.1fixed 0.7.0.4.git142.862ef23-1.1

    Vite is a frontend tooling framework for javascript. The Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 -

  • CVE-2023-5950Nov 6, 2023
    affected < 0.7.0.4.git74.3426c0a-5.1fixed 0.7.0.4.git74.3426c0a-5.1

    Rapid7 Velociraptor versions prior to 0.7.0-4 suffer from a reflected cross site scripting vulnerability. This vulnerability allows attackers to inject JS into the error path, potentially leading to unauthorized execution of scripts within a user's web browser. This vulnerability

  • CVE-2023-46234Oct 26, 2023
    affected < 0.7.0.4.git142.862ef23-1.1fixed 0.7.0.4.git142.862ef23-1.1

    browserify-sign is a package to duplicate the functionality of node's crypto public key functions, much of this is based on Fedor Indutny's work on indutny/tls.js. An upper bound check issue in `dsaVerify` function allows an attacker to construct signatures that can be successful

  • CVE-2023-45683Oct 16, 2023
    affected < 0.7.0.4.git142.862ef23-1.1fixed 0.7.0.4.git142.862ef23-1.1

    github.com/crewjam/saml is a saml library for the go language. In affected versions the package does not validate the ACS Location URI according to the SAML binding being parsed. If abused, this flaw allows attackers to register malicious Service Providers at the IdP and inject J

  • CVE-2023-45133Oct 12, 2023
    affected < 0.7.0.4.git142.862ef23-1.1fixed 0.7.0.4.git142.862ef23-1.1

    Babel is a compiler for writingJavaScript. In `@babel/traverse` prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of `babel-traverse`, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when

Page 4 of 5