We’ve disclosed 3294 vulnerabilities
by Snyk Security Researchers
How to fix?
Avoid using all malicious instances of the tukaani-project/xz package.
permenmd-wifi is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship.
apache-airflow-providers-fab is a provider package for Apache Airflow.
Affected versions of this package are vulnerable to Insufficient Session Expiration due to improper session management. An attacker can maintain access to the application even after the user attempts to log out by exploiting the session persistence, because the FAB provider prevented the user from logging out.
Note:
FAB provider 1.2.1 only affected Airflow 2.9.3 (earlier and later versions of Airflow are not affected).
FAB provider 1.2.0 affected all versions of Airflow.
Users who run Apache Airflow 2.9.3 are recommended to upgrade to Apache Airflow Providers FAB version 1.2.2, which fixes the issue.
Affected versions of this package are vulnerable to Incorrect Authorization that allows a user with administrative privileges to delete any file that the application user can access.
Server-side Request Forgery (SSRF) in github.com/gotenberg/gotenberg/v8/pkg/modules/webhook (golang)
Server-side Request Forgery (SSRF) in github.com/gotenberg/gotenberg/v8/pkg/modules/chromium (golang)
Server-side Request Forgery (SSRF) in github.com/gotenberg/gotenberg/v8/pkg/gotenberg (golang)
Cookie Tossing in @gitpod/gitpod-protocol (npm)
Cookie Tossing in github.com/gitpod-io/gitpod/install/installer/pkg/components/public-api-server (golang)
Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.