We’ve disclosed 3381 vulnerabilities, by Snyk Security Researchers
How to fix? Avoid using all malicious instances of the tukaani-project/xz package.
njwt is a JWT library for Node.js.
Affected versions of this package are vulnerable to Prototype Pollution in the parse method. An attacker can manipulate the prototype chain by injecting malicious properties.
consoleme is a central control plane for AWS permissions and access.
Affected versions of this package are vulnerable to Improper Neutralization of Special Elements used in a Command ('Command Injection') via the command process. A specific flag allows authenticated users to read any server files accessible by the ConsoleMe process. Given ConsoleMe's role as an AWS identity broker, accessing files containing secrets on the server could potentially be exploited for privilege escalation.
Note: Deployments of ConsoleMe that allow templated resources are impacted and urged to patch immediately. Deployments that do not permit templated resources are not affected.
Affected versions of this package are vulnerable to Directory Traversal. An attacker can craft a URL to return any file as a download, including system files outside of Nexus Repository application scope, without any authentication.
Improper Certificate Validation in componentspace.saml2 (nuget)
Arbitrary Code Injection in mysql2 (npm)
Prototype Pollution in lodash (npm)
Prototype Pollution in lodash.zipobjectdeep (npm)
Remote Code Execution (RCE) in mysql2 (npm)