Summary
nebula-mesh stores enrollment tokens unhashed in SQLite
References
Related vulnerabilities
- MEDIUM GHSA-2F86-9CP8-6HCF
  Grav: Admin Backup Zip File Exposes Account Credentials and Configuration Secrets
- HIGH SC-ARTIPACKED-2024
  On August 13, 2024, Palo Alto Networks Unit 42 published ArtiPACKED, a widespread CI/CD misconfiguration class in which GitHub Actions build artifacts inadvertently leaked authentication tokens, affecting major open-source projects from Google, Microsoft, Red Hat, AWS, Canonical, and OWASP. The root cause is that actions/checkout persists credentials by default, writing the workflow's GITHUB_TOKEN into the checked-out .git/config for authenticated Git operations; when a later step uploaded the workspace (test results, build output, or the full checkout directory) via actions/upload-artifact, the .git directory and its embedded token, along with environment-derived secrets and cloud credentials, were packaged into the downloadable artifact. Because v4 artifacts can be downloaded while the run is still in progress and are readable by anyone for public repositories, an attacker could win a race condition: download the artifact, extract the still-valid GITHUB_TOKEN before the job completed and the token expired, and use it to push code, create branches, or pivot into connected cloud environments. Unit 42 identified numerous large projects leaking tokens this way and disclosed each responsibly for remediation.
- HIGH GHSA-WV27-2VQP-J7G5
  Gogs has the ability to import local repositories via Mirror Settings
- HIGH GHSA-PWX3-QCGW-VH7H
  Gogs Vulnerable to CSRF Leading to Organization Owner Takeover
- HIGH GHSA-P9F5-H3RX-J5QW
  Gogs Missing Authorization in Attachment Download
- HIGH GHSA-JQ8V-RMF6-65JW
  Gogs has Stored XSS in `.ipynb` Preview