RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the admin router explicitly whitelists /profile/cpu and /profile/memory from the authentication layer, allowing any
sudo-rs is a memory safe implementation of sudo and su written in Rust. Prior to version 0.2.6, users with limited sudo privileges (e.g. execution of a single command) can list sudo privileges of othe
A vulnerability was found in WeKan up to 8.20. This affects an unknown function of the file models/attachments.js of the component Attachment Storage. The manipulation results in improper access contr
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, a path traversal vulnerability exists in open-webui's cache file serving endpoint tha
A vulnerability, which was classified as critical, was found in zhangyanbo2007 youkefu 4.2.0. This affects an unknown part of the file WebIMController.java of the component File Upload. The manipulati
RustFS is a distributed object storage system built in Rust. Prior to alpha.90, RustFS contains a missing authorization check in the multipart copy path (UploadPartCopy). A low-privileged user who can
A container privilege escalation flaw was found in KServe ModelMesh container images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In cer
RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 through 1.0.0-alpha.78, a flawed `deny_only` short-circuit in RustFS IAM allows a restricted service account or
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the RustFS console endpoint GET /rustfs/console/license returns parsed license metadata without requiring authentica
A vulnerability was found in WeKan up to 8.20. Affected by this issue is some unknown functionality of the file server/methods/positionHistory.js of the component Position-History Tracking. The manipu
tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path th
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal vulnerability was discovered in apko's dirFS filesystem abstr
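The Open WebUI cache-serving entry and the apko dirFS entry above are both path traversal in a component that maps a caller-supplied name onto a filesystem root. The block below is an added example written for this page, not code from either project: it shows the two gates such a component needs, a lexical one that rejects `..` and absolute paths, and an on-disk one that canonicalizes the candidate and requires the real path to stay under the real root. The fixture directory, file names and the planted `cache/link -> ../secret.txt` symlink are constructed for the demo; the point the fixture makes is that the lexical gate alone passes `link`, and only the second gate catches it.

```rust
use std::fs;
use std::io;
use std::os::unix::fs::symlink;
use std::path::{Component, Path, PathBuf};

/// First gate, purely lexical: reject absolute paths and any `..` or
/// prefix/root component. Cheap, and it stops `../../etc/passwd` shapes
/// before any I/O. It cannot see symlinks, which is why a second gate exists.
pub fn lexical_ok(requested: &str) -> bool {
    let p = Path::new(requested);
    !p.is_absolute()
        && p.components()
            .all(|c| matches!(c, Component::Normal(_) | Component::CurDir))
}

/// Second gate: resolve the candidate on disk (symlinks followed) and require
/// the real path to stay under the real root. Returns the path safe to serve.
pub fn resolve_under_root(root: &Path, requested: &str) -> io::Result<PathBuf> {
    let deny = |why: &str| io::Error::new(io::ErrorKind::PermissionDenied, why.to_string());
    if !lexical_ok(requested) {
        return Err(deny("rejected by lexical check"));
    }
    let real_root = root.canonicalize()?;
    // canonicalize() errors if the file does not exist; that is the right answer here.
    let candidate = real_root.join(requested).canonicalize()?;
    // Path::starts_with compares whole components, so "/x/cache" does not
    // accidentally accept "/x/cache-evil/...".
    if !candidate.starts_with(&real_root) {
        return Err(deny("resolved path escapes root"));
    }
    Ok(candidate)
}

/// Constructed fixture (not real data): <tmp>/cache/a.txt, <tmp>/secret.txt,
/// and a planted symlink <tmp>/cache/link -> ../secret.txt.
pub fn build_traversal_fixture() -> io::Result<PathBuf> {
    let base = std::env::temp_dir().join(format!("traversal-demo-{}", std::process::id()));
    let _ = fs::remove_dir_all(&base);
    fs::create_dir_all(base.join("cache"))?;
    fs::write(base.join("cache").join("a.txt"), b"cached")?;
    fs::write(base.join("secret.txt"), b"secret")?;
    symlink("../secret.txt", base.join("cache").join("link"))?;
    Ok(base)
}

fn main() -> io::Result<()> {
    let base = build_traversal_fixture()?;
    let root = base.join("cache");
    for req in ["a.txt", "../secret.txt", "link", "/etc/hostname", "missing.txt"] {
        match resolve_under_root(&root, req) {
            Ok(p) => println!("{req:>16} -> serve {}", p.display()),
            Err(e) => println!("{req:>16} -> refuse ({e})"),
        }
    }
    fs::remove_dir_all(&base)
}
```

Canonicalizing the root as well as the candidate matters on hosts where the serving directory itself sits behind a symlink (for example a temp directory that is a link); comparing a canonical candidate against a non-canonical root would reject everything.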
A vulnerability was found in Roothub up to 2.6. It has been declared as problematic. Affected by this vulnerability is the function Edit of the file src/main/java/cn/roothub/web/admin/SystemConfigAdmi
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, when RUSTFS_CORS_ALLOWED_ORIGINS is unset, the RustFS S3 listener's ConditionalCorsLayer reflects any request Origin
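The CORS entry above describes the classic failure: with no allow-list configured, the listener reflects whatever `Origin` the request carries, which (together with credentials) lets any web page read authenticated responses. The following is an added example for this page, not RustFS code and not a description of how its `ConditionalCorsLayer` is implemented: it places the reflecting rule next to a strict one and shows the header rendering a practitioner would want. The comma-separated format assumed for the environment variable, and the function names, are assumptions made for the example.

```rust
/// What the S3 listener should do with one request's `Origin` header.
#[derive(Debug, PartialEq)]
pub enum CorsDecision {
    /// Emit `Access-Control-Allow-Origin: <origin>` for exactly this origin.
    Allow(String),
    /// Emit no CORS headers; the browser then refuses cross-origin reads.
    Deny,
}

/// Parse the operator setting. The comma-separated form is an assumption made
/// for this example, not a statement about how RustFS parses the variable.
/// Unset, empty or whitespace-only yields `None`: "nothing was configured".
pub fn parse_allowed_origins(value: Option<&str>) -> Option<Vec<String>> {
    let list: Vec<String> = value?
        .split(',')
        .map(|s| s.trim().trim_end_matches('/').to_ascii_lowercase())
        .filter(|s| !s.is_empty())
        .collect();
    if list.is_empty() { None } else { Some(list) }
}

fn listed(list: &[String], origin: &str) -> bool {
    // Whole-string comparison of scheme://host[:port]. Suffix or substring
    // matching is what lets https://app.example.com.attacker.net through.
    list.iter().any(|a| a.eq_ignore_ascii_case(origin))
}

/// The weak rule: with nothing configured, reflect whatever Origin arrived.
pub fn decide_reflecting(allowed: Option<&[String]>, origin: Option<&str>) -> CorsDecision {
    match (allowed, origin) {
        (None, Some(o)) => CorsDecision::Allow(o.to_string()),
        (Some(list), Some(o)) if listed(list, o) => CorsDecision::Allow(o.to_string()),
        _ => CorsDecision::Deny,
    }
}

/// The hardened rule: no configuration means no cross-origin access at all.
pub fn decide_strict(allowed: Option<&[String]>, origin: Option<&str>) -> CorsDecision {
    match (allowed, origin) {
        (Some(list), Some(o)) if listed(list, o) => CorsDecision::Allow(o.to_string()),
        _ => CorsDecision::Deny,
    }
}

/// Render response headers for a decision. `Vary: Origin` keeps caches from
/// serving one origin's allow header to another, and the credentials header
/// is never paired with `*`, a combination browsers reject anyway.
pub fn cors_headers(decision: &CorsDecision, with_credentials: bool) -> Vec<(&'static str, String)> {
    match decision {
        CorsDecision::Deny => Vec::new(),
        CorsDecision::Allow(o) => {
            let mut h = vec![
                ("Access-Control-Allow-Origin", o.clone()),
                ("Vary", "Origin".to_string()),
            ];
            if with_credentials && o != "*" {
                h.push(("Access-Control-Allow-Credentials", "true".to_string()));
            }
            h
        }
    }
}

fn main() {
    // Constructed requests: the variable is unset and a hostile page sends its origin.
    let unset = parse_allowed_origins(None);
    let hostile = Some("https://attacker.example");
    println!("reflecting, unset: {:?}", decide_reflecting(unset.as_deref(), hostile));
    println!("strict,     unset: {:?}", decide_strict(unset.as_deref(), hostile));
    let cfg = parse_allowed_origins(Some("https://console.example.com,https://app.example.com/"));
    let d = decide_strict(cfg.as_deref(), Some("https://app.example.com"));
    println!("strict, configured: {:?} -> {:?}", d, cors_headers(&d, true));
}
```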
A TOCTOU and symlink race in svenstaro/miniserve 0.32.0 upload finalization (when uploads are enabled) can allow an attacker to overwrite arbitrary files outside the intended upload/document root in d
Nix is a package manager for Linux and other Unix systems. A bug in the fix for CVE-2024-27297 allowed for arbitrary overwrites of files writable by the Nix process orchestrating the builds (typically
libcontainer is a library for container control. Prior to libcontainer 0.5.3, while creating a tenant container, the tenant builder accepts a list of capabilities to be added in the spec of tenant con
The install utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file installation. The implementation unlinks an existing destination file and th
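Three entries above share one root cause: tar-rs checking an existing path with `fs::metadata()` (which follows symlinks), the miniserve upload finalization racing against a symlink, and uutils `install` unlinking the destination and then creating it. The block below is an added example for this page, not code from any of those projects. It contrasts `fs::metadata` with `fs::symlink_metadata` for the "is this an existing directory?" question, freezes the install race at the moment the attacker has won (the destination is already a symlink when the open happens) to show `fs::write` following it, and then shows the exclusive-create-plus-rename pattern that does not. The fixture paths and contents are constructed for the demo.

```rust
use std::fs::{self, OpenOptions};
use std::io::{self, Write};
use std::os::unix::fs::symlink;
use std::path::{Path, PathBuf};

/// The question an unpacker asks before descending: "is this an existing
/// directory?" `fs::metadata` follows symlinks, so a planted `name -> /etc`
/// answers yes and the next `join` lands outside the extraction root.
pub fn is_dir_following(p: &Path) -> bool {
    fs::metadata(p).map(|m| m.is_dir()).unwrap_or(false)
}

/// `fs::symlink_metadata` describes the entry itself, so a symlink is never
/// reported as a directory, whatever it points at.
pub fn is_dir_nofollow(p: &Path) -> bool {
    fs::symlink_metadata(p).map(|m| m.file_type().is_dir()).unwrap_or(false)
}

/// The losing side of the race, frozen after the attacker has replaced the
/// just-unlinked destination with a symlink. `fs::write` opens with
/// O_CREAT|O_TRUNC and no O_EXCL, so it follows the link and clobbers the target.
pub fn write_following(dest: &Path, data: &[u8]) -> io::Result<()> {
    fs::write(dest, data)
}

/// Hardened install: create a fresh temp name in the same directory with
/// `create_new` (O_CREAT|O_EXCL, which fails rather than follow an existing
/// entry), write, fsync, then `rename` over the destination. rename(2)
/// replaces the directory entry atomically and does not follow a symlink at
/// `dest`, so nothing planted there is ever opened for writing.
pub fn install_atomic(dest: &Path, data: &[u8]) -> io::Result<()> {
    let dir = dest.parent().filter(|d| !d.as_os_str().is_empty()).unwrap_or(Path::new("."));
    let name = dest
        .file_name()
        .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidInput, "no file name"))?;
    let tmp = dir.join(format!(".{}.tmp.{}", name.to_string_lossy(), std::process::id()));
    let mut f = OpenOptions::new().write(true).create_new(true).open(&tmp)?;
    if let Err(e) = f.write_all(data).and_then(|_| f.sync_all()) {
        let _ = fs::remove_file(&tmp);
        return Err(e);
    }
    fs::rename(&tmp, dest)
}

/// Constructed fixture: <tmp>/outside/{t1,t2}.txt hold "orig";
/// <tmp>/link_dir -> outside, <tmp>/dest1 -> outside/t1.txt, <tmp>/dest2 -> outside/t2.txt.
pub fn build_race_fixture() -> io::Result<PathBuf> {
    let base = std::env::temp_dir().join(format!("symlink-race-demo-{}", std::process::id()));
    let _ = fs::remove_dir_all(&base);
    fs::create_dir_all(base.join("outside"))?;
    fs::write(base.join("outside").join("t1.txt"), b"orig")?;
    fs::write(base.join("outside").join("t2.txt"), b"orig")?;
    symlink("outside", base.join("link_dir"))?;
    symlink("outside/t1.txt", base.join("dest1"))?;
    symlink("outside/t2.txt", base.join("dest2"))?;
    Ok(base)
}

fn main() -> io::Result<()> {
    let base = build_race_fixture()?;
    let link_dir = base.join("link_dir");
    println!("metadata says dir: {}, symlink_metadata says dir: {}",
             is_dir_following(&link_dir), is_dir_nofollow(&link_dir));
    write_following(&base.join("dest1"), b"pwned")?;
    println!("after fs::write through dest1, t1.txt = {:?}",
             String::from_utf8_lossy(&fs::read(base.join("outside").join("t1.txt"))?));
    install_atomic(&base.join("dest2"), b"payload")?;
    println!("after install_atomic over dest2, t2.txt = {:?}, dest2 is symlink: {}",
             String::from_utf8_lossy(&fs::read(base.join("outside").join("t2.txt"))?),
             fs::symlink_metadata(base.join("dest2"))?.file_type().is_symlink());
    fs::remove_dir_all(&base)
}
```

The temp-then-rename pattern removes the window rather than shrinking it: there is no instant at which `dest` exists as an unlinked name that something else could claim. It still assumes the parent directory is not attacker-writable; if it is, the remaining defence is `O_NOFOLLOW`/`openat` on the directory handle, which is outside this example.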
In UNIX Fourth Research Edition (v4), the su command is vulnerable to a buffer overflow due to the 'password' variable having a fixed size of 100 bytes. A local user can exploit this to gain root priv
A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of openSUSE Tumbleweed traefik2 allows the traefik user to escalate to root. This issue affects Tumbleweed: from ? before 2.11.2