CVE-2024-52308 – Connecting to a malicious Codespaces via GH CLI could allow command execution on the user's computer
https://notcve.org/view.php?id=CVE-2024-52308
GitHub CLI versions 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace SSH server when using the `gh codespace ssh` or `gh codespace logs` commands. ... The `gh codespace ssh` and `gh codespace logs` commands could execute arbitrary code on the user's workstation if the remote username contains something like `-oProxyCommand="echo hacked" #`. The `-oProxyCommand` flag causes `ssh` to execute the provided command, while the `#` shell comment causes any other `ssh` arguments to be ignored. In `2.62.0`, the remote username information is validated before being used. • https://github.com/cli/cli/security/advisories/GHSA-p2h2-3vg9-4p87 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-10397
https://notcve.org/view.php?id=CVE-2024-10397
A malicious server can crash the OpenAFS cache manager and other client utilities, and possibly execute arbitrary code. • https://openafs.org/pages/security/OPENAFS-SA-2024-003.txt • CWE-787: Out-of-bounds Write
CVE-2024-49362 – Remote Code Execution on click of <a> Link in markdown preview
https://notcve.org/view.php?id=CVE-2024-49362
Joplin-desktop has a vulnerability that leads to remote code execution (RCE) when a user clicks on an <a> link within untrusted notes. ... This vulnerability allows the execution of untrusted HTML content within the Electron window, which has full access to Node.js APIs, enabling arbitrary shell command execution. • https://github.com/laurent22/joplin/security/advisories/GHSA-hff8-hjwv-j9q7 • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2024-4343 – Python Command Injection in imartinez/privategpt
https://notcve.org/view.php?id=CVE-2024-4343
This method of parsing is unsafe as it can execute arbitrary Python code contained within the response. An attacker can exploit this vulnerability by manipulating the response from the AWS SageMaker LLM endpoint to include malicious Python code, leading to potential execution of arbitrary commands on the system hosting the application. • https://github.com/imartinez/privategpt/commit/86368c61760c9cee5d977131d23ad2a3e063cbe9 • https://huntr.com/bounties/1d1e8f06-ec45-4b17-ae24-b83a41304c15 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-52524 – ReDoS in Giskard Scan text perturbation
https://notcve.org/view.php?id=CVE-2024-52524
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in Giskard component by the GitHub Security Lab team. • https://github.com/Giskard-AI/giskard/commit/48ce81f5c626171767188d6f0669498fb613b4d3 • https://github.com/Giskard-AI/giskard/security/advisories/GHSA-pjwm-cr36-mwv3 • CWE-1333: Inefficient Regular Expression Complexity