v1.8.6
Resolved Issues
- Bump up Clair version to v2.1.0
- Fix security issue: a user with Project-Admin capabilities can exploit a SQL injection to read secrets from the underlying database or escalate privileges (GHSA-qcfv-8v29-469w)
- Fix security issue: an authenticated administrator can send a specially crafted SQL payload through the GET parameter `sort`, allowing extraction of sensitive information from the database (GHSA-rh89-vvrg-fg64)
- Fix security issue: a normal user can gain administrator account privileges by making an API call that modifies the email address of a specific user (GHSA-3868-7c5x-4827)
- Fix security issue: non-administrator users (such as those created via self-registration) can list all usernames and user IDs by sending a GET request to `/api/users/search` with no parameters (GHSA-6qj9-33j4-rvhg)
- Fix security issue: without protection against Cross-Site Request Forgery (CSRF), an attacker can execute any action on the platform in the context of the currently authenticated victim (GHSA-gcqm-v682-ccw6)