TLP: Clear - The documentation for the DevGuard Project

📚 DevGuard Documentation

sbom-documentation

SupportButton

699-create-how-to-commit-documentation

main

add-workflows-components-docus

0.1.0 button

update-gitlab-integration-dokument

contacts

docu-update

 TLP: Clear - Devguard GitLab CI/CD Components

🧩 DevGuard CI-Components

TLP: Clear - DevGuard GitHub Reusable Workflows

🧩 DevGuard Action

TLP: Clear - The repository of the DevGuard Web Project

👩‍💻 DevGuard Web

TLP: Clear - The repository for the customized DevGuard Postgresql

🗄️ Devguard Postgresql

TLP: Clear - The main repository - contains the API, the devguard-scanner CLI and the Helm-Chart

💡 DevGuard

TLP: Clear - Manage your CVEs seamlessly, Integrate your Vulnerability Scanners, Documentation made easy, Compliance to security Frameworks - OWASP Incubating Project

🛡️ DevGuard

Robot User

Badge-API

Test Project 1

Lars Hermges

Patrick Rissmann

Sebastian Kawelke

Tim Bastin

David Luhmer

Refaei Shikho

Frédéric Noppe

timbastin

seb-kw

Frederic-Kenji

refoo0

L3montree Cybersecurity

Webhook which sends notification into our matrix chat

Matrix Error-Tracking

Next.js is a React framework for building full-stack web applications. Versions prior to 14.2.24 and 15.1.6 have a race-condition vulnerability. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve `pageProps` data instead of standard HTML. This issue was patched in versions 15.1.6 and 14.2.24 by stripping the `x-now-route-matches` header from incoming requests. Applications hosted on Vercel's platform are not affected by this issue, as the platform does not cache responses based solely on `200 OK` status without explicit `cache-control` headers. Those who self-host Next.js deployments and are unable to upgrade immediately can mitigate this vulnerability by stripping the `x-now-route-matches` header from all incoming requests at the content development network and setting `cache-control: no-store` for all responses under risk. The maintainers of Next.js strongly recommend only caching responses with explicit cache-control headers.

Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.

Next.js is a React framework for building full-stack web applications. In versions starting from 13.0 to before 14.2.30 and 15.0.0 to before 15.2.2, Next.js may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while npm run dev is active. This issue has been patched in versions 14.2.30 and 15.2.2.

Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization API routes are affected by cache key confusion. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5. All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.

Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization is vulnerable to content injection. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5.

Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. This vulnerability has been fixed in Next.js versions 14.2.32 and 15.4.7. All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

Issue summary: A timing side-channel which could potentially allow recovering
the private key exists in the ECDSA signature computation.

Impact summary: A timing side-channel in ECDSA signature computations
could allow recovering the private key by an attacker. However, measuring
the timing would require either local access to the signing application or
a very fast network connection with low latency.

There is a timing signal of around 300 nanoseconds when the top word of
the inverted ECDSA nonce value is zero. This can happen with significant
probability only for some of the supported elliptic curves. In particular
the NIST P-521 curve is affected. To be able to measure this leak, the attacker
process must either be located in the same physical computer or must
have a very fast network connection with low latency. For that reason
the severity of this vulnerability is Low.

The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are affected by this issue.

Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10 and 8.0.0-alpha.17 to compile regular expression named capturing groups, Babel will generate a polyfill for the `.replace` method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to `.replace`). Generated code is vulnerable if all the following conditions are true: Using Babel to compile regular expression named capturing groups, using the `.replace` method on a regular expression that contains named capturing groups, and the code using untrusted strings as the second argument of `.replace`. This problem has been fixed in `@babel/helpers` and `@babel/runtime` 7.26.10 and 8.0.0-alpha.17. It's likely that individual users do not directly depend on `@babel/helpers`, and instead depend on `@babel/core` (which itself depends on `@babel/helpers`). Upgrading to `@babel/core` 7.26.10 is not required, but it guarantees use of a new enough `@babel/helpers` version. Note that just updating Babel dependencies is not enough; one will also need to re-compile the code. No known workarounds are available.

**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains 
that target AArch64 allows an attacker to exploit an existing buffer 
overflow in dynamically-sized local variables in your application 
without this being detected. This stack-protector failure only applies 
to C99-style dynamically-sized local variables or those created using 
alloca(). The stack-protector operates as intended for statically-sized 
local variables.

The default behavior when the stack-protector 
detects an overflow is to terminate your application, resulting in 
controlled loss of availability. An attacker who can exploit a buffer 
overflow without triggering the stack-protector might be able to change 
program flow control to cause an uncontrolled loss of availability or to
 go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.

estree-util-value-to-estree converts a JavaScript value to an ESTree expression. When generating an ESTree from a value with a property named __proto__, valueToEstree would generate an object that specifies a prototype instead. This vulnerability is fixed in 3.3.3.

DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS).

Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. In the default configuration of mermaid 10.9.0-rc.1 to 11.9.0, user supplied input for sequence diagram labels is passed to innerHTML during calculation of element size, causing XSS.

Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. In the default configuration of mermaid 11.9.0 and earlier, user supplied input for architecture diagram icons is passed to the d3 html() method, creating a sink for cross site scripting. This vulnerability is fixed in 11.10.0.

A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.1.12, 2.0.2, 3.0.1 and 4.0.1 is able to address this issue. The name of the patch is a5b98a4f30d7813266b221435e1eaaf25a1b0ac5. It is recommended to upgrade the affected component.

Package	Max Risk	Max CVSS	Vulnerability Count	Installed Version	Action
next	HIGH (7.7)	CRITICAL (9.1)	12	14.2.23	Update to version 14.2.32 to reduce total risk by 31.5
debian/openssl	LOW (1.7)	MEDIUM (4.1)	1	3.0.15	No fix available
@babel/helpers	LOW (2.9)	MEDIUM (6.2)	1	7.24.8	Update to version 7.26.10 to reduce total risk by 2.9
@babel/runtime	LOW (2.9)	MEDIUM (6.2)	1	7.22.5	Update to version 7.26.10 to reduce total risk by 2.9
debian/gcc-12	LOW (1.9)	MEDIUM (4.8)	1	12.2.0	No fix available
estree-util-value-to-estree	LOW (1.4)	MEDIUM (6.9)	2	3.2.1	Update to version 3.3.3 to reduce total risk by 2.7
estree-util-value-to-estree	LOW (0.7)	MEDIUM (6.9)	2	1.3.0	Update to version 3.3.3 to reduce total risk by 1.3
dompurify	LOW (0.6)	MEDIUM (4.5)	2	3.1.6	Update to version 3.2.4 to reduce total risk by 1.2
mermaid	LOW (0.3)	MEDIUM (5.3)	4	11.4.0	Update to version 11.10.0 to reduce total risk by 1.2
brace-expansion	LOW (0.3)	LOW (2.3)	1	2.0.1	Update to version 2.0.2 to reduce total risk by 0.3
brace-expansion	LOW (0.1)	LOW (2.3)	2	1.1.11	Update to version 1.1.12 to reduce total risk by 0.3

🛡️ DevGuard
Group
/📚 DevGuard Documentation
Repository

Identified Risks