Vulnerabilities from the last week
Malicious Package
envoy1 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package's authorship.
Insertion of Sensitive Information Into Sent Data
sagemaker is an open source library for training and deploying models on Amazon SageMaker.
Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data via the storage of HMAC keys and their disclosure through the DescribeTrainingJob API. An attacker with the relevant API permissions can extract the secret keys from environment variables and use them to craft malicious serialized payloads. When combined with write access to output locations, this can result in arbitrary code execution, unauthorized access to sensitive data, and the compromise of adjacent services or data in shared environments.
Note: In multi-tenant environments, with shared S3 buckets, a disclosed HMAC key could act as a pivot point to perform actions against other users' remote function workloads.
Authorization Bypass Through User-Controlled Key
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.
Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the Admin API when the Organizations feature is enabled. An authenticated attacker can enumerate the organization memberships of any other user if their unique identifier (UUID) is known.
Note: This is only exploitable if the Organizations feature is enabled (which is the default in recent versions), the attacker possesses a valid access token for the realm, and the attacker knows the UUID of the victim user.
Recent vulnerabilities disclosed by Snyk
- H Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in directorytree/imapengine (composer)
- M Regular Expression Denial of Service (ReDoS) in markdown-it (npm)
- C Arbitrary Code Injection in jsonpath (npm)
- H CRLF Injection in github.com/lxc/incus/v6/internal/instance (golang)
- H CRLF Injection in github.com/lxc/incus/internal/instance (golang)
Snyk security researchers have disclosed 3465 vulnerabilities.
About Snyk dependencies vulnerability database
Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.