Dinky
Monthly
Dinky versions up to 1.2.5 contain an authentication bypass in the OpenAPI endpoint handler that allows unauthenticated remote attackers to manipulate interceptor configuration. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor.
Server-side request forgery in Dinky up to version 1.2.5 allows authenticated attackers to make arbitrary HTTP requests through the Flink Proxy Controller's proxyUba function. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. An attacker with valid credentials can leverage this to access internal resources or perform actions on behalf of the affected server.
Path traversal in Dinky up to version 1.2.5 allows authenticated remote attackers to access arbitrary files on the system through manipulation of the projectName parameter in the GitRepository component. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with valid credentials can exploit this to read sensitive files or potentially escalate privileges within Java-based Dinky deployments.
Dinky versions up to 1.2.5 contain an authentication bypass in the OpenAPI endpoint handler that allows unauthenticated remote attackers to manipulate interceptor configuration. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor.
Server-side request forgery in Dinky up to version 1.2.5 allows authenticated attackers to make arbitrary HTTP requests through the Flink Proxy Controller's proxyUba function. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. An attacker with valid credentials can leverage this to access internal resources or perform actions on behalf of the affected server.
Path traversal in Dinky up to version 1.2.5 allows authenticated remote attackers to access arbitrary files on the system through manipulation of the projectName parameter in the GitRepository component. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with valid credentials can exploit this to read sensitive files or potentially escalate privileges within Java-based Dinky deployments.