BIG-IP, Enterprise Manager Security Vulnerabilities

GHSA-49GW-VXVF-FC2G vulnerabilities

Vulnerabilities for packages: ingress-nginx-controller, metrics-server, hubble-ui, certificate-transparency, kubescape, oras, fulcio, sbomqs, nerdctl, nsc, volume-modifier-for-k8s, wave, cilium, kube-bench, kind, kaniko, octo-sts, external-dns, neuvector-sigstore-interface, dgraph, wolfictl,...

GHSA-5F94-VHJQ-RPG8 vulnerabilities

Vulnerabilities for packages: vertical-pod-autoscaler, docker-credential-ecr-login, go-bindata, wait-for-port, nats, local-path-provisioner, nri-discovery-kubernetes, go-md2man, helm-push, ip-masq-agent, metrics-server, cilium-envoy, goreleaser, hey, aws-flb-firehose, k3d, cass-operator,...

GHSA-9F76-WG39-X86H vulnerabilities

Vulnerabilities for packages: vertical-pod-autoscaler, docker-credential-ecr-login, go-bindata, wait-for-port, nats, local-path-provisioner, nri-discovery-kubernetes, go-md2man, helm-push, ip-masq-agent, metrics-server, cilium-envoy, goreleaser, hey, aws-flb-firehose, k3d, cass-operator,...

CVE-2024-28180 vulnerabilities

Vulnerabilities for packages: external-secrets-operator, rook, flux-kustomize-controller, ko, zarf, argo-cd, tekton-pipelines, cert-manager, frp, weaviate, skaffold, apko, grpc-health-probe, tekton-chains, istio-pilot-agent, terragrunt, goreleaser, timestamp-authority, istio-cni, containerd, dex,.....

GHSA-V53G-5GJP-272R vulnerabilities

Vulnerabilities for packages: helm-operator, eksctl, chartmuseum, flux-helm-controller, istio-operator, zarf, cert-manager, k8sgpt, flux-source-controller, k9s, kots, kubescape, trivy, cilium-cli, helm-push, up,...

GHSA-XW73-RW38-6VJC vulnerabilities

Vulnerabilities for packages: k3s, zarf, docker-credential-gcr, buildkitd, tekton-pipelines, cert-manager, skaffold, flux-image-reflector-controller, timoni, tekton-chains, cri-tools, istio-pilot-agent, vexctl, goreleaser, newrelic-infrastructure-agent, gitlab-runner, gitsign, kubescape,...

CVE-2023-45290 vulnerabilities

Vulnerabilities for packages: vertical-pod-autoscaler, ferretdb, docker-credential-ecr-login, delve, go-bindata, wait-for-port, nri-redis, dockerize, esbuild, ingress-nginx-controller, kor, mongo-tools, nfs-subdir-external-provisioner, metrics-server, cri-tools, aws-efs-csi-driver, goreleaser,...

GHSA-PXHW-596R-RWQ5 vulnerabilities

Vulnerabilities for packages: node-feature-discovery, spark-operator, local-static-provisioner, kubernetes, kubernetes-csi-driver-hostpath, kubernetes-dns-node-cache, calico, ip-masq-agent, nodetaint, aws-ebs-csi-driver,...

CVE-2024-24788 vulnerabilities

Vulnerabilities for packages: vertical-pod-autoscaler, ferretdb, bank-vaults, docker-credential-ecr-login, hcloud, frp, delve, go-bindata, wait-for-port, dockerize, crossplane-provider-gcp, mongo-tools, nfs-subdir-external-provisioner, metrics-server, tekton-chains, cri-tools, aws-efs-csi-driver,.....

GHSA-236W-P7WF-5PH8 vulnerabilities

Vulnerabilities for packages: ingress-nginx-controller, metrics-server, hubble-ui, certificate-transparency, kubescape, oras, fulcio, sbomqs, nerdctl, nsc, volume-modifier-for-k8s, wave, cilium, kube-bench, kind, kaniko, octo-sts, external-dns, neuvector-sigstore-interface, dgraph, wolfictl,...

CVE-2023-44487 affecting package cert-manager for versions less than 1.11.2-5

CVE-2023-44487 affecting package cert-manager for versions less than 1.11.2-5. A patched version of the package is...

CVE-2023-39325 affecting package cert-manager for versions less than 1.11.2-5

CVE-2023-39325 affecting package cert-manager for versions less than 1.11.2-5. A patched version of the package is...

CVE-2023-44487 affecting package cert-manager for versions less than 1.11.2-5

CVE-2023-44487 affecting package cert-manager for versions less than 1.11.2-5. A patched version of the package is...

CVE-2023-39325 affecting package cert-manager for versions less than 1.11.2-5

CVE-2023-39325 affecting package cert-manager for versions less than 1.11.2-5. A patched version of the package is...

CVE-2024-33620

Absolute path traversal vulnerability exists in ID Link Manager and FUJITSU Software TIME CREATOR. If this vulnerability is exploited, the file contents including sensitive information on the server may be retrieved by an unauthenticated remote...

CVE-2024-33622

Missing authentication for critical function vulnerability exists in ID Link Manager and FUJITSU Software TIME CREATOR. If this vulnerability is exploited, sensitive information may be obtained and/or the information stored in the database may be altered by a remote authenticated...

CVE-2024-33620

Absolute path traversal vulnerability exists in ID Link Manager and FUJITSU Software TIME CREATOR. If this vulnerability is exploited, the file contents including sensitive information on the server may be retrieved by an unauthenticated remote...

CVE-2024-33622

Missing authentication for critical function vulnerability exists in ID Link Manager and FUJITSU Software TIME CREATOR. If this vulnerability is exploited, sensitive information may be obtained and/or the information stored in the database may be altered by a remote authenticated...

CVE-2024-34024

Observable response discrepancy issue exists in ID Link Manager and FUJITSU Software TIME CREATOR. If this vulnerability is exploited, an unauthenticated remote attacker may determine if a username is valid or...

CVE-2024-34024

Observable response discrepancy issue exists in ID Link Manager and FUJITSU Software TIME CREATOR. If this vulnerability is exploited, an unauthenticated remote attacker may determine if a username is valid or...

CVE-2024-34024

Observable response discrepancy issue exists in ID Link Manager and FUJITSU Software TIME CREATOR. If this vulnerability is exploited, an unauthenticated remote attacker may determine if a username is valid or...

CVE-2024-33620

Absolute path traversal vulnerability exists in ID Link Manager and FUJITSU Software TIME CREATOR. If this vulnerability is exploited, the file contents including sensitive information on the server may be retrieved by an unauthenticated remote...

CVE-2024-33622

Missing authentication for critical function vulnerability exists in ID Link Manager and FUJITSU Software TIME CREATOR. If this vulnerability is exploited, sensitive information may be obtained and/or the information stored in the database may be altered by a remote authenticated...

SUSE: Security Advisory (SUSE-SU-2024:2033-1)

The remote host is missing an update for...

SUSE: Security Advisory (SUSE-SU-2024:2043-1)

The remote host is missing an update for...

SUSE: Security Advisory (SUSE-SU-2024:2038-1)

The remote host is missing an update for...

JVN#65171386: Multiple vulnerabilities in ID Link Manager and FUJITSU Software TIME CREATOR

ID Link Manager and FUJITSU Software TIME CREATOR provided by Fsas Technologies Inc. contain multiple vulnerabilities listed below. Path Traversal (CWE-36) CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N Base Score 8.6 CVE-2024-33620 Missing Authentication (CWE-306)...

SUSE: Security Advisory (SUSE-SU-2024:2036-1)

The remote host is missing an update for...

SUSE: Security Advisory (SUSE-SU-2024:2039-1)

The remote host is missing an update for...

K000140029: libcurl vulnerability CVE-2024-2398

Security Advisory Description When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously...

SUSE: Security Advisory (SUSE-SU-2024:2035-1)

The remote host is missing an update for...

SUSE: Security Advisory (SUSE-SU-2024:2037-1)

The remote host is missing an update for...

Rancher's RKE1 Encryption Config kept in plain-text within cluster AppliedSpec

Impact This issue is only relevant to clusters provisioned using RKE1 with secrets encryption configuration enabled. A vulnerability has been identified in which an RKE1 cluster keeps constantly reconciling when secrets encryption configuration is enabled (please see the RKE documentation). When...

Rancher's RKE1 Encryption Config kept in plain-text within cluster AppliedSpec

Impact This issue is only relevant to clusters provisioned using RKE1 with secrets encryption configuration enabled. A vulnerability has been identified in which an RKE1 cluster keeps constantly reconciling when secrets encryption configuration is enabled (please see the RKE documentation). When...

Rancher's External RoleTemplates can lead to privilege escalation

Impact A vulnerability has been identified whereby privilege escalation checks are not properly enforced for RoleTemplateobjects when external=true, which in specific scenarios can lead to privilege escalation. The bug in the webhook rule resolver ignores rules from a ClusterRole for external...

Rancher's External RoleTemplates can lead to privilege escalation

Impact A vulnerability has been identified whereby privilege escalation checks are not properly enforced for RoleTemplateobjects when external=true, which in specific scenarios can lead to privilege escalation. The bug in the webhook rule resolver ignores rules from a ClusterRole for external...

rke's credentials are stored in the RKE1 Cluster state ConfigMap

Impact When RKE provisions a cluster, it stores the cluster state in a configmap called full-cluster-state inside the kube-system namespace of the cluster itself. This cluster state object contains information used to set up the K8s cluster, which may include the following sensitive data: ...

rke's credentials are stored in the RKE1 Cluster state ConfigMap

Impact When RKE provisions a cluster, it stores the cluster state in a configmap called full-cluster-state inside the kube-system namespace of the cluster itself. This cluster state object contains information used to set up the K8s cluster, which may include the following sensitive data: ...

Rancher does not automatically clean up a user deleted or disabled from the configured Authentication Provider

Impact A vulnerability has been identified in which Rancher does not automatically clean up a user which has been deleted from the configured authentication provider (AP). This characteristic also applies to disabled or revoked users, Rancher will not reflect these modifications which may leave...

Rancher does not automatically clean up a user deleted or disabled from the configured Authentication Provider

Impact A vulnerability has been identified in which Rancher does not automatically clean up a user which has been deleted from the configured authentication provider (AP). This characteristic also applies to disabled or revoked users, Rancher will not reflect these modifications which may leave...

Firefly III has a MFA bypass in oauth flow

Impact A MFA bypass in the Firefly III OAuth flow may allow malicious users to bypass the MFA-check. This allows malicious users to use password spraying to gain access to your Firefly III data using passwords stolen from other sources. As OAuth applications are easily enumerable using an...

Firefly III has a MFA bypass in oauth flow

Impact A MFA bypass in the Firefly III OAuth flow may allow malicious users to bypass the MFA-check. This allows malicious users to use password spraying to gain access to your Firefly III data using passwords stolen from other sources. As OAuth applications are easily enumerable using an...

Malvertising Campaign Leads to Execution of Oyster Backdoor

The following analysts contributed to this blog: Thomas Elkins, Daniel Thiede, Josh Lockwood, Tyler McGraw, and Sasha Kovalev. Executive Summary Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and.....

CVE-2024-37893

Firefly III is a free and open source personal finance manager. In affected versions an MFA bypass in the Firefly III OAuth flow may allow malicious users to bypass the MFA-check. This allows malicious users to use password spraying to gain access to Firefly III data using passwords stolen from...

CVE-2024-37893

Firefly III is a free and open source personal finance manager. In affected versions an MFA bypass in the Firefly III OAuth flow may allow malicious users to bypass the MFA-check. This allows malicious users to use password spraying to gain access to Firefly III data using passwords stolen from...

CVE-2024-37893 MFA bypass in oauth flow in Firefly III

Firefly III is a free and open source personal finance manager. In affected versions an MFA bypass in the Firefly III OAuth flow may allow malicious users to bypass the MFA-check. This allows malicious users to use password spraying to gain access to Firefly III data using passwords stolen from...

CVE-2024-6059

A vulnerability, which was classified as problematic, has been found in Ingenico Estate Manager 2023. This issue affects some unknown processing of the file /emgui/rest/ums/messages of the component News Feed. The manipulation of the argument message leads to cross site scripting. The attack may...

CVE-2024-6059

A vulnerability, which was classified as problematic, has been found in Ingenico Estate Manager 2023. This issue affects some unknown processing of the file /emgui/rest/ums/messages of the component News Feed. The manipulation of the argument message leads to cross site scripting. The attack may...

CVE-2024-6059 Ingenico Estate Manager News Feed messages cross site scripting

A vulnerability, which was classified as problematic, has been found in Ingenico Estate Manager 2023. This issue affects some unknown processing of the file /emgui/rest/ums/messages of the component News Feed. The manipulation of the argument message leads to cross site scripting. The attack may...

(Almost) everything you always wanted to know about cybersecurity, but were too afraid to ask, with Tjitske de Vries: Lock and Code S05E13

This week on the Lock and Code podcast… Ready to know what Malwarebytes knows? Ask us your questions and get some answers. What is a passphrase and what makes it—what’s the word? Strong? Every day, countless readers, listeners, posters, and users ask us questions about some of the most commonly...