HPE Integrated Lights-out 5 (iLO 5), HPE Integrated Lights-out 6 (iLO 6), Security Vulnerabilities

Source: cbl_mariner
Title: CVE-2021-3716 affecting package nbdkit 1.20.7-5
Summary: CVE-2021-3716 affecting package nbdkit 1.20.7-5. This CVE either no longer is or was never...
CVSS: 3.1 | AI Score: 7.5 | EPSS: 0.001 | Date: 2024-06-18 09:08 AM

Source: cbl_mariner
Title: CVE-2020-25722 affecting package samba 4.12.5-6
Summary: CVE-2020-25722 affecting package samba 4.12.5-6. No patch is available...
CVSS: 8.8 | AI Score: 7.9 | EPSS: 0.002 | Date: 2024-06-18 09:08 AM

Source: cbl_mariner
Title: CVE-2010-4226 affecting package cpio 2.13-5
Summary: CVE-2010-4226 affecting package cpio 2.13-5. This CVE either no longer is or was never...
AI Score: 6.8 | EPSS: 0.003 | Date: 2024-06-18 09:08 AM

Source: cbl_mariner
Title: CVE-2023-39325 affecting package cert-manager for versions less than 1.11.2-5
Summary: CVE-2023-39325 affecting package cert-manager for versions less than 1.11.2-5. A patched version of the package is...
CVSS: 7.5 | AI Score: 8.3 | EPSS: 0.002 | Date: 2024-06-18 09:08 AM

Source: cbl_mariner
Title: CVE-2022-3437 affecting package samba 4.12.5-6
Summary: CVE-2022-3437 affecting package samba 4.12.5-6. No patch is available...
CVSS: 6.5 | AI Score: 7.3 | EPSS: 0.01 | Date: 2024-06-18 09:08 AM

Source: cbl_mariner
Title: CVE-2022-2989 affecting package podman 4.1.1-5
Summary: CVE-2022-2989 affecting package podman 4.1.1-5. This CVE either no longer is or was never...
CVSS: 7.1 | AI Score: 7.8 | EPSS: 0.0005 | Date: 2024-06-18 09:08 AM

Source: cbl_mariner
Title: CVE-2022-32742 affecting package samba 4.12.5-6
Summary: CVE-2022-32742 affecting package samba 4.12.5-6. No patch is available...
CVSS: 4.3 | AI Score: 5.2 | EPSS: 0.038 | Date: 2024-06-18 09:08 AM

Source: cbl_mariner
Title: CVE-2020-25718 affecting package samba 4.12.5-6
Summary: CVE-2020-25718 affecting package samba 4.12.5-6. No patch is available...
CVSS: 8.8 | AI Score: 7.9 | EPSS: 0.002 | Date: 2024-06-18 09:08 AM

Source: cbl_mariner
Title: CVE-2020-25717 affecting package samba 4.12.5-6
Summary: CVE-2020-25717 affecting package samba 4.12.5-6. No patch is available...
CVSS: 8.1 | AI Score: 8.1 | EPSS: 0.001 | Date: 2024-06-18 09:08 AM

Source: cbl_mariner
Title: CVE-2021-44142 affecting package samba 4.12.5-6
Summary: CVE-2021-44142 affecting package samba 4.12.5-6. No patch is available...
CVSS: 8.8 | AI Score: 9.1 | EPSS: 0.18 | Date: 2024-06-18 09:08 AM

Source: cbl_mariner
Title: CVE-2020-27840 affecting package samba 4.12.5-6
Summary: CVE-2020-27840 affecting package samba 4.12.5-6. No patch is available...
CVSS: 7.5 | AI Score: 7.6 | EPSS: 0.009 | Date: 2024-06-18 09:08 AM

Source: cbl_mariner
Title: CVE-2019-25051 affecting package aspell 0.60.8-5
Summary: CVE-2019-25051 affecting package aspell 0.60.8-5. This CVE either no longer is or was never...
CVSS: 7.8 | AI Score: 7.7 | EPSS: 0.001 | Date: 2024-06-18 09:08 AM

Source: cbl_mariner
Title: CVE-2022-3857 affecting package libpng for versions less than 1.6.39-1
Summary: CVE-2022-3857 affecting package libpng for versions less than 1.6.39-1. No patch is available...
CVSS: 5.5 | AI Score: 5.5 | EPSS: 0.001 | Date: 2024-06-18 09:08 AM

Source: cbl_mariner
Title: CVE-2023-0286 affecting package reaper 3.1.1-6
Summary: CVE-2023-0286 affecting package reaper 3.1.1-6. This CVE either no longer is or was never...
CVSS: 7.4 | AI Score: 8 | EPSS: 0.003 | Date: 2024-06-18 09:08 AM

Source: cbl_mariner
Title: CVE-2023-22466 affecting package rpm-ostree 2022.1-6
Summary: CVE-2023-22466 affecting package rpm-ostree 2022.1-6. This CVE either no longer is or was never...
CVSS: 5.4 | AI Score: 5.9 | EPSS: 0.001 | Date: 2024-06-18 09:08 AM

Source: cbl_mariner
Title: CVE-2022-42898 affecting package samba 4.12.5-6
Summary: CVE-2022-42898 affecting package samba 4.12.5-6. No patch is available...
CVSS: 8.8 | AI Score: 8.1 | EPSS: 0.005 | Date: 2024-06-18 09:08 AM

Source: cbl_mariner
Title: CVE-2022-4904 affecting package python-gevent 1.3.6-5
Summary: CVE-2022-4904 affecting package python-gevent 1.3.6-5. No patch is available...
CVSS: 8.6 | AI Score: 9.5 | EPSS: 0.001 | Date: 2024-06-18 09:08 AM

Source: cbl_mariner
Title: CVE-2023-0215 affecting package shim-unsigned-aarch64 15-5
Summary: CVE-2023-0215 affecting package shim-unsigned-aarch64 15-5. This CVE either no longer is or was never...
CVSS: 7.5 | AI Score: 8.4 | EPSS: 0.004 | Date: 2024-06-18 09:08 AM

Source: cbl_mariner
Title: CVE-2022-4515 affecting package ctags 5.8-6
Summary: CVE-2022-4515 affecting package ctags 5.8-6. No patch is available...
CVSS: 7.8 | AI Score: 7.5 | EPSS: 0.001 | Date: 2024-06-18 09:08 AM

Source: cbl_mariner
Title: CVE-2021-25741 affecting package kubernetes-1.19.13 1.19.13-5
Summary: CVE-2021-25741 affecting package kubernetes-1.19.13 1.19.13-5. No patch is available...
CVSS: 8.8 | AI Score: 8.9 | EPSS: n/a | Date: 2024-06-18 09:08 AM

Source: cbl_mariner
Title: CVE-2022-30699 affecting package unbound 1.10.0-5
Summary: CVE-2022-30699 affecting package unbound 1.10.0-5. No patch is available...
CVSS: 6.5 | AI Score: 7.5 | EPSS: 0.001 | Date: 2024-06-18 09:08 AM

Source: cbl_mariner
Title: CVE-2022-30698 affecting package unbound 1.10.0-5
Summary: CVE-2022-30698 affecting package unbound 1.10.0-5. No patch is available...
CVSS: 6.5 | AI Score: 7.5 | EPSS: 0.001 | Date: 2024-06-18 09:08 AM

Source: cbl_mariner
Title: CVE-2020-8563 affecting package kubernetes-1.18.17 1.18.17-6
Summary: CVE-2020-8563 affecting package kubernetes-1.18.17 1.18.17-6. No patch is available...
CVSS: 5.5 | AI Score: 7.5 | EPSS: 0.0005 | Date: 2024-06-18 09:08 AM

Source: cbl_mariner
Title: CVE-2018-25078 affecting package man-db 2.8.4-5
Summary: CVE-2018-25078 affecting package man-db 2.8.4-5. This CVE either no longer is or was never...
CVSS: 7.8 | AI Score: 7.5 | EPSS: 0.0004 | Date: 2024-06-18 09:08 AM

Source: cbl_mariner
Title: CVE-2023-44487 affecting package cert-manager for versions less than 1.11.2-5
Summary: CVE-2023-44487 affecting package cert-manager for versions less than 1.11.2-5. A patched version of the package is...
CVSS: 7.5 | AI Score: 8.2 | EPSS: 0.732 | Date: 2024-06-18 09:08 AM

Source: cbl_mariner
Title: CVE-2023-39325 affecting package vitess for versions less than 16.0.2-5
Summary: CVE-2023-39325 affecting package vitess for versions less than 16.0.2-5. A patched version of the package is...
CVSS: 7.5 | AI Score: 7.9 | EPSS: 0.002 | Date: 2024-06-18 09:08 AM

Source: cbl_mariner
Title: CVE-2023-44487 affecting package vitess for versions less than 16.0.2-5
Summary: CVE-2023-44487 affecting package vitess for versions less than 16.0.2-5. A patched version of the package is...
CVSS: 7.5 | AI Score: 8.2 | EPSS: 0.732 | Date: 2024-06-18 09:08 AM

Source: cbl_mariner
Title: CVE-2023-3817 affecting package rust for versions less than 1.68.2-5
Summary: CVE-2023-3817 affecting package rust for versions less than 1.68.2-5. A patched version of the package is...
CVSS: 5.3 | AI Score: 5.7 | EPSS: 0.001 | Date: 2024-06-18 09:08 AM

Source: cbl_mariner
Title: CVE-2023-44487 affecting package opa for versions less than 0.50.2-6
Summary: CVE-2023-44487 affecting package opa for versions less than 0.50.2-6. A patched version of the package is...
CVSS: 7.5 | AI Score: 8.2 | EPSS: 0.732 | Date: 2024-06-18 09:08 AM

Source: cbl_mariner
Title: CVE-2023-39325 affecting package cert-manager for versions less than 1.11.2-5
Summary: CVE-2023-39325 affecting package cert-manager for versions less than 1.11.2-5. A patched version of the package is...
CVSS: 7.5 | AI Score: 7.8 | EPSS: 0.002 | Date: 2024-06-18 09:08 AM

Source: cbl_mariner
Title: CVE-2023-39325 affecting package opa for versions less than 0.50.2-6
Summary: CVE-2023-39325 affecting package opa for versions less than 0.50.2-6. A patched version of the package is...
CVSS: 7.5 | AI Score: 7.8 | EPSS: 0.002 | Date: 2024-06-18 09:08 AM

Source: thn
Title: Singapore Police Extradites Malaysians Linked to Android Malware Fraud
Summary: The Singapore Police Force (SPF) has announced the extradition of two men from Malaysia for their alleged involvement in a mobile malware campaign targeting citizens in the country since June 2023. The unnamed individuals, aged 26 and 47, engaged in scams that tricked unsuspecting users into...
AI Score: 7 | Date: 2024-06-18 07:38 AM

Source: openvas
Title: SUSE: Security Advisory (SUSE-SU-2024:2033-1)
Summary: The remote host is missing an update for...
CVSS: 7.5 | AI Score: 7.7 | EPSS: 0.05 | Date: 2024-06-18 12:00 AM

Source: redhatcve
Title: CVE-2024-37891
Summary: urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with ProxyManager, the Proxy-Authorization header is only sent to the configured proxy, as expected. However, when sending HTTP requests without using urllib3's proxy support, it's possible to...
CVSS: 4.4 | AI Score: 4.7 | EPSS: 0.0004 | Date: 2024-06-17 11:21 PM

Source: github
Title: Rancher's RKE1 Encryption Config kept in plain-text within cluster AppliedSpec
Summary: Impact This issue is only relevant to clusters provisioned using RKE1 with secrets encryption configuration enabled. A vulnerability has been identified in which an RKE1 cluster keeps constantly reconciling when secrets encryption configuration is enabled (please see the RKE documentation). When...
AI Score: 6.2 | EPSS: n/a | Date: 2024-06-17 10:30 PM

Source: osv
Title: Rancher's RKE1 Encryption Config kept in plain-text within cluster AppliedSpec
Summary: Impact This issue is only relevant to clusters provisioned using RKE1 with secrets encryption configuration enabled. A vulnerability has been identified in which an RKE1 cluster keeps constantly reconciling when secrets encryption configuration is enabled (please see the RKE documentation). When...
AI Score: 6.1 | EPSS: n/a | Date: 2024-06-17 10:30 PM

Source: osv
Title: Rancher's External RoleTemplates can lead to privilege escalation
Summary: Impact A vulnerability has been identified whereby privilege escalation checks are not properly enforced for RoleTemplate objects when external=true, which in specific scenarios can lead to privilege escalation. The bug in the webhook rule resolver ignores rules from a ClusterRole for external...
AI Score: 6.5 | EPSS: n/a | Date: 2024-06-17 10:30 PM

Source: github
Title: Rancher's External RoleTemplates can lead to privilege escalation
Summary: Impact A vulnerability has been identified whereby privilege escalation checks are not properly enforced for RoleTemplate objects when external=true, which in specific scenarios can lead to privilege escalation. The bug in the webhook rule resolver ignores rules from a ClusterRole for external...
AI Score: 6.6 | EPSS: n/a | Date: 2024-06-17 10:30 PM

Source: github
Title: rke's credentials are stored in the RKE1 Cluster state ConfigMap
Summary: Impact When RKE provisions a cluster, it stores the cluster state in a configmap called full-cluster-state inside the kube-system namespace of the cluster itself. This cluster state object contains information used to set up the K8s cluster, which may include the following sensitive data: ...
AI Score: 6.2 | EPSS: n/a | Date: 2024-06-17 10:30 PM

Source: osv
Title: rke's credentials are stored in the RKE1 Cluster state ConfigMap
Summary: Impact When RKE provisions a cluster, it stores the cluster state in a configmap called full-cluster-state inside the kube-system namespace of the cluster itself. This cluster state object contains information used to set up the K8s cluster, which may include the following sensitive data: ...
AI Score: 6 | EPSS: n/a | Date: 2024-06-17 10:30 PM

Source: github
Title: Rancher does not automatically clean up a user deleted or disabled from the configured Authentication Provider
Summary: Impact A vulnerability has been identified in which Rancher does not automatically clean up a user which has been deleted from the configured authentication provider (AP). This characteristic also applies to disabled or revoked users, Rancher will not reflect these modifications which may leave...
AI Score: 6.8 | EPSS: n/a | Date: 2024-06-17 10:30 PM

Source: osv
Title: Rancher does not automatically clean up a user deleted or disabled from the configured Authentication Provider
Summary: Impact A vulnerability has been identified in which Rancher does not automatically clean up a user which has been deleted from the configured authentication provider (AP). This characteristic also applies to disabled or revoked users, Rancher will not reflect these modifications which may leave...
AI Score: 6.5 | EPSS: n/a | Date: 2024-06-17 10:30 PM

Source: osv
Title: Firefly III has a MFA bypass in oauth flow
Summary: Impact A MFA bypass in the Firefly III OAuth flow may allow malicious users to bypass the MFA-check. This allows malicious users to use password spraying to gain access to your Firefly III data using passwords stolen from other sources. As OAuth applications are easily enumerable using an...
CVSS: 5.9 | AI Score: 7.2 | EPSS: 0.0004 | Date: 2024-06-17 10:28 PM

Source: osv
Title: urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects
Summary: When using urllib3's proxy support with ProxyManager, the Proxy-Authorization header is only sent to the configured proxy, as expected. However, when sending HTTP requests without using urllib3's proxy support, it's possible to accidentally configure the Proxy-Authorization header even though it...
CVSS: 4.4 | AI Score: 7 | EPSS: 0.0004 | Date: 2024-06-17 09:37 PM

Source: github
Title: urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects
Summary: When using urllib3's proxy support with ProxyManager, the Proxy-Authorization header is only sent to the configured proxy, as expected. However, when sending HTTP requests without using urllib3's proxy support, it's possible to accidentally configure the Proxy-Authorization header even though it...
CVSS: 4.4 | AI Score: 4.8 | EPSS: 0.0004 | Date: 2024-06-17 09:37 PM

Source: osv
Title: LNbits improperly handles potential network and payment failures when using Eclair backend
Summary: Summary Paying invoices in Eclair that do not get settled within the internal timeout (about 30s) lead to a payment being considered failed, even though it may still be in flight. Details Using blocking: true on the API call will lead to a timeout error if a payment does not get settled in the 30s....
CVSS: 8.1 | AI Score: 6.7 | EPSS: 0.0004 | Date: 2024-06-17 09:24 PM

Source: github
Title: LNbits improperly handles potential network and payment failures when using Eclair backend
Summary: Summary Paying invoices in Eclair that do not get settled within the internal timeout (about 30s) lead to a payment being considered failed, even though it may still be in flight. Details Using blocking: true on the API call will lead to a timeout error if a payment does not get settled in the 30s....
CVSS: 8.1 | AI Score: 6.7 | EPSS: 0.0004 | Date: 2024-06-17 09:24 PM

Source: debiancve
Title: CVE-2024-6064
Summary: A vulnerability was found in GPAC 2.5-DEV-rev228-g11067ea92-master. It has been declared as problematic. This vulnerability affects the function xmt_node_end of the file src/scene_manager/loader_xmt.c of the component MP4Box. The manipulation leads to use after free. Local access is required to...
CVSS: 5.3 | AI Score: 7.2 | EPSS: 0.0004 | Date: 2024-06-17 09:15 PM

Source: debiancve
Title: CVE-2024-6063
Summary: A vulnerability was found in GPAC 2.5-DEV-rev228-g11067ea92-master. It has been classified as problematic. This affects the function m2tsdmx_on_event of the file src/filters/dmx_m2ts.c of the component MP4Box. The manipulation leads to null pointer dereference. An attack has to be approached...
CVSS: 3.3 | AI Score: 7.3 | EPSS: 0.0004 | Date: 2024-06-17 09:15 PM

Source: wallarmlab
Title: Zero-Day Marketplace Explained: How Zerodium, BugTraq, and Fear contributed to the Rise of the Zero-Day Vulnerability Black Market
Summary: Whenever a company is notified about or discovers a critical flaw in their system/application that has the potential to be exploited by malicious elements, it's termed a vulnerability. However, every time a flaw being actively exploited is discovered, code red is punched as the organization's IT...
AI Score: 7.9 | Date: 2024-06-17 08:33 PM

Total number of security vulnerabilities: 622243