Security Bulletin: AIX is vulnerable to a denial of service due to libxml2 (CVE-2024-25062)
Summary Vulnerability in libxml2 could allow a remote attacker to cause a denial of service (CVE-2024-25062). AIX uses libxml2 as part of its XML parsing functions. Vulnerability Details ** CVEID: CVE-2024-25062 DESCRIPTION: **GNOME libxml2 is vulnerable to a denial of service, caused by a...
7.5CVSS
7.4AI Score
0.0005EPSS
Envoy is a cloud-native, open source edge and service proxy. Due to how Envoy invoked the nlohmann JSON library, the library could throw an uncaught exception from downstream data if incomplete UTF-8 strings were serialized. The uncaught exception would cause Envoy to...
7.5CVSS
7.1AI Score
0.0004EPSS
Envoy is a cloud-native, open source edge and service proxy. Due to how Envoy invoked the nlohmann JSON library, the library could throw an uncaught exception from downstream data if incomplete UTF-8 strings were serialized. The uncaught exception would cause Envoy to...
7.5CVSS
7.5AI Score
0.0004EPSS
CVE-2024-34363 Envoy can crash due to uncaught nlohmann JSON exception
Envoy is a cloud-native, open source edge and service proxy. Due to how Envoy invoked the nlohmann JSON library, the library could throw an uncaught exception from downstream data if incomplete UTF-8 strings were serialized. The uncaught exception would cause Envoy to...
7.5CVSS
7.5AI Score
0.0004EPSS
An arbitrary file upload vulnerability in the /v1/app/appendFileSync interface of Jan v0.4.12 allows attackers to execute arbitrary code via uploading a crafted...
7.4AI Score
EPSS
An arbitrary file upload vulnerability in the /v1/app/appendFileSync interface of Jan v0.4.12 allows attackers to execute arbitrary code via uploading a crafted...
8AI Score
EPSS
An arbitrary file upload vulnerability in the /v1/app/writeFileSync interface of Jan v0.4.12 allows attackers to execute arbitrary code via uploading a crafted...
8AI Score
EPSS
An arbitrary file upload vulnerability in the /v1/app/writeFileSync interface of Jan v0.4.12 allows attackers to execute arbitrary code via uploading a crafted...
7.4AI Score
EPSS
Jan v0.4.12 was discovered to contain an arbitrary file read vulnerability via the /v1/app/readFileSync...
7.1AI Score
EPSS
Jan v0.4.12 was discovered to contain an arbitrary file read vulnerability via the /v1/app/readFileSync...
7.7AI Score
EPSS
Insertion of Sensitive Information into Log File vulnerability in Code Parrots Easy Forms for Mailchimp.This issue affects Easy Forms for Mailchimp: from n/a through...
7.5CVSS
7.3AI Score
0.0004EPSS
Insertion of Sensitive Information into Log File vulnerability in Code Parrots Easy Forms for Mailchimp.This issue affects Easy Forms for Mailchimp: from n/a through...
7.5CVSS
7.7AI Score
0.0004EPSS
Insertion of Sensitive Information into Log File vulnerability in Code Parrots Easy Forms for Mailchimp.This issue affects Easy Forms for Mailchimp: from n/a through...
7.5CVSS
7.7AI Score
0.0004EPSS
malicious container creates symlink "mtab" on the host External
Impact A malicious container can affect the host by taking advantage of code cri-o added to show the container mounts on the host. A workload built from this Dockerfile: ``` FROM docker.io/library/busybox as source RUN mkdir /extra && cd /extra && ln -s ../../../../../../../../root etc FROM...
6.7AI Score
EPSS
malicious container creates symlink "mtab" on the host External
Impact A malicious container can affect the host by taking advantage of code cri-o added to show the container mounts on the host. A workload built from this Dockerfile: ``` FROM docker.io/library/busybox as source RUN mkdir /extra && cd /extra && ln -s ../../../../../../../../root etc FROM...
6.7AI Score
EPSS
apko Exposure of HTTP basic auth credentials in log output
Summary Exposure of HTTP basic auth credentials from repository and keyring URLs in log output Details There was a handful of instances where the apko tool was outputting error messages and log entries where HTTP basic authentication credentials were exposed for one of two reasons: The%s verb was.....
7.5CVSS
6.9AI Score
0.0004EPSS
apko Exposure of HTTP basic auth credentials in log output
Summary Exposure of HTTP basic auth credentials from repository and keyring URLs in log output Details There was a handful of instances where the apko tool was outputting error messages and log entries where HTTP basic authentication credentials were exposed for one of two reasons: The%s verb was.....
7.5CVSS
6.9AI Score
0.0004EPSS
Security Bulletin: IBM QRadar SIEM is vulnerable to AJP Smuggling (CVE-2022-26377)
Summary IBM QRadar SIEM is vulnerable to AJP Smuggling to Response Queue Poisoning. This vulnerability has been addressed in the update. Vulnerability Details ** CVEID: CVE-2022-26377 DESCRIPTION: **Apache HTTP Server is vulnerable to HTTP request smuggling, caused by an inconsistent...
7.5CVSS
8.5AI Score
0.006EPSS
Flooding Server with Thumbnail files
Details 1. All Imagick supported Fileformats are served without filtering The Thumbnail endpoint does not check against any filters what file formats should be served. We can transcode the image in all formats imagemagick supports. With that we can create Files that are much larger in filesize...
7.5CVSS
6.5AI Score
0.0004EPSS
Flooding Server with Thumbnail files
Details 1. All Imagick supported Fileformats are served without filtering The Thumbnail endpoint does not check against any filters what file formats should be served. We can transcode the image in all formats imagemagick supports. With that we can create Files that are much larger in filesize...
7.5CVSS
6.5AI Score
0.0004EPSS
Summary In addition to OS level package updates, multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation 21.0.3-IF033 and 23.0.2-IF005. Vulnerability Details ** CVEID: CVE-2024-21501 DESCRIPTION: **Node.js sanitize-html module could allow a remote attacker to...
8.8CVSS
9.7AI Score
EPSS
In the Linux kernel, the following vulnerability has been resolved: tracefs: Reset permissions on remount if permissions are options There's an inconsistency with the way permissions are handled in tracefs. Because the permissions are generated when accessed, they default to the root inode's...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: thermal/debugfs: Fix two locking issues with thermal zone debug With the current thermal zone locking arrangement in the debugfs code, user space can open the "mitigations" file for a thermal zone before the zone's debugfs pointer....
6.4AI Score
0.0004EPSS
Summary A vulnerabilitiy in IBM® SDK Java™ Technology Edition that is shipped as part of multiple IBM Tivoli Monitoring (ITM) components. CVE-2024-3933 Vulnerability Details ** CVEID: CVE-2024-3933 DESCRIPTION: **Eclipse Openj9 could allow a local authenticated attacker to bypass security...
5.3CVSS
6.7AI Score
0.0004EPSS
AIX is vulnerable to denial of service due to ISC BIND
IBM SECURITY ADVISORY First Issued: Tue Jun 4 16:06:25 CDT 2024 |Updated: Wed Jun 5 08:17:08 CDT 2024 |Update: Corrected the affected fileset levels to reflect that | bind.rte 7.1.916.2604 and 7.3.916.2601 are vulnerable. The most recent version of this document is available here:...
7.5CVSS
8.1AI Score
0.037EPSS
Access Restriction Bypass in go-ipfs in github.com/ipfs/go-ipfs
Access Restriction Bypass in go-ipfs in...
7.5CVSS
6.4AI Score
0.001EPSS
Owncast vulnerable to arbitrary file deletion in emoji.go (GHSL-2023-277) in...
2.7CVSS
6.5AI Score
0.0004EPSS
Apache Answer Unrestricted Upload of File with Dangerous Type vulnerability in...
6.4AI Score
0.0004EPSS
Pebble service manager's file pull API allows access by any user in github.com/canonical/pebble
Pebble service manager's file pull API allows access by any user in...
6.5CVSS
6.5AI Score
0.0004EPSS
azure-file-csi-driver leaks service account tokens in the logs in sigs.k8s.io/azurefile-csi-driver
azure-file-csi-driver leaks service account tokens in the logs in...
6.5CVSS
6.4AI Score
0.0004EPSS
Sensitive Information leak via Log File in Kubernetes in k8s.io/kubernetes
Sensitive Information leak via Log File in Kubernetes in...
5.5CVSS
6AI Score
0.0005EPSS
Pterodactyl Wings vulnerable to improper isolation of server file access in...
9.9CVSS
6.3AI Score
0.0004EPSS
Pterodactyl Wings vulnerable to Arbitrary File Write/Read in github.com/pterodactyl/wings
Pterodactyl Wings vulnerable to Arbitrary File Write/Read in...
8.4CVSS
6.3AI Score
0.0004EPSS
Pimcore is an Open Source Data & Experience Management Platform. The Pimcore thumbnail generation can be used to flood the server with large files. By changing the file extension or scaling factor of the requested thumbnail, attackers can create files that are much larger in file size than the...
7.5CVSS
6.7AI Score
0.0004EPSS
Pimcore is an Open Source Data & Experience Management Platform. The Pimcore thumbnail generation can be used to flood the server with large files. By changing the file extension or scaling factor of the requested thumbnail, attackers can create files that are much larger in file size than the...
7.5CVSS
7.4AI Score
0.0004EPSS
Pimcore is an Open Source Data & Experience Management Platform. The Pimcore thumbnail generation can be used to flood the server with large files. By changing the file extension or scaling factor of the requested thumbnail, attackers can create files that are much larger in file size than the...
7.5CVSS
7AI Score
0.0004EPSS
Typo3 Arbitrary File Disclosure in Form Component
Failing to properly validate user input, the form component is susceptible to Arbitrary File Disclosure. A valid backend user account is needed to exploit this vulnerability. Only forms are vulnerable, which contain upload...
7.1AI Score
Typo3 Arbitrary File Disclosure in Form Component
Failing to properly validate user input, the form component is susceptible to Arbitrary File Disclosure. A valid backend user account is needed to exploit this vulnerability. Only forms are vulnerable, which contain upload...
7.1AI Score
TotalCloud Insights: Securing Your Data—The Power of Encryption in Preventing Threats
Introduction Did you know there is a 90% failure rate for encryption-related controls of MySQL Server in Microsoft Azure? The issue isn't confined to Azure; in Google Cloud Platform (GCP) environments there is a 98% failure rate of encryption-related controls for both compute engine and storage...
7.2AI Score
XML External Entity (XXE) Processing in TYPO3 Core
All XML processing within the TYPO3 CMS are vulnerable to XEE processing. This can lead to load internal and/or external (file) content within an XML structure. Furthermore it is possible to inject arbitrary files for an XML Denial of Service attack. For more information on that topic see...
6.9AI Score
XML External Entity (XXE) Processing in TYPO3 Core
All XML processing within the TYPO3 CMS are vulnerable to XEE processing. This can lead to load internal and/or external (file) content within an XML structure. Furthermore it is possible to inject arbitrary files for an XML Denial of Service attack. For more information on that topic see...
6.9AI Score
CVE-2024-32871 Pimcore Vulnerable to Flooding Server with Thumbnail files
Pimcore is an Open Source Data & Experience Management Platform. The Pimcore thumbnail generation can be used to flood the server with large files. By changing the file extension or scaling factor of the requested thumbnail, attackers can create files that are much larger in file size than the...
7.5CVSS
7.4AI Score
0.0004EPSS
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Wow-Company Easy Digital Downloads – Recent Purchases allows PHP Remote File Inclusion.This issue affects Easy Digital Downloads – Recent Purchases: from n/a through...
9.6CVSS
9.6AI Score
0.0004EPSS
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Wow-Company Easy Digital Downloads – Recent Purchases allows PHP Remote File Inclusion.This issue affects Easy Digital Downloads – Recent Purchases: from n/a through...
9.6CVSS
7.4AI Score
0.0004EPSS
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Wow-Company Woocommerce – Recent Purchases allows PHP Local File Inclusion.This issue affects Woocommerce – Recent Purchases: from n/a through...
4.9CVSS
7.2AI Score
0.0004EPSS
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Wow-Company Woocommerce – Recent Purchases allows PHP Local File Inclusion.This issue affects Woocommerce – Recent Purchases: from n/a through...
4.9CVSS
5.5AI Score
0.0004EPSS
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Select-Themes Stockholm allows PHP Local File Inclusion.This issue affects Stockholm: from n/a through...
8.5CVSS
7.1AI Score
0.0004EPSS
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Select-Themes Stockholm allows PHP Local File Inclusion.This issue affects Stockholm: from n/a through...
9CVSS
7.1AI Score
0.0004EPSS
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Select-Themes Stockholm allows PHP Local File Inclusion.This issue affects Stockholm: from n/a through...
9CVSS
9.2AI Score
0.0004EPSS
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Select-Themes Stockholm Core allows PHP Local File Inclusion.This issue affects Stockholm Core: from n/a through...
8.5CVSS
7.1AI Score
0.0004EPSS