OMGF | Host Google Fonts Locally Security Vulnerabilities

cve

CVE-2024-4264

A remote code execution (RCE) vulnerability exists in the berriai/litellm project due to improper control of the generation of code when using the eval function unsafely in the litellm.get_secret() method. Specifically, when the server utilizes Google KMS, untrusted data is passed to the eval...

9.8 CVSS

2024-05-18 12:15 AM
1
cvelist

CVE-2024-4264 Remote Code Execution in berriai/litellm

A remote code execution (RCE) vulnerability exists in the berriai/litellm project due to improper control of the generation of code when using the eval function unsafely in the litellm.get_secret() method. Specifically, when the server utilizes Google KMS, untrusted data is passed to the eval...

2024-05-18 12:00 AM
3
redhatcve

CVE-2024-35825

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: ncm: Fix handling of zero block length packets While connecting to a Linux host with CDC_NCM_NTB_DEF_SIZE_TX set to 65536, it has been observed that we receive short packets, which come at interval of 5-10 seconds...

2024-05-17 11:42 PM
3
redhatcve

CVE-2024-27405

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: ncm: Avoid dropping datagrams of properly parsed NTBs It is observed sometimes when tethering is used over NCM with Windows 11 as host, at some instances, the gadget_giveback has one byte appended at the end of a...

2024-05-17 10:38 PM
githubexploit

Exploit for CVE-2024-29895

CVE-2024-29895 - RCE ON CACTI [!WARNING] This is an...

0.0004 EPSS

2024-05-17 10:03 PM
5
wolfi

GHSA-8R3F-844C-MC37 vulnerabilities

Vulnerabilities for packages: falco, gatekeeper, prometheus-bind-exporter, prometheus-pushgateway, k3s, crossplane-provider-gcp, k8sgpt, envoy-ratelimit, aactl, atlantis, kyverno, kargo, crossplane-provider-aws, grpc-health-probe, newrelic-nri-kube-events, newrelic-infra-operator,...

7.5 AI Score

2024-05-17 09:08 PM
109
wolfi

CVE-2024-24786 vulnerabilities

Vulnerabilities for packages: falco, gatekeeper, prometheus-bind-exporter, prometheus-pushgateway, k3s, crossplane-provider-gcp, k8sgpt, envoy-ratelimit, aactl, atlantis, kyverno, kargo, crossplane-provider-aws, grpc-health-probe, newrelic-nri-kube-events, newrelic-infra-operator,...

6.6 AI Score

0.0004 EPSS

2024-05-17 09:08 PM
17
wolfi

GHSA-9763-4F94-GFCH vulnerabilities

Vulnerabilities for packages: argo-cd, falco, pulumi-language-java, slsa-verifier, pulumi, aactl, crossplane-provider-aws, terragrunt, crossplane, kubevela, skaffold, pulumi-language-dotnet, boring-registry, flux-kustomize-controller, terraform-provider-google, zarf, kubescape, goreleaser,...

7.5 AI Score

2024-05-17 09:08 PM
37
wolfi

CVE-2023-45288 vulnerabilities

Vulnerabilities for packages: k8sgpt, envoy-ratelimit, aactl, kyverno, nri-redis, bom, terraform-provider-google, opentofu, newrelic-infrastructure-agent, crossplane-provider-azure, ferretdb, xcaddy, lazygit, stern, task, cri-tools, dynamic-localpv-provisioner, nats-server, pulumi, kubevela,...

6.9 AI Score

0.0004 EPSS

2024-05-17 09:08 PM
36
wolfi

GHSA-4V7X-PQXF-CX7M vulnerabilities

Vulnerabilities for packages: k8sgpt, envoy-ratelimit, aactl, kyverno, nri-redis, bom, terraform-provider-google, opentofu, newrelic-infrastructure-agent, crossplane-provider-azure, ferretdb, xcaddy, lazygit, stern, task, cri-tools, dynamic-localpv-provisioner, nats-server, pulumi, kubevela,...

7.5 AI Score

2024-05-17 09:08 PM
13
redhatcve

CVE-2024-4671

Use after free in Visuals in Google Chrome prior to 124.0.6367.201 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) Mitigation Red Hat has investigated whether a possible...

0.02 EPSS

2024-05-17 06:42 PM
cve

CVE-2024-3292

A race condition vulnerability exists where an authenticated, local attacker on a Windows Nessus Agent host could modify installation parameters at installation time, which could lead to the execution of arbitrary code on the Nessus host. -...

8.2 CVSS

2024-05-17 06:15 PM
cvelist

CVE-2024-3292 Race Condition

A race condition vulnerability exists where an authenticated, local attacker on a Windows Nessus Agent host could modify installation parameters at installation time, which could lead to the execution of arbitrary code on the Nessus host. -...

2024-05-17 05:17 PM
2
cve

CVE-2024-3289

When installing Nessus to a directory outside of the default location on a Windows host, Nessus versions prior to 10.7.3 did not enforce secure permissions for sub-directories. This could allow for local privilege escalation if users had not secured the directories in the non-default installation.....

7.8 CVSS

2024-05-17 05:15 PM
cve

CVE-2024-3290

A race condition vulnerability exists where an authenticated, local attacker on a Windows Nessus host could modify installation parameters at installation time, which could lead to the execution of arbitrary code on the Nessus...

8.2 CVSS

2024-05-17 05:15 PM
cve

CVE-2024-3291

When installing Nessus Agent to a directory outside of the default location on a Windows host, Nessus Agent versions prior to 10.6.4 did not enforce secure permissions for sub-directories. This could allow for local privilege escalation if users had not secured the directories in the non-default...

7.8 CVSS

2024-05-17 05:15 PM
cvelist

CVE-2024-3291 Privilege Escalation

When installing Nessus Agent to a directory outside of the default location on a Windows host, Nessus Agent versions prior to 10.6.4 did not enforce secure permissions for sub-directories. This could allow for local privilege escalation if users had not secured the directories in the non-default...

2024-05-17 04:59 PM
3
cvelist

CVE-2024-3290 Race Condition

A race condition vulnerability exists where an authenticated, local attacker on a Windows Nessus host could modify installation parameters at installation time, which could lead to the execution of arbitrary code on the Nessus...

2024-05-17 04:54 PM
2
cvelist

CVE-2024-3289

When installing Nessus to a directory outside of the default location on a Windows host, Nessus versions prior to 10.7.3 did not enforce secure permissions for sub-directories. This could allow for local privilege escalation if users had not secured the directories in the non-default installation.....

2024-05-17 04:50 PM
2
cgr

GHSA-8R3F-844C-MC37 vulnerabilities

Vulnerabilities for packages: prometheus-statsd-exporter, istio-operator-fips, tctl-fips, external-secrets-fips, nerdctl, external-secrets, kube-logging-logging-operator, eks-distro-kubernetes-csi-node-driver-registrar, rqlite, temporal-ui-server, argo-cd-fips, kube-state-metrics-fips, karpenter,.....

7.3 AI Score

2024-05-17 03:41 PM
99
cgr

CVE-2023-45288 vulnerabilities

Vulnerabilities for packages: prometheus-statsd-exporter, istio-operator-fips, croc, tctl-fips, tailscale, external-secrets-fips, external-secrets, kube-logging-logging-operator, git-lfs, eks-distro-kubernetes-csi-node-driver-registrar, rqlite, s5cmd, temporal-ui-server, argo-cd-fips, helm-fips,...

6.5 AI Score

0.0004 EPSS

2024-05-17 03:41 PM
94
cgr

CVE-2024-24786 vulnerabilities

Vulnerabilities for packages: prometheus-statsd-exporter, istio-operator-fips, tctl-fips, external-secrets-fips, nerdctl, external-secrets, kube-logging-logging-operator, eks-distro-kubernetes-csi-node-driver-registrar, rqlite, temporal-ui-server, argo-cd-fips, kube-state-metrics-fips, karpenter,.....

6.2 AI Score

0.0004 EPSS

2024-05-17 03:41 PM
36
cgr

GHSA-4V7X-PQXF-CX7M vulnerabilities

Vulnerabilities for packages: prometheus-statsd-exporter, istio-operator-fips, croc, tctl-fips, tailscale, external-secrets-fips, external-secrets, kube-logging-logging-operator, git-lfs, eks-distro-kubernetes-csi-node-driver-registrar, rqlite, s5cmd, temporal-ui-server, argo-cd-fips, helm-fips,...

7.3 AI Score

2024-05-17 03:41 PM
11
cgr

GHSA-9763-4F94-GFCH vulnerabilities

Vulnerabilities for packages: flux-source-controller-2.0, grafana, kaniko, falcoctl-fips, pulumi, flux-notification-controller, kubevela, flux-source-controller, zarf, pulumi-language-yaml, kubescape, zot, goreleaser, actions-runner-controller, keda, pulumi-kubernetes-operator, skaffold, flux,...

7.3 AI Score

2024-05-17 03:41 PM
66
osv

Submariner Operator sets unnecessary RBAC permissions in helm charts

A flaw was found in the Submariner project. Due to unnecessary role-based access control permissions, a privileged attacker can run a malicious container on a node that may allow them to steal service account tokens and further compromise other nodes and potentially the entire...

2024-05-17 03:31 PM
1
cve

CVE-2024-35846

In the Linux kernel, the following vulnerability has been resolved: mm: zswap: fix shrinker NULL crash with cgroup_disable=memory Christian reports a NULL deref in zswap that he bisected down to the zswap shrinker. The issue also cropped up in the bug trackers of libguestfs [1] and the Red Hat...

2024-05-17 03:15 PM
1
cvelist

CVE-2024-35846 mm: zswap: fix shrinker NULL crash with cgroup_disable=memory

In the Linux kernel, the following vulnerability has been resolved: mm: zswap: fix shrinker NULL crash with cgroup_disable=memory Christian reports a NULL deref in zswap that he bisected down to the zswap shrinker. The issue also cropped up in the bug trackers of libguestfs [1] and the Red Hat...

2024-05-17 02:47 PM
2
cve

CVE-2024-35825

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: ncm: Fix handling of zero block length packets While connecting to a Linux host with CDC_NCM_NTB_DEF_SIZE_TX set to 65536, it has been observed that we receive short packets, which come at interval of 5-10 seconds...

2024-05-17 02:15 PM
cvelist

CVE-2024-35825 usb: gadget: ncm: Fix handling of zero block length packets

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: ncm: Fix handling of zero block length packets While connecting to a Linux host with CDC_NCM_NTB_DEF_SIZE_TX set to 65536, it has been observed that we receive short packets, which come at interval of 5-10 seconds...

2024-05-17 01:27 PM
1
cve

CVE-2024-27405

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: ncm: Avoid dropping datagrams of properly parsed NTBs It is observed sometimes when tethering is used over NCM with Windows 11 as host, at some instances, the gadget_giveback has one byte appended at the end of a...

2024-05-17 12:15 PM
cvelist

CVE-2024-27405 usb: gadget: ncm: Avoid dropping datagrams of properly parsed NTBs

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: ncm: Avoid dropping datagrams of properly parsed NTBs It is observed sometimes when tethering is used over NCM with Windows 11 as host, at some instances, the gadget_giveback has one byte appended at the end of a...

2024-05-17 11:40 AM
veracode

Path Traversal

mlflow is vulnerable to Path Traversal. The vulnerability is due to improper validation of artifact URLs, particularly in handling the fragment part of the URL. Attackers can exploit this by inserting a '#' character, allowing the artifact to bypass validation, resulting in arbitrary file access on.....

2024-05-17 09:27 AM
cve

CVE-2023-47683

Improper Privilege Management vulnerability in miniOrange WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) allows Privilege Escalation. This issue affects WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn): from n/a through...

8 CVSS

7.2 AI Score

2024-05-17 09:15 AM
41
cve

CVE-2023-44478

Cross-Site Request Forgery (CSRF) vulnerability in WP Hive Events Rich Snippets for Google allows Exploitation of Trusted Credentials. This issue affects Events Rich Snippets for Google: from n/a through...

7.1 CVSS

7.2 AI Score

2024-05-17 09:15 AM
25
cvelist

CVE-2023-47683 WordPress Social Login, Social Sharing by miniOrange plugin <= 7.6.6 - Authenticated Privilege Escalation vulnerability

Improper Privilege Management vulnerability in miniOrange WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) allows Privilege Escalation. This issue affects WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn): from n/a through...

2024-05-17 08:36 AM
cvelist

CVE-2023-44478 WordPress Events Rich Snippets for Google plugin <= 1.8 - CSRF Leading to Privilege Escalation vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in WP Hive Events Rich Snippets for Google allows Exploitation of Trusted Credentials. This issue affects Events Rich Snippets for Google: from n/a through...

2024-05-17 08:28 AM
1
ibm

Security Bulletin: IBM Operational Decision Manager for April 2024 - Multiple CVEs addressed

Summary IBM Operational Decision Manager is vulnerable to multiple remote code execution and denial of service attacks in third party and open source used in the product for various functions. See full list below. The vulnerabilities have been addressed. Vulnerability Details ** CVEID:...

0.973 EPSS

2024-05-17 04:36 AM
6
openvas

Huawei EulerOS: Security Advisory for python-mako (EulerOS-SA-2024-1701)

The remote host is missing an update for the Huawei...

0.002 EPSS

2024-05-17 12:00 AM
openvas

Huawei EulerOS: Security Advisory for bind (EulerOS-SA-2024-1673)

The remote host is missing an update for the Huawei...

0.002 EPSS

2024-05-17 12:00 AM
openvas

Huawei EulerOS: Security Advisory for flac (EulerOS-SA-2024-1679)

The remote host is missing an update for the Huawei...

0.001 EPSS

2024-05-17 12:00 AM
openvas

Huawei EulerOS: Security Advisory for linux-firmware (EulerOS-SA-2024-1692)

The remote host is missing an update for the Huawei...

0.0005 EPSS

2024-05-17 12:00 AM
openvas

Huawei EulerOS: Security Advisory for xorg-x11-server (EulerOS-SA-2024-1709)

The remote host is missing an update for the Huawei...

0.266 EPSS

2024-05-17 12:00 AM
openvas

Mageia: Security Advisory (MGASA-2024-0179)

The remote host is missing an update for...

0.001 EPSS

2024-05-17 12:00 AM
openvas

Huawei EulerOS: Security Advisory for libcap (EulerOS-SA-2024-1686)

The remote host is missing an update for the Huawei...

0.001 EPSS

2024-05-17 12:00 AM
openvas

Huawei EulerOS: Security Advisory for python-urllib3 (EulerOS-SA-2024-1703)

The remote host is missing an update for the Huawei...

0.01 EPSS

2024-05-17 12:00 AM
osv

bind9 - security update

Bulletin has no...

0.037 EPSS

2024-05-17 12:00 AM
osv

thunderbird - security update

Bulletin has no...

2024-05-17 12:00 AM
openvas

Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2024-1672)

The remote host is missing an update for the Huawei...

0.002 EPSS

2024-05-17 12:00 AM
openvas

Ubuntu: Security Advisory (USN-6777-1)

The remote host is missing an update for...

0.0004 EPSS

2024-05-17 12:00 AM
openvas

Huawei EulerOS: Security Advisory for openssl (EulerOS-SA-2024-1695)

The remote host is missing an update for the Huawei...

0.001 EPSS

2024-05-17 12:00 AM
Total number of security vulnerabilities: 643295