Tuesday, July 2, 2024 Security Releases
Summary The Node.js project will release new versions of the 22.x, 20.x, 18.x releases lines on or shortly after, Tuesday, July 2, 2024 in order to address: 1 high severity issues. 2 medium severity issues. 3 low severity issues. Node.js fetch will be upgraded to undici v6.19.2 on Node.js 18.x...
7AI Score
parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string, e.g., https://example.community/ is allowed when the intention is that only https://example.com/ should be allowed, and http://localhost.example.com/ is allowed when the intention is.....
6.9AI Score
EPSS
parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string, e.g., https://example.community/ is allowed when the intention is that only https://example.com/ should be allowed, and http://localhost.example.com/ is allowed when the intention is.....
EPSS
In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length...
EPSS
In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length...
6.9AI Score
EPSS
R74n Sandboxels 1.9 through 1.9.5 allows XSS via a message in a modified saved-game...
5.9AI Score
EPSS
R74n Sandboxels 1.9 through 1.9.5 allows XSS via a message in a modified saved-game...
EPSS
dd-trace-cpp is the Datadog distributed tracing for C++. When the library fails to extract trace context due to malformed unicode, it logs the list of audited headers and their values using the nlohmann JSON library. However, due to the way the JSON library is invoked, it throws an uncaught...
7.5CVSS
7.5AI Score
EPSS
dd-trace-cpp is the Datadog distributed tracing for C++. When the library fails to extract trace context due to malformed unicode, it logs the list of audited headers and their values using the nlohmann JSON library. However, due to the way the JSON library is invoked, it throws an uncaught...
7.5CVSS
EPSS
BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker may be able to exploit the overly elevated file permissions in the /usr/local/bigbluebutton/core/vendor/bundle/ruby/2.7.0/gems/resque-2.6.0 directory with the goal of privilege...
3.7CVSS
4.1AI Score
EPSS
BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker with a valid join link to a meeting can trick BigBlueButton into generating a signed join link with additional parameters. One of those parameters may be "role=moderator", allowing an.....
4.6CVSS
EPSS
BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker may be able to exploit the overly elevated file permissions in the /usr/local/bigbluebutton/core/vendor/bundle/ruby/2.7.0/gems/resque-2.6.0 directory with the goal of privilege...
3.7CVSS
EPSS
BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker with a valid join link to a meeting can trick BigBlueButton into generating a signed join link with additional parameters. One of those parameters may be "role=moderator", allowing an.....
4.6CVSS
4.7AI Score
EPSS
Kavita is a cross platform reading server. Opening an ebook with malicious scripts inside leads to code execution inside the browsing context. Kavita doesn't sanitize or sandbox the contents of epubs, allowing scripts inside ebooks to execute. This vulnerability was patched in version...
3.5CVSS
EPSS
Kavita is a cross platform reading server. Opening an ebook with malicious scripts inside leads to code execution inside the browsing context. Kavita doesn't sanitize or sandbox the contents of epubs, allowing scripts inside ebooks to execute. This vulnerability was patched in version...
3.5CVSS
4.4AI Score
EPSS
CVE-2024-38525 dd-trace-cpp malformed unicode header values may cause crash
dd-trace-cpp is the Datadog distributed tracing for C++. When the library fails to extract trace context due to malformed unicode, it logs the list of audited headers and their values using the nlohmann JSON library. However, due to the way the JSON library is invoked, it throws an uncaught...
7.5CVSS
EPSS
GHSA-2C7C-3MJ9-8FQH vulnerabilities
Vulnerabilities for packages: vault, istio-pilot-discovery, kots, sops, cloudflared, kyverno, slsa-verifier, oauth2-proxy, argo-workflows, cosign, tekton-pipelines, flux-source-controller, aactl, external-secrets-operator, argo-cd, tkn, fulcio, tekton-chains, spire-server, terragrunt, vexctl,...
7.5AI Score
GHSA-JQ35-85CJ-FJ4P vulnerabilities
Vulnerabilities for packages: skaffold, prometheus, k3d, ctop, slsa-verifier, k3s, bom, paranoia, goreleaser, tekton-pipelines, aactl, kpt, up, tekton-chains, scorecard, cert-manager, kubescape, loki, chartmuseum,...
7.5AI Score
GHSA-7WW5-4WQC-M92C vulnerabilities
Vulnerabilities for packages: neuvector-agent, trivy, skaffold, cilium-cli, kots, k3d, kaniko, newrelic-infrastructure-agent, helm, ctop, telegraf, tekton-pipelines, flux-source-controller, eksctl, up, gitness, grype, kubevela, cert-manager, kubescape, helm-push, zot, flux-helm-controller,...
7.5AI Score
CVE-2024-25620 vulnerabilities
Vulnerabilities for packages: helm-operator, flux-source-controller, kots, k8sgpt, trivy, zarf, k9s, cert-manager, eksctl, helm-push, chartmuseum, kubescape, flux-helm-controller, up, zot, cilium-cli,...
6.4CVSS
6.7AI Score
0.0004EPSS
GHSA-R53H-JV2G-VPX6 vulnerabilities
Vulnerabilities for packages: helm-operator, flux-source-controller, kots, k8sgpt, trivy, zarf, k9s, cert-manager, eksctl, helm-push, chartmuseum, kubescape, flux-helm-controller, up, zot, cilium-cli,...
7.5AI Score
GHSA-VVPX-J8F3-3W6H vulnerabilities
Vulnerabilities for packages: k3d, dynamic-localpv-provisioner, hey, wireguard-go, go, restic, falco, grpcurl,...
7.5AI Score
CVE-2023-45289 vulnerabilities
Vulnerabilities for packages: aws-flb-firehose, configmap-reload, nuclei, k8sgpt, dagger, flannel-cni-plugin, secrets-store-csi-driver-provider-gcp, velero, temporal-ui-server, kaf, wireguard-go, wazero, k8ssandra-operator, aws-ebs-csi-driver, nri-discovery-kubernetes, nri-couchbase,...
7.8AI Score
0.0004EPSS
GHSA-8R3F-844C-MC37 vulnerabilities
Vulnerabilities for packages: configmap-reload, nuclei, k8sgpt, dagger, secrets-store-csi-driver-provider-gcp, velero, temporal-ui-server, kaf, k8ssandra-operator, aws-ebs-csi-driver, nri-discovery-kubernetes, guac, capslock, kaniko, sops, temporal, filebeat, kubernetes-dns-node-cache,...
7.5AI Score
CVE-2024-21626 vulnerabilities
Vulnerabilities for packages: kubernetes, trivy, skopeo, skaffold, ingress-nginx-controller, kots, k3d, kaniko, newrelic-infrastructure-agent, wolfictl, ctop, telegraf, k3s, nvidia-device-plugin, cadvisor, syft, runc, buildkitd, grype, zarf, nerdctl, docker, k9s, kubescape, zot,...
8.6CVSS
9.2AI Score
0.051EPSS
Vulnerabilities for packages: nuclei, step-ca, skopeo, flux-image-automation-controller, ksops, gitlab-shell, consul, gitlab-kas, prometheus, timestamp-authority, crossplane-provider-azure, guac, policy-controller, rook, k3d, flux-notification-controller, pulumi-kubernetes-operator, sops, kyverno,....
6CVSS
6AI Score
0.0004EPSS
CVE-2023-44487 vulnerabilities
Vulnerabilities for packages: secrets-store-csi-driver-provider-gcp, kaf, wireguard-go, git-lfs, oauth2-proxy, grpcurl, spark-operator, pulumi-language-java, flux-source-controller, kubeflow-katib, dotnet, weaviate, atlantis, gitlab-runner, kind, buildkitd, keda, cert-manager,...
7.5CVSS
9AI Score
0.732EPSS
CVE-2022-41723 vulnerabilities
Vulnerabilities for packages: k3d, dynamic-localpv-provisioner, hey, wireguard-go, go, restic, falco, grpcurl,...
7.5CVSS
8.4AI Score
0.024EPSS
CVE-2024-24557 vulnerabilities
Vulnerabilities for packages: trivy, k8sgpt, dagger, skopeo, skaffold, cri-tools, timoni, prometheus, istio-pilot-discovery, guac, policy-controller, docker-credential-gcr, kots, newrelic-infrastructure-agent, kyverno, flux-image-reflector-controller, filebeat, helm, ctop, slsa-verifier, telegraf,....
7.8CVSS
7.5AI Score
0.001EPSS
CVE-2023-45288 vulnerabilities
Vulnerabilities for packages: configmap-reload, nuclei, k8sgpt, k8ssandra-operator, nri-cassandra, http-echo, gobump, tigera-operator, aws-network-policy-agent, aws-load-balancer-controller, grpcurl, protoc-gen-go, postgres-operator, neuvector-sigstore-interface, flannel, velero-plugin-for-csi,...
6.8AI Score
0.0004EPSS
CVE-2024-24787 vulnerabilities
Vulnerabilities for packages: configmap-reload, k8sgpt, secrets-store-csi-driver-provider-gcp, kaf, ksops, wireguard-go, go, neuvector-scanner, aws-ebs-csi-driver, guac, http-echo, capslock, git-lfs, grafana-rollout-operator, gobump, sops, kubernetes-dns-node-cache, kubeadm-bootstrap-controller,...
6.5AI Score
0.0004EPSS
GHSA-5FQ7-4MXC-535H vulnerabilities
Vulnerabilities for packages: configmap-reload, k8sgpt, secrets-store-csi-driver-provider-gcp, kaf, ksops, wireguard-go, go, neuvector-scanner, aws-ebs-csi-driver, guac, http-echo, capslock, git-lfs, grafana-rollout-operator, gobump, sops, kubernetes-dns-node-cache, kubeadm-bootstrap-controller,...
7.5AI Score
CVE-2024-24789 vulnerabilities
Vulnerabilities for packages: configmap-reload, k8sgpt, dagger, k8ssandra-operator, nri-cassandra, http-echo, gobump, aws-load-balancer-controller, grpcurl, logstash, protoc-gen-go, postgres-operator, neuvector-sigstore-interface, flannel, velero-plugin-for-csi, speedtest-go,...
5.5CVSS
6.1AI Score
0.0004EPSS
GHSA-V6V8-XJ6M-XWQH vulnerabilities
Vulnerabilities for packages: nuclei, step-ca, skopeo, flux-image-automation-controller, ksops, gitlab-shell, consul, gitlab-kas, prometheus, timestamp-authority, crossplane-provider-azure, guac, policy-controller, rook, k3d, flux-notification-controller, pulumi-kubernetes-operator, sops, kyverno,....
7.5AI Score
Vulnerabilities for packages: k8sgpt, secrets-store-csi-driver-provider-gcp, kaf, wireguard-go, aws-ebs-csi-driver, git-lfs, apko, oauth2-proxy, aws-load-balancer-controller, grpcurl, spark-operator, pulumi-language-java, flux-source-controller, kubeflow-katib, prometheus-mongodb-exporter,...
6.1CVSS
7.3AI Score
0.001EPSS
CVE-2023-48795 vulnerabilities
Vulnerabilities for packages: libssh2, temporal-ui-server, kaf, wireguard-go, temporal, git-lfs, sops, apko, tigera-operator, oauth2-proxy, istio-pilot-agent, istio-cni, docker-credential-acr-env, argo-workflows, grpc-health-probe, spark-operator, kube-rbac-proxy, flux-source-controller,...
5.9CVSS
7.1AI Score
0.963EPSS
CVE-2024-24786 vulnerabilities
Vulnerabilities for packages: configmap-reload, nuclei, k8sgpt, dagger, secrets-store-csi-driver-provider-gcp, velero, temporal-ui-server, kaf, k8ssandra-operator, aws-ebs-csi-driver, nri-discovery-kubernetes, guac, capslock, kaniko, sops, temporal, filebeat, kubernetes-dns-node-cache,...
6.6AI Score
0.0004EPSS
CVE-2024-24784 vulnerabilities
Vulnerabilities for packages: aws-flb-firehose, configmap-reload, nuclei, k8sgpt, dagger, flannel-cni-plugin, secrets-store-csi-driver-provider-gcp, velero, temporal-ui-server, kaf, wireguard-go, wazero, k8ssandra-operator, aws-ebs-csi-driver, nri-discovery-kubernetes, nri-couchbase,...
7.8AI Score
0.0004EPSS
GHSA-RR6R-CFGF-GC6H vulnerabilities
Vulnerabilities for packages: aws-flb-firehose, configmap-reload, nuclei, k8sgpt, dagger, flannel-cni-plugin, secrets-store-csi-driver-provider-gcp, velero, temporal-ui-server, kaf, wireguard-go, wazero, k8ssandra-operator, aws-ebs-csi-driver, nri-discovery-kubernetes, nri-couchbase,...
7.5AI Score
GHSA-M5VV-6R4H-3VJ9 vulnerabilities
Vulnerabilities for packages: boring-registry, sqlpad, trivy, nuclei, k8sgpt, rclone, step-ca, velero, ksops, harbor-registry, prometheus, timestamp-authority, guac, policy-controller, tempo, rook, cortex, sops, teleport, fluent-bit-plugin-loki, flux-image-reflector-controller, filebeat, kyverno,.....
7.5AI Score
GHSA-RCJV-MGP8-QVMR vulnerabilities
Vulnerabilities for packages: calico, kubernetes, prometheus-adapter, ipfs, keda, kubevela, cert-manager, up, gitlab-kas, thanos, prometheus, k3s, caddy,...
7.5AI Score
CVE-2023-45285 vulnerabilities
Vulnerabilities for packages: aws-flb-firehose, oras, configmap-reload, nsc, vertical-pod-autoscaler, flannel-cni-plugin, prometheus-stackdriver-exporter, sbom-scorecard, influx, dgraph, protoc-gen-go-grpc, nri-discovery-kubernetes, kubernetes-dashboard-metrics-scraper, hey, go-bindata,...
7.5CVSS
7.9AI Score
0.001EPSS
CVE-2023-45142 vulnerabilities
Vulnerabilities for packages: calico, kubernetes, prometheus-adapter, ipfs, keda, kubevela, cert-manager, up, gitlab-kas, thanos, prometheus, k3s, caddy,...
7.5CVSS
7.9AI Score
0.001EPSS
CVE-2024-35255 vulnerabilities
Vulnerabilities for packages: boring-registry, sqlpad, trivy, nuclei, k8sgpt, rclone, step-ca, velero, ksops, harbor-registry, prometheus, timestamp-authority, guac, policy-controller, tempo, rook, cortex, sops, teleport, fluent-bit-plugin-loki, flux-image-reflector-controller, filebeat, kyverno,.....
5.5CVSS
6AI Score
0.0004EPSS
GHSA-3Q2C-PVP5-3CQP vulnerabilities
Vulnerabilities for packages: aws-flb-firehose, configmap-reload, nuclei, k8sgpt, dagger, flannel-cni-plugin, secrets-store-csi-driver-provider-gcp, velero, temporal-ui-server, kaf, wireguard-go, wazero, k8ssandra-operator, aws-ebs-csi-driver, nri-discovery-kubernetes, nri-couchbase,...
7.5AI Score
GHSA-J6M3-GC37-6R6Q vulnerabilities
Vulnerabilities for packages: aws-flb-firehose, configmap-reload, nuclei, k8sgpt, dagger, flannel-cni-plugin, secrets-store-csi-driver-provider-gcp, velero, temporal-ui-server, kaf, wireguard-go, wazero, k8ssandra-operator, aws-ebs-csi-driver, nri-discovery-kubernetes, nri-couchbase,...
7.5AI Score
GHSA-FGQ5-Q76C-GX78 vulnerabilities
Vulnerabilities for packages: aws-flb-firehose, configmap-reload, nuclei, k8sgpt, dagger, flannel-cni-plugin, secrets-store-csi-driver-provider-gcp, velero, temporal-ui-server, kaf, wireguard-go, wazero, k8ssandra-operator, aws-ebs-csi-driver, nri-discovery-kubernetes, nri-couchbase,...
7.5AI Score
CVE-2023-44487 affecting package cert-manager for versions less than 1.11.2-5
CVE-2023-44487 affecting package cert-manager for versions less than 1.11.2-5. A patched version of the package is...
7.5CVSS
7.8AI Score
0.732EPSS
GHSA-2JWV-JMQ4-4J3R vulnerabilities
Vulnerabilities for packages: configmap-reload, k8sgpt, secrets-store-csi-driver-provider-gcp, kaf, ksops, wireguard-go, go, neuvector-scanner, aws-ebs-csi-driver, guac, http-echo, capslock, git-lfs, grafana-rollout-operator, gobump, sops, kubernetes-dns-node-cache, kubeadm-bootstrap-controller,...
7.5AI Score
GHSA-4V7X-PQXF-CX7M vulnerabilities
Vulnerabilities for packages: configmap-reload, nuclei, k8sgpt, k8ssandra-operator, nri-cassandra, http-echo, gobump, tigera-operator, aws-network-policy-agent, aws-load-balancer-controller, grpcurl, protoc-gen-go, postgres-operator, neuvector-sigstore-interface, flannel, velero-plugin-for-csi,...
7.5AI Score