
MiniOrange's Google Authenticator Security Vulnerabilities

[cgr] GHSA-8R3F-844C-MC37 vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, policy-controller, envoy-ratelimit-fips, nvidia-device-plugin, volume-modifier-for-k8s-fips, prometheus-statsd-exporter-fips, kubernetes-csi-external-provisioner, kaniko, jaeger-agent, cortex, eks-distro-kubernetes-csi-external-provisioner,...
AI Score: 7.3 | 2024-05-18 09:07 AM | 99

[cgr] CVE-2023-45290 vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, envoy-ratelimit-fips, nvidia-device-plugin, volume-modifier-for-k8s-fips, prometheus-statsd-exporter-fips, kubernetes-csi-external-provisioner, cortex, eks-distro-kubernetes-csi-external-provisioner, q, crossplane-provider-azure,...
AI Score: 6.2 | EPSS: 0.0004 | 2024-05-18 09:07 AM | 79

[cgr] GHSA-3Q2C-PVP5-3CQP vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, envoy-ratelimit-fips, nvidia-device-plugin, volume-modifier-for-k8s-fips, prometheus-statsd-exporter-fips, kubernetes-csi-external-provisioner, cortex, eks-distro-kubernetes-csi-external-provisioner, q, crossplane-provider-azure,...
AI Score: 7.3 | 2024-05-18 09:07 AM | 72

[cgr] CVE-2024-24785 vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, envoy-ratelimit-fips, nvidia-device-plugin, volume-modifier-for-k8s-fips, prometheus-statsd-exporter-fips, kubernetes-csi-external-provisioner, cortex, eks-distro-kubernetes-csi-external-provisioner, q, crossplane-provider-azure,...
AI Score: 6.2 | EPSS: 0.0004 | 2024-05-18 09:07 AM | 65

[cgr] CVE-2023-39325 vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, hey, istio-pilot-agent, nvidia-device-plugin, secrets-store-csi-driver, chartmuseum, volume-modifier-for-k8s-fips, mc, prometheus-statsd-exporter, py3-seldon-core, prometheus-postgres-exporter, dynamic-localpv-provisioner,...
AI Score: 8 | EPSS: 0.002 | 2024-05-18 09:07 AM | 2808

[cgr] CVE-2024-24787 vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, policy-controller, nvidia-device-plugin, volume-modifier-for-k8s-fips, harbor-fips, cert-manager-webhook-pdns-fips, prometheus-statsd-exporter-fips, kubernetes-csi-external-provisioner, jaeger-agent, opentelemetry-collector-contrib-fips,...
AI Score: 6.3 | EPSS: 0.0004 | 2024-05-18 09:07 AM | 11

[cgr] GHSA-32CH-6X54-Q4H9 vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, envoy-ratelimit-fips, nvidia-device-plugin, volume-modifier-for-k8s-fips, prometheus-statsd-exporter-fips, kubernetes-csi-external-provisioner, cortex, eks-distro-kubernetes-csi-external-provisioner, q, crossplane-provider-azure,...
AI Score: 7.3 | 2024-05-18 09:07 AM | 19

[cgr] CVE-2023-45288 vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, policy-controller, envoy-ratelimit-fips, nvidia-device-plugin, volume-modifier-for-k8s-fips, harbor-fips, cert-manager-webhook-pdns-fips, prometheus-statsd-exporter-fips, kubernetes-csi-external-provisioner, kaniko, jaeger-agent,...
AI Score: 6.5 | EPSS: 0.0004 | 2024-05-18 09:07 AM | 94

[cgr] CVE-2024-24786 vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, policy-controller, envoy-ratelimit-fips, nvidia-device-plugin, volume-modifier-for-k8s-fips, prometheus-statsd-exporter-fips, kubernetes-csi-external-provisioner, kaniko, jaeger-agent, cortex, eks-distro-kubernetes-csi-external-provisioner,...
AI Score: 6.2 | EPSS: 0.0004 | 2024-05-18 09:07 AM | 36

[cgr] CVE-2023-45289 vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, envoy-ratelimit-fips, nvidia-device-plugin, volume-modifier-for-k8s-fips, prometheus-statsd-exporter-fips, kubernetes-csi-external-provisioner, cortex, eks-distro-kubernetes-csi-external-provisioner, q, crossplane-provider-azure,...
AI Score: 6.2 | EPSS: 0.0004 | 2024-05-18 09:07 AM | 25

[cgr] CVE-2024-24783 vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, envoy-ratelimit-fips, nvidia-device-plugin, volume-modifier-for-k8s-fips, prometheus-statsd-exporter-fips, kubernetes-csi-external-provisioner, cortex, eks-distro-kubernetes-csi-external-provisioner, q, crossplane-provider-azure,...
AI Score: 6.1 | EPSS: 0.0004 | 2024-05-18 09:07 AM | 17

[cgr] GHSA-5FQ7-4MXC-535H vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, policy-controller, nvidia-device-plugin, volume-modifier-for-k8s-fips, harbor-fips, cert-manager-webhook-pdns-fips, prometheus-statsd-exporter-fips, kubernetes-csi-external-provisioner, jaeger-agent, opentelemetry-collector-contrib-fips,...
AI Score: 7.3 | 2024-05-18 09:07 AM

[cgr] GHSA-4V7X-PQXF-CX7M vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, policy-controller, envoy-ratelimit-fips, nvidia-device-plugin, volume-modifier-for-k8s-fips, harbor-fips, cert-manager-webhook-pdns-fips, prometheus-statsd-exporter-fips, kubernetes-csi-external-provisioner, kaniko, jaeger-agent,...
AI Score: 7.3 | 2024-05-18 09:07 AM | 11

[cgr] GHSA-RR6R-CFGF-GC6H vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, envoy-ratelimit-fips, nvidia-device-plugin, volume-modifier-for-k8s-fips, prometheus-statsd-exporter-fips, kubernetes-csi-external-provisioner, cortex, eks-distro-kubernetes-csi-external-provisioner, q, crossplane-provider-azure,...
AI Score: 7.3 | 2024-05-18 09:07 AM | 7

[cgr] CVE-2024-24784 vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, envoy-ratelimit-fips, nvidia-device-plugin, volume-modifier-for-k8s-fips, prometheus-statsd-exporter-fips, kubernetes-csi-external-provisioner, cortex, eks-distro-kubernetes-csi-external-provisioner, q, crossplane-provider-azure,...
AI Score: 6.2 | EPSS: 0.0004 | 2024-05-18 09:07 AM | 11

[cgr] GHSA-J6M3-GC37-6R6Q vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, envoy-ratelimit-fips, nvidia-device-plugin, volume-modifier-for-k8s-fips, prometheus-statsd-exporter-fips, kubernetes-csi-external-provisioner, cortex, eks-distro-kubernetes-csi-external-provisioner, q, crossplane-provider-azure,...
AI Score: 7.3 | 2024-05-18 09:07 AM | 12

[cgr] CVE-2024-24788 vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, policy-controller, nvidia-device-plugin, harbor-fips, cert-manager-webhook-pdns-fips, prometheus-statsd-exporter-fips, kubernetes-csi-external-provisioner, jaeger-agent, opentelemetry-collector-contrib-fips, cortex, multus-cni-fips,...
AI Score: 6.3 | EPSS: 0.0004 | 2024-05-18 09:07 AM

[cgr] GHSA-2JWV-JMQ4-4J3R vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, policy-controller, nvidia-device-plugin, harbor-fips, cert-manager-webhook-pdns-fips, prometheus-statsd-exporter-fips, kubernetes-csi-external-provisioner, jaeger-agent, opentelemetry-collector-contrib-fips, cortex, multus-cni-fips,...
AI Score: 7.3 | 2024-05-18 09:07 AM | 1

[cgr] GHSA-4374-P667-P6C8 vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, hey, istio-pilot-agent, nvidia-device-plugin, secrets-store-csi-driver, chartmuseum, volume-modifier-for-k8s-fips, mc, prometheus-statsd-exporter, py3-seldon-core, prometheus-postgres-exporter, dynamic-localpv-provisioner,...
AI Score: 7.3 | 2024-05-18 09:07 AM | 40

[cgr] GHSA-45X7-PX36-X8W8 vulnerabilities
Vulnerabilities for packages: grpc-health-probe, istio-pilot-agent, secrets-store-csi-driver-provider-azure, secrets-store-csi-driver, scorecard, prometheus-statsd-exporter, libssh, py3-seldon-core, prometheus-postgres-exporter, dynamic-localpv-provisioner, flux-kustomize-controller-2.0,...
AI Score: 7.3 | 2024-05-18 09:07 AM | 25

[cgr] CVE-2023-48795 vulnerabilities
Vulnerabilities for packages: grpc-health-probe, istio-pilot-agent, secrets-store-csi-driver-provider-azure, secrets-store-csi-driver, scorecard, prometheus-statsd-exporter, libssh, py3-seldon-core, prometheus-postgres-exporter, dynamic-localpv-provisioner, flux-kustomize-controller-2.0,...
AI Score: 6.7 | EPSS: 0.962 | 2024-05-18 09:07 AM | 117

[cgr] CVE-2023-3978 vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, hey, nvidia-device-plugin, secrets-store-csi-driver, chartmuseum, volume-modifier-for-k8s-fips, mc, prometheus-statsd-exporter, py3-seldon-core, prometheus-postgres-exporter, dynamic-localpv-provisioner, prometheus-statsd-exporter-fips,...
AI Score: 6.3 | EPSS: 0.001 | 2024-05-18 09:07 AM | 20

[cgr] GHSA-FGQ5-Q76C-GX78 vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, envoy-ratelimit-fips, nvidia-device-plugin, volume-modifier-for-k8s-fips, prometheus-statsd-exporter-fips, kubernetes-csi-external-provisioner, cortex, eks-distro-kubernetes-csi-external-provisioner, q, crossplane-provider-azure,...
AI Score: 7.3 | 2024-05-18 09:07 AM | 9

[cgr] GHSA-2WRH-6PVC-2JM9 vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, hey, nvidia-device-plugin, secrets-store-csi-driver, chartmuseum, volume-modifier-for-k8s-fips, mc, prometheus-statsd-exporter, py3-seldon-core, prometheus-postgres-exporter, dynamic-localpv-provisioner, prometheus-statsd-exporter-fips,...
AI Score: 7.3 | 2024-05-18 09:07 AM | 16

[cgr] GHSA-9763-4F94-GFCH vulnerabilities
Vulnerabilities for packages: pulumi-language-dotnet, policy-controller, flux-source-controller, gitsign, rclone, scorecard, slsa-verifier, keda, boring-registry, kubevela, skaffold, apko, grafana, actions-runner-controller, flux-kustomize-controller-2.0, kaniko, vault,...
AI Score: 7.3 | 2024-05-18 09:07 AM | 66

[wolfi] GHSA-8R3F-844C-MC37 vulnerabilities
Vulnerabilities for packages: prometheus-mongodb-exporter, prometheus-operator, cert-exporter, restic, scorecard, envoy-ratelimit, kubeflow-pipelines, conftest, hugo, loki, cloudflared, kaf, secrets-store-csi-driver-provider-aws, trust-manager, cluster-proportional-autoscaler, supercronic,...
AI Score: 7.5 | 2024-05-18 09:07 AM | 109

[wolfi] CVE-2023-45288 vulnerabilities
Vulnerabilities for packages: prometheus-mongodb-exporter, esbuild, secrets-store-csi-driver-provider-aws, trust-manager, tctl, docker-credential-acr-env, doppler-kubernetes-operator, ollama, wazero, consul, kuberay-operator, node-problem-detector, opentelemetry-collector-contrib,...
AI Score: 6.9 | EPSS: 0.0004 | 2024-05-18 09:07 AM | 36

[wolfi] CVE-2024-24786 vulnerabilities
Vulnerabilities for packages: prometheus-mongodb-exporter, prometheus-operator, cert-exporter, restic, scorecard, envoy-ratelimit, kubeflow-pipelines, conftest, hugo, loki, cloudflared, kaf, secrets-store-csi-driver-provider-aws, trust-manager, cluster-proportional-autoscaler, supercronic,...
AI Score: 6.6 | EPSS: 0.0004 | 2024-05-18 09:07 AM | 17

[wolfi] GHSA-4V7X-PQXF-CX7M vulnerabilities
Vulnerabilities for packages: prometheus-mongodb-exporter, esbuild, secrets-store-csi-driver-provider-aws, trust-manager, tctl, docker-credential-acr-env, doppler-kubernetes-operator, ollama, wazero, consul, kuberay-operator, node-problem-detector, opentelemetry-collector-contrib,...
AI Score: 7.5 | 2024-05-18 09:07 AM | 13

[wolfi] GHSA-9763-4F94-GFCH vulnerabilities
Vulnerabilities for packages: crossplane, rclone, grafana, boring-registry, scorecard, kaniko, skaffold, pulumi-language-yaml, keda, wolfictl, slsa-verifier, aactl, sops, flux, apko, pulumi-language-java, melange, zarf, falco, gitsign, argo-cd, kubescape, kubevela, zot, policy-controller,...
AI Score: 7.5 | 2024-05-18 09:07 AM | 37

[cve] CVE-2024-4264
A remote code execution (RCE) vulnerability exists in the berriai/litellm project due to improper control of the generation of code when using the eval function unsafely in the litellm.get_secret() method. Specifically, when the server utilizes Google KMS, untrusted data is passed to the eval...
CVSS: 9.8 | EPSS: 0.0004 | 2024-05-18 12:15 AM | 4

[cvelist] CVE-2024-4264 Remote Code Execution in berriai/litellm
A remote code execution (RCE) vulnerability exists in the berriai/litellm project due to improper control of the generation of code when using the eval function unsafely in the litellm.get_secret() method. Specifically, when the server utilizes Google KMS, untrusted data is passed to the eval...
EPSS: 0.0004 | 2024-05-18 12:00 AM | 4

[osv] random_compat Uses insecure CSPRNG
random_compat versions prior to 2.0 are affected by a security vulnerability related to the insecure usage of Cryptographically Secure Pseudo-Random Number Generators (CSPRNG). The affected versions use openssl_random_pseudo_bytes(), which may result in insufficient entropy and compromise the...
2024-05-17 11:27 PM | 1

[osv] onelogin/php-saml signature wrapping attacks
Vulnerability in onelogin/php-saml versions prior to 2.10.0 allows signature wrapping attacks which may result in a malicious user gaining unauthorized access to a...
2024-05-17 11:06 PM | 1

[osv] onelogin/php-saml Improper signature validation on LogoutRequest/LogoutResponse
In order to verify Signatures on LogoutRequests and LogoutResponses we use the verifySignature of the class XMLSecurityKey from the xmlseclibs library. That method ends up calling openssl_verify() depending on the signature algorithm used. The openssl_verify() function returns 1 when the signature...
2024-05-17 11:06 PM | 1

[osv] nzo/url-encryptor-bundle Insecure default secret key and IV allowing anyone to decrypt values
Versions of nzo/url-encryptor-bundle prior to 5.0.1 and 4.3.2 are affected by a security vulnerability related to the lack of mandatory key and IV requirements. By default, the bundle uses the aes-256-ctr algorithm, which is susceptible to malleability attacks, potentially leading to Insecure...
2024-05-17 11:06 PM | 1

[osv] Flow Swift Mailer package Remote code execution
A remote code execution vulnerability has been found in the Swift Mailer library (swiftmailer/swiftmailer) recently. See this advisory for details. If you are not using the default mail() transport, this particular problem does not affect you. Upgrading is of course still...
EPSS: 0.944 | 2024-05-17 11:06 PM | 2

[osv] Cross-site Scripting vulnerabilities in Neos
It has been discovered that Neos is vulnerable to several XSS attacks. Through these vulnerabilities, an attacker could tamper with page rendering, redirect victims to a fake login page, or capture user credentials (such as cookies). With the potential backdoor upload an attacker could gain access...
2024-05-17 11:04 PM | 2

[osv] Privilege Escalation in TYPO3 Neos
It has been discovered that TYPO3 Neos is vulnerable to Privilege Escalation. Logged in editors could access, create and modify content nodes that exist in the workspace of other...
2024-05-17 11:03 PM

[osv] Time-Based Information Disclosure Vulnerability in Flow
The PersistedUsernamePasswordProvider was prone to an information disclosure of account existence based on timing attacks, as the hashing of passwords was only done in case an account was found. We changed the core so that the provider always does a password comparison in case credentials were...
2024-05-17 11:03 PM

[osv] Neos Information Disclosure Security Note
Due to reports it has been validated that internal workspaces in Neos are accessible without authentication. Some users assumed this is a planned feature but it is not. A workspace preview should be an additional feature with respective security measures in place. Note that this only allows...
2024-05-17 10:54 PM

[osv] Neos Flow Information disclosure in entity security
If you had used entity security and wanted to secure entities not just based on the user's role, but on some property of the user (like the company he belongs to), entity security did not work properly together with the Doctrine query cache. This could lead to other users re-using SQL queries from...
2024-05-17 10:54 PM

[osv] Neos Flow Arbitrary file upload and XML External Entity processing
It has been discovered that Flow 3.0.0 allows arbitrary file uploads, including server-side scripts, posing the risk of attacks. If those scripts are executed by the server when accessed through their public URL, anything not blocked through other means is possible (information disclosure,...
2024-05-17 10:54 PM

[osv] Insecure deserialization vulnerability in FLOW3
Due to a missing signature (HMAC) for a request argument, an attacker could unserialize arbitrary objects within FLOW3. To our knowledge it is neither possible to inject code through this vulnerability, nor are there exploitable objects within the FLOW3 Base Distribution. However, there might be...
2024-05-17 10:32 PM

[osv] namshi/jose - Verification bypass
Several widely-used JSON Web Token (JWT) libraries, including node-jsonwebtoken, pyjwt, namshi/jose, php-jwt, and jsjwt, are affected by critical vulnerabilities that could allow attackers to bypass the verification step when using asymmetric keys (RS256, RS384, RS512, ES256, ES384,...
2024-05-17 10:31 PM | 1

[osv] namshi/jose insecure JSON Web Signatures (JWS)
namshi/jose allows the acceptance of insecure JSON Web Signatures (JWS) by default. The vulnerability arises from the $allowUnsecure flag, which, when set to true during the loading of JWSes, permits tokens signed with 'none' algorithms to be processed. This behavior poses a significant security...
2024-05-17 10:31 PM | 1

[githubexploit] Exploit for CVE-2024-29895
CVE-2024-29895 - RCE ON CACTI [!WARNING] This is an...
EPSS: 0.0004 | 2024-05-17 10:03 PM | 21

[redhatcve] CVE-2024-4671
Use after free in Visuals in Google Chrome prior to 124.0.6367.201 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) Mitigation: Red Hat has investigated whether a possible...
EPSS: 0.02 | 2024-05-17 06:42 PM

[osv] CVE-2024-35190
Asterisk is an open source private branch exchange and telephony toolkit. After upgrade to 18.23.0, ALL unauthorized SIP requests are identified as PJSIP Endpoint of local asterisk server. This vulnerability is fixed in 18.23.1, 20.8.1, and...
2024-05-17 05:15 PM

[osv] Submariner Operator sets unnecessary RBAC permissions in helm charts
A flaw was found in the Submariner project. Due to unnecessary role-based access control permissions, a privileged attacker can run a malicious container on a node that may allow them to steal service account tokens and further compromise other nodes and potentially the entire...
2024-05-17 03:31 PM | 1

Total number of security vulnerabilities: 248376