GHSA-8R3F-844C-MC37 vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, policy-controller, envoy-ratelimit-fips, nvidia-device-plugin, volume-modifier-for-k8s-fips, prometheus-statsd-exporter-fips, kubernetes-csi-external-provisioner, kaniko, jaeger-agent, cortex, eks-distro-kubernetes-csi-external-provisioner,...
AI Score: 7.3
CVE-2023-45290 vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, envoy-ratelimit-fips, nvidia-device-plugin, volume-modifier-for-k8s-fips, prometheus-statsd-exporter-fips, kubernetes-csi-external-provisioner, cortex, eks-distro-kubernetes-csi-external-provisioner, q, crossplane-provider-azure,...
AI Score: 6.2
EPSS: 0.0004
GHSA-3Q2C-PVP5-3CQP vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, envoy-ratelimit-fips, nvidia-device-plugin, volume-modifier-for-k8s-fips, prometheus-statsd-exporter-fips, kubernetes-csi-external-provisioner, cortex, eks-distro-kubernetes-csi-external-provisioner, q, crossplane-provider-azure,...
AI Score: 7.3
CVE-2024-24785 vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, envoy-ratelimit-fips, nvidia-device-plugin, volume-modifier-for-k8s-fips, prometheus-statsd-exporter-fips, kubernetes-csi-external-provisioner, cortex, eks-distro-kubernetes-csi-external-provisioner, q, crossplane-provider-azure,...
AI Score: 6.2
EPSS: 0.0004
CVE-2023-39325 vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, hey, istio-pilot-agent, nvidia-device-plugin, secrets-store-csi-driver, chartmuseum, volume-modifier-for-k8s-fips, mc, prometheus-statsd-exporter, py3-seldon-core, prometheus-postgres-exporter, dynamic-localpv-provisioner,...
AI Score: 8
EPSS: 0.002
CVE-2024-24787 vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, policy-controller, nvidia-device-plugin, volume-modifier-for-k8s-fips, harbor-fips, cert-manager-webhook-pdns-fips, prometheus-statsd-exporter-fips, kubernetes-csi-external-provisioner, jaeger-agent, opentelemetry-collector-contrib-fips,...
AI Score: 6.3
EPSS: 0.0004
GHSA-32CH-6X54-Q4H9 vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, envoy-ratelimit-fips, nvidia-device-plugin, volume-modifier-for-k8s-fips, prometheus-statsd-exporter-fips, kubernetes-csi-external-provisioner, cortex, eks-distro-kubernetes-csi-external-provisioner, q, crossplane-provider-azure,...
AI Score: 7.3
CVE-2023-45288 vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, policy-controller, envoy-ratelimit-fips, nvidia-device-plugin, volume-modifier-for-k8s-fips, harbor-fips, cert-manager-webhook-pdns-fips, prometheus-statsd-exporter-fips, kubernetes-csi-external-provisioner, kaniko, jaeger-agent,...
AI Score: 6.5
EPSS: 0.0004
CVE-2024-24786 vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, policy-controller, envoy-ratelimit-fips, nvidia-device-plugin, volume-modifier-for-k8s-fips, prometheus-statsd-exporter-fips, kubernetes-csi-external-provisioner, kaniko, jaeger-agent, cortex, eks-distro-kubernetes-csi-external-provisioner,...
AI Score: 6.2
EPSS: 0.0004
CVE-2023-45289 vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, envoy-ratelimit-fips, nvidia-device-plugin, volume-modifier-for-k8s-fips, prometheus-statsd-exporter-fips, kubernetes-csi-external-provisioner, cortex, eks-distro-kubernetes-csi-external-provisioner, q, crossplane-provider-azure,...
AI Score: 6.2
EPSS: 0.0004
CVE-2024-24783 vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, envoy-ratelimit-fips, nvidia-device-plugin, volume-modifier-for-k8s-fips, prometheus-statsd-exporter-fips, kubernetes-csi-external-provisioner, cortex, eks-distro-kubernetes-csi-external-provisioner, q, crossplane-provider-azure,...
AI Score: 6.1
EPSS: 0.0004
GHSA-5FQ7-4MXC-535H vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, policy-controller, nvidia-device-plugin, volume-modifier-for-k8s-fips, harbor-fips, cert-manager-webhook-pdns-fips, prometheus-statsd-exporter-fips, kubernetes-csi-external-provisioner, jaeger-agent, opentelemetry-collector-contrib-fips,...
AI Score: 7.3
GHSA-4V7X-PQXF-CX7M vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, policy-controller, envoy-ratelimit-fips, nvidia-device-plugin, volume-modifier-for-k8s-fips, harbor-fips, cert-manager-webhook-pdns-fips, prometheus-statsd-exporter-fips, kubernetes-csi-external-provisioner, kaniko, jaeger-agent,...
AI Score: 7.3
GHSA-RR6R-CFGF-GC6H vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, envoy-ratelimit-fips, nvidia-device-plugin, volume-modifier-for-k8s-fips, prometheus-statsd-exporter-fips, kubernetes-csi-external-provisioner, cortex, eks-distro-kubernetes-csi-external-provisioner, q, crossplane-provider-azure,...
AI Score: 7.3
CVE-2024-24784 vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, envoy-ratelimit-fips, nvidia-device-plugin, volume-modifier-for-k8s-fips, prometheus-statsd-exporter-fips, kubernetes-csi-external-provisioner, cortex, eks-distro-kubernetes-csi-external-provisioner, q, crossplane-provider-azure,...
AI Score: 6.2
EPSS: 0.0004
GHSA-J6M3-GC37-6R6Q vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, envoy-ratelimit-fips, nvidia-device-plugin, volume-modifier-for-k8s-fips, prometheus-statsd-exporter-fips, kubernetes-csi-external-provisioner, cortex, eks-distro-kubernetes-csi-external-provisioner, q, crossplane-provider-azure,...
AI Score: 7.3
CVE-2024-24788 vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, policy-controller, nvidia-device-plugin, harbor-fips, cert-manager-webhook-pdns-fips, prometheus-statsd-exporter-fips, kubernetes-csi-external-provisioner, jaeger-agent, opentelemetry-collector-contrib-fips, cortex, multus-cni-fips,...
AI Score: 6.3
EPSS: 0.0004
GHSA-2JWV-JMQ4-4J3R vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, policy-controller, nvidia-device-plugin, harbor-fips, cert-manager-webhook-pdns-fips, prometheus-statsd-exporter-fips, kubernetes-csi-external-provisioner, jaeger-agent, opentelemetry-collector-contrib-fips, cortex, multus-cni-fips,...
AI Score: 7.3
GHSA-4374-P667-P6C8 vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, hey, istio-pilot-agent, nvidia-device-plugin, secrets-store-csi-driver, chartmuseum, volume-modifier-for-k8s-fips, mc, prometheus-statsd-exporter, py3-seldon-core, prometheus-postgres-exporter, dynamic-localpv-provisioner,...
AI Score: 7.3
GHSA-45X7-PX36-X8W8 vulnerabilities
Vulnerabilities for packages: grpc-health-probe, istio-pilot-agent, secrets-store-csi-driver-provider-azure, secrets-store-csi-driver, scorecard, prometheus-statsd-exporter, libssh, py3-seldon-core, prometheus-postgres-exporter, dynamic-localpv-provisioner, flux-kustomize-controller-2.0,...
AI Score: 7.3
CVE-2023-48795 vulnerabilities
Vulnerabilities for packages: grpc-health-probe, istio-pilot-agent, secrets-store-csi-driver-provider-azure, secrets-store-csi-driver, scorecard, prometheus-statsd-exporter, libssh, py3-seldon-core, prometheus-postgres-exporter, dynamic-localpv-provisioner, flux-kustomize-controller-2.0,...
AI Score: 6.7
EPSS: 0.962
Vulnerabilities for packages: vertical-pod-autoscaler, hey, nvidia-device-plugin, secrets-store-csi-driver, chartmuseum, volume-modifier-for-k8s-fips, mc, prometheus-statsd-exporter, py3-seldon-core, prometheus-postgres-exporter, dynamic-localpv-provisioner, prometheus-statsd-exporter-fips,...
AI Score: 6.3
EPSS: 0.001
GHSA-FGQ5-Q76C-GX78 vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, envoy-ratelimit-fips, nvidia-device-plugin, volume-modifier-for-k8s-fips, prometheus-statsd-exporter-fips, kubernetes-csi-external-provisioner, cortex, eks-distro-kubernetes-csi-external-provisioner, q, crossplane-provider-azure,...
AI Score: 7.3
GHSA-2WRH-6PVC-2JM9 vulnerabilities
Vulnerabilities for packages: vertical-pod-autoscaler, hey, nvidia-device-plugin, secrets-store-csi-driver, chartmuseum, volume-modifier-for-k8s-fips, mc, prometheus-statsd-exporter, py3-seldon-core, prometheus-postgres-exporter, dynamic-localpv-provisioner, prometheus-statsd-exporter-fips,...
AI Score: 7.3
GHSA-9763-4F94-GFCH vulnerabilities
Vulnerabilities for packages: pulumi-language-dotnet, policy-controller, flux-source-controller, gitsign, rclone, scorecard, slsa-verifier, keda, boring-registry, kubevela, skaffold, apko, grafana, actions-runner-controller, flux-kustomize-controller-2.0, kaniko, vault,...
AI Score: 7.3
GHSA-8R3F-844C-MC37 vulnerabilities
Vulnerabilities for packages: prometheus-mongodb-exporter, prometheus-operator, cert-exporter, restic, scorecard, envoy-ratelimit, kubeflow-pipelines, conftest, hugo, loki, cloudflared, kaf, secrets-store-csi-driver-provider-aws, trust-manager, cluster-proportional-autoscaler, supercronic,...
AI Score: 7.5
CVE-2023-45288 vulnerabilities
Vulnerabilities for packages: prometheus-mongodb-exporter, esbuild, secrets-store-csi-driver-provider-aws, trust-manager, tctl, docker-credential-acr-env, doppler-kubernetes-operator, ollama, wazero, consul, kuberay-operator, node-problem-detector, opentelemetry-collector-contrib,...
AI Score: 6.9
EPSS: 0.0004
CVE-2024-24786 vulnerabilities
Vulnerabilities for packages: prometheus-mongodb-exporter, prometheus-operator, cert-exporter, restic, scorecard, envoy-ratelimit, kubeflow-pipelines, conftest, hugo, loki, cloudflared, kaf, secrets-store-csi-driver-provider-aws, trust-manager, cluster-proportional-autoscaler, supercronic,...
AI Score: 6.6
EPSS: 0.0004
GHSA-4V7X-PQXF-CX7M vulnerabilities
Vulnerabilities for packages: prometheus-mongodb-exporter, esbuild, secrets-store-csi-driver-provider-aws, trust-manager, tctl, docker-credential-acr-env, doppler-kubernetes-operator, ollama, wazero, consul, kuberay-operator, node-problem-detector, opentelemetry-collector-contrib,...
AI Score: 7.5
GHSA-9763-4F94-GFCH vulnerabilities
Vulnerabilities for packages: crossplane, rclone, grafana, boring-registry, scorecard, kaniko, skaffold, pulumi-language-yaml, keda, wolfictl, slsa-verifier, aactl, sops, flux, apko, pulumi-language-java, melange, zarf, falco, gitsign, argo-cd, kubescape, kubevela, zot, policy-controller,...
AI Score: 7.5
CVE-2024-4264 Remote Code Execution in berriai/litellm
A remote code execution (RCE) vulnerability exists in the berriai/litellm project due to improper control of the generation of code when using the eval function unsafely in the litellm.get_secret() method. Specifically, when the server utilizes Google KMS, untrusted data is passed to the eval...
CVSS: 9.8
EPSS: 0.0004
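The pattern behind the advisory above, as an added illustration (not litellm's own code): a secret-lookup routine that hands the backend's answer to eval(), beside one that only parses the data shapes a secret can legitimately take. FakeKmsClient, get_secret_unsafe, get_secret_safe and the SAMPLE_STORE values are hypothetical; SIDE_EFFECTS records whether a value fetched as "data" actually executed.

```python
"""Secret lookup that eval()s the backend's answer, beside a safe parser.

Added illustration, not litellm's code. FakeKmsClient, get_secret_unsafe and
get_secret_safe are hypothetical names; SAMPLE_STORE holds constructed values.
"""
import ast
import json

SIDE_EFFECTS = []   # filled only if "secret" data gets executed as code


class FakeKmsClient:
    """Stand-in for a KMS / secret-manager client; returns constructed sample values."""

    def __init__(self, store):
        self._store = store

    def decrypt(self, name):
        return self._store[name]


def get_secret_unsafe(client, name):
    # VULNERABLE: eval() on a value that arrived from outside the process.
    # Whoever can write to the secret store, or sit in the path to it,
    # runs arbitrary Python inside the server.
    return eval(client.decrypt(name))


def get_secret_safe(client, name):
    # HARDENED: accept only the shapes a secret can legitimately have.
    raw = client.decrypt(name)
    try:
        return json.loads(raw)            # dict / list / string / number as JSON
    except ValueError:
        pass
    try:
        return ast.literal_eval(raw)      # Python literals only: no names, no calls
    except (ValueError, SyntaxError):
        return raw                        # anything else is an opaque string


SAMPLE_STORE = {                                       # constructed sample values
    "json_secret": '{"api_key": "abc"}',
    "py_literal": "('a', 'b')",
    "payload": "SIDE_EFFECTS.append('ran') or 'ok'",   # a string to the safe parser, code to eval()
}


def demo():
    client = FakeKmsClient(SAMPLE_STORE)
    safe = {name: get_secret_safe(client, name) for name in SAMPLE_STORE}
    unsafe = get_secret_unsafe(client, "payload")
    return safe, unsafe, list(SIDE_EFFECTS)


if __name__ == "__main__":
    print(demo())
```

The safe variant never evaluates expressions: json.loads and ast.literal_eval both reject the attribute access and call in the "payload" value, so it comes back as the plain string it was, while eval() runs it.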
random_compat Uses insecure CSPRNG
random_compat versions prior to 2.0 are affected by a security vulnerability related to the insecure usage of Cryptographically Secure Pseudo-Random Number Generators (CSPRNG). The affected versions use openssl_random_pseudo_bytes(), which may result in insufficient entropy and compromise the...
onelogin/php-saml signature wrapping attacks
Vulnerability in onelogin/php-saml versions prior to 2.10.0 allows signature wrapping attacks, which may result in a malicious user gaining unauthorized access to a...
onelogin/php-saml Improper signature validation on LogoutRequest/LogoutResponse.
In order to verify signatures on LogoutRequests and LogoutResponses, we use the verifySignature method of the XMLSecurityKey class from the xmlseclibs library. That method ends up calling openssl_verify(), depending on the signature algorithm used. The openssl_verify() function returns 1 when the signature...
nzo/url-encryptor-bundle Insecure default secret key and IV allowing anyone to decrypt values
Versions of nzo/url-encryptor-bundle prior to 5.0.1 and 4.3.2 are affected by a security vulnerability related to the lack of mandatory key and IV requirements. By default, the bundle uses the aes-256-ctr algorithm, which is susceptible to malleability attacks, potentially leading to Insecure...
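The malleability half of the advisory above, as an added illustration (not the bundle's own code): in CTR mode ciphertext is plaintext XOR keystream, so anyone who knows or guesses what sits at a given offset can flip it to something else without the key, and only an authentication tag over the ciphertext stops that. The keystream here is a SHA-256-based stand-in for AES-CTR (the standard library has no AES) with exactly that XOR property; ctr_crypt, flip, seal, open_sealed, KEY and IV are hypothetical, constructed values.

```python
"""Bit-flipping an unauthenticated CTR ciphertext, then the encrypt-then-MAC fix.

Added illustration, not nzo/url-encryptor-bundle's code. The keystream is a
SHA-256 stand-in for AES-CTR; KEY and IV are constructed demo values.
"""
import hashlib
import hmac

KEY = b"constructed-demo-key-of-32-bytes"
IV = b"constructed-iv16"


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    # Counter-mode keystream: block i = PRF(key, iv, i). AES-CTR works the same way.
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + block.to_bytes(8, "big")).digest()
        block += 1
    return out[:length]


def ctr_crypt(data: bytes, key: bytes = KEY, iv: bytes = IV) -> bytes:
    """Encrypt and decrypt are the same XOR in CTR mode."""
    return _xor(data, _keystream(key, iv, len(data)))


def flip(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Attacker's step: no key needed, only the plaintext believed to sit at offset."""
    delta = _xor(known, wanted)
    return (ciphertext[:offset]
            + _xor(ciphertext[offset:offset + len(delta)], delta)
            + ciphertext[offset + len(delta):])


def _mac_key(key: bytes) -> bytes:
    # Separate MAC key derived from the encryption key, so the two uses don't share it.
    return hashlib.sha256(b"mac|" + key).digest()


def seal(data: bytes, key: bytes = KEY, iv: bytes = IV) -> bytes:
    """Encrypt-then-MAC: the tag covers iv and ciphertext, so flipped bits invalidate it."""
    ct = ctr_crypt(data, key, iv)
    return ct + hmac.new(_mac_key(key), iv + ct, hashlib.sha256).digest()


def open_sealed(blob: bytes, key: bytes = KEY, iv: bytes = IV) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(_mac_key(key), iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext tampered")
    return ctr_crypt(ct, key, iv)
```

The other half of the advisory, a default key and IV shipped with the bundle, needs no code: with a known key the attacker simply decrypts and re-encrypts. Making the key mandatory fixes that; the tag fixes malleability. A deployment needs both.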
Flow Swift Mailer package Remote code execution
A remote code execution vulnerability has been found in the Swift Mailer library (swiftmailer/swiftmailer) recently. See this advisory for details. If you are not using the default mail() transport, this particular problem does not affect you. Upgrading is of course still...
EPSS: 0.944
Cross-site Scripting vulnerabilities in Neos
It has been discovered that Neos is vulnerable to several XSS attacks. Through these vulnerabilities, an attacker could tamper with page rendering, redirect victims to a fake login page, or capture user credentials (such as cookies). With the potential backdoor upload, an attacker could gain access...
Privilege Escalation in TYPO3 Neos
It has been discovered that TYPO3 Neos is vulnerable to Privilege Escalation. Logged in editors could access, create and modify content nodes that exist in the workspace of other...
Time-Based Information Disclosure Vulnerability in Flow
The PersistedUsernamePasswordProvider was prone to an information disclosure of account existence based on timing attacks, as the hashing of passwords was only done in case an account was found. We changed the core so that the provider always does a password comparison in case credentials were...
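The fix described above, as an added illustration (not Flow's PersistedUsernamePasswordProvider): a login check that returns early when the username is unknown, so its response time reveals which accounts exist, beside one that always performs the password hash against a dummy record. Authenticator, login_vulnerable, login_hardened and ITERATIONS are hypothetical; the hash_calls counter stands in for a stopwatch so the difference can be checked deterministically.

```python
"""Login check whose cost depends on whether the account exists, beside one that does not.

Added illustration, not Flow's code. Authenticator and its methods are hypothetical
names; hash_calls counts the expensive operation instead of timing it.
"""
import hashlib
import hmac
import os

ITERATIONS = 20_000   # constructed: low enough to run quickly, high enough to cost time


class Authenticator:
    def __init__(self):
        self.accounts = {}            # username -> (salt, pbkdf2 hash)
        self.hash_calls = 0
        # A dummy credential hashed once at startup. The hardened path hashes
        # against it when the username is unknown, so both paths do the same work.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = self._hash("dummy-password", self._dummy_salt)
        self.hash_calls = 0

    def _hash(self, password: str, salt: bytes) -> bytes:
        self.hash_calls += 1          # every call here is measurable latency
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def add_account(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = (salt, self._hash(password, salt))

    def login_vulnerable(self, username: str, password: str) -> bool:
        record = self.accounts.get(username)
        if record is None:
            return False              # no hashing: unknown usernames answer faster
        salt, stored = record
        return hmac.compare_digest(self._hash(password, salt), stored)

    def login_hardened(self, username: str, password: str) -> bool:
        record = self.accounts.get(username)
        exists = record is not None
        salt, stored = record if exists else (self._dummy_salt, self._dummy_hash)
        matches = hmac.compare_digest(self._hash(password, salt), stored)
        return matches and exists     # same hashing work whether or not the account exists
```

The dummy hash is computed with the same parameters as real records, so the expensive step costs the same on both branches; the cheap dictionary lookup and boolean logic that remain are not distinguishable over a network.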
Neos Information Disclosure Security Note
Due to reports it has been validated that internal workspaces in Neos are accessible without authentication. Some users assumed this is a planned feature but it is not. A workspace preview should be an additional feature with respective security measures in place. Note that this only allows...
Neos Flow Information disclosure in entity security
If you had used entity security and wanted to secure entities not just based on the user's role, but on some property of the user (like the company he belongs to), entity security did not work properly together with the doctrine query cache. This could lead to other users re-using SQL queries from...
Neos Flow Arbitrary file upload and XML External Entity processing
It has been discovered that Flow 3.0.0 allows arbitrary file uploads, including server-side scripts, posing the risk of attacks. If those scripts are executed by the server when accessed through their public URL, anything not blocked through other means is possible (information disclosure,...
Insecure deserialization vulnerability in FLOW3
Due to a missing signature (HMAC) for a request argument, an attacker could unserialize arbitrary objects within FLOW3. To our knowledge it is neither possible to inject code through this vulnerability, nor are there exploitable objects within the FLOW3 Base Distribution. However, there might be...
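The missing control named above, as an added illustration (not FLOW3's code): a serialized request argument accepted as-is, beside one that carries an HMAC which is verified before anything is deserialized. pickle stands in for PHP's serialize/unserialize; encode_argument, decode_unsigned, decode_signed and KEY are hypothetical, and KEY is a constructed demo value where a real deployment would use a per-installation secret.

```python
"""A serialized request argument with and without an HMAC over it.

Added illustration, not FLOW3's code. pickle stands in for PHP serialize();
the function names and KEY are hypothetical, constructed values.
"""
import hashlib
import hmac
import pickle

KEY = b"constructed-demo-key"
TAG_LEN = hashlib.sha256().digest_size


def encode_argument(obj, key: bytes = KEY) -> bytes:
    """Server side: serialize, then prepend an HMAC-SHA256 tag over the bytes."""
    body = pickle.dumps(obj)
    return hmac.new(key, body, hashlib.sha256).digest() + body


def decode_unsigned(body: bytes):
    # VULNERABLE: whatever the client sends is deserialized as-is, so the client
    # chooses which objects (and, with pickle, which code) get instantiated.
    return pickle.loads(body)


def decode_signed(blob: bytes, key: bytes = KEY):
    # HARDENED: check the tag first; only bytes the server itself produced
    # ever reach the deserializer.
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("argument signature invalid")
    return pickle.loads(body)
```

The signature turns "any bytes the client chooses" into "bytes the server previously emitted", which is the whole difference: deserializers are not parsers of untrusted input, and an integrity check is what keeps them from being treated as one.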
namshi/jose - Verification bypass
Several widely-used JSON Web Token (JWT) libraries, including node-jsonwebtoken, pyjwt, namshi/jose, php-jwt, and jsjwt, are affected by critical vulnerabilities that could allow attackers to bypass the verification step when using asymmetric keys (RS256, RS384, RS512, ES256, ES384,...
namshi/jose insecure JSON Web Signatures (JWS)
namshi/jose allows the acceptance of insecure JSON Web Signatures (JWS) by default. The vulnerability arises from the $allowUnsecure flag, which, when set to true during the loading of JWSes, permits tokens signed with 'none' algorithms to be processed. This behavior poses a significant security...
EPSS: 0.0004
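Both namshi/jose entries above share one root cause: the verifier lets the token's own header decide how the token is checked. The added example below (not namshi/jose's code) shows the 'none' case from the second entry with an allowUnsecure-style default, beside a verifier that pins the algorithm itself. The asymmetric-key bypass from the first entry (an RS256 public key fed to an HMAC check because the header said HS256) has the same fix but needs an RSA implementation, so only HS256 and 'none' are implemented here; sign_hs256, forge_none, verify_trusting_header and verify_pinned are hypothetical names.

```python
"""JWS verification that lets the token choose its algorithm, beside a pinned one.

Added illustration, not namshi/jose's code. Only HS256 and "none" are
implemented; function names are hypothetical.
"""
import base64
import hashlib
import hmac
import json


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode(header: dict, claims: dict) -> str:
    return _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())


def sign_hs256(claims: dict, key: bytes) -> str:
    signing_input = _encode({"alg": "HS256", "typ": "JWT"}, claims)
    tag = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(tag)


def forge_none(claims: dict) -> str:
    """What an attacker sends: alg=none and an empty signature part."""
    return _encode({"alg": "none", "typ": "JWT"}, claims) + "."


def verify_trusting_header(token: str, key: bytes, allow_unsecure: bool = True) -> dict:
    # VULNERABLE: the header, which the attacker wrote, selects the check.
    h, p, s = token.split(".")
    alg = json.loads(_unb64url(h)).get("alg")
    if alg == "none":
        if allow_unsecure:            # the $allowUnsecure-style default
            return json.loads(_unb64url(p))
        raise ValueError("unsecured JWS rejected")
    if alg == "HS256":
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, _unb64url(s)):
            return json.loads(_unb64url(p))
        raise ValueError("bad signature")
    raise ValueError(f"unsupported alg {alg!r}")


def verify_pinned(token: str, key: bytes) -> dict:
    # HARDENED: the verifier decides the algorithm; the header may only agree with it.
    h, p, s = token.split(".")
    if json.loads(_unb64url(h)).get("alg") != "HS256":
        raise ValueError("alg must be HS256")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):
        raise ValueError("bad signature")
    return json.loads(_unb64url(p))
```

verify_pinned never branches on the header: the algorithm and key are configuration on the verifying side, and a token whose header disagrees is simply rejected. That is also what closes the RS256/HS256 confusion, since a verifier configured for RS256 would not run an HMAC at all.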
Use after free in Visuals in Google Chrome prior to 124.0.6367.201 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) Mitigation: Red Hat has investigated whether a possible...
EPSS: 0.02
Asterisk is an open source private branch exchange and telephony toolkit. After upgrade to 18.23.0, ALL unauthorized SIP requests are identified as PJSIP Endpoint of local asterisk server. This vulnerability is fixed in 18.23.1, 20.8.1, and...
Submariner Operator sets unnecessary RBAC permissions in helm charts
A flaw was found in the Submariner project. Due to unnecessary role-based access control permissions, a privileged attacker can run a malicious container on a node that may allow them to steal service account tokens and further compromise other nodes and potentially the entire...