Tuesday, July 2, 2024 Security Releases
Summary The Node.js project will release new versions of the 22.x, 20.x, 18.x releases lines on or shortly after, Tuesday, July 2, 2024 in order to address: 1 high severity issues. 2 medium severity issues. 3 low severity issues. Node.js fetch will be upgraded to undici v6.19.2 on Node.js 18.x...
7AI Score
BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker with a valid join link to a meeting can trick BigBlueButton into generating a signed join link with additional parameters. One of those parameters may be "role=moderator", allowing an.....
4.6CVSS
EPSS
BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker may be able to exploit the overly elevated file permissions in the /usr/local/bigbluebutton/core/vendor/bundle/ruby/2.7.0/gems/resque-2.6.0 directory with the goal of privilege...
3.7CVSS
4.1AI Score
EPSS
BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker may be able to exploit the overly elevated file permissions in the /usr/local/bigbluebutton/core/vendor/bundle/ruby/2.7.0/gems/resque-2.6.0 directory with the goal of privilege...
3.7CVSS
EPSS
BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker with a valid join link to a meeting can trick BigBlueButton into generating a signed join link with additional parameters. One of those parameters may be "role=moderator", allowing an.....
4.6CVSS
4.7AI Score
EPSS
CVE-2024-38525 dd-trace-cpp malformed unicode header values may cause crash
dd-trace-cpp is the Datadog distributed tracing for C++. When the library fails to extract trace context due to malformed unicode, it logs the list of audited headers and their values using the nlohmann JSON library. However, due to the way the JSON library is invoked, it throws an uncaught...
7.5CVSS
6.9AI Score
EPSS
CVE-2024-38525 dd-trace-cpp malformed unicode header values may cause crash
dd-trace-cpp is the Datadog distributed tracing for C++. When the library fails to extract trace context due to malformed unicode, it logs the list of audited headers and their values using the nlohmann JSON library. However, due to the way the JSON library is invoked, it throws an uncaught...
7.5CVSS
EPSS
CVE-2023-45289 vulnerabilities
Vulnerabilities for packages: aws-flb-firehose, configmap-reload, nuclei, k8sgpt, dagger, flannel-cni-plugin, secrets-store-csi-driver-provider-gcp, velero, temporal-ui-server, kaf, wireguard-go, wazero, k8ssandra-operator, aws-ebs-csi-driver, nri-discovery-kubernetes, nri-couchbase,...
7.8AI Score
0.0004EPSS
GHSA-8R3F-844C-MC37 vulnerabilities
Vulnerabilities for packages: configmap-reload, nuclei, k8sgpt, dagger, secrets-store-csi-driver-provider-gcp, velero, temporal-ui-server, kaf, k8ssandra-operator, aws-ebs-csi-driver, nri-discovery-kubernetes, guac, capslock, kaniko, sops, temporal, filebeat, kubernetes-dns-node-cache,...
7.5AI Score
CVE-2024-24787 vulnerabilities
Vulnerabilities for packages: configmap-reload, k8sgpt, secrets-store-csi-driver-provider-gcp, kaf, ksops, wireguard-go, go, neuvector-scanner, aws-ebs-csi-driver, guac, http-echo, capslock, git-lfs, grafana-rollout-operator, gobump, sops, kubernetes-dns-node-cache, kubeadm-bootstrap-controller,...
6.5AI Score
0.0004EPSS
GHSA-5FQ7-4MXC-535H vulnerabilities
Vulnerabilities for packages: configmap-reload, k8sgpt, secrets-store-csi-driver-provider-gcp, kaf, ksops, wireguard-go, go, neuvector-scanner, aws-ebs-csi-driver, guac, http-echo, capslock, git-lfs, grafana-rollout-operator, gobump, sops, kubernetes-dns-node-cache, kubeadm-bootstrap-controller,...
7.5AI Score
CVE-2024-24789 vulnerabilities
Vulnerabilities for packages: configmap-reload, k8sgpt, dagger, k8ssandra-operator, nri-cassandra, http-echo, gobump, aws-load-balancer-controller, grpcurl, logstash, protoc-gen-go, postgres-operator, neuvector-sigstore-interface, flannel, velero-plugin-for-csi, speedtest-go,...
5.5CVSS
6.1AI Score
0.0004EPSS
CVE-2023-45285 vulnerabilities
Vulnerabilities for packages: aws-flb-firehose, oras, configmap-reload, nsc, vertical-pod-autoscaler, flannel-cni-plugin, prometheus-stackdriver-exporter, sbom-scorecard, influx, dgraph, protoc-gen-go-grpc, nri-discovery-kubernetes, kubernetes-dashboard-metrics-scraper, hey, go-bindata,...
7.5CVSS
7.9AI Score
0.001EPSS
CVE-2024-24786 vulnerabilities
Vulnerabilities for packages: configmap-reload, nuclei, k8sgpt, dagger, secrets-store-csi-driver-provider-gcp, velero, temporal-ui-server, kaf, k8ssandra-operator, aws-ebs-csi-driver, nri-discovery-kubernetes, guac, capslock, kaniko, sops, temporal, filebeat, kubernetes-dns-node-cache,...
6.6AI Score
0.0004EPSS
CVE-2024-24784 vulnerabilities
Vulnerabilities for packages: aws-flb-firehose, configmap-reload, nuclei, k8sgpt, dagger, flannel-cni-plugin, secrets-store-csi-driver-provider-gcp, velero, temporal-ui-server, kaf, wireguard-go, wazero, k8ssandra-operator, aws-ebs-csi-driver, nri-discovery-kubernetes, nri-couchbase,...
7.8AI Score
0.0004EPSS
GHSA-RR6R-CFGF-GC6H vulnerabilities
Vulnerabilities for packages: aws-flb-firehose, configmap-reload, nuclei, k8sgpt, dagger, flannel-cni-plugin, secrets-store-csi-driver-provider-gcp, velero, temporal-ui-server, kaf, wireguard-go, wazero, k8ssandra-operator, aws-ebs-csi-driver, nri-discovery-kubernetes, nri-couchbase,...
7.5AI Score
CVE-2023-45288 vulnerabilities
Vulnerabilities for packages: configmap-reload, nuclei, k8sgpt, k8ssandra-operator, nri-cassandra, http-echo, gobump, tigera-operator, aws-network-policy-agent, aws-load-balancer-controller, grpcurl, protoc-gen-go, postgres-operator, neuvector-sigstore-interface, flannel, velero-plugin-for-csi,...
6.8AI Score
0.0004EPSS
GHSA-3Q2C-PVP5-3CQP vulnerabilities
Vulnerabilities for packages: aws-flb-firehose, configmap-reload, nuclei, k8sgpt, dagger, flannel-cni-plugin, secrets-store-csi-driver-provider-gcp, velero, temporal-ui-server, kaf, wireguard-go, wazero, k8ssandra-operator, aws-ebs-csi-driver, nri-discovery-kubernetes, nri-couchbase,...
7.5AI Score
GHSA-J6M3-GC37-6R6Q vulnerabilities
Vulnerabilities for packages: aws-flb-firehose, configmap-reload, nuclei, k8sgpt, dagger, flannel-cni-plugin, secrets-store-csi-driver-provider-gcp, velero, temporal-ui-server, kaf, wireguard-go, wazero, k8ssandra-operator, aws-ebs-csi-driver, nri-discovery-kubernetes, nri-couchbase,...
7.5AI Score
GHSA-FGQ5-Q76C-GX78 vulnerabilities
Vulnerabilities for packages: aws-flb-firehose, configmap-reload, nuclei, k8sgpt, dagger, flannel-cni-plugin, secrets-store-csi-driver-provider-gcp, velero, temporal-ui-server, kaf, wireguard-go, wazero, k8ssandra-operator, aws-ebs-csi-driver, nri-discovery-kubernetes, nri-couchbase,...
7.5AI Score
GHSA-2JWV-JMQ4-4J3R vulnerabilities
Vulnerabilities for packages: configmap-reload, k8sgpt, secrets-store-csi-driver-provider-gcp, kaf, ksops, wireguard-go, go, neuvector-scanner, aws-ebs-csi-driver, guac, http-echo, capslock, git-lfs, grafana-rollout-operator, gobump, sops, kubernetes-dns-node-cache, kubeadm-bootstrap-controller,...
7.5AI Score
GHSA-4V7X-PQXF-CX7M vulnerabilities
Vulnerabilities for packages: configmap-reload, nuclei, k8sgpt, k8ssandra-operator, nri-cassandra, http-echo, gobump, tigera-operator, aws-network-policy-agent, aws-load-balancer-controller, grpcurl, protoc-gen-go, postgres-operator, neuvector-sigstore-interface, flannel, velero-plugin-for-csi,...
7.5AI Score
CVE-2024-24790 vulnerabilities
Vulnerabilities for packages: configmap-reload, k8sgpt, dagger, k8ssandra-operator, nri-cassandra, http-echo, gobump, aws-load-balancer-controller, grpcurl, logstash, protoc-gen-go, postgres-operator, neuvector-sigstore-interface, flannel, velero-plugin-for-csi, speedtest-go,...
9.8CVSS
9.8AI Score
0.001EPSS
GHSA-9763-4F94-GFCH vulnerabilities
Vulnerabilities for packages: boring-registry, rclone, skaffold, flux-image-automation-controller, vault, pulumi-language-yaml, policy-controller, pulumi-kubernetes-operator, flux-notification-controller, kaniko, sops, wolfictl, apko, slsa-verifier, actions-runner-controller, flux, goreleaser,...
7.5AI Score
GHSA-49GW-VXVF-FC2G vulnerabilities
Vulnerabilities for packages: configmap-reload, k8sgpt, dagger, k8ssandra-operator, nri-cassandra, http-echo, gobump, aws-load-balancer-controller, grpcurl, logstash, protoc-gen-go, postgres-operator, neuvector-sigstore-interface, flannel, velero-plugin-for-csi, speedtest-go,...
7.5AI Score
CVE-2023-39326 vulnerabilities
Vulnerabilities for packages: aws-flb-firehose, oras, configmap-reload, nsc, vertical-pod-autoscaler, flannel-cni-plugin, prometheus-stackdriver-exporter, sbom-scorecard, influx, dgraph, protoc-gen-go-grpc, nri-discovery-kubernetes, kubernetes-dashboard-metrics-scraper, hey, go-bindata,...
5.3CVSS
7.2AI Score
0.001EPSS
GHSA-5F94-VHJQ-RPG8 vulnerabilities
Vulnerabilities for packages: aws-flb-firehose, oras, configmap-reload, nsc, vertical-pod-autoscaler, flannel-cni-plugin, prometheus-stackdriver-exporter, sbom-scorecard, influx, dgraph, protoc-gen-go-grpc, nri-discovery-kubernetes, kubernetes-dashboard-metrics-scraper, hey, go-bindata,...
7.5AI Score
CVE-2024-24783 vulnerabilities
Vulnerabilities for packages: aws-flb-firehose, configmap-reload, nuclei, k8sgpt, dagger, flannel-cni-plugin, secrets-store-csi-driver-provider-gcp, velero, temporal-ui-server, kaf, wireguard-go, wazero, k8ssandra-operator, aws-ebs-csi-driver, nri-discovery-kubernetes, nri-couchbase,...
7.8AI Score
0.0004EPSS
CVE-2024-24785 vulnerabilities
Vulnerabilities for packages: aws-flb-firehose, configmap-reload, nuclei, k8sgpt, dagger, flannel-cni-plugin, secrets-store-csi-driver-provider-gcp, velero, temporal-ui-server, kaf, wireguard-go, wazero, k8ssandra-operator, aws-ebs-csi-driver, nri-discovery-kubernetes, nri-couchbase,...
7.8AI Score
0.0004EPSS
GHSA-32CH-6X54-Q4H9 vulnerabilities
Vulnerabilities for packages: aws-flb-firehose, configmap-reload, nuclei, k8sgpt, dagger, flannel-cni-plugin, secrets-store-csi-driver-provider-gcp, velero, temporal-ui-server, kaf, wireguard-go, wazero, k8ssandra-operator, aws-ebs-csi-driver, nri-discovery-kubernetes, nri-couchbase,...
7.5AI Score
GHSA-9F76-WG39-X86H vulnerabilities
Vulnerabilities for packages: aws-flb-firehose, oras, configmap-reload, nsc, vertical-pod-autoscaler, flannel-cni-plugin, prometheus-stackdriver-exporter, sbom-scorecard, influx, dgraph, protoc-gen-go-grpc, nri-discovery-kubernetes, kubernetes-dashboard-metrics-scraper, hey, go-bindata,...
7.5AI Score
CVE-2024-24788 vulnerabilities
Vulnerabilities for packages: configmap-reload, k8sgpt, secrets-store-csi-driver-provider-gcp, kaf, ksops, wireguard-go, go, neuvector-scanner, aws-ebs-csi-driver, guac, http-echo, capslock, git-lfs, grafana-rollout-operator, gobump, sops, kubernetes-dns-node-cache, kubeadm-bootstrap-controller,...
6.5AI Score
0.0004EPSS
GHSA-236W-P7WF-5PH8 vulnerabilities
Vulnerabilities for packages: configmap-reload, k8sgpt, dagger, k8ssandra-operator, nri-cassandra, http-echo, gobump, aws-load-balancer-controller, grpcurl, logstash, protoc-gen-go, postgres-operator, neuvector-sigstore-interface, flannel, velero-plugin-for-csi, speedtest-go,...
7.5AI Score
CVE-2023-45290 vulnerabilities
Vulnerabilities for packages: aws-flb-firehose, configmap-reload, nuclei, k8sgpt, dagger, flannel-cni-plugin, secrets-store-csi-driver-provider-gcp, velero, temporal-ui-server, kaf, wireguard-go, wazero, k8ssandra-operator, aws-ebs-csi-driver, nri-discovery-kubernetes, nri-couchbase,...
6AI Score
0.0004EPSS
Unlimited number of NTS-KE connections can crash ntpd-rs server
Summary Missing limit for accepted NTS-KE connections allows an unauthenticated remote attacker to crash ntpd-rs when an NTS-KE server is configured. Non NTS-KE server configurations, such as the default ntpd-rs configuration, are unaffected. Details Operating systems have a limit for the number...
7.5CVSS
7AI Score
EPSS
CVE-2024-39302 Some bbb-record-core files installed with wrong file permission
BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker may be able to exploit the overly elevated file permissions in the /usr/local/bigbluebutton/core/vendor/bundle/ruby/2.7.0/gems/resque-2.6.0 directory with the goal of privilege...
3.7CVSS
EPSS
Metasploit Weekly Wrap-Up 06/28/2024
Unauthenticated Command Injection in Netis Router This week's Metasploit release includes an exploit module for an unauthenticated command injection vulnerability in the Netis MW5360 router which is being tracked as CVE-2024-22729. The vulnerability stems from improper handling of the password...
9.8CVSS
9AI Score
0.005EPSS
CVE-2024-38518 bbb-web API additional parameters considered
BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker with a valid join link to a meeting can trick BigBlueButton into generating a signed join link with additional parameters. One of those parameters may be "role=moderator", allowing an.....
4.6CVSS
EPSS
televizori.ba Cross Site Scripting vulnerability OBB-3939488
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...
6.2AI Score
Vanna v0.3.4 is vulnerable to SQL injection in its DuckDB integration exposed to its Flask Web APIs. Attackers can inject malicious SQL training data and generate corresponding queries to write arbitrary files on the victim's file system, such as backdoor.php with contents <?php system($_GET[0])...
9.8CVSS
10AI Score
EPSS
Vanna v0.3.4 is vulnerable to SQL injection in its DuckDB integration exposed to its Flask Web APIs. Attackers can inject malicious SQL training data and generate corresponding queries to write arbitrary files on the victim's file system, such as backdoor.php with contents <?php system($_GET[0])...
9.8CVSS
EPSS
nptd-rs is a tool for synchronizing your computer's clock, implementing the NTP and NTS protocols. There is a missing limit for accepted NTS-KE connections. This allows an unauthenticated remote attacker to crash ntpd-rs when an NTS-KE server is configured. Non NTS-KE server configurations, such...
7.5CVSS
EPSS
nptd-rs is a tool for synchronizing your computer's clock, implementing the NTP and NTS protocols. There is a missing limit for accepted NTS-KE connections. This allows an unauthenticated remote attacker to crash ntpd-rs when an NTS-KE server is configured. Non NTS-KE server configurations, such...
7.5CVSS
7.6AI Score
EPSS
artgalleryfabrics.com Cross Site Scripting vulnerability OBB-3939486
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...
6.2AI Score
CVE-2024-38528 Unlimited number of NTS-KE connections can crash ntpd-rs server
nptd-rs is a tool for synchronizing your computer's clock, implementing the NTP and NTS protocols. There is a missing limit for accepted NTS-KE connections. This allows an unauthenticated remote attacker to crash ntpd-rs when an NTS-KE server is configured. Non NTS-KE server configurations, such...
7.5CVSS
EPSS
CVE-2024-5827 Arbitrary File Write by Prompt Injection via DuckDB SQL in vanna-ai/vanna
Vanna v0.3.4 is vulnerable to SQL injection in its DuckDB integration exposed to its Flask Web APIs. Attackers can inject malicious SQL training data and generate corresponding queries to write arbitrary files on the victim's file system, such as backdoor.php with contents <?php system($_GET[0])...
9.8CVSS
EPSS
The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Before deserializing CycloneDX Bill of Materials in XML format, cyclonedx-core-java leverages XPath expressions to determine the schema version of the...
7.5CVSS
7.7AI Score
EPSS
NextChat is a cross-platform ChatGPT/Gemini UI. There is a Server-Side Request Forgery (SSRF) vulnerability due to a lack of validation of the endpoint GET parameter on the WebDav API endpoint. This SSRF can be used to perform arbitrary HTTPS request from the vulnerable instance (MKCOL, PUT and...
7.4CVSS
EPSS
NextChat is a cross-platform ChatGPT/Gemini UI. There is a Server-Side Request Forgery (SSRF) vulnerability due to a lack of validation of the endpoint GET parameter on the WebDav API endpoint. This SSRF can be used to perform arbitrary HTTPS request from the vulnerable instance (MKCOL, PUT and...
7.4CVSS
7.6AI Score
EPSS
IBM Storage Defender - Resiliency Service 2.0.0 through 2.0.4 agent username and password error response discrepancy exposes product to brute force enumeration. IBM X-Force ID: ...
5.3CVSS
5.3AI Score
EPSS