GHSA-8R3F-844C-MC37 vulnerabilities
Vulnerabilities for packages: buf, terraform-docs, restic, spire-server, melange, istio-pilot-agent, amass, cri-tools, kwok, cadvisor, secrets-store-csi-driver-provider-aws, grype, prometheus-mongodb-exporter, crossplane, dex, step-ca, k3d, spark-operator, prometheus-bind-exporter, opentofu,...
7.5 AI Score
CVE-2024-24789 vulnerabilities
Vulnerabilities for packages: flyte, istio-pilot-agent, cadvisor, grype, paranoia, nri-mssql, dex, step-ca, trivy, zarf, protoc-gen-go, cortex, flux-helm-controller, metacontroller, gatekeeper, docker-credential-ecr-login, gitness, flux, k9s, render-template, kubeadm-bootstrap-controller, k8sgpt,.....
6.5 AI Score
0.0004 EPSS
CVE-2023-45288 vulnerabilities
Vulnerabilities for packages: flyte, melange, istio-pilot-agent, cadvisor, paranoia, nri-mssql, dex, step-ca, spark-operator, trivy, zarf, protoc-gen-go, cortex, flux-helm-controller, metacontroller, gatekeeper, docker-credential-ecr-login, gitness, flux, k9s, render-template,...
6.8 AI Score
0.0004 EPSS
CVE-2024-24786 vulnerabilities
Vulnerabilities for packages: buf, terraform-docs, restic, spire-server, melange, istio-pilot-agent, amass, cri-tools, kwok, cadvisor, secrets-store-csi-driver-provider-aws, grype, prometheus-mongodb-exporter, crossplane, dex, step-ca, k3d, spark-operator, prometheus-bind-exporter, opentofu,...
6.7 AI Score
0.0004 EPSS
GHSA-4V7X-PQXF-CX7M vulnerabilities
Vulnerabilities for packages: flyte, melange, istio-pilot-agent, cadvisor, paranoia, nri-mssql, dex, step-ca, spark-operator, trivy, zarf, protoc-gen-go, cortex, flux-helm-controller, metacontroller, gatekeeper, docker-credential-ecr-login, gitness, flux, k9s, render-template,...
7.5 AI Score
CVE-2024-24790 vulnerabilities
Vulnerabilities for packages: flyte, istio-pilot-agent, cadvisor, grype, paranoia, nri-mssql, dex, step-ca, trivy, zarf, protoc-gen-go, cortex, flux-helm-controller, metacontroller, gatekeeper, docker-credential-ecr-login, gitness, flux, k9s, render-template, kubeadm-bootstrap-controller, k8sgpt,.....
6.5 AI Score
0.0004 EPSS
GHSA-9763-4F94-GFCH vulnerabilities
Vulnerabilities for packages: wolfictl, spire-server, melange, flux-kustomize-controller, flux-notification-controller, crossplane-provider-aws, crossplane, terragrunt, aactl, zarf, policy-controller, vexctl, keda, kaniko, pulumi-kubernetes-operator, zot, falco, tekton-chains, rclone,...
7.5 AI Score
GHSA-49GW-VXVF-FC2G vulnerabilities
Vulnerabilities for packages: flyte, istio-pilot-agent, cadvisor, grype, paranoia, nri-mssql, dex, step-ca, trivy, zarf, protoc-gen-go, cortex, flux-helm-controller, metacontroller, gatekeeper, docker-credential-ecr-login, gitness, flux, k9s, render-template, kubeadm-bootstrap-controller, k8sgpt,.....
7.5 AI Score
GHSA-236W-P7WF-5PH8 vulnerabilities
Vulnerabilities for packages: flyte, istio-pilot-agent, cadvisor, grype, paranoia, nri-mssql, dex, step-ca, trivy, zarf, protoc-gen-go, cortex, flux-helm-controller, metacontroller, gatekeeper, docker-credential-ecr-login, gitness, flux, k9s, render-template, kubeadm-bootstrap-controller, k8sgpt,.....
7.5 AI Score
CyberChef is a simple, intuitive web app for carrying out all manner of "cyber" operations within a web browser. These operations include simple encoding like XOR and Base64, more complex encryption like AES, DES and Blowfish, creating binary and hexdumps, compression and decompression of data,...
6.9 AI Score
Analysis of user password strength
The processing power of computers keeps growing, helping users to solve increasingly complex problems faster. A side effect is that passwords that were impossible to guess just a few years ago can be cracked by hackers within mere seconds in 2024. For example, the RTX 4090 GPU is capable of...
6.9 AI Score
The Annual SaaS Security Report: 2025 CISO Plans and Priorities
Seventy percent of enterprises are prioritizing investment in SaaS security by establishing dedicated teams to secure SaaS applications, as part of a growing trend of maturity in this field of cybersecurity, according to a new survey released this month by the Cloud Security Alliance (CSA)....
7.2 AI Score
Summary Vulnerabilities in multiple JAR files affect Transparent Cloud Tiering in IBM SAN Volume Controller, IBM Storwize, IBM Storage Virtualize and IBM FlashSystem products. The vulnerabilities are not thought to be exploitable but IBM recommends upgrade for users of Transparent Cloud Tiering...
9.8 CVSS
9.4 AI Score
0.939 EPSS
CVE-2024-5899 Improper trust check in Bazel Build IntelliJ plugin
When the Bazel Plugin in IntelliJ imports a project (either using "import project" or "Auto import"), the dialog for trusting the project is not displayed. This comes from the fact that both call the method ProjectBuilder.createProject, which then calls ProjectManager.getInstance().createProject. This...
7.1 AI Score
An open redirect issue was discovered in Kibana that could lead to a user being redirected to an arbitrary website if they use a maliciously crafted Kibana...
6.1 CVSS
6.2 AI Score
0.001 EPSS
DoS in KAS in GitLab CE/EE affecting all versions from 16.10.0 prior to 16.10.6 and 16.11.0 prior to 16.11.3 allows an attacker to crash KAS via crafted gRPC...
3.1 CVSS
6.3 AI Score
0.0004 EPSS
Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow. Airflow did not return a "Cache-Control" header for dynamic content, which in the case of some browsers could result in potentially storing sensitive data in the local cache of the browser. This issue affects Apache...
6.1 AI Score
0.0004 EPSS
Malicious code in rb-info-banner (npm)
Source: ossf-package-analysis (b4418457e7570184ceb88f4adbd3857b2c1f0272bdac5533354efc091d1b726b) The OpenSSF Package Analysis project identified 'rb-info-banner' @ 1.0.0 (npm) as malicious. It is considered malicious because: The package...
7.1 AI Score
Malicious code in rb-accordion (npm)
Source: ossf-package-analysis (92f6b37cf2d8d698234663a0312bdadd85f0034ac2bf9d6ae20cdcbc1d5dd69a) The OpenSSF Package Analysis project identified 'rb-accordion' @ 1.0.0 (npm) as malicious. It is considered malicious because: The package...
7.1 AI Score
Malicious code in rb-payment-input (npm)
Source: ossf-package-analysis (e2609ed37d97239b7a1cf44a814e27f11d2a31ffa84f2c47f51a83f6e39166d3) The OpenSSF Package Analysis project identified 'rb-payment-input' @ 1.0.0 (npm) as malicious. It is considered malicious because: The package...
7.1 AI Score
This Week in Spring - June 18th, 2024
Hi, Spring fans! Welcome to another installment of This Week in Spring! I've just come from Paris, France, and now I'm in equally beautiful Krakow, Poland, for the amazing Devoxx PL event. We've got a ton of good stuff to dive into, so let's get going! In last week's installment of Spring Tips, I.....
7.3 AI Score
Rancher's RKE1 Encryption Config kept in plain-text within cluster AppliedSpec
Impact: This issue is only relevant to clusters provisioned using RKE1 with secrets encryption configuration enabled. A vulnerability has been identified in which an RKE1 cluster keeps constantly reconciling when secrets encryption configuration is enabled (please see the RKE documentation). When...
6.1 AI Score
Rancher's External RoleTemplates can lead to privilege escalation
Impact: A vulnerability has been identified whereby privilege escalation checks are not properly enforced for RoleTemplate objects when external=true, which in specific scenarios can lead to privilege escalation. The bug in the webhook rule resolver ignores rules from a ClusterRole for external...
6.5 AI Score
rke's credentials are stored in the RKE1 Cluster state ConfigMap
Impact: When RKE provisions a cluster, it stores the cluster state in a ConfigMap called full-cluster-state inside the kube-system namespace of the cluster itself. This cluster state object contains information used to set up the K8s cluster, which may include the following sensitive data: ...
6 AI Score
Impact: A vulnerability has been identified in which Rancher does not automatically clean up a user which has been deleted from the configured authentication provider (AP). This characteristic also applies to disabled or revoked users: Rancher will not reflect these modifications, which may leave...
6.5 AI Score
Summary: If an attacker can successfully authenticate through SSO/Access Code, they can obtain the real backend API Key by modifying the base URL to their own attack URL on the frontend and setting up a server-side request. Details: The attack process is described above. PoC Frontend: 1. Pass basic...
5.7 CVSS
6.9 AI Score
0.0004 EPSS
Firefly III has a MFA bypass in oauth flow
Impact: An MFA bypass in the Firefly III OAuth flow may allow malicious users to bypass the MFA check. This allows malicious users to use password spraying to gain access to your Firefly III data using passwords stolen from other sources. As OAuth applications are easily enumerable using an...
5.9 CVSS
7.2 AI Score
0.0004 EPSS
urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects
When using urllib3's proxy support with ProxyManager, the Proxy-Authorization header is only sent to the configured proxy, as expected. However, when sending HTTP requests without using urllib3's proxy support, it's possible to accidentally configure the Proxy-Authorization header even though it...
4.4 CVSS
7 AI Score
0.0004 EPSS
LNbits improperly handles potential network and payment failures when using Eclair backend
Summary: Paying invoices in Eclair that do not get settled within the internal timeout (about 30s) leads to a payment being considered failed, even though it may still be in flight. Details: Using blocking: true on the API call will lead to a timeout error if a payment does not get settled in the 30s...
8.1 CVSS
6.7 AI Score
0.0004 EPSS
DeepJavaLibrary API absolute path traversal
Summary: DeepJavaLibrary (DJL) versions 0.1.0 through 0.27.0 do not prevent absolute-path archived artifacts from inserting archived files directly into the system, overwriting system files. This is fixed in DJL 0.28.0 and patched in DJL Large Model Inference containers 0.27.0. Impacted versions:...
10 CVSS
6.7 AI Score
0.0004 EPSS
Malvertising Campaign Leads to Execution of Oyster Backdoor
The following analysts contributed to this blog: Thomas Elkins, Daniel Thiede, Josh Lockwood, Tyler McGraw, and Sasha Kovalev. Executive Summary Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and.....
7.1 AI Score
almela obx before v.0.0.4 has a Prototype Pollution issue which allows arbitrary code execution via the obx/build/index.js:656), reduce (@almela/obx/build/index.js:470), Object.set (obx/build/index.js:269)...
7.7 AI Score
0.0004 EPSS
Object Resolver Prototype Pollution
apphp js-object-resolver < 3.1.1 is vulnerable to Prototype Pollution via...
6.7 AI Score
0.0004 EPSS
flatten-json Prototype Pollution
A Prototype Pollution issue in flatten-json 1.0.1 allows an attacker to execute arbitrary code via module.exports.unflattenJSON...
7.7 AI Score
0.0004 EPSS
It was discovered that Ghostscript did not properly restrict eexec seeds to those specified by the Type 1 Font Format standard when SAFER mode is used. An attacker could use this issue to bypass SAFER restrictions and cause unspecified impact. (CVE-2023-52722) This issue only affected Ubuntu 20.04....
7.5 AI Score
Malicious code in delta0231 (npm)
Source: ossf-package-analysis (7df399fa1580fb8e64d7cd2481b0212f607aa8146a1b904b83a7af05ebb8031b) The OpenSSF Package Analysis project identified 'delta0231' @ 100.0.0 (npm) as malicious. It is considered malicious because: The package...
7.3 AI Score
Malicious code in commando333333 (npm)
Source: ossf-package-analysis (3da17f518475bb94d3d0740d0e1fc486dcce1f4fd1c8f86b9578176c4ea04a03) The OpenSSF Package Analysis project identified 'commando333333' @ 10.0.0 (npm) as malicious. It is considered malicious because: The package...
7.3 AI Score
Malicious code in dc-test1-asdf (npm)
Source: ossf-package-analysis (04026ef40e4abce9afd70341d1bbb7d8907a917e7a6bd0fd6b7ffb15623a30c0) The OpenSSF Package Analysis project identified 'dc-test1-asdf' @ 1.0.1 (npm) as malicious. It is considered malicious because: The package...
7.3 AI Score
object-deep-assign Prototype Pollution
alexbinary object-deep-assign 1.0.11 is vulnerable to Prototype Pollution via the extend() method of Module.deepAssign...
6.8 AI Score
0.0004 EPSS
Badger Database Prototype Pollution
A Prototype Pollution issue in abw badger-database 1.2.1 allows an attacker to execute arbitrary code via...
7.7 AI Score
0.0004 EPSS
A Prototype Pollution issue in cdr0 sg 1.0.10 allows an attacker to execute arbitrary...
7.5 AI Score
0.0004 EPSS
A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()”. The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such...
6.6 AI Score
0.0004 EPSS
The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and...
6.7 AI Score
0.0004 EPSS
ruby2.7, ruby3.0, ruby3.1, ruby3.2 vulnerabilities
It was discovered that Ruby RDoc incorrectly parsed certain YAML files. If a user or automated system were tricked into parsing a specially crafted .rdoc_options file, a remote attacker could possibly use this issue to execute arbitrary code. (CVE-2024-27281) It was discovered that the Ruby regex.....
7 AI Score
It was discovered that Rack incorrectly handled Multipart MIME parsing. A remote attacker could possibly use this issue to cause Rack to consume resources, leading to a denial of service. This issue only affected Ubuntu 23.10. (CVE-2023-27530) It was discovered that Rack incorrectly parsed certain....
7.5 CVSS
7 AI Score
0.001 EPSS
It was discovered that SSSD did not always correctly apply the GPO policy for authenticated users, contrary to expectations. This could result in improper authorization or improper access to...
7.1 CVSS
6.9 AI Score
0.0004 EPSS
Malicious code in importlib-metadate (PyPI)
Source: ossf-package-analysis (540e9c9d054904f5342d684bd5cabf212fdbe7e4d20bac7407c937a6b8264cab) The OpenSSF Package Analysis project identified 'importlib-metadate' @ 99.99 (pypi) as malicious. It is considered malicious because: The package...
7.4 AI Score