56 matches found
Directory Traversal
Overview shamefile is a Turn linter suppressions from silent technical debt into reviewable, documented decisions. Affected versions of this package are vulnerable to Directory Traversal via the shame next process when processing a user-controlled shamefile.yaml. An attacker can disclose the...
Directory Traversal
Overview shamefile is an A cli tool to enforce documentation for code suppressions Affected versions of this package are vulnerable to Directory Traversal via the shame next process when processing a user-controlled shamefile.yaml. An attacker can disclose the contents of files outside the intend...
GHSA-X6P3-76F2-XXVH Shamefile has an arbitrary file read via shamefile.yaml in shame next
Impact A path traversal vulnerability in shame next allows an attacker-controlled shamefile.yaml to disclose contents of files outside the repository, one line at a time, to the terminal of a user who runs the command. See patch commit for technical details. Patches Fixed in 0.1.7. Upgrade to...
Shamefile has an arbitrary file read via shamefile.yaml in shame next
Impact A path traversal vulnerability in shame next allows an attacker-controlled shamefile.yaml to disclose contents of files outside the repository, one line at a time, to the terminal of a user who runs the command. See patch commit for technical details. Patches Fixed in 0.1.7. Upgrade to...
PT-2026-44550
Impact A path traversal vulnerability in shame next allows an attacker-controlled shamefile.yaml to disclose contents of files outside the repository, one line at a time, to the terminal of a user who runs the command. See patch commit for technical details. Patches Fixed in 0.1.7. Upgrade to...
Information Disclosure
Argo CD is vulnerable to Information Exposure. The vulnerability is due to missing authorization and insufficient data masking in the ServerSideDiff endpoint, which allows an attacker with read-only access to extract plaintext Kubernetes Secret data through the Server-Side Apply dry-run mechanism...
CVE-2026-42880
A flaw was found in Argo CD, a GitOps continuous delivery tool for Kubernetes. A missing authorization and data-masking gap in the ServerSideDiff endpoint allows an attacker with read-only access to extract sensitive Kubernetes Secret data. This information disclosure occurs by leveraging the...
BIT-ARGO-CD-2026-42880 ArgoCD ServerSideDiff is vulnerable to Kubernetes Secret Extraction
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext...
CVE-2026-42880
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext...
CVE-2026-42880 ArgoCD ServerSideDiff is vulnerable to Kubernetes Secret Extraction
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext...
CVE-2026-42880 ArgoCD ServerSideDiff is vulnerable to Kubernetes Secret Extraction
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext...
ArgoCD ServerSideDiff is vulnerable to Kubernetes Secret Extraction
Summary There is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. Details Argo CD masks Secret...
GHSA-3V3M-WC6V-X4X3 ArgoCD ServerSideDiff is vulnerable to Kubernetes Secret Extraction
Summary There is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. Details Argo CD masks Secret...
Argo CD 信息泄露漏洞
Argo CD is an open-source tool developed by Argo for Kubernetes, designed for declarative GitOps continuous delivery. Versions of Argo CD prior to 3.2.11 and 3.3.0–3.3.9 contained a vulnerability related to information leakage. This vulnerability stemmed from a lack of authorization and data...
CVE-2026-32237
A data exposure flaw has been discovered in the @backstage/plugin-scaffolder-backend npm library. Authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log outp...
CVE-2026-32237
Backstage is an open framework for building developer portals. Prior to 3.1.5, authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all...
CVE-2026-32237
Backstage is an open framework for building developer portals. Prior to 3.1.5, authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all...
CVE-2026-32237 @backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run endpoint
Backstage is an open framework for building developer portals. Prior to 3.1.5, authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all...
CVE-2026-32237
Backstage vulnerability CVE-2026-32237 affects the @backstage/plugin-scaffolder-backend prior to 3.1.5. Authenticated users with permission to run scaffolder dry-runs can access server-configured environment secrets via the dry-run API response; secrets are redacted in logs but not in all respons...
CVE-2026-32237 @backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run endpoint
Backstage is an open framework for building developer portals. Prior to 3.1.5, authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all...