1087 matches found

Vulnrichment
added 2023/03/22 8:44 p.m. · 12 views

CVE-2023-28434 MinIO is vulnerable to privilege escalation on Linux/MacOS

Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket. To carry out this attack, the attacker requires credentials wit...

CVSS 8.8 · AI score 8.3 · EPSS 0.06736
Exploits 2 · References 3
CVE
added 2023/03/22 8:44 p.m. · 646 views

CVE-2023-28434

CVE-2023-28434 (MinIO) affects MinIO’s object storage framework. A security feature bypass allows an attacker with credentials for arn:aws:s3:::* and Console API access to bypass metadata bucket name checking during PostPolicyBucket and place objects into arbitrary buckets. This can impact confid...

CVSS 8.8 · AI score 8.3 · EPSS 0.06736
In wild · Exploits 2 · References 4 · Affected software 1
Positive Technologies
added 2023/03/21 12:00 a.m. · 7 views

PT-2023-4759 · Minio +2 · Minio +2

Name of the Vulnerable Software and Affected Versions: Minio versions prior to RELEASE.2023-03-20T20-16-18Z Description: The issue is related to the PostPolicyBucket component of the Minio Multi-Cloud Object Storage framework. An attacker can use crafted requests to bypass metadata bucket name...

CVSS 9 · AI score 6.5 · EPSS 0.83957
Exploits 25 · References 84
NVD
added 2023/03/09 9:15 p.m. · 11 views

CVE-2023-0223

An issue has been discovered in GitLab affecting all versions starting from 15.5 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. Non-project members could retrieve release descriptions via the API, even if the release visibility is...

CVSS 5.3 · AI score 5.3 · EPSS 0.00786
Exploits 0 · References 3
Vulnrichment
added 2023/03/09 12:00 a.m. · 8 views

CVE-2023-0223

An issue has been discovered in GitLab affecting all versions starting from 15.5 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. Non-project members could retrieve release descriptions via the API, even if the release visibility is...

CVSS 5.3 · AI score 5 · EPSS 0.00786
Exploits 0 · References 3
Positive Technologies
added 2023/03/08 12:00 a.m. · 5 views

PT-2023-19776 · Funadmin · Funadmin

Name of the Vulnerable Software and Affected Versions: Funadmin version 3.2.0 Description: The issue is related to a SQL injection vulnerability. It can be exploited via the id parameter at the "/databases/table/list" API endpoint. Recommendations: For Funadmin version 3.2.0, consider restricting...

CVSS 9.8 · AI score 9.4 · EPSS 0.00741
Exploits 1 · References 7
Wordfence Blog
added 2023/03/07 7:09 p.m. · 21 views

Wordfence Intelligence: Because Community Created Vulnerabilities Are Community Property

Last August, at Black Hat 2022 in Las Vegas, we launched Wordfence Intelligence, a product designed to provide large enterprise customers with rich IP threat data, malware signatures, malware hashes, and vulnerability data to help keep enterprise customers and networks secure. Our mission at...

AI score 0.8
Exploits 0
CNNVD
added 2023/03/07 12:00 a.m. · 11 views

GitLab security vulnerability

GitLab is an open source, end-to-end software development platform from GitLab, Inc. with built-in version control, issue tracking, code review, CI/CD continuous integration and continuous delivery, and other features. GitLab suffers from a security vulnerability that stems from the fact that...

CVSS 5.3 · AI score 5.7 · EPSS 0.00786
Exploits 0 · References 5
Vulnrichment
added 2023/03/07 12:00 a.m. · 6 views

CVE-2022-46257 Information disclosure in GitHub Enterprise Server leading to unauthorized viewing of private repository names

An information disclosure vulnerability was identified in GitHub Enterprise Server that allowed private repositories to be added to a GitHub Actions runner group via the API by a user who did not have access to those repositories, resulting in the repository names being shown in the UI. To exploi...

AI score 6.4 · EPSS 0.00566
Exploits 0 · References 4
Qualys Blog
added 2023/03/02 12:05 p.m. · 32 views

Qualys VMDR & Jira Integration Now Available

The increasing number of vulnerabilities poses a significant challenge for most organizations trying to effectively manage and mitigate cyber risks. According to NVD, the number of vulnerabilities in 2022 increased by approximately 25% compared to 2021. As we are at the start of March the...

AI score 0.6
Exploits 0
Positive Technologies
added 2023/02/16 12:00 a.m. · 5 views

PT-2023-13000 · Fortinet · Fortiweb

Name of the Vulnerable Software and Affected Versions: FortiWeb versions 6.0 through 7.0.1 FortiWeb versions 6.1 FortiWeb versions 6.2 FortiWeb versions 6.3.0 through 6.3.19 FortiWeb versions 6.4 Description: A path traversal issue in the API of FortiWeb may allow an authenticated attacker to...

CVSS 5.3 · AI score 4.4 · EPSS 0.00474
Exploits 0 · References 4
SUSE CVE
added 2023/02/15 3:33 a.m. · 2 views

SUSE CVE-2022-1708

A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution, and it is read in a...

CVSS 6.8 · AI score 6.7 · EPSS 0.02804
Exploits 1 · References 9
NVD
added 2023/02/06 2:15 p.m. · 16 views

CVE-2021-36225

Western Digital My Cloud devices before OS5 allow REST API access by low-privileged accounts, as demonstrated by API commands for firmware uploads and installation...

CVSS 8.8 · AI score 8.9 · EPSS 0.01046
Exploits 1 · References 3
Vulnrichment
added 2023/02/06 12:00 a.m. · 13 views

CVE-2021-36225

Western Digital My Cloud devices before OS5 allow REST API access by low-privileged accounts, as demonstrated by API commands for firmware uploads and installation...

AI score 7.7 · EPSS 0.01046
Exploits 1 · References 3
OSV
added 2023/01/17 9:15 p.m. · 2 views

CVE-2022-43976

An issue was discovered in FC46-WebBridge on GE Grid Solutions MS3000 devices before 3.7.6.25p03.2.2.17p04.7p0. Direct access to the API is possible on TCP port 8888 via programs located in the cgi-bin folder without any authentication...

CVSS 9.8 · AI score 5.8 · EPSS 0.00704
Exploits 0 · References 1
CNNVD
added 2023/01/17 12:00 a.m. · 2 views

GE Grid Solutions MS3000 security vulnerability

GE Grid Solutions MS3000 is a transformer monitoring system from GE Grid Solutions, France. A security vulnerability exists in the GE Grid Solutions MS3000 versions prior to 3.7.6.25p03.2.2.17p04.7p0, which stems from the ability to directly access the API on TCP port 8888 without any...

CVSS 9.8 · AI score 8.4 · EPSS 0.00704
Exploits 0 · References 2
Vulnrichment
added 2023/01/17 12:00 a.m. · 5 views

CVE-2022-43976

An issue was discovered in FC46-WebBridge on GE Grid Solutions MS3000 devices before 3.7.6.25p03.2.2.17p04.7p0. Direct access to the API is possible on TCP port 8888 via programs located in the cgi-bin folder without any authentication...

AI score 7 · EPSS 0.00704
Exploits 0 · References 1
CNNVD
added 2023/01/14 12:00 a.m. · 3 views

KubeOperator authorization issue vulnerability

KubeOperator is an open source, lightweight Kubernetes distribution focused on helping organizations plan, deploy, and operate production-grade K8s clusters. An authorization issue vulnerability exists in KubeOperator versions prior to 3.16.4, which stems from the API interacting with an...

CVSS 9.8 · AI score 8.3 · EPSS 0.66768
Exploits 0 · References 4
Positive Technologies
added 2023/01/09 12:00 a.m. · 3 views

PT-2023-18530 · Kubepi · Kubepi

Name of the Vulnerable Software and Affected Versions: KubePi versions prior to 1.6.4 Description: The issue allows unauthorized access to system API interfaces, potentially leaking sensitive information. This is due to a flaw in how online applications handle routing permissions. There are no...

CVSS 7.5 · AI score 7 · EPSS 0.03573
Exploits 0 · References 9
OSV
added 2023/01/03 3:15 a.m. · 2 views

CVE-2022-39042

aEnrich a+HRD has improper validation in its login function. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication and access API functions to perform arbitrary system commands or disrupt service...

CVSS 9.8 · AI score 5.9 · EPSS 0.01454
Exploits 0 · References 1