MAL-2024-11659 Malicious code in platform-harness-ecr-configmap (PyPI)
Source: kam193 (7812939dfec5496e941d5bd252e8f536d2b2e38984c285fd5881230dd705d928). Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. Category: PROBABLYPENTES...
GO-2024-2930 RKE credentials are stored in the RKE1 Cluster state ConfigMap in github.com/rancher/rke
When RKE provisions a cluster, it stores the cluster state in a configmap called "full-cluster-state" inside the "kube-system" namespace of the cluster itself. This cluster state object contains information used to set up the K8s cluster, which may include sensitive data...
Sensitive Information Disclosure
github.com/rancher/rke is vulnerable to Sensitive Information Disclosure. The vulnerability exists due to insecure cluster state storage in a publicly accessible configmap called full-cluster-state inside the kube-system namespace, which allows an attacker without administrative privileges to...
rke's credentials are stored in the RKE1 Cluster state ConfigMap
Impact When RKE provisions a cluster, it stores the cluster state in a configmap called full-cluster-state inside the kube-system namespace of the cluster itself. This cluster state object contains information used to set up the K8s cluster, which may include the following sensitive data: -...
PT-2024-4208 · Rancher · Rancher Kubernetes Engine +1
Name of the Vulnerable Software and Affected Versions: Rancher Kubernetes Engine RKE versions prior to 1.4.19 Rancher Kubernetes Engine RKE versions prior to 1.5.10 Rancher versions prior to 2.7.14 Rancher versions prior to 2.8.5 Description: The issue is related to the storage of cluster state i...
CVE-2024-24788 vulnerabilities
Vulnerabilities for packages: falcoctl, k9s, rclone, buildkitd, rabbitmq-default-user-credential-updater, stern, secrets-store-csi-driver, go-licenses, s5cmd, vt-cli, flyte, libnvidia-container, ipfs, spark-operator, dive, confluent-common-docker, cfssl, tekton-chains-fips, dockerize,...
GHSA-8R3F-844C-MC37 vulnerabilities
Vulnerabilities for packages: kor, goreleaser, crossplane-provider-family-aws, grafana-agent-operator, kubernetes-csi-driver-hostpath, newrelic-infrastructure-agent, configmap-reload, mc, rclone, pulumi-language-dotnet, hubble-ui, litefs, golangci-lint, kubescape, rqlite,...
SUSE CVE-2023-32191
When RKE provisions a cluster, it stores the cluster state in a configmap called full-cluster-state inside the kube-system namespace of the cluster itself. The information available in there allows non-admin users to escalate to admin...
Sensitive Information Disclosure
laf-client-sdk is vulnerable to Sensitive Information Disclosure. The vulnerability is caused by directly inserting env variables into the template while constructing the deployment instance of the app. Sensitive information in the secret and configmap can be read through the k8s envFrom...
CVE-2023-48225 Laf env causes sensitive information disclosure
Laf is a cloud development platform. Prior to version 1.0.0-beta.13, the control of LAF app env is not strict enough, and in certain scenarios of privatization environment, it may lead to sensitive information leakage in secret and configmap. In ES6 syntax, if an obj directly references another...
Laf Information Disclosure Vulnerability
Laf is a cloud development platform from labring labs. An information disclosure vulnerability exists in versions prior to Laf 1.0.0-beta.13. The vulnerability stems from lax control of the LAF application env, which leads to the disclosure of sensitive information in the configmap...
PT-2023-30742 · Laf · Laf
Name of the Vulnerable Software and Affected Versions: Laf versions prior to 1.0.0-beta.13 Description: Laf is a cloud development platform where the control of LAF app environment variables is not strict enough, potentially leading to sensitive information leakage in secret and configmap. This...
olcne security update
conmon 2.1.3-7 - Resolve CVE-2023-39325 2.1.3-6 - Add ol8baseoslatest, and ol9baseoslatest, to Jenkinsfile 2.1.3-5 - Add systemd-devel as build requirement 2.1.3-4 - Add support ARM build 2.1.3.3 - Add OL9 support 2.1.3.2 - Update inline with Linux team building conmon for all but OL7. cri-o...
GHSA-4374-P667-P6C8 vulnerabilities
Vulnerabilities for packages: prometheus-stackdriver-exporter, nodetaint, pulumi, falcoctl, prometheus-adapter, smarter-device-manager-fips, runc, prometheus-postgres-exporter, kots, cue, buildkitd, gke-gcloud-auth-plugin, falco, prometheus-node-exporter, flux-image-automation-controller, up,...
CVE-2023-44392
Garden provides automation for Kubernetes development and testing. Prior to versions 0.13.17 and 0.12.65, Garden has a dependency on the cryo library, which is vulnerable to code injection due to an insecure implementation of deserialization. Garden stores serialized objects using cryo in the...
Deserialization of untrusted data
Garden provides automation for Kubernetes development and testing. Prior to versions 0.13.17 and 0.12.65, Garden has a dependency on the cryo library, which is vulnerable to code injection due to an insecure implementation of deserialization. Garden stores serialized objects using cryo in the...
CVE-2023-44392 Arbitrary code execution vulnerability when using shared Kubernetes cluster
Garden provides automation for Kubernetes development and testing. Prior to versions 0.13.17 and 0.12.65, Garden has a dependency on the cryo library, which is vulnerable to code injection due to an insecure implementation of deserialization. Garden stores serialized objects using cryo in the...
CVE-2023-44392
CVE-2023-44392 affects Garden prior to versions 0.13.17 (Bonsai) and 0.12.65 (Acorn). The vulnerability arises from the cryo library’s insecure deserialization, used by Garden to cache test/run results in Kubernetes ConfigMaps named with prefixes like test-result and run-result stored in either t...