CVE-2022-41918
OpenSearch has a vulnerability where fine-grained access controls (document-level security, field-level security, and field masking) are not correctly applied to the indices backing data streams, potentially allowing incorrect access authorization. The issue affects OpenSearch prior to the patche...
CVE-2022-41918
OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. There is an issue with the implementation of fine-grained access control rules document-level security, field-level security and field masking where they are not correctly applied to the indices that back data streams...
SUSE-SU-2022:3495-1 Security update for libgit2
This update for libgit2 fixes the following issues: - Fixed DoS by OOB write in a constructed commit object with a very large number of parents bsc#1158981. - CVE-2019-1352: Fixed git on Windows being unaware of NTFS Alternate Data Streams bnc#1158790. - CVE-2022-24765: Fixed potential command...
CVE-2022-38176
An issue was discovered in YSoft SAFEQ 6 before 6.0.72. Incorrect privileges were configured as part of the installer package for the Client V3 services, allowing for local user privilege escalation by overwriting the executable file via an alternative data stream. NOTE: this is not the same as...
YSoft SAFEQ 6 Security Vulnerability
YSoft SAFEQ 6 is an Enterprise Print Management Suite solution platform from YSoft Czech Republic. A security vulnerability exists in YSoft SAFEQ 6 versions prior to 6.0.72, which stems from incorrect permissions being configured as part of the installer package for the Client V3 service, and can...
[SECURITY] Fedora 34 Update: protobuf-3.14.0-7.fc34
Protocol Buffers are a way of encoding structured data in an efficient yet extensible format. Google uses Protocol Buffers for almost all of its internal RPC protocols and file formats. Protocol buffers are a flexible, efficient, automated mechanism for serializing structured data...
[SECURITY] Fedora 35 Update: protobuf-3.14.0-7.fc35
Protocol Buffers are a way of encoding structured data in an efficient yet extensible format. Google uses Protocol Buffers for almost all of its internal RPC protocols and file formats. Protocol buffers are a flexible, efficient, automated mechanism for serializing structured data...
InsightCloudSec Supports 12 New AWS Services Announced at re:Invent
In case you didn’t hear, Amazon hosted AWS re:Invent in Las Vegas last week. As has come to be expected at the annual mega-event, Amazon made a number of huge announcements and launched a significant number of improvements and brand-new services and settings to enhance their public cloud platform...
A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host
Impact The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security...
OESA-2021-1282 libgit2 security update
libgit2 is a portable, pure C implementation of the Git core methods provided as a re-entrant linkable library with a solid API, allowing you to write native speed custom Git applications in any language which supports C bindings. Security Fixes: An issue was discovered in libgit2 before 0.28.4 a...
GHSA-HVV8-336G-RX3M A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host
Impact The processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a...
Server-Side Request Forgery (SSRF)
xstream is vulnerable to Server-Side Request Forgery. The processed stream at unmarshalling time contains information to recreate the formerly written objects, allowing an attacker to manipulate data streams referencing a resource in an intranet or the local host...
CentOS 8 : git (CESA-2019:4356)
The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2019:4356 advisory. - git: Arbitrary path overwriting via export-marks in-stream command feature CVE-2019-1348 - git: Recursive submodule cloning allows using git director...
Security Bulletin: Node.js module upgrade for IBM Cloud Pak for Data Streams Flows
Summary A Node.js module has released an update that addresses a security issue. It is recommended to upgrade the module. Vulnerability Details Third Party Entry: 183560 DESCRIPTION: Node.js lodash module denial of service CVSS Base score: 7.5 CVSS Temporal Score: See:...
Security Bulletin: Node.js upgrade for IBM Cloud Pak for Data Streams Flows
Summary Node.js has released a security update that addresses several issues. It is recommended to upgrade the Node.js runtime. Vulnerability Details CVEID: CVE-2020-8201 DESCRIPTION: Node.js is vulnerable to HTTP request smuggling, caused by CR-to-Hyphen conversion. By sending specially crafted...
Security Bulletin: Node.js upgrade for IBM Cloud Pak for Data Streams Flows
Summary Node.js has released a security update that addresses several issues. It is recommended to upgrade the Node.js runtime. Vulnerability Details CVEID: CVE-2020-8237 DESCRIPTION: Node.js json-bigint module is vulnerable to a denial of service, caused by a prototype pollution flaw. By adding...
Security Bulletin: The web server or application server is configured in an insecure way in IBM Cloud Pak for Data Streams
Summary We have detected a low severity issue where our web server or application server is configured in an insecure way in IBM Cloud Pak for Data Streams. This is an internal-only feature to which users have no access, but we have decided to address it. Vulnerability Details Third Party Entr...
Security Bulletin: Lucky 13 Attack Vulnerability in IBM Cloud Pak for Data Streams
Summary The Lucky Thirteen attack is a cryptographic timing attack against implementations of the Transport Layer Security (TLS) protocol that use the CBC mode of operation. An attacker could perform man-in-the-middle attacks to successfully obtain plaintext from the secure channel. Vulnerabili...
Security Bulletin: TLS Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam) vulnerability in IBM Cloud Pak for Data Streams
Summary The Transport Layer Security (TLS) protocol contains a flaw that is triggered when handling Diffie-Hellman key exchanges defined with the DHE_EXPORT cipher. A man-in-the-middle attacker may be able to downgrade the session to use EXPORT DHE cipher suites. Thus, it is recommended to remove...