
119 matches found

OSV
added 2025/10/17 12:0 a.m., 3 views

DSA-6028-1 lxd - security update

Bulletin has no description...

CVSS 8.8, AI score 7, EPSS 0.00525
Exploits: 4
RedhatCVE
added 2025/10/06 5:13 p.m., 2 views

CVE-2025-54287

Template Injection in instance snapshot creation component in Canonical LXD = 4.0 allows an attacker with instance configuration permissions to read arbitrary files on the host system via specially crafted snapshot pattern templates using the Pongo2 template engine...

CVSS 7.1, AI score 6.8, EPSS 0.00334
Exploits: 1, References: 1
RedhatCVE
added 2025/10/06 5:13 p.m., 4 views

CVE-2025-54288

Information Spoofing in devLXD Server in Canonical LXD versions 4.0 and above on Linux container platforms allows attackers with root privileges within any container to impersonate other containers and obtain their metadata, configuration, and device information via spoofed process names in the...

CVSS 5.1, AI score 6.5, EPSS 0.00319
Exploits: 1, References: 1
EUVD
added 2025/10/03 8:7 p.m., 3 views

EUVD-2025-32103

Malicious code in bioql PyPI...

CVSS 7.1, AI score 6.3, EPSS 0.00525
Exploits: 1, References: 3
EUVD
added 2025/10/03 8:7 p.m., 3 views

EUVD-2025-32098

Malicious code in bioql PyPI...

CVSS 7.1, AI score 6.4, EPSS 0.00334
Exploits: 1, References: 2
EUVD
added 2025/10/03 8:7 p.m., 1 view

EUVD-2022-1023

Malicious code in bioql PyPI...

CVSS 7.4, AI score 6.2, EPSS 0.01777
Exploits: 1, References: 5
EUVD
added 2025/10/03 8:7 p.m., 4 views

EUVD-2022-0920

Malicious code in bioql PyPI...

CVSS 7.5, AI score 6.7, EPSS 0.00986
Exploits: 0, References: 7
SUSE CVE
added 2025/10/02 11:23 p.m., 2 views

SUSE CVE-2025-54287

Template Injection in instance snapshot creation component in Canonical LXD = 4.0 allows an attacker with instance configuration permissions to read arbitrary files on the host system via specially crafted snapshot pattern templates using the Pongo2 template engine...

CVSS 6.5, AI score 7.2, EPSS 0.00334
Exploits: 1, References: 3
Vulnrichment
added 2025/10/02 10:43 a.m., 2 views

CVE-2025-54293 Path Traversal in LXD Instance Log File Retrieval

Path Traversal in the log file retrieval function in Canonical LXD 5.0 LTS on Linux allows authenticated remote attackers to read arbitrary files on the host system via crafted log file names or symbolic links...

CVSS 7.1, AI score 6.4, EPSS 0.00525
Exploits: 1, References: 1
NVD
added 2025/10/02 10:15 a.m., 3 views

CVE-2025-54289

Privilege Escalation in operations API in Canonical LXD 6.5 on multiple platforms allows attacker with read permissions to hijack terminal or console sessions and execute arbitrary commands via WebSocket connection hijacking format...

CVSS 8.1, EPSS 0.00189
Exploits: 1, References: 1
OSV
added 2025/10/02 10:15 a.m., 3 views

DEBIAN-CVE-2025-54288

Information Spoofing in devLXD Server in Canonical LXD versions 4.0 and above on Linux container platforms allows attackers with root privileges within any container to impersonate other containers and obtain their metadata, configuration, and device information via spoofed process names in the...

CVSS 6.8, AI score 5.3, EPSS 0.00319
Exploits: 1, References: 1
OSV
added 2025/10/02 10:15 a.m., 1 view

UBUNTU-CVE-2025-54287

Template Injection in instance snapshot creation component in Canonical LXD = 4.0 allows an attacker with instance configuration permissions to read arbitrary files on the host system via specially crafted snapshot pattern templates using the Pongo2 template engine...

CVSS 7.1, AI score 5.9, EPSS 0.00334
Exploits: 1, References: 3
CVE
added 2025/10/02 9:20 a.m., 15 views

CVE-2025-54288

CVE-2025-54288 affects Canonical LXD devLXD server on Linux container platforms. The issue arises from a vulnerability in how the devLXD code identifies containers via process cmdline information, allowing attackers with root privileges inside one container to impersonate other containers and rea...

CVSS 6.8, AI score 6.4, EPSS 0.00319
Exploits: 1, References: 1, Affected Software: 1
Debian CVE
added 2025/10/02 9:20 a.m., 7 views

CVE-2025-54288

Information Spoofing in devLXD Server in Canonical LXD versions 4.0 and above on Linux container platforms allows attackers with root privileges within any container to impersonate other containers and obtain their metadata, configuration, and device information via spoofed process names in the...

CVSS 6.8, AI score 5.2, EPSS 0.00319
Exploits: 1
CNNVD
added 2025/10/02 12:0 a.m., 6 views

LXD security vulnerability

LXD is a Canonical open source container for managing applications on Linux-based systems. A security vulnerability exists in LXD 4.0 and later versions, which stems from information spoofing in the devLXD server that could lead to container impersonation and information disclosure...

CVSS 6.8, AI score 6.1, EPSS 0.00319
Exploits: 1, References: 2
Positive Technologies
added 2025/10/02 12:0 a.m., 4 views

PT-2025-40326

Name of the Vulnerable Software and Affected Versions: Canonical LXD versions 5.0 and later. Description: A Cross-Site Request Forgery (CSRF) issue exists in LXD-UI. This allows an attacker to create and start container instances without user consent by submitting crafted HTML forms that exploit clien...

CVSS 8.8, AI score 6.3, EPSS 0.00525
Exploits: 7, References: 38
Positive Technologies
added 2025/10/02 12:0 a.m., 3 views

PT-2025-40340

Name of the Vulnerable Software and Affected Versions: Canonical LXD version 5.0 LTS. Description: An issue exists in the log file retrieval function that allows authenticated remote attackers to read arbitrary files on the host system. This occurs through crafted log file names or symbolic links. T...

CVSS 8.8, AI score 6.4, EPSS 0.00525
Exploits: 7, References: 35
CNNVD
added 2025/08/20 12:0 a.m., 5 views

Docker Desktop security vulnerability

Docker Desktop is a desktop software for lightweight deployment of applications based on container technology from Docker Inc. in the United States. The product provides a desktop environment that supports creating a container lightweight virtual machine and deploying and running applications on...

CVSS 9.3, AI score 6.9, EPSS 0.01594
Exploits: 15, References: 6
RedhatCVE
added 2025/05/22 6:19 p.m., 6 views

CVE-2021-21432

Vela is a Pipeline Automation CI/CD framework built on Linux container technology written in Golang. An authentication mechanism added in version 0.7.0 enables some malicious user to obtain secrets utilizing the injected credentials within the /.netrc file. Refer to the referenced GitHub Security...

CVSS 7.5, AI score 6.8, EPSS 0.00986
Exploits: 0, References: 1
RedhatCVE
added 2025/03/15 3:29 a.m., 9 views

CVE-2025-27616

Vela is a Pipeline Automation CI/CD framework built on Linux container technology written in Golang. Prior to versions 0.25.3 and 0.26.3, by spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its repo level secrets to ...

CVSS 8.5, AI score 6.5, EPSS 0.00246
Exploits: 0, References: 1