CVE-2024-52003 X-Forwarded-Prefix Header still allows for Open Redirect in traefik
Traefik (pronounced "traffic") is an HTTP reverse proxy and load balancer. There is a vulnerability in Traefik that allows the client to provide the X-Forwarded-Prefix header from an untrusted source. This issue has been addressed in versions 2.11.14 and 3.2.1. Users are advised to upgrade. There are...
CVE-2024-52003
CVE-2024-52003 – Traefik : Traefik versions 2.11.14 and 3.2.1 fix a vulnerability where an attacker can inject the untrusted X-Forwarded-Prefix header. The issue, as described, arises from the header handling by the HTTP reverse proxy/load balancer, enabling an external source to influence reques...
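The two Traefik entries above describe the same class of bug: a proxy that honours X-Forwarded-Prefix from any peer lets the client steer the prefix used when redirects are built. The example below is added here and is not Traefik's code; it models the fix in plain Python with a hypothetical trusted-proxy list and an assumed redirect builder, so that the untrusted-peer and absolute-URL cases can be checked offline.

```python
"""Added example (not Traefik's code): only trust X-Forwarded-* from known proxies,
and never let a "prefix" carry a scheme or authority into a redirect."""
import ipaddress
from typing import Dict, Iterable

# Headers that carry forwarding metadata; accept them only from trusted peers.
# (Assumed list for the example.)
FORWARDED_HEADERS = ("x-forwarded-prefix", "x-forwarded-host", "x-forwarded-proto",
                     "x-forwarded-for", "x-forwarded-port")


def sanitize_forwarded_headers(headers: Dict[str, str], peer_ip: str,
                               trusted: Iterable[str]) -> Dict[str, str]:
    """Return a copy of headers with X-Forwarded-* removed unless peer_ip is in trusted."""
    peer = ipaddress.ip_address(peer_ip)
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted]
    is_trusted = any(peer in net for net in nets)
    cleaned = {}
    for name, value in headers.items():
        if name.lower() in FORWARDED_HEADERS and not is_trusted:
            continue  # drop: an untrusted client may not set forwarding metadata
        cleaned[name] = value
    return cleaned


def normalize_prefix(value: str) -> str:
    """Accept only a path prefix: a single leading '/', no '//' (protocol-relative
    URL), no backslashes. Anything else is discarded."""
    if not value.startswith("/") or value.startswith("//") or "\\" in value:
        return ""
    return value.rstrip("/")


def naive_redirect(headers: Dict[str, str], path: str) -> str:
    """The vulnerable shape (assumed logic): paste the header in verbatim."""
    return headers.get("X-Forwarded-Prefix", "") + path


def safe_redirect(headers: Dict[str, str], peer_ip: str,
                  trusted: Iterable[str], path: str) -> str:
    """Hardened: strip headers from untrusted peers, then validate the prefix."""
    cleaned = sanitize_forwarded_headers(headers, peer_ip, trusted)
    return normalize_prefix(cleaned.get("X-Forwarded-Prefix", "")) + path


if __name__ == "__main__":
    # Constructed request from an Internet client, not from the trusted proxy tier.
    hdrs = {"X-Forwarded-Prefix": "https://evil.example", "Host": "app.example"}
    print(naive_redirect(hdrs, "/login"))                              # open redirect
    print(safe_redirect(hdrs, "203.0.113.9", ["10.0.0.0/8"], "/login"))  # stays on-site
```

Even a trusted proxy should only be allowed to hand over a path-shaped prefix; the `normalize_prefix` check matters regardless of the peer list, because a misconfigured upstream hop can forward a client-supplied value.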
RHEL 8 : haproxy (RHSA-2024:9945)
The remote Red Hat Enterprise Linux 8 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2024:9945 advisory. The haproxy packages provide a reliable, high-performance network load balancer for TCP and HTTP-based applications. Security Fixes: haproxy: untrimm...
CVE-2024-52307
CVE-2024-52307 affects the open-source identity provider authentik. A non-constant-time comparison on the "/-/metrics/" endpoint enables brute-forcing the SECRET_KEY used to authenticate that endpoint. The metrics endpoint serves Prometheus data and is not intended for public acce...
CVE-2024-52307 authentik allows a timing attack due to missing constant time comparison for metrics view
authentik is an open-source identity provider. Due to the usage of a non-constant-time comparison for the /-/metrics/ endpoint, it was possible to brute-force the SECRET_KEY, which is used to authenticate the endpoint. The /-/metrics/ endpoint returns Prometheus metrics and is not intended to be...
Moderate: Red Hat Security Advisory: haproxy security update
An update for haproxy is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for...
RHEL 8 : haproxy (RHSA-2024:8874)
The remote Red Hat Enterprise Linux 8 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2024:8874 advisory. The haproxy packages provide a reliable, high-performance network load balancer for TCP and HTTP-based applications. Security Fixes: haproxy: untrimm...
Moderate: Red Hat Security Advisory: haproxy security update
An update for haproxy is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Red Hat Product Security has rated this update as...
kernel: gso: do not skip outer ip header in case of ipip and net_failover
In the Linux kernel, the following vulnerability has been resolved: gso: do not skip outer ip header in case of ipip and net_failover. We encountered a TCP drop issue in our cloud environment. A packet GROed in the host is forwarded to a VM virtio_net NIC with net_failover enabled. The VM acts as an IPVS LB with ipip...
Moderate: haproxy security update
The haproxy packages provide a reliable, high-performance network load balancer for TCP and HTTP-based applications. Security Fixes: haproxy: untrimmed URI fragments may lead to exposure of confidential data on static servers (CVE-2023-45539). For more details about the security issues, including th...
GO-2024-3212 AWS Load Balancer Controller automatically detaches externally associated web ACL from Application Load Balancers in sigs.k8s.io/aws-load-balancer-controller
AWS Load Balancer Controller automatically detaches externally associated web ACL from Application Load Balancers in sigs.k8s.io/aws-load-balancer-controller. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module...
GHSA-RJFV-PJVX-MJGV AWS Load Balancer Controller automatically detaches externally associated web ACL from Application Load Balancers
Summary: The AWS Load Balancer Controller includes an optional, default-enabled feature that manages WAF WebACLs on Application Load Balancers (ALBs) on your behalf. In versions 2.8.1 and earlier, if the WebACL annotation alb.ingress.kubernetes.io/wafv2-acl-arn or...
CVE-2024-10125
The Amazon.ApplicationLoadBalancer.Identity.AspNetCore repo https://github.com/awslabs/aws-alb-identity-aspnetcorevalidatetokensignature contains Middleware that can be used in conjunction with the Application Load Balancer (ALB) OpenId Connect integration and can be used in any ASP.NET...
CVE-2024-10125
CVE-2024-10125 concerns the Amazon.ApplicationLoadBalancer.Identity.AspNetCore middleware used with ALB OpenID Connect in ASP.NET Core deployments. The root cause is that JWT handling performs signature validation but fails to validate the JWT issuer and signer identity, enabling a signed token f...
Amazon.ApplicationLoadBalancer.Identity.AspNetCore Security Vulnerability
Amazon.ApplicationLoadBalancer.Identity.AspNetCore is an open-source ASP.NET Core middleware library from Amazon Web Services for the ALB OpenID Connect integration. A security vulnerability exists in Amazon.ApplicationLoadBalancer.Identity.AspNetCore that stems from a failure to verify the identity of the JWT issuer and signer in the JWT processing...
AWS ALB Route Directive Adapter For Istio Security Vulnerability
AWS ALB Route Directive Adapter For Istio is an open-source adapter from Amazon Web Services that applies ALB route directives to Istio. A security vulnerability exists in AWS ALB Route Directive Adapter For Istio v1.0 and v1.1 that stems from the use of a JWT for authentication that lacks proper signer and...
PT-2024-39308 · Amazon · AWS ALB Route Directive Adapter For Istio
Name of the Vulnerable Software and Affected Versions: AWS ALB Route Directive Adapter For Istio affected versions not specified Description: The issue concerns a lack of proper signer and issuer validation in the JWT authentication mechanism used by the AWS ALB Route Directive Adapter For Istio...
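The CVE-2024-10125 entries and the two Istio adapter entries above share one root cause: the JWT's signature is verified, but nobody checks which load balancer signed it or which identity provider issued it, so a token signed by a different (attacker-controlled) ALB whose key is also resolvable passes. The following is an added example, not the AWS middleware's or adapter's code. It uses HMAC as a stand-in for ALB's ES256 signature so it runs offline, and a static key table keyed by `kid` in place of the per-region public-key endpoint; the header field `signer` (ALB ARN) and the `iss` claim are my understanding of the ALB token layout and should be checked against the AWS documentation before reuse.

```python
"""Added example (not AWS code): JWT verification that pins the signer and issuer
rather than trusting any key the 'kid' header happens to resolve to."""
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

# Constructed key table standing in for the ALB public-key endpoint. Real ALB
# tokens are ES256-signed; HMAC keys are used here so the example is self-contained.
KEYS: Dict[str, bytes] = {
    "kid-alb-mine": b"constructed-key-for-my-alb",
    "kid-alb-theirs": b"constructed-key-for-attacker-alb",
}
ALG = "HS256"  # stand-in for "ES256"

# Constructed identifiers (assumed shapes).
MY_ALB = "arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/app/mine/0123456789abcdef"
ATTACKER_ALB = "arn:aws:elasticloadbalancing:us-east-1:222222222222:loadbalancer/app/theirs/fedcba9876543210"
MY_ISSUER = "https://idp.example"
NOW = 1_700_000_000  # fixed clock so the example is deterministic


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(header: dict, claims: dict, key: bytes) -> str:
    """Create a signed token the way a load balancer would (stand-in signature)."""
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"


def verify_signature_only(token: str) -> Optional[dict]:
    """The vulnerable shape: look up the key by kid, check the signature, done.
    Any ALB whose key is resolvable can mint an accepted token."""
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    key = KEYS.get(header.get("kid"))
    if key is None or header.get("alg") != ALG:
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    return json.loads(_b64url_decode(p))


def verify_token(token: str, expected_signer: str, expected_issuer: str,
                 now: int = NOW) -> Optional[dict]:
    """Hardened: pin the signer in the header and the issuer in the claims,
    and reject expired tokens, on top of the signature check."""
    header = json.loads(_b64url_decode(token.split(".")[0]))
    if header.get("signer") != expected_signer:
        return None  # signed by some other load balancer
    claims = verify_signature_only(token)
    if claims is None or claims.get("iss") != expected_issuer:
        return None  # wrong identity provider
    if int(claims.get("exp", 0)) <= now:
        return None
    return claims


def demo_tokens() -> Tuple[str, str]:
    """Return (token from my ALB, token from an attacker's ALB), both validly signed."""
    good = mint_token({"alg": ALG, "kid": "kid-alb-mine", "signer": MY_ALB},
                      {"sub": "alice", "iss": MY_ISSUER, "exp": NOW + 600},
                      KEYS["kid-alb-mine"])
    bad = mint_token({"alg": ALG, "kid": "kid-alb-theirs", "signer": ATTACKER_ALB},
                     {"sub": "admin", "iss": "https://attacker.example", "exp": NOW + 600},
                     KEYS["kid-alb-theirs"])
    return good, bad


if __name__ == "__main__":
    good, bad = demo_tokens()
    print("signature-only accepts attacker token:", verify_signature_only(bad) is not None)
    print("pinned verify accepts attacker token:", verify_token(bad, MY_ALB, MY_ISSUER) is not None)
```

The signer check runs before the key lookup on purpose: a token from an unexpected ALB is rejected without fetching anything, which also stops the `kid` value from being used to drive arbitrary key-endpoint requests.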
Allow HTTP Strict Transport Security (HSTS) to be configured in Bamboo 10
Issue Summary: This is reproducible on Data Center. Up until Bamboo 9.6, HTTP Strict Transport Security (https://tools.ietf.org/html/rfc6797) was configurable in Bamboo by following the steps outlined in this KB article: How do I enable HSTS and other HTTP Security Headers in Bamboo Data...