118 matches found
SUSE-SU-2026:0327-1 Security update for alloy
This update for alloy fixes the following issues: Update to 1.12.2: Security fixes: - CVE-2025-68156: github.com/expr-lang/expr/builtin: Fixed potential DoS via unbounded recursion bsc1255333: - CVE-2025-31133, CVE-2025-52565, CVE-2025-52881: github.com/opencontainers/runc: Fixed container...
Grafana Loki Path Traversal - CVE-2021-36156 Bypass
The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/namespace Thanks to Prasanth Sundararajan for reporting this vulnerability...
PT-2026-21013
Name of the Vulnerable Software and Affected Versions Loki affected versions not specified Description An issue in the log aggregation and storage system exists due to improper restriction of the directory path name. By using double encoding to bypass validation of the namespace parameter for pat...
GHSA-7C64-F9JR-V9H2 vulnerabilities
Vulnerabilities for packages: image-factory-fips, spicedb-operator, knative-serving, rancher-system-upgrade-controller, crossplane-provider-kubernetes-fips, gitlab-cng, quic-go-fips, src-fingerprint, envoy-gateway-fips, pdfcpu, vertical-pod-autoscaler-fips, gobump, rancher-telemetry, nri-couchbas...
CVE-2025-61729 vulnerabilities
Vulnerabilities for packages: image-factory-fips, spicedb-operator, knative-serving, rancher-system-upgrade-controller, crossplane-provider-kubernetes-fips, gitlab-cng, quic-go-fips, src-fingerprint, envoy-gateway-fips, pdfcpu, vertical-pod-autoscaler-fips, gobump, rancher-telemetry, nri-couchbas...
EUVD-2005-1945
Malware in sbrugna...
EUVD-2021-2065
Malware in sbrugna...
Malicious code in @amber-team/create-loki-report (npm)
The package @amber-team/create-loki-report was found to contain malicious code...
MAL-2025-7051 Malicious code in @amber-team/create-loki-report (npm)
The package @amber-team/create-loki-report was found to contain malicious code...
Malicious code in loki-release (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 75940c2d0ed836d2725549e9704eaefe1d989aa5349c7b27fdf2556be16e32a2 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2025-5935 Malicious code in loki-release (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 75940c2d0ed836d2725549e9704eaefe1d989aa5349c7b27fdf2556be16e32a2 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
GHSA-FGQ5-Q76C-GX78 vulnerabilities
Vulnerabilities for packages: nerdctl, src, aws-load-balancer-controller, aws-flb-kinesis, s5cmd, task, runc, kubernetes-dashboard-metrics-scraper, scorecard, crossplane, nri-discovery-kubernetes, secrets-store-csi-driver-provider-azure, dex, kind, helm-operator, prometheus-blackbox-exporter,...
Loki: a new private agent for the popular Mythic framework
In July 2024, we discovered the previously unknown Loki backdoor, which was used in a series of targeted attacks. By analyzing the malicious file and open sources, we determined that Loki is a private version of an agent for the open-source Mythic framework. One of the agent's decrypted strings O...
CVE-2024-35255 vulnerabilities
Vulnerabilities for packages: trivy, goreleaser, flux-source-controller, datadog-agent, rook, cluster-autoscaler, falcoctl, flyte, kubescape, rekor, k8sgpt, ksops, py3-cassandra-medusa, cosign, bank-vaults, secrets-store-csi-driver-provider-azure, tekton-chains, guac, terragrunt, sqlpad,...
CVE-2024-24789 vulnerabilities
Vulnerabilities for packages: kubevela, kyverno-policy-reporter, falcosidekick, mage, neuvector-scanner, src-fingerprint, gobump, cluster-proportional-autoscaler, grpcurl, nri-couchbase, hubble-ui-backend-fips, actions-runner-controller-fips, xcaddy, flannel-cni-plugin, nats-server, ollama,...
GHSA-XW73-RW38-6VJC vulnerabilities
Vulnerabilities for packages: kubevela, cadvisor-fips, skaffold, kpt, aactl, cadvisor, loki, flux-helm-controller, k3d, cert-manager-fips, kots, pulumi, cert-manager, scorecard, dagger, trivy, falcoctl, helm-fips, k9s, docker-machine-driver-harvester, eksctl, falcoctl-fips, falco, k8sgpt, kargo,...
CVE-2024-24557 vulnerabilities
Vulnerabilities for packages: kubevela, cadvisor-fips, skaffold, kpt, aactl, cadvisor, loki, flux-helm-controller, k3d, cert-manager-fips, kots, pulumi, cert-manager, scorecard, dagger, trivy, falcoctl, helm-fips, k9s, docker-machine-driver-harvester, eksctl, falcoctl-fips, falco, k8sgpt, kargo,...
CVE-2023-36649
Insertion of sensitive information in the centralized Grafana logging system in ProLion CryptoSpike 3.0.15P2 allows remote attackers to impersonate other users in web management and the REST API by reading JWT tokens from logs as a Granafa authenticated user or from the Loki REST API without...
CVE-2023-36649
Insertion of sensitive information in the centralized Grafana logging system in ProLion CryptoSpike 3.0.15P2 allows remote attackers to impersonate other users in web management and the REST API by reading JWT tokens from logs as a Granafa authenticated user or from the Loki REST API without...
CVE-2023-36649
Insertion of sensitive information in the centralized Grafana logging system in ProLion CryptoSpike 3.0.15P2 allows remote attackers to impersonate other users in web management and the REST API by reading JWT tokens from logs as a Granafa authenticated user or from the Loki REST API without...