Lucene search
K

148 matches found

OSV
OSV
added 2022/05/16 6:13 p.m.33 views

GHSA-VVMQ-FWMG-2GJC Improper kubeconfig validation allows arbitrary code execution

Flux2 can reconcile the state of a remote cluster when provided with a kubeconfig with the correct access rights. Kubeconfig files can define commands to be executed to generate on-demand authentication tokens. A malicious user with write access to a Flux source or direct access to the target...

9.9CVSS10AI score0.01044EPSS
Exploits0References3
NVD
NVD
added 2022/05/06 1:15 a.m.27 views

CVE-2022-24877

Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious kustomization.yaml allows an attacker to expose sensitive data from the controller’s pod filesystem and possibly privilege escalation in multi-tenancy deployments...

9.9CVSS0.01108EPSS
Exploits0References1
Prion
Prion
added 2022/05/06 1:15 a.m.10 views

Path traversal

Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious kustomization.yaml allows an attacker to expose sensitive data from the controller’s pod filesystem and possibly privilege escalation in multi-tenancy deployments...

6.5CVSS8.6AI score0.01108EPSS
Exploits0References1Affected Software2
Prion
Prion
added 2022/05/06 12:15 a.m.10 views

Code injection

Flux2 is an open and extensible continuous delivery solution for Kubernetes. Flux2 versions between 0.1.0 and 0.29.0, helm-controller 0.1.0 to v0.19.0, and kustomize-controller 0.1.0 to v0.23.0 are vulnerable to Code Injection via malicious Kubeconfig. In multi-tenancy deployments this can also...

6.5CVSS9.6AI score0.01044EPSS
Exploits0References1Affected Software3
Github Security Blog
Github Security Blog
added 2022/05/04 6:4 p.m.29 views

Improper path handling in kustomization files allows path traversal

The kustomize-controller enables the use of Kustomize’s functionality when applying Kubernetes declarative state onto a cluster. A malicious user can use built-in features and a specially crafted kustomization.yaml to expose sensitive data from the controller’s pod filesystem. In multi-tenancy...

9.9CVSS0.1AI score0.01108EPSS
Exploits0References5Affected Software2
CVE
CVE
added 2022/02/22 7:55 p.m.734 views

CVE-2022-23652

Capsule-proxy (the reverse proxy for Capsule Operator) is affected. In versions prior to 0.2.1, an attacker with proper authentication can send a malicious Connection header to escalate privileges toward the Kubernetes API Server, exploiting the cluster-admin role bound to capsule-proxy. Multiple...

8.8CVSS8.8AI score0.01375EPSS
Exploits1References3Affected Software1
CNVD
CNVD
added 2022/02/10 12:0 a.m.17 views

Apache Pulsar Input Validation Error Vulnerability

Apache Pulsar is the United States Apache Apache Foundation for cloud environments, set of messages, storage, lightweight functional computing as one of the distributed message flow platform. The software supports multi-tenant, persistent storage, multi-machine room cross-region data replication,...

6.5CVSS6.3AI score0.01775EPSS
Exploits1References1
OSV
OSV
added 2022/02/08 5:23 p.m.239 views

GHSA-G6W6-R76C-28J7 Incorrect Authorization in NATS nats-server

This advisory is canonically Problem Description NATS nats-server through 2022-02-04 has Incorrect Access Control, with unchecked ability for clients to authorize into any account, because of a coding error in a long-extant experimental feature. A client crafting the initial protocol-level...

8.8CVSS8.7AI score0.01305EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2022/02/08 5:23 p.m.26 views

Incorrect Authorization in NATS nats-server

This advisory is canonically Problem Description NATS nats-server through 2022-02-04 has Incorrect Access Control, with unchecked ability for clients to authorize into any account, because of a coding error in a long-extant experimental feature. A client crafting the initial protocol-level...

9CVSS1.1AI score0.01305EPSS
Exploits0References5Affected Software2
Github Security Blog
Github Security Blog
added 2021/11/15 5:35 p.m.27 views

Privilege escalation to cluster admin on multi-tenant environments

Users that can create Kubernetes Secrets, Service Accounts and Flux Kustomization objects, could execute commands inside the kustomize-controller container by embedding a shell script in a Kubernetes Secret. This can be used to run kubectl commands under the Service Account of kustomize-controlle...

9CVSS1.9AI score0.01766EPSS
Exploits1References3Affected Software1
NVD
NVD
added 2021/08/25 2:15 a.m.18 views

CVE-2021-40088

An issue was discovered in PrimeKey EJBCA before 7.6.0. CMP RA Mode can be configured to use a known client certificate to authenticate enrolling clients. The same RA client certificate is used for revocation requests as well. While enrollment enforces multi tenancy constraints by verifying that...

5.4CVSS0.0036EPSS
Exploits0References1
Prion
Prion
added 2021/08/25 2:15 a.m.13 views

Code injection

An issue was discovered in PrimeKey EJBCA before 7.6.0. CMP RA Mode can be configured to use a known client certificate to authenticate enrolling clients. The same RA client certificate is used for revocation requests as well. While enrollment enforces multi tenancy constraints by verifying that...

4.9CVSS5.5AI score0.0036EPSS
Exploits0References1Affected Software1
CVE
CVE
added 2021/08/25 1:24 a.m.57 views

CVE-2021-40088

PrimeKey EJBCA CMP RA Mode (versions prior to 7.6.0) can be configured to authenticate enrollments with a known client certificate, and the same certificate is used for revocation requests. The multi-tenancy access check applied during enrollment is not performed during revocation authentication,...

5.4CVSS5.4AI score0.0036EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2021/08/25 1:24 a.m.29 views

CVE-2021-40088

An issue was discovered in PrimeKey EJBCA before 7.6.0. CMP RA Mode can be configured to use a known client certificate to authenticate enrolling clients. The same RA client certificate is used for revocation requests as well. While enrollment enforces multi tenancy constraints by verifying that...

5.7AI score0.0036EPSS
Exploits0References1
NVD
NVD
added 2021/08/13 4:15 p.m.23 views

CVE-2021-29880

IBM QRadar SIEM 7.4.3 GA - 7.4.3 Fix Pack 1 when using domains or multi-tenancy could be vulnerable to information disclosure between tenants by routing SIEM data to the incorrect domain. IBM X-Force ID: 206979...

6.5CVSS0.00852EPSS
Exploits0References2
OSV
OSV
added 2021/08/13 4:15 p.m.4 views

CVE-2021-29880

IBM QRadar SIEM 7.4.3 GA - 7.4.3 Fix Pack 1 when using domains or multi-tenancy could be vulnerable to information disclosure between tenants by routing SIEM data to the incorrect domain. IBM X-Force ID: 206979...

6.5CVSS5.8AI score0.00852EPSS
Exploits0References2
Prion
Prion
added 2021/08/13 4:15 p.m.18 views

Information disclosure

IBM QRadar SIEM 7.4.3 GA - 7.4.3 Fix Pack 1 when using domains or multi-tenancy could be vulnerable to information disclosure between tenants by routing SIEM data to the incorrect domain. IBM X-Force ID: 206979...

4CVSS6AI score0.00852EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2021/08/13 3:50 p.m.67 views

CVE-2021-29880

Summary: CVE-2021-29880 affects IBM QRadar SIEM 7.4.3 GA to 7.4.3 Fix Pack 1 in multi-domain/multi-tenant deployments. The vulnerability allows inter-tenant information disclosure by routing SIEM data to the wrong domain. The issue is documented with a CVSS base score of 5.3 (3.0 vector = CVSS:3....

6.5CVSS6AI score0.00852EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2021/08/13 3:50 p.m.22 views

CVE-2021-29880

IBM QRadar SIEM 7.4.3 GA - 7.4.3 Fix Pack 1 when using domains or multi-tenancy could be vulnerable to information disclosure between tenants by routing SIEM data to the incorrect domain. IBM X-Force ID: 206979...

5.3CVSS6.1AI score0.00852EPSS
Exploits0References2
The Hacker News
The Hacker News
added 2021/02/16 12:33 p.m.5 views

Managed Service Provider? Watch This Video to Learn about Autonomous XDR

As managed security service providers, you're always on the lookout for new platforms. One that can generate further business, enables you to scale easily without investing in more human resources and provides that value immediately. In the meanwhile, your clients are constantly demanding more...

5.8AI score
Exploits0
Rows per page
Query Builder