1102 matches found

RedhatCVE
added 2024/01/31 7:26 p.m., 420 views

CVE-2024-1086

A flaw was found in the Netfilter subsystem in the Linux kernel. This issue occurs in the nft_verdict_init function, allowing positive values as a drop error within the hook verdict, therefore, the nf_hook_slow function can cause a double-free vulnerability when NF_DROP is issued with a drop error tha...

7.8 CVSS, 7.7 AI score, 0.85264 EPSS
Exploits 15, References 6
RedhatCVE
added 2024/01/31 7:26 p.m., 49 views

CVE-2024-1085

A double-free flaw was found in how the Linux kernel's NetFilter system marks whether a catch-all element is enabled. A local user could use this flaw to crash the system. Mitigation: 1. This flaw can be mitigated by preventing the affected netfilter nftables kernel module from being loaded. For...

6.6 CVSS, 7.3 AI score, 0.00047 EPSS
Exploits 0, References 5
Github Security Blog
added 2024/01/30 11:40 p.m., 18 views

HashiCorp Vault Improper Privilege Management

HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.3.3 may, under certain circumstances, have existing nested-path policies grant access to Namespaces created after-the-fact. Fixed in 1.3.4...

9.1 CVSS, 6.8 AI score, 0.00368 EPSS
Exploits 0, References 5, Affected Software 1
UbuntuCve
added 2024/01/02 12:0 a.m., 34 views

CVE-2023-7192

A memory leak problem was found in ctnetlink_create_conntrack in net/netfilter/nf_conntrack_netlink.c in the Linux Kernel. This issue may allow a local attacker with CAP_NET_ADMIN privileges to cause a denial of service (DoS) attack due to a refcount overflow...

5.5 CVSS, 6.7 AI score, 0.00023 EPSS
Exploits 0, References 6
OpenVAS
added 2024/01/01 12:0 a.m., 18 views

Fedora: Security Advisory (FEDORA-2023-817ecc703f)

The remote host is missing an update for the...

8.8 CVSS, 8.4 AI score, 0.04171 EPSS
Exploits 0, References 7
RedhatCVE
added 2023/12/30 6:30 p.m., 65 views

CVE-2023-7192

A memory leak problem was found in ctnetlink_create_conntrack in net/netfilter/nf_conntrack_netlink.c in the Linux Kernel. This issue may allow a local attacker with CAP_NET_ADMIN privileges to cause a denial of service (DoS) attack due to a refcount overflow. Mitigation: Triggering this issue requires th...

5.5 CVSS, 5.8 AI score, 0.00023 EPSS
Exploits 0, References 4
Github Security Blog
added 2023/12/19 9:17 p.m., 34 views

containerd allows RAPL to be accessible to a container

/sys/devices/virtual/powercap accessible by default to containers. Intel's RAPL (Running Average Power Limit) feature, introduced by the Sandy Bridge microarchitecture, provides software insights into hardware energy consumption. To facilitate this, Intel introduced the powercap framework in Linux...

5.5 CVSS, 7 AI score, 0.0084 EPSS
Exploits 0, References 4, Affected Software 1
OSV
added 2023/12/19 9:17 p.m., 34 views

GHSA-7WW5-4WQC-M92C containerd allows RAPL to be accessible to a container

/sys/devices/virtual/powercap accessible by default to containers. Intel's RAPL (Running Average Power Limit) feature, introduced by the Sandy Bridge microarchitecture, provides software insights into hardware energy consumption. To facilitate this, Intel introduced the powercap framework in Linux...

5.8 AI score
Exploits 0, References 4
UbuntuCve
added 2023/12/19 2:15 p.m., 38 views

CVE-2023-6932

A use-after-free vulnerability in the Linux kernel's ipv4: igmp component can be exploited to achieve local privilege escalation. A race condition can be exploited to cause a timer to be mistakenly registered on an RCU read-locked object which is freed by another thread. We recommend upgrading past...

7.8 CVSS, 6.6 AI score, 0.00021 EPSS
Exploits 0, References 21
RedhatCVE
added 2023/12/18 8:27 p.m., 105 views

CVE-2023-6817

A use-after-free flaw was found in the Netfilter subsystem in the Linux kernel via the nft_pipapo_walk function. This issue may allow a local user with CAP_NET_ADMIN capability to trigger an application crash, information disclosure, or local privilege escalation. Mitigation: In order to trigger the...

7.8 CVSS, 7.5 AI score, 0.01004 EPSS
Exploits 7, References 4
OSV
added 2023/12/18 2:15 p.m., 0 views

CVE-2023-5056

A flaw was found in the Skupper operator, which may permit a certain configuration to create a service account that would allow an authenticated attacker in the adjacent cluster to view deployments in all namespaces in the cluster. This issue permits unauthorized viewing of information outside of...

4.1 CVSS, 5.5 AI score, 0.0005 EPSS
Exploits 0, References 3
NVD
added 2023/12/18 2:15 p.m., 8 views

CVE-2023-5056

A flaw was found in the Skupper operator, which may permit a certain configuration to create a service account that would allow an authenticated attacker in the adjacent cluster to view deployments in all namespaces in the cluster. This issue permits unauthorized viewing of information outside of...

6.8 CVSS, 0.0005 EPSS
Exploits 0, References 3
Cvelist
added 2023/12/18 1:43 p.m., 14 views

CVE-2023-5056 Skupper-operator: privilege escalation via config map

A flaw was found in the Skupper operator, which may permit a certain configuration to create a service account that would allow an authenticated attacker in the adjacent cluster to view deployments in all namespaces in the cluster. This issue permits unauthorized viewing of information outside of...

6.8 CVSS, 6.4 AI score, 0.0005 EPSS
Exploits 0, References 3
Github Security Blog
added 2023/11/07 9:46 p.m., 34 views

capsule-proxy service discloses Namespaces of colliding tenants to owners of different tenants with the same ServiceAccount name

Summary: A bug in the RoleBinding reflector used by capsule-proxy gives ServiceAccount tenant owners the right to list Namespaces of other tenants backed by the same owner kind and name. Details: - Tenant solar, owned by a ServiceAccount named tenant-owner in the Namespace solar - Tenant wind, owne...

4.3 CVSS, 7.1 AI score, 0.00233 EPSS
Exploits 0, References 5, Affected Software 2
RedHat Linux
added 2023/11/07 8:47 a.m., 1 views

runc: integer overflow in netlink bytemsg length field allows attacker to override netlink-based container configuration

An integer overflow vulnerability was found in runC. This issue occurs due to an incorrect netlink encoder handling the possibility of an integer overflow in the 16-bit length field for the byte array attribute type. This flaw allows an attacker who can include a large enough malicious byte array...

6 CVSS, 6.8 AI score, 0.00115 EPSS
Exploits 1, References 5
Veracode
added 2023/11/07 5:40 a.m., 7 views

Information Disclosure

github.com/clastix/capsule-proxy is vulnerable to Information Disclosure. The vulnerability is present in rolebindings.go which grants ServiceAccount tenant owners the privilege to list namespaces of other tenants that share the same owner kind and name. Consequently, this allows owners of...

4.3 CVSS, 7 AI score, 0.00233 EPSS
Exploits 0, References 2, Affected Software 1
Cvelist
added 2023/11/06 6:34 p.m., 13 views

CVE-2023-46254 Service accounts can see namespaces of other tenants in capsule-proxy

capsule-proxy is a reverse proxy for Capsule kubernetes multi-tenancy framework. A bug in the RoleBinding reflector used by capsule-proxy gives ServiceAccount tenant owners the right to list Namespaces of other tenants backed by the same owner kind and name. For example consider two tenants solar...

4.3 CVSS, 5 AI score, 0.00233 EPSS
Exploits 0, References 2
Tenable Nessus
added 2023/11/06 12:0 a.m., 35 views

Rocky Linux 8 : kernel-rt (RLSA-2022:0176)

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2022:0176 advisory. - A data leak flaw was found in the way XFS_IOC_ALLOCSP IOCTL in the XFS filesystem allowed for size increase of files with unaligned size. A local attack...

8.4 CVSS, 7.3 AI score, 0.018 EPSS
Exploits 11, References 5
OSV
added 2023/10/30 3:25 p.m., 46 views

GHSA-JQ35-85CJ-FJ4P /sys/devices/virtual/powercap accessible by default to containers

Intel's RAPL (Running Average Power Limit) feature, introduced by the Sandy Bridge microarchitecture, provides software insights into hardware energy consumption. To facilitate this, Intel introduced the powercap framework in Linux kernel 3.13, which reads values via relevant MSRs (model specific...

5.8 AI score
Exploits 0, References 8
Fedora
added 2023/10/23 1:25 a.m., 31 views

[SECURITY] Fedora 37 Update: mingw-xerces-c-3.2.4-1.fc37

Xerces-C is a validating XML parser written in a portable subset of C++. Xerces-C makes it easy to give your application the ability to read and write XML data. A shared library is provided for parsing, generating, manipulating, and validating XML documents. Xerces-C is faithful to the XML 1.0...

8.8 CVSS, 6.8 AI score, 0.02007 EPSS
Exploits 0