607 matches found
CVE-2024-24830
CVE-2024-24830 affects OpenObserve. The vulnerability lies in the "/api/{org_id}/users" endpoint, where the payload allows an authenticated regular user (member) to create new users with elevated privileges, including the root role. The root cause is that the user creation process does not valida...
CVE-2024-25106
OpenObserve CVE-2024-25106 affects OpenObserve versions prior to 0.8.0. The issue is an Authorization flaw in the remove_user_from_org flow exposed at /api/{org_id}/users/{email_id}, allowing any authenticated organizational member to remove any other member (including Admin/Root), due to insuffi...
Security Bulletin: IBM Observability with Instana is affected by Multiple Security Vulnerabilities
Summary Multiple vulnerabilities were remediated in IBM Observability with Instana build 265. Vulnerability Details CVEID:CVE-2023-20861 DESCRIPTION: VMware Tanzu Spring Framework is vulnerable to a denial of service. By sending a specially crafted SpEL expression, a remote attacker could exploit...
Security Bulletin: IBM Instana Observability is affected by Vulnerabilities in Apache RocketMQ
Summary Vulnerabilities in Apache RocketMQ were remediated in IBM Observability with Instana build 255. Vulnerability Details CVEID:CVE-2023-33246 DESCRIPTION: Apache RocketMQ could allow a remote attacker to execute arbitrary commands on the system, caused by a flaw when using the update...
Security Bulletin: IBM Observability with Instana is affected by Multiple Security Vulnerabilities
Summary Multiple vulnerabilities were addressed in IBM Observability with Instana in build 261 Vulnerability Details CVEID:CVE-2022-41881 DESCRIPTION: Netty is vulnerable to a denial of service, caused by a StackOverflowError in HAProxyMessageDecoder. By sending a specially-crafted message, a...
Security Bulletin: IBM Observability with Instana is affected by multiple vulnerabilities
Summary Multiple vulnerabilities were addressed in IBM Observability with Instana: CVE-2023-43646, CVE-2023-2454, CVE-2022-31197, CVE-2023-39533, CVE-2021-20218 Vulnerability Details CVEID:CVE-2023-43646 DESCRIPTION: Chai.js Assertion Library get-func-name is vulnerable to a denial of service,...
Security Bulletin: IBM Instana Observability is affected by Vulnerabilities in Golang GO and VMware Tanzu Spring Framework
Summary Vulnerabilities in Golang Go and VMware Tanzu Spring Framework were remediated in IBM Observability with Instana build 261. Vulnerability Details CVEID:CVE-2023-29405 DESCRIPTION: Golang Go could allow a remote attacker to execute arbitrary code on the system, caused by a flaw when running...
CVE-2023-42829
The issue was addressed with additional restrictions on the observability of app states. This issue is fixed in macOS Big Sur 11.7.9, macOS Monterey 12.6.8, macOS Ventura 13.5. An app may be able to access SSH passphrases...
Spring Tips: Spring Boot 3.2
Hi, Spring fans! In this installment of Spring Tips, I look at the new Spring Boot 3.2 release, due to drop today, the 23rd of November 2023! 23-11-23! We're diving into the cool new features of Spring Boot 3.2 and Java 21. We'll explore how virtual threads from Project Loom make your code run...
This Week in Spring - Spring Boot 3.2 edition - November 21st, 2023
Hi, Spring fans! Welcome to another epic installment of This Week in Spring! As amazing as the week's already been, it's all leading up to this Thursday - Thanksgiving day! - when we release Spring Boot 3.2! and yes, I am very grateful. This release is stuffed to the gills with a ton of new...
Cross site scripting
Grafana is an open-source platform for monitoring and observability. The WorldMap panel plugin, versions before 1.0.4 contains a DOM XSS vulnerability...
CVE-2023-3010
Grafana is an open-source platform for monitoring and observability. The WorldMap panel plugin, versions before 1.0.4 contains a DOM XSS vulnerability...
BIT-2023-4399
Grafana is an open-source platform for monitoring and observability. In Grafana Enterprise, Request security is a deny list that allows admins to configure Grafana in a way so that the instance doesn't call specific hosts. However, the restriction can be bypassed using punycode encoding of the...
Security Bulletin: Remote code execution / denial of service attack is possible in IBM Observability with Instana (Self-hosted on Docker) due to use of Apache Kafka
Summary Apache Kafka is used by IBM Observability with Instana Self-hosted on Docker as part of its container images. CVE-2023-25194 Vulnerability Details CVEID:CVE-2023-25194 DESCRIPTION: Apache Kafka could allow a remote authenticated attacker to execute arbitrary code on the system, caused by...
Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Observability with Instana (Agent container image)
Summary OpenSSL is used by IBM Observability with Instana Self-hosted on Docker as part of its container images. CVE-2023-0286, CVE-2022-4304, CVE-2023-0215, CVE-2022-4450, CVE-2022-4203, CVE-2023-0216, CVE-2023-0217, CVE-2023-0401 Vulnerability Details CVEID:CVE-2023-0286 DESCRIPTION: OpenSSL i...
CVE-2023-4399
Grafana is an open-source platform for monitoring and observability. In Grafana Enterprise, Request security is a deny list that allows admins to configure Grafana in a way so that the instance doesn't call specific hosts. However, the restriction can be bypassed using punycode encoding of the...
CVE-2023-4457
Grafana is an open-source platform for monitoring and observability. The Google Sheets data source plugin for Grafana, versions 0.9.0 to 1.2.2, is vulnerable to an information disclosure vulnerability. The plugin did not properly sanitize error messages, potentially exposing the Google...
Grafana privilege escalation vulnerability
Grafana is an open-source platform for monitoring and observability. The vulnerability impacts instances with several organizations, and allows a user with Organization Admin permissions in one organization to change the permissions associated with Organization Viewer, Organization Editor and...
CVE-2023-43810
OpenTelemetry, also known as OTel for short, is a vendor-neutral open-source Observability framework for instrumenting, generating, collecting, and exporting telemetry data such as traces, metrics, logs. Autoinstrumentation out of the box adds the label httpmethod that has unbound cardinality. It...
CVE-2023-43810
CVE-2023-43810 concerns OpenTelemetry instrumentation. Autoinstrumentation may expose an unbounded http_method label, enabling memory exhaustion under large numbers of crafted requests. Affected if the application is instrumented for HTTP handlers and does not filter non-standard methods at CDN/L...