669 matches found
Security Bulletin: IBM Observability with Instana using third-party Kubernetes Operators is affected by Multiple Security Vulnerabilities
Summary Multiple vulnerabilities were remediated in IBM Observability with Instana using third-party Kubernetes Operators build 283. Vulnerability Details CVEID: CVE-2024-35195 DESCRIPTION: Psf Requests could allow a local authenticated attacker to bypass security restrictions, caused by an incorre...
Malicious code in plugin-transform-logical-assignment-operators (npm)
CVE-2024-9180 Vault Operators in Root Namespace May Elevate Their Privileges
A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s privileges to Vault’s root policy. Fixed in Vault Community Edition 1.18.0 and Vault Enterprise 1.18.0, 1.17.7, 1.16.11, and 1.15.16...
How to handle vulnerability reports in aviation
TL;DR Always thank researchers for reporting vulnerabilities. Acknowledging their efforts can set the right tone. Lead all communications with researchers. Don’t let legal or PR teams take over. Provide regular updates to avoid miscommunication. Keep researchers informed throughout the process. W...
PT-2024-7519 · Unknown · Python-Sql
Name of the Vulnerable Software and Affected Versions: python-sql affected versions not specified Description: A vulnerability was found in python-sql where unary operators do not escape non-Expression, such as And and Or. This makes any system exposing those vulnerable to an SQL injection attack...
September 10, 2024—KB5043067 (OS Build 22000.3197)
September 10, 2024—KB5043067 OS Build 22000.3197 07/09/24 --- END OF SERVICE NOTICE --- IMPORTANT All editions of Windows 11, version 21H2 will reach end of service on October 8, 2024. After that date, these devices will not receive monthly security and non-security updates. These updates contain...
CVE-2024-34158 vulnerabilities
Vulnerabilities for packages: cri-tools, opentelemetry-collector-contrib, harbor-cli, caddy, multus-cni-fips, gcsfuse, src, docker-credential-gcr, crossplane-provider-aws-firehose, cert-manager, spicedb, thanos, gomplate-fips, kyverno-policy-reporter-ui, rook, ko, tkn-fips, opentelemetry-collecto...
[SECURITY] Fedora 40 Update: onnx-1.14.1-3.fc40
onnx provides an open source format for AI models, both deep learning and traditional ML. It defines an extensible computation graph model, as well as definitions of built-in operators and standard data types...
Improper Access Control
directus is vulnerable to Improper Access Control. The vulnerability is due to improper handling of the `_in` and `_nin` operators, which allows an attacker to query expressions with empty arrays, which are evaluated as valid, resulting in unauthorized access...
GHSA-HXGM-GHMV-XJJM Directus incorrectly handles `_in` filter
Summary Directus =9.23.0, .role matches any of ". Which should fail. This instead passes in Directus =v9.23.0 PoC "role": "_in": $CURRENT_USER.somefield field validation would pass if $CURRENT_USER.somefield is null. Real scenario: Using https://github.com/u12206050/directus-extension-role-chooser...
Directus incorrectly handles `_in` filter
Summary Directus =9.23.0, .role matches any of ". Which should fail. This instead passes in Directus =v9.23.0 PoC "role": "_in": $CURRENT_USER.somefield field validation would pass if $CURRENT_USER.somefield is null. Real scenario: Using https://github.com/u12206050/directus-extension-role-chooser...
Directus Security Vulnerabilities
Directus is a real-time API and application dashboard. It is used to manage SQL database content. A security vulnerability exists in Directus versions 9.23.0 through 10.5.3 that stems from incorrect handling of the `_in` and `_nin` operators...
CVE-2024-24791 vulnerabilities
Vulnerabilities for packages: cri-tools, opentelemetry-collector-contrib, harbor-cli, caddy, multus-cni-fips, gcsfuse, src, docker-credential-gcr, cert-manager, spicedb, thanos, gomplate-fips, kyverno-policy-reporter-ui, ko, tkn-fips, opentelemetry-collector, xcaddy, fluent-bit-plugin-loki,...
Google to Block Entrust Certificates in Chrome Starting November 2024
Google has announced that it's going to start blocking websites that use certificates from Entrust starting around November 1, 2024, in its Chrome browser, citing compliance failures and the certificate authority's inability to address security issues in a timely manner. "Over the past several...
Malicious code in data-platform-airflow-operators (PyPI)
MAL-2024-5026 Malicious code in data-platform-airflow-operators (PyPI)
Security Bulletin: IBM Observability with Instana using third-party Kubernetes Operators is affected by Multiple Security Vulnerabilities
Summary Multiple vulnerabilities were remediated in IBM Observability with Instana using third-party Kubernetes Operators build 273. Vulnerability Details CVEID: CVE-2023-6516 DESCRIPTION: ISC BIND is vulnerable to a denial of service, caused by an out-of-memory condition. By using specific...
CVE-2024-35225 Jupyter Server Proxy has a reflected XSS issue in host parameter
Jupyter Server Proxy allows users to run arbitrary external processes alongside their notebook server and provide authenticated web access to them. Versions of 3.x prior to 3.2.4 and 4.x prior to 4.2.0 have a reflected cross-site scripting (XSS) issue. The /proxy endpoint accepts a host path segmen...
CVE-2024-35225
Jupyter Server Proxy (jupyter-server-proxy) has a reflected XSS in the host parameter of the /proxy endpoint. Affected versions: 3.x prior to 3.2.4 and 4.x prior to 4.2.0. The issue occurs when an invalid host value is echoed back, enabling a phishing link to execute arbitrary JavaScript in a use...
Security Bulletin: IBM Observability with Instana using third-party Kubernetes Operators is affected by Multiple Security Vulnerabilities
Summary Multiple vulnerabilities were remediated in IBM Observability with Instana using third-party Kubernetes Operators build 271. Vulnerability Details CVEID: CVE-2024-1023 DESCRIPTION: Eclipse Vert.x is vulnerable to a denial of service, caused by a memory leak due to the use of Netty...