Low: Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.16.4 security and bug fix update
Updated images that fix several bugs are now available for Red Hat OpenShift Data Foundation 4.16.4 on Red Hat Enterprise Linux 9 from Red Hat Container Registry. Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Data Foundation...
Over 300K Prometheus Instances Exposed: Credentials and API Keys Leaking Online
Cybersecurity researchers are warning that thousands of servers hosting the Prometheus monitoring and alerting toolkit are at risk of information leakage and exposure to denial-of-service (DoS) as well as remote code execution (RCE) attacks. "Prometheus servers or exporters, often lacking proper...
CVE-2024-12564
An Exposure of Sensitive Information to an Unauthorized Actor vulnerability was discovered in Open Design Alliance CDE inWEB SDK before 2025.3. Installing CDE Server with default settings allows unauthorized users to visit the Prometheus metrics page. This can allow attackers to understand more things...
CVE-2024-12564 Exposure of Sensitive Information to an Unauthorized Actor vulnerability in ODA CDE inWEB SDK before 2025.3
An Exposure of Sensitive Information to an Unauthorized Actor vulnerability was discovered in Open Design Alliance CDE inWEB SDK before 2025.3. Installing CDE Server with default settings allows unauthorized users to visit the Prometheus metrics page. This can allow attackers to understand more things...
CVE-2024-45337 vulnerabilities
Vulnerabilities for packages: step-fips, falcoctl-fips, helm-operator, velero-plugin-for-microsoft-azure, kyverno-fips, prometheus-podman-exporter, rqlite, cloudnative-pg, cert-manager-istio-csr, falcosidekick-fips, kubernetes-dashboard-auth-fips, terraform-provider-aws,...
PT-2024-17656
Name of the Vulnerable Software and Affected Versions: Open Design Alliance CDE inWEB SDK versions prior to 2025.3 Description: A vulnerability was discovered that allows exposure of sensitive information to an unauthorized actor. Installing CDE Server with default settings enables unauthorized...
Open Design Alliance CDE inWEB SDK security vulnerability
Open Design Alliance CDE inWEB SDK is a web application from the Open Design Alliance (ODA) for editing, creating and viewing DWG files. A security vulnerability exists in versions of the Open Design Alliance CDE inWEB SDK prior to 2025.3, which arises from the installation of CDE...
GHSA-V778-237X-GJRC vulnerabilities
Vulnerabilities for packages: step-fips, falcoctl-fips, helm-operator, velero-plugin-for-microsoft-azure, kyverno-fips, prometheus-podman-exporter, rqlite, cloudnative-pg, cert-manager-istio-csr, falcosidekick-fips, kubernetes-dashboard-auth-fips, terraform-provider-aws,...
Moderate: Red Hat Security Advisory: Cost Management Metrics Operator Update
Cost Management Metrics Operator version 3.3.2 release. The Cost Management Metrics Operator is a component of the Red Hat Cost Management service for OpenShift. The operator runs on the latest supported versions of OpenShift. This operator obtains OpenShift usage data by querying Prometheus every...
CVE-2024-24786 affecting package prometheus for versions less than 2.45.4-6
CVE-2024-24786 affecting package prometheus for versions less than 2.45.4-6. A patched version of the package is available...
zhmc-prometheus-exporter (=0.6.1), zhmccli (=0.21.2) potentially affected by CVE-2024-53865 via zhmcclient (=0.30.2)
zhmcclient PyPI version =0.30.2 is affected by a known vulnerability. The following packages have a transitive dependency on zhmcclient and may be impacted: - zhmc-prometheus-exporter =0.6.1 - zhmccli =0.21.2 Source CVEs: CVE-2024-53865 Source advisory: OSV:GHSA-P57H-3CMC-XPJQ...
MAL-2024-11038 Malicious code in fe-prometheus-report (npm)
Source: ghsa-malware 985893f86a88110b578b46b480afeeea3cece69b7d81e7ce6c54a5bb36d54ed7. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
CVE-2024-52307 authentik allows a timing attack due to missing constant time comparison for metrics view
authentik is an open-source identity provider. Due to the use of a non-constant-time comparison for the /-/metrics/ endpoint, it was possible to brute-force the SECRET_KEY, which is used to authenticate the endpoint. The /-/metrics/ endpoint returns Prometheus metrics and is not intended to be...
openSUSE Security Advisory (SUSE-SU-2024:4011-1)
The remote host is missing an update as described in SUSE-SU-2024:4011-1. Some text descriptions might be excerpted from referenced sources and are Copyright (C) the respective right holders.
Security update for SUSE Manager Client Tools
This update fixes the following issues: golang-github-lusitaniae-apacheexporter was updated from version 1.0.1 to 1.0.8. Security issues fixed: CVE-2023-3978: Fixed security bug in x/net dependency in version 1.0.2 (bsc#1213933). Bugs fixed: Require Go 1.20 when building for RedHat derivatives. Versio...
Security update for SUSE Manager Client Tools
This update fixes the following issues: golang-github-lusitaniae-apacheexporter: Security issues fixed: CVE-2023-3978: Fixed security bug in x/net dependency (bsc#1213933). Other changes and issues fixed: Delete unpackaged debug files for RHEL. Do not include source files in the package for RHEL 9...
SUSE-SU-2024:4011-1 Security update for SUSE Manager Client Tools
This update fixes the following issues: golang-github-lusitaniae-apacheexporter: - Security issues fixed: CVE-2023-3978: Fixed security bug in x/net dependency (bsc#1213933) - Other changes and issues fixed: Delete unpackaged debug files for RHEL. Do not include source files in the package for RHEL 9...
Fedora 41 : golang-github-prometheus-alertmanager (2024-8580c06716)
The remote Fedora 41 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-8580c06716 advisory. Automatic update for golang-github-prometheus-alertmanager-0.27.0-1.fc41. Changelog: Thu Apr 18 2024 Mikel Olasagasti Uranga - 0.27.0-1 - Update to 0.27.0 -...