Lucene search
K

296 matches found

F5 Networks
F5 Networks
added 2024/09/12 4:22 a.m.36 views

K000141047: Multiple Node.js vulnerabilities

Security Advisory Description CVE-2024-22018 A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API...

8.1CVSS7.1AI score0.01387EPSS
Exploits0
NVD
NVD
added 2024/09/04 9:15 p.m.19 views

CVE-2024-45395

sigstore-go, a Go library for Sigstore signing and verification, is susceptible to a denial of service attack in versions prior to 0.6.1 when a verifier is provided a maliciously crafted Sigstore Bundle containing large amounts of verifiable data, in the form of signed transparency log entries, R...

7.5CVSS0.00441EPSS
Exploits0References5
OSV
OSV
added 2024/09/04 8:18 p.m.9 views

GHSA-CQ38-JH5F-37MQ sigstore-go has an unbounded loop over untrusted input can lead to endless data attack

Impact sigstore-go is susceptible to a denial of service attack when a verifier is provided a maliciously crafted Sigstore Bundle containing large amounts of verifiable data, in the form of signed transparency log entries, RFC 3161 timestamps, and attestation subjects. The verification of these...

3.1CVSS5.3AI score0.00441EPSS
Exploits0References7
Cvelist
Cvelist
added 2024/09/04 8:15 p.m.20 views

CVE-2024-45395 Unbounded loop over untrusted input can lead to endless data attack

sigstore-go, a Go library for Sigstore signing and verification, is susceptible to a denial of service attack in versions prior to 0.6.1 when a verifier is provided a maliciously crafted Sigstore Bundle containing large amounts of verifiable data, in the form of signed transparency log entries, R...

3.1CVSS0.00441EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2024/09/04 8:15 p.m.11 views

CVE-2024-45395 Unbounded loop over untrusted input can lead to endless data attack

sigstore-go, a Go library for Sigstore signing and verification, is susceptible to a denial of service attack in versions prior to 0.6.1 when a verifier is provided a maliciously crafted Sigstore Bundle containing large amounts of verifiable data, in the form of signed transparency log entries, R...

3.1CVSS6.9AI score0.00441EPSS
Exploits0References5
OSV
OSV
added 2024/08/22 7:27 p.m.27 views

BIT-KEYDB-2022-24735 Lua scripts can be manipulated to overcome ACL rules in Redis

Redis is an in-memory database that persists on disk. By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis prior to version 7.0.0 or 6.2.7 can inject Lua code that will execute with the potentially higher privileges of another Redis user. The Lua scri...

7.8CVSS6.5AI score0.02189EPSS
Exploits1References11
Talos Blog
Talos Blog
added 2024/08/19 10:0 a.m.30 views

How multiple vulnerabilities in Microsoft apps for macOS pave the way to stealing permissions

Cisco Talos has identified eight vulnerabilities in Microsoft applications for the macOS operating system. An adversary could exploit these vulnerabilities by injecting malicious libraries into Microsofts applications to gain their entitlements and user-granted permissions. Permissions regulate...

7.3AI score0.00881EPSS
Exploits8
Github Security Blog
Github Security Blog
added 2024/07/29 4:38 p.m.24 views

Magento LTS vulnerable to stored Cross-site Scripting (XSS) in admin system configs

Impact This XSS vulnerability is about the system configs design/header/welcome design/header/logosrc design/header/logosrcsmall design/header/logoalt They are intended to enable admins to set a text in the two cases, and to define an image url for the other two cases. But because of previously...

4.8CVSS6.1AI score0.00361EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2024/07/17 9:30 a.m.29 views

GHSA-G5HV-R743-V8PM Apache Airflow has DAG Author Code Execution possibility in airflow-scheduler

Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a docmd parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according to the Airflow Security model. Users should upgrade to...

8.8CVSS8.7AI score0.01726EPSS
Exploits0References7
OSV
OSV
added 2024/07/17 7:54 a.m.20 views

CVE-2024-39877 Apache Airflow: DAG Author Code Execution possibility in airflow-scheduler

Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a docmd parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according to the Airflow Security model. Users should upgrade to...

8.8CVSS7.4AI score0.01726EPSS
Exploits0References6
Vulnrichment
Vulnrichment
added 2024/07/17 7:54 a.m.41 views

CVE-2024-39877 Apache Airflow: DAG Author Code Execution possibility in airflow-scheduler

Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a docmd parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according to the Airflow Security model. Users should upgrade to...

7.4AI score0.01726EPSS
Exploits0References2
OSV
OSV
added 2024/06/17 7:18 a.m.21 views

BIT-ELASTICSEARCH-2024-23445 Elasticsearch Remote Cluster Search Cross Cluster API Key insufficient restrictions

It was identified that if a cross-cluster API key https://www.elastic.co/guide/en/elasticsearch/reference/8.14/security-api-create-cross-cluster-api-key.htmlsecurity-api-create-cross-cluster-api-key-request-body restricts search for a given index using the query or the fieldsecurity parameter, an...

6.5CVSS6.4AI score0.00456EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2024/06/12 3:31 p.m.43 views

Elasticsearch Remote Cluster Search Cross Cluster API Key insufficient restrictions

It was identified that if a cross-cluster API key https://www.elastic.co/guide/en/elasticsearch/reference/8.14/security-api-create-cross-cluster-api-key.htmlsecurity-api-create-cross-cluster-api-key-request-body restricts search for a given index using the query or the fieldsecurity parameter, an...

6.5CVSS7AI score0.00456EPSS
Exploits0References3Affected Software1
NVD
NVD
added 2024/06/12 2:15 p.m.49 views

CVE-2024-23445

It was identified that if a cross-cluster API key https://www.elastic.co/guide/en/elasticsearch/reference/8.14/security-api-create-cross-cluster-api-key.htmlsecurity-api-create-cross-cluster-api-key-request-body restricts search for a given index using the query or the fieldsecurity parameter, an...

6.5CVSS0.00456EPSS
Exploits0References1
CVE
CVE
added 2024/06/12 1:58 p.m.329 views

CVE-2024-23445

CVE-2024-23445 affects Elasticsearch remote-cluster API key security model (GA 8.14.0). The issue: a cross-cluster API key that restricts index search via query or field_security and also grants replication for the same index may not enforce search restrictions during cross-cluster search, potent...

6.5CVSS6.5AI score0.00456EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichment
added 2024/06/12 1:58 p.m.16 views

CVE-2024-23445 Elasticsearch Remote Cluster Search Cross Cluster API Key insufficient restrictions

It was identified that if a cross-cluster API key https://www.elastic.co/guide/en/elasticsearch/reference/8.14/security-api-create-cross-cluster-api-key.htmlsecurity-api-create-cross-cluster-api-key-request-body restricts search for a given index using the query or the fieldsecurity parameter, an...

6.5CVSS7.3AI score0.00456EPSS
Exploits0References1
Cvelist
Cvelist
added 2024/06/12 1:58 p.m.25 views

CVE-2024-23445 Elasticsearch Remote Cluster Search Cross Cluster API Key insufficient restrictions

It was identified that if a cross-cluster API key https://www.elastic.co/guide/en/elasticsearch/reference/8.14/security-api-create-cross-cluster-api-key.htmlsecurity-api-create-cross-cluster-api-key-request-body restricts search for a given index using the query or the fieldsecurity parameter, an...

6.5CVSS0.00456EPSS
Exploits0References1
OSV
OSV
added 2024/03/06 11:1 a.m.12 views

BIT-ENVOY-2020-11767

Istio through 1.5.1 and Envoy through 1.14.1 have a data-leak issue. If there is a TCP connection negotiated with SNI over HTTPS to .example.com, a request for a domain concurrently configured explicitly e.g., abc.example.com is sent to the servers listening behind .example.com. The outcome shoul...

3.1CVSS3.6AI score0.01774EPSS
Exploits1References5
OSV
OSV
added 2024/03/06 10:52 a.m.17 views

BIT-EJBCA-2020-28942

An issue exists in PrimeKey EJBCA before 7.4.3 when enrolling with EST while proxied through an RA over the Peers protocol. As a part of EJBCA's domain security model, the peer connector allows the restriction of client certificates for the RA, not the end user to a limited set of allowed CAs, th...

4.3CVSS4.4AI score0.00361EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2023/11/14 8:28 p.m.69 views

Fabric vulnerable to crosslinking transaction attack

Short summary Combining two molecules to one another, called "cross-linking" results in a molecule with a chemical formula that is composed of all atoms of the original two molecules. In Fabric, one can take a block of transactions and cross-link the transactions in a way that alters the way the...

7.1CVSS6.6AI score0.00519EPSS
Exploits1References9Affected Software1
Rows per page
Query Builder