Renovate vulnerable to arbitrary command injection via npm manager and malicious Renovate configuration
Summary The user-provided string packageName in the npm manager is appended to the npm install command during lock maintenance without proper sanitization. Details Adversaries can provide a maliciously crafted Renovate configuration file to trick Renovate to execute arbitrary code. The...
Medium: containerd
Issue Overview: crypto/x509: excluded subdomain constraint does not restrict wildcard SANs An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not...
Medium: php8.2
Issue Overview: NOTE: https://github.com/php/php-src/security/advisories/GHSA-3237-qqm7-mfv7 NOTE: https://github.com/php/php-src/commit/c5f28c7cf0a052f48e47877c7aa5c5bcc54f1cfc DEBIANBUG: 1123574 CVE-2025-14177 NOTE: https://github.com/php/php-src/security/advisories/GHSA-h96m-rvf9-jgm2 NOTE:...
Important: openvpn
Issue Overview: HMAC verification check: fix incorrect memcmp call NOTE: https://community.openvpn.net/Security%20Announcements/CVE-2025-13086 CVE-2025-13086 Affected Packages: openvpn Issue Correction: Run dnf update openvpn --releasever 2023.9.20251208 or dnf update --advisory ALAS2023-2025-131...
Medium: aws-cfn-bootstrap
Issue Overview: Requests is an HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc...
Medium: containerd
Issue Overview: containerd is an open-source container runtime. Versions 0.1.0 through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 have an overly broad default permission vulnerability. Directory paths /var/lib/containerd,...
Advisory ROSA-SA-2025-3082
Software: httpd 2.4.6 OS: rosa-server79 unaffected versions = httpd-2.4.6-99.0.7.res7.1 affected versions httpd-2.4.6-99.0.7.res7.1 CVE-ID: CVE-2024-47252 BDU-ID: 2025-08958 CVE-Crit: HIGH CVE-DESC.: A vulnerability in the modssl function of the Apache HTTP Server web server is related to a failu...
Advisory ROSA-SA-2025-3083
Software: ImageMagick 6.9.10.68 OS: rosa-server79 unaffected versions = ImageMagick-6.9.10.68-7.0.3.res7 affected versions ImageMagick-6.9.10.68-7.0.3.res7 CVE-ID: CVE-2025-55154 BDU-ID: 2025-10835 CVE-Crit: CRITICAL CVE-DESC.: Vulnerability in the ImageMagick console graphical editor related to...
Advisory ROSA-SA-2025-3041
Software: cups 2.2.6 OS: ROSA Virtualization 3.0 unaffected versions = cups-2.2.6-63.rv30 affected versions cups-2.2.6-63.rv30 CVE-ID: CVE-2025-58060 BDU-ID: 2025-11019 CVE-Crit: HIGH CVE-DESC.: A vulnerability in the CUPS Common UNIX Printing System is related to flaws in the authentication...
Medium: cuda-runtime-12-9
Issue Overview: NVIDIA nvJPEG library contains a vulnerability where an attacker can cause an out-of-bounds read by means of a specially crafted JPEG file. A successful exploit of this vulnerability might lead to information disclosure or denial of service. CVE-2025-23272 Affected Packages:...
Medium: amazon-cloudwatch-agent
Issue Overview: go-viper's mapstructure May Leak Sensitive Information in Logs When Processing Malformed Data CVE-2025-11065 Affected Packages: amazon-cloudwatch-agent Note: This advisory is applicable to Amazon Linux 2 AL2 Core repository. Visit this FAQ section for the difference between AL2 Co...
Medium: cuda-minimal-build-12-9
Issue Overview: NVIDIA nvJPEG library contains a vulnerability where an attacker can cause an out-of-bounds read by means of a specially crafted JPEG file. A successful exploit of this vulnerability might lead to information disclosure or denial of service. CVE-2025-23272 Affected Packages:...
EUVD-2018-7358
Malware in sbrugna...
EUVD-2021-19906
Malware in sbrugna...
Advisory ROSA-SA-2025-3019
Software: git 2.51.0 OS: ROSA-CHROME unaffected versions = git-2.51.0-1 affected versions git-2.51.0-1 CVE-ID: CVE-2025-48384 BDU-ID: 2025-08691 CVE-Crit: HIGH CVE-DESC.: A vulnerability in the Git distributed version control system of the Microsoft Visual Studio software development tool is...
Advisory ROSA-SA-2025-3015
Software: dovecot 2.3.21.1 OS: ROSA-CHROME unaffected versions = dovecot-2.3.21.1-6 affected versions dovecot-2.3.21.1-6 CVE-ID: CVE-2022-30550 BDU-ID: 2022-04273 CVE-Crit: MEDIUM CVE-DESC.: A vulnerability in the passdb account database of the Dovecot mail server is related to configuration...
Advisory ROSA-SA-2025-3014
Software: cert-sh-functions 1.0.6 OS: ROSA-CHROME unaffected versions = cert-sh-functions-1.0.6-5 affected versions cert-sh-functions-1.0.6-5 CVE-ID: CVE-2022-30550 BDU-ID: 2022-04273 CVE-Crit: MEDIUM CVE-DESC.: A vulnerability in the passdb account database of the Dovecot mail server is relate...
Advisory ROSA-SA-2025-3008
Software: mono 6.12.0 OS: ROSA-CHROME unaffected versions = mono-6.12.0-206.1 affected versions mono-6.12.0-206.1 CVE-ID: CVE-2021-24112 BDU-ID: 2021-00929 CVE-Crit: HIGH CVE-DESC.: A vulnerability in the .NET Core software platform is related to insufficient input validation. Exploitation of t...
Medium: loupe
Issue Overview: tracing is a framework for instrumenting Rust programs to collect structured, event-based diagnostic information. Prior to version 0.3.20, tracing-subscriber was vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be...
Medium: rust-cargo-c
Issue Overview: tracing is a framework for instrumenting Rust programs to collect structured, event-based diagnostic information. Prior to version 0.3.20, tracing-subscriber was vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be...