GHSA-G85V-WF27-67XC Harden-Runner has a command injection weaknesses in `setup.ts` and `arc-runner.ts`

Summary Versions of step-security/harden-runner prior to v2.10.2 contain multiple command injection weaknesses via environment variables that could potentially be exploited under specific conditions. However, due to the current execution order of pre-steps in GitHub Actions and the placement of...

Harden-Runner has a command injection weaknesses in `setup.ts` and `arc-runner.ts`

Summary Versions of step-security/harden-runner prior to v2.10.2 contain multiple command injection weaknesses via environment variables that could potentially be exploited under specific conditions. However, due to the current execution order of pre-steps in GitHub Actions and the placement of...

CVE-2024-52587

StepSecurity's Harden-Runner provides network egress filtering and runtime security for GitHub-hosted and self-hosted runners. Versions of step-security/harden-runner prior to v2.10.2 contain multiple command injection weaknesses via environment variables that could potentially be exploited under...

CVE-2024-52587

The CVE applies to StepSecurity Harden-Runner. Versions prior to v2.10.2 contain multiple command-injection weaknesses via environment variables in setup.ts and arc-runner.ts, exploitable under specific conditions. However, the documentation notes that due to GitHub Actions pre-step execution ord...

CVE-2024-52587 Harden-Runner has command injection weaknesses in `setup.ts` and `arc-runner.ts`

StepSecurity's Harden-Runner provides network egress filtering and runtime security for GitHub-hosted and self-hosted runners. Versions of step-security/harden-runner prior to v2.10.2 contain multiple command injection weaknesses via environment variables that could potentially be exploited under...

ansible-core: Exposure of Sensitive Information in Ansible Vault Files Due to Improper Logging

A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as includevars to load vaulted variables without setting the nolog: true parameter, resulting in sensitive data...

CVE-2024-10979

A flaw was found in PostgreSQL PL/Perl. This vulnerability allows an unprivileged database user to change sensitive process environment variables e.g., PATH via incorrect control of environment variables. Mitigation Currently the following options exist to help mitigate the impact of this...

Harden-Runner 操作系统命令注入漏洞

Harden-Runner is an open source program from StepSecurity. It provides web exit filtering and runtime security for GitHub hosted and self-hosted runners. An operating system command injection vulnerability exists in Harden-Runner versions prior to v2.10.2, which stems from the inclusion of multip...

PT-2024-35384 · Unknown · Step-Security/Harden-Runner

Name of the Vulnerable Software and Affected Versions: step-security/harden-runner versions prior to v2.10.2 Description: The issue concerns command injection weaknesses via environment variables in step-security/harden-runner. These weaknesses could potentially be exploited under specific...

BIT-POSTGRESQL-2024-10979 PostgreSQL PL/Perl environment variable changes execute arbitrary code

Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables e.g. PATH. That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions...

Apache Airflow: Sensitive configuration values are not masked in the logs by default

Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these logs, potentially...

CVE-2024-45784

Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these logs, potentially...

CVE-2024-45784

Summary (CVE-2024-45784): Apache Airflow versions before 2.10.3 may log sensitive configuration variables in task logs, risking exposure to unauthorized users. The underlying issue is that secrets were not masked in logging output. Version 2.10.3 and later mask secrets in task logs, mitigating th...

OpenBSD 安全漏洞

OpenBSD is a cross-platform, BSD-based, UNIX-like operating system from the Canadian OpenBSD organization. A security vulnerability exists in OpenBSD that stems from the use of uninitialized variables, which could lead to the existence of a double release...

The vulnerability of the PL/Perl environment in the PostgreSQL database management system allows a hacker to execute arbitrary code.

The vulnerability in the PL/Perl environment of the PostgreSQL database management system is related to errors in system configuration or settings. Exploiting this vulnerability allows a malicious actor to execute arbitrary code by modifying system environment variables, such as PATH...

PT-2024-9206 · Apache · Apache Airflow

Name of the Vulnerable Software and Affected Versions: Apache Airflow versions before 2.10.3 Description: The issue is related to the exposure of sensitive configuration variables in task logs. This could allow unauthorized users to access critical data, potentially compromising the security of t...

Ubuntu: Security Advisory (USN-7109-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVE-2024-39707

Insyde IHISI function 0x49 can restore factory defaults for certain UEFI variables without further authentication by default, which could lead to a possible roll-back attack in certain platforms. This is fixed in: kernel 5.2, version 05.29.19; kernel 5.3, version 05.38.19; kernel 5.4, version...

USN-7109-1 golang-1.18 vulnerabilities

Philippe Antoine discovered that Go incorrectly handled crafted HTTP/2 streams. An attacker could possibly use this issue to cause a denial of service. CVE-2022-41723 Marten Seemann discovered that Go did not properly manage memory under certain circumstances. An attacker could possibly use this...

ALPINE-CVE-2024-10979

Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables e.g. PATH. That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions...