Expected Behavior Violation
@backstage/plugin-app-backend is vulnerable to Expected Behavior Violation. The vulnerability is due to the handling of APP_CONFIG_* environment variables, which ignores the visibility defined in the configuration schema. Note: This was an intended feature of the APP_CONFIG_* way of supplying...
Check Point Response to CVE-2024-24914 - TCL substitution of global parameter values
Symptoms - After logging in to Gaia Portal, authenticated users (local Gaia users and RADIUS / TACACS users) may cause code injection in Gaia Portal because of unprotected global variables usage when processing the HTTP request in the TCL process. This issue received the ID CVE-2024-24914. Solution...
The vulnerability of the mt76_connac_mcu_add_nested_tlv() function in the MediaTek kernel driver for Linux operating systems allows attackers to compromise the confidentiality, integrity, and availability of protected information.
The vulnerability of the mt76_connac_mcu_add_nested_tlv() function in the drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c file of the MediaTek Linux kernel driver is related to the absence of initialization for variables. Exploiting this vulnerability could allow a remote attacker to compromise the...
The vulnerability of the BPF_CORE_READ_BITFIELD macro definition of the bpf component in the Linux operating system’s kernel allows an attacker to compromise the confidentiality, integrity, and availability of the protected information.
The vulnerability of the BPF_CORE_READ_BITFIELD macro definition in the tools/lib/bpf/bpf_core_read.h file of the Linux kernel’s bpf component is related to the absence of initialization for variables. Exploiting this vulnerability could allow an attacker to compromise the confidentiality, integrity,...
CVE-2024-47762
A flaw was found in the backstage/plugin-app-backend package. Configurations supplied through APP_CONFIG_* environment variables unexpectedly ignore the visibility defined in the configuration schema, potentially exposing sensitive configuration details intended to remain private or restricted to...
CVE-2024-47762
Backstage is an open framework for building developer portals. Configuration supplied through APP_CONFIG_* environment variables, for example APP_CONFIG_backend_listen_port=7007, were unexpectedly ignoring the visibility defined in configuration schema. This occurred even if the configuration schema...
CVE-2024-47762 Unexpected visibility of environment variable configurations in @backstage/plugin-app-backend
Backstage is an open framework for building developer portals. Configuration supplied through APP_CONFIG_* environment variables, for example APP_CONFIG_backend_listen_port=7007, were unexpectedly ignoring the visibility defined in configuration schema. This occurred even if the configuration schema...
OpenTofu potential leaking of secret variable values when using static evaluation in v1.8
Impact: Users who have opted into static evaluation of module sources, versions, and backend configurations may be at risk of exposing sensitive variables and locals. This is a workflow that should not be possible and should explicitly show errors. Workarounds: Check that you are not using sensitive...
GHSA-WPR2-J6GR-PJW9 OpenTofu potential leaking of secret variable values when using static evaluation in v1.8
Impact: Users who have opted into static evaluation of module sources, versions, and backend configurations may be at risk of exposing sensitive variables and locals. This is a workflow that should not be possible and should explicitly show errors. Workarounds: Check that you are not using sensitive...
PT-2024-32800 · Unknown · @Backstage/Plugin-App-Backend
Name of the Vulnerable Software and Affected Versions: @backstage/plugin-app-backend versions prior to 0.3.75. Description: The issue concerns the configuration supplied through APP_CONFIG_* environment variables, where the visibility defined in the configuration schema is unexpectedly ignored. This...
Exploit for Path Traversal in Jenkins
Jenkins File Read Vulnerability - CVE-2024-23897
The vulnerability of the JavaScript script handler in Google Chrome’s V8 engine allows attackers to execute arbitrary code.
The vulnerability of the JavaScript script handler in Google Chrome’s V8 engine is related to the use of uninitialized variables. Exploiting this vulnerability allows a remote attacker to execute arbitrary code through a specially created HTML page...
CLSA-2024-1727374287 python3.9: Fix of CVE-2024-4032
CVE-2024-4032: fix missing and incorrect ip address ranges in privatenetwork variables...
The vulnerability of the PDF-XChange PDF document viewing and editing program, related to the use of uninitialized variables, allows a hacker to execute arbitrary code.
The vulnerability of the PDF document viewing and editing software PDF-XChange is related to the use of uninitialized variables. Exploiting this vulnerability could allow a malicious actor to execute arbitrary code using a specially created RTF file...
CVE-2024-45599
CVE-2024-45599 affects Cursor prior to 0.41.0 on macOS. If a user has granted Cursor access to the camera or microphone, an attacker could leverage a DyLib Injection via the DYLD_INSERT_LIBRARIES environment variable to allow any running program on the machine to access those peripherals, bypassi...
SUSE SLES15: libpython3_6m1_0 / python3 / python3-base / python3-curses / etc (SUSE-SU-2024:3302-1)
The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:3302-1 advisory. - CVE-2024-6923: Fixed uncontrolled CPU resource consumption when in http.cookies module (bsc#1228780). - CVE-2024-7592: Fixed Email...
CVE-2024-40842
CVE-2024-40842 affects macOS Sequoia 15 where an issue with the validation of environment variables could allow an app to access user-sensitive data. The fixed version is macOS Sequoia 15. The available connected documents confirm the root cause as input validation for environment variables and t...
AZL-53163 CVE-2024-8775 affecting package ansible for versions less than 2.17.11-1
A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data...
PT-2024-21894 · Gitlab · Gitlab
Name of the Vulnerable Software and Affected Versions: GitLab-EE versions 13.3 through 17.1.7; GitLab-EE versions 17.2 through 17.2.5; GitLab-EE versions 17.3 through 17.3.2. Description: An issue was discovered in GitLab-EE that would allow an attacker to modify an on-demand DAST scan without...