1094 matches found

The Hacker News
added 2024/02/21 11:30 a.m., 22 views

6 Ways to Simplify SaaS Identity Governance

With SaaS applications now making up the vast majority of technology used by employees in most organizations, tasks related to identity governance need to happen across a myriad of individual SaaS apps. This presents a huge challenge for centralized IT teams who are ultimately held responsible fo...

9.7 AI score
Exploits: 0
Cvelist
added 2024/02/14 8:4 p.m., 24 views

CVE-2024-1482 Improper Authorization in GitHub Enterprise Server allowed unauthorized workflow execution

An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to create new branches in public repositories and run arbitrary GitHub Actions workflows with permissions from the GITHUB_TOKEN. To exploit this vulnerability, an attacker would need access...

7.1 CVSS, 7.1 AI score, 0.00422 EPSS
Exploits: 0, References: 3
Kitploit
added 2024/02/04 11:30 a.m., 29 views

Argus - A Framework for Staged Static Taint Analysis of GitHub Workflows and Actions

This repo contains the code for our USENIX Security '23 paper "ARGUS: A Framework for Staged Static Taint Analysis of GitHub Workflows and Actions". Argus is a comprehensive security analysis tool specifically designed for GitHub Actions. Built with an aim to enhance the security of CI/CD...

7.8 AI score
Exploits: 0, References: 2
Chainguard
added 2024/02/01 8:51 p.m., 24 views

GHSA-XW73-RW38-6VJC vulnerabilities

Vulnerabilities for packages: timoni, crane, flux, flux-image-reflector-controller, helm-operator, flux-helm-controller, k3s, cadvisor-fips, k9s, ctop, cosign, k8sgpt, kubevela, buildkitd, falcoctl, pulumi, trivy, ko-fips, docker-credential-gcr, helm, helm-fips, newrelic-infrastructure-agent,...

5.8 AI score
Exploits: 0
Chainguard
added 2024/02/01 5:15 p.m., 48 views

CVE-2024-24557 vulnerabilities

Vulnerabilities for packages: timoni, crane, flux, flux-image-reflector-controller, helm-operator, flux-helm-controller, k3s, cadvisor-fips, k9s, ctop, cosign, k8sgpt, kubevela, buildkitd, falcoctl, pulumi, trivy, ko-fips, docker-credential-gcr, helm, helm-fips, newrelic-infrastructure-agent,...

7.8 CVSS, 6.8 AI score, 0.00258 EPSS
Exploits: 0
NVD
added 2024/01/16 10:15 a.m., 34 views

CVE-2023-34063

Aria Automation contains a Missing Access Control vulnerability. An authenticated malicious actor may exploit this vulnerability leading to unauthorized access to remote organizations and workflows...

9.9 CVSS, 9.4 AI score, 0.00949 EPSS
Exploits: 0, References: 1
OSV
added 2024/01/16 10:15 a.m., 2 views

CVE-2023-34063

Aria Automation contains a Missing Access Control vulnerability. An authenticated malicious actor may exploit this vulnerability leading to unauthorized access to remote organizations and workflows...

8.3 CVSS, 5.8 AI score, 0.00949 EPSS
Exploits: 0, References: 1
Vulnrichment
added 2024/01/16 9:10 a.m., 2 views

CVE-2023-34063

Aria Automation contains a Missing Access Control vulnerability. An authenticated malicious actor may exploit this vulnerability leading to unauthorized access to remote organizations and workflows...

9.9 CVSS, 9 AI score, 0.00949 EPSS
Exploits: 0, References: 1
Cvelist
added 2024/01/16 9:10 a.m., 34 views

CVE-2023-34063

Aria Automation contains a Missing Access Control vulnerability. An authenticated malicious actor may exploit this vulnerability leading to unauthorized access to remote organizations and workflows...

9.9 CVSS, 9.5 AI score, 0.00949 EPSS
Exploits: 0, References: 1
CNNVD
added 2024/01/16 12:0 a.m., 3 views

VMware Aria Automation and VMware Cloud Foundation Security Vulnerabilities

VMware Cloud Foundation and VMware Aria Automation are both products of VMware, Inc. VMware Cloud Foundation is an all-in-one hybrid cloud platform that includes operations automation, infrastructure auto-configuration, and integrate...

9.9 CVSS, 7 AI score, 0.00949 EPSS
Exploits: 0, References: 2
Positive Technologies
added 2024/01/16 12:0 a.m., 5 views

PT-2024-1101 · Vmware · Vmware Cloud Foundation +1

Name of the Vulnerable Software and Affected Versions: VMware Aria Automation formerly vRealize Automation versions prior to the fixed version VMware Cloud Foundation formerly Aria Automation versions prior to the fixed version Description: The issue is related to a Missing Access Control...

9.9 CVSS, 9 AI score, 0.00949 EPSS
Exploits: 0, References: 33
Positive Technologies
added 2023/12/22 12:0 a.m., 4 views

PT-2023-9220 · Nextcloud +2 · Nextcloud Enterprise Server +3

Name of the Vulnerable Software and Affected Versions: Nextcloud Server versions prior to 26.0.9 and 27.1.4 Nextcloud Enterprise Server versions prior to 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4 Description: The issue is related to Nextcloud Server, an open source cloud platform, wher...

9.8 CVSS, 6 AI score, 0.01041 EPSS
Exploits: 6, References: 93
OSV
added 2023/12/21 9:15 p.m., 6 views

CVE-2023-6804

Improper privilege management allowed arbitrary workflows to be committed and run using an improperly scoped PAT. To exploit this, a workflow must have already existed in the target repo. This vulnerability affected all versions of GitHub Enterprise Server since 3.8 and was fixed in version 3.8.1...

5.5 CVSS, 5.9 AI score, 0.00204 EPSS
Exploits: 0, References: 4
Prion
added 2023/12/21 9:15 p.m., 19 views

Input validation

Improper privilege management allowed arbitrary workflows to be committed and run using an improperly scoped PAT. To exploit this, a workflow must have already existed in the target repo. This vulnerability affected all versions of GitHub Enterprise Server since 3.8 and was fixed in version 3.8.1...

1.7 CVSS, 7.2 AI score, 0.00204 EPSS
Exploits: 0, References: 4, Affected Software: 1
Cvelist
added 2023/12/21 8:45 p.m., 27 views

CVE-2023-6804 Improper Privilege Management allows for arbitrary workflows to be run

Improper privilege management allowed arbitrary workflows to be committed and run using an improperly scoped PAT. To exploit this, a workflow must have already existed in the target repo. This vulnerability affected all versions of GitHub Enterprise Server since 3.8 and was fixed in version 3.8.1...

6.5 CVSS, 6.8 AI score, 0.00204 EPSS
Exploits: 0, References: 4
Vulnrichment
added 2023/12/21 8:45 p.m., 10 views

CVE-2023-6804 Improper Privilege Management allows for arbitrary workflows to be run

Improper privilege management allowed arbitrary workflows to be committed and run using an improperly scoped PAT. To exploit this, a workflow must have already existed in the target repo. This vulnerability affected all versions of GitHub Enterprise Server since 3.8 and was fixed in version 3.8.1...

6.5 CVSS, 7.2 AI score, 0.00204 EPSS
Exploits: 0, References: 4
CVE
added 2023/12/21 8:45 p.m., 37 views

CVE-2023-6804

CVE-2023-6804 (GitHub Enterprise Server) : Improper privilege management allows arbitrary workflows to be committed and run using an improperly scoped Personal Access Token, provided a workflow already exists in the target repo. Affected: GitHub Enterprise Server versions 3.8–3.11.x (before fixes...

6.5 CVSS, 5.9 AI score, 0.00204 EPSS
Exploits: 0, References: 4, Affected Software: 1
CNNVD
added 2023/12/21 12:0 a.m., 8 views

GitHub Enterprise Server Security Vulnerability

GitHub Enterprise Server is a U.S. GitHub open source application. Provides a platform for setting up your own GitHub instance as a virtual appliance, thus providing a scalable, easy-to-manage platform. A security vulnerability exists in GitHub Enterprise Server versions prior to 3.8.12, prior to...

6.5 CVSS, 6.8 AI score, 0.00204 EPSS
Exploits: 0, References: 5
Positive Technologies
added 2023/12/21 12:0 a.m., 8 views

PT-2023-32779 · Github · Github Enterprise Server

Name of the Vulnerable Software and Affected Versions: GitHub Enterprise Server versions 3.8 through 3.8.11 GitHub Enterprise Server versions 3.9 through 3.9.6 GitHub Enterprise Server versions 3.10 through 3.10.3 GitHub Enterprise Server versions 3.11 through 3.11.0 Description: Improper privile...

6.5 CVSS, 5.5 AI score, 0.00204 EPSS
Exploits: 0, References: 8
Chainguard
added 2023/11/18 12:30 a.m., 17 views

GHSA-3F2Q-6294-FMQ5 vulnerabilities

Vulnerabilities for packages: task, pulumi-kubernetes-operator, melange, snyk-cli, flux-notification-controller, argo-workflows, argo-events, argo-events-fips...

5.8 AI score
Exploits: 0