117 matches found

Github Security Blog
added 2026/02/03 11:57 p.m. (8 views)

apko has a path traversal in apko dirFS which allows filesystem writes outside base

A Path Traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package (e.g., via a compromised or typosquatted repository) could create directories or symlinks outside the intended installation root. The MkdirAll, Mkdir, and Symlink...

CVSS 7.5 | AI score 5.4 | EPSS 0.00022
Exploits 0 | References 4 | Affected Software 1
Intel
added 2025/08/12 12:00 a.m. (2 views)

TinyCBOR Library Advisory

Summary: Potential security vulnerabilities in the TinyCBOR library maintained by Intel® may allow elevation of privilege or denial of service. Intel is releasing software updates to mitigate these potential vulnerabilities. Vulnerability Details: CVEID: CVE-2025-24302 Description: Uncontrolled...

CVSS 6.7 | AI score 7.7 | EPSS 0.00011
Exploits 0
OSV
added 2025/03/11 9:54 p.m. (6 views)

GHSA-33CR-M232-XQCH cheqd-node affected by Non-deterministic JSON Unmarshalling of IBC Acknowledgement

Description: An issue was discovered in IBC-Go's deserialization of acknowledgements that results in non-deterministic behavior which can halt a chain. Any user that can open an IBC channel can introduce this state to the chain. This is an upstream dependency used in cheqd-node, rather than a custom...

CVSS 9.3 | AI score 7
Exploits 0 | References 5
Github Security Blog
added 2024/10/21 7:03 p.m. (20 views)

Cilium's CIDR deny policies may not take effect when a more narrow CIDR allow is present

Impact: A policy rule denying a prefix that is broader than /32 may be ignored if there is:
- a policy rule referencing a more narrow prefix (CIDRSet or toFQDN), and
- this narrower policy rule specifies either enableDefaultDeny: false or toEntities: all.
Note that a rule specifying toEntities: world...

CVSS 8.7 | AI score 6.7 | EPSS 0.00305
Exploits 0 | References 5 | Affected Software 1
Github Security Blog
added 2024/09/17 10:29 p.m. (23 views)

Keycloak Services has a potential bypass of brute force protection

If an attacker launches many login attempts in parallel, then the attacker can have more guesses at a password than the brute force protection configuration permits. This is due to the brute force check occurring before the brute force protector has locked the user. Acknowledgements: Special thank...

CVSS 6.5 | AI score 6.8 | EPSS 0.00444
Exploits 0 | References 18 | Affected Software 1
Packet Storm
added 2024/08/28 12:00 a.m. (267 views)

MSMS-PHP 1.0 Insecure Settings

Title: MSMS-PHP v1.0 Insecure Settings Vulnerability | Author: indoushka | Tested on: Windows 10 FrPro / browser: Mozilla Firefox 125.0.1 64 bits...

AI score 7.4
Exploits 0
Github Security Blog
added 2024/08/15 9:43 p.m. (12 views)

Policy bypass for Host Firewall policy due to race condition in Cilium agent

Impact: A race condition in the Cilium agent can cause the agent to ignore labels that should be applied to a node. This could in turn cause CiliumClusterwideNetworkPolicies intended for nodes with the ignored label to not apply, leading to policy bypass. Patches: This issue was fixed in...

CVSS 6.8 | AI score 6.6 | EPSS 0.00028
Exploits 0 | References 7 | Affected Software 1
Vulnrichment
added 2024/07/16 11:43 a.m. (19 views)

CVE-2022-48804 vt_ioctl: fix array_index_nospec in vt_setactivate

In the Linux kernel, the following vulnerability has been resolved: vt_ioctl: fix array_index_nospec in vt_setactivate. array_index_nospec ensures that an out-of-bounds value is set to zero on the transient path. Decreasing the value by one afterwards causes a transient integer underflow. vsa.console...

AI score 6.7 | EPSS 0.00016
Exploits 0 | References 8
Debian CVE
added 2024/07/16 11:43 a.m. (19 views)

CVE-2022-48804

In the Linux kernel, the following vulnerability has been resolved: vt_ioctl: fix array_index_nospec in vt_setactivate. array_index_nospec ensures that an out-of-bounds value is set to zero on the transient path. Decreasing the value by one afterwards causes a transient integer underflow. vsa.console...

CVSS 5.5 | AI score 5.7 | EPSS 0.00016
Exploits 0
Cvelist
added 2024/07/16 11:43 a.m. (26 views)

CVE-2022-48804 vt_ioctl: fix array_index_nospec in vt_setactivate

In the Linux kernel, the following vulnerability has been resolved: vt_ioctl: fix array_index_nospec in vt_setactivate. array_index_nospec ensures that an out-of-bounds value is set to zero on the transient path. Decreasing the value by one afterwards causes a transient integer underflow. vsa.console...

EPSS 0.00016
Exploits 0 | References 8
RedHat Linux
added 2024/07/08 9:31 p.m. (36 views)

Moderate: Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 8.0 security update

A security update is now available for Red Hat JBoss Enterprise Application Platform 8.0. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each...

CVSS 7.5 | AI score 7 | EPSS 0.87555
Exploits 2 | References 3
Github Security Blog
added 2024/06/11 8:22 p.m. (59 views)

Keycloak's admin API allows low privilege users to use administrative functions

Users with low privileges (just plain users in the realm) are able to utilize administrative functionalities within the Keycloak admin interface. This issue presents a significant security risk as it allows unauthorized users to perform actions reserved for administrators, potentially leading to data...

CVSS 8.1 | AI score 6.8 | EPSS 0.89656
Exploits 0 | References 11 | Affected Software 1
Github Security Blog
added 2024/05/14 10:17 p.m. (33 views)

Grafana API IDOR

Today we are releasing Grafana 8.3.5 and 7.5.14. This patch release includes a MEDIUM severity security fix for the Grafana Teams API IDOR. Release v.8.3.5, only containing security fixes: Download Grafana 8.3.5; Release notes. Release v.7.5.15, only containing security fixes: Download Grafana 7.5....

CVSS 4.3 | AI score 6.2 | EPSS 0.00185
Exploits 0 | References 9 | Affected Software 1
Github Security Blog
added 2024/04/17 5:33 p.m. (32 views)

Keycloak Authorization Bypass vulnerability

Due to a permissive regular expression hardcoded for filtering allowed hosts to register a dynamic client, a malicious user with enough information about the environment could benefit and jeopardize an environment with this specific Dynamic Client Registration with TrustedDomain configuration...

CVSS 5.4 | AI score 6.7 | EPSS 0.01309
Exploits 0 | References 12 | Affected Software 1
OSV
added 2024/03/18 8:33 p.m. (30 views)

GHSA-V6Q2-4QR3-5CW6 Unencrypted traffic between nodes when using WireGuard and L7 policies

Impact: In Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies:
- Traffic that should be WireGuard-encrypted is sent unencrypted between a node's Envoy proxy and pods on other nodes.
- Traffic that should be WireGuard-encrypted is sent unencrypted between a node's DNS prox...

CVSS 6.1 | AI score 6.4 | EPSS 0.00051
Exploits 0 | References 6
Github Security Blog
added 2024/03/18 8:30 p.m. (16 views)

Unencrypted traffic between nodes when using IPsec and L7 policies

Impact: In Cilium clusters with IPsec enabled and traffic matching Layer 7 policies:
- Traffic that should be IPsec-encrypted between a node's Envoy proxy and pods on other nodes is sent unencrypted.
- Traffic that should be IPsec-encrypted between a node's DNS proxy and pods on other nodes is sent...

CVSS 6.1 | AI score 6.6 | EPSS 0.00302
Exploits 0 | References 6 | Affected Software 1
Github Security Blog
added 2024/02/15 3:32 p.m. (26 views)

Scrapy authorization header leakage on cross-domain redirect

Impact: When you send a request with the Authorization header to one domain, and the response asks to redirect to a different domain, Scrapy’s built-in redirect middleware creates a follow-up redirect request that keeps the original Authorization header, leaking its content to that second domain...

CVSS 7.5 | AI score 7.1 | EPSS 0.00121
Exploits 1 | References 5 | Affected Software 1
Intel
added 2024/02/13 12:00 a.m. (11 views)

Intel® ISPC Software Advisory

Summary: A potential security vulnerability in some Intel® Implicit SPMD Program Compiler (ISPC) software may allow escalation of privilege. Intel is releasing software updates to mitigate this potential vulnerability. Vulnerability Details: CVEID: CVE-2023-38566 Description: Uncontrolled search pa...

CVSS 7.8 | AI score 6.9 | EPSS 0.00144
Exploits 0
Intel
added 2024/02/13 12:00 a.m. (15 views)

Intel® PM Software Advisory

Summary: A potential security vulnerability in some Intel® Performance Maximizer (PM) software may allow escalation of privilege. Intel is not releasing updates to mitigate this potential vulnerability and has issued a Product Discontinuation Notice for Intel® PM. Vulnerability Details: CVEID:...

CVSS 6.7 | AI score 6.6 | EPSS 0.00054
Exploits 0
Intel
added 2024/02/13 12:00 a.m. (19 views)

Intel® Unite® Software Advisory

Summary: A potential security vulnerability in some Intel Unite® Client software may allow escalation of privilege. Intel is releasing software updates to mitigate this potential vulnerability. Vulnerability Details: CVEID: CVE-2023-40161 Description: Improper access control in some Intel Unite®...

CVSS 7.8 | AI score 7 | EPSS 0.00082
Exploits 0