942 matches found
CVE-2024-3684 Improper Privilege Management was identified in GitHub Enterprise Server that allowed privilege escalation in the Management Console
A server side request forgery vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin access to the appliance when configuring the Artifacts & Logs and Migrations Storage. Exploitation of this vulnerability...
PT-2024-27175 · Github · Github Enterprise Server
Name of the Vulnerable Software and Affected Versions: GitHub Enterprise Server versions prior to 3.12; GitHub Enterprise Server versions 3.9 through 3.9.12; GitHub Enterprise Server versions 3.10 through 3.10.9; GitHub Enterprise Server versions 3.11 through 3.11.7. Description: A server side reques...
PT-2024-4739 · Gitlab · Gitlab Ce/Ee +1
Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 16.7 through 16.11.5; GitLab CE/EE versions 17.0 through 17.0.3; GitLab CE/EE versions 17.1 through 17.1.1. Description: An issue in GitLab CE/EE allows private job artifacts to be accessed by any user due to improper...
SUSE CVE-2024-29903
Cosign provides code signing and transparency for containers and binaries. Prior to version 2.2.4, maliciously-crafted software artifacts can cause denial of service of the machine running Cosign thereby impacting all services on the machine. The root cause is that Cosign creates slices based on...
Denial of Service (DoS)
github.com/sigstore/cosign is vulnerable to a Denial of Service (DoS). The vulnerability is due to allocating excessive memory when creating slices based on the number of signatures, manifests, or attestations in untrusted artifacts. This flaw allows an attacker to trigger a Denial of Service via...
The vulnerability of the Jenkins Red Hat Dependency Analytics plugin is related to improper input handling during the creation of web pages; it allows attackers who control files in workspaces to execute XSS attacks.
The vulnerability of the Jenkins Red Hat Dependency Analytics plugin is related to the lack of Content-Security-Policy protection for user-generated content (in workspaces, archived artifacts, etc.) that Jenkins serves. Exploiting this vulnerability allows a malicious actor to...
GHSA-95PR-FXF5-86GV Cosign malicious artifacts can cause machine-wide DoS
Maliciously-crafted software artifacts can cause denial of service of the machine running Cosign, thereby impacting all services on the machine. The root cause is that Cosign creates slices based on the number of signatures, manifests or attestations in untrusted artifacts. As such, the untrusted...
CVE-2024-29903 Cosign vulnerable to machine-wide denial of service via malicious artifacts
Cosign provides code signing and transparency for containers and binaries. Prior to version 2.2.4, maliciously-crafted software artifacts can cause denial of service of the machine running Cosign thereby impacting all services on the machine. The root cause is that Cosign creates slices based on...
CVE-2024-29903
Cosign provides code signing and transparency for containers and binaries. Prior to version 2.2.4, maliciously-crafted software artifacts can cause denial of service of the machine running Cosign thereby impacting all services on the machine. The root cause is that Cosign creates slices based on...
PT-2024-23124 · Cosign +1 · Cosign +1
Name of the Vulnerable Software and Affected Versions: Cosign versions prior to 2.2.4 Description: Cosign provides code signing and transparency for containers and binaries. Maliciously-crafted software artifacts can cause denial of service of the machine running Cosign, thereby impacting all...
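The Cosign entries above (SUSE CVE-2024-29903, GHSA-95PR-FXF5-86GV, CVE-2024-29903 and PT-2024-23124) all describe one root cause: a slice whose length is taken from a count read out of an untrusted artifact, so the attacker chooses how much memory the verifier reserves. The Go program below is an added example written for this page; it is not Cosign's code and not the fix shipped in 2.2.4. The cap maxEntries, the Entry type and the fakeSource helper are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// maxEntries is an assumed cap on how many signature, manifest or attestation
// entries a verifier accepts from a single artifact (illustrative value).
const maxEntries = 1000

// ErrTooManyEntries is returned when an untrusted count exceeds maxEntries.
var ErrTooManyEntries = errors.New("artifact declares too many entries")

// Entry stands in for one decoded signature or attestation layer. It is a
// constructed type for this example, not a Cosign type.
type Entry struct {
	Index   int
	Payload [64]byte
}

// allocateUnbounded is the vulnerable shape: the slice length is taken
// directly from a count the artifact declares. A count in the billions makes
// the verifier reserve gigabytes before it has read a single entry.
// Shown for contrast only; never call it with an untrusted count.
func allocateUnbounded(declared int) []Entry {
	return make([]Entry, declared)
}

// allocateBounded is the hardened shape. It rejects counts above maxEntries
// before allocating anything, then grows the slice with append as entries are
// actually decoded, so memory tracks data received rather than a header field.
// next returns the i-th entry, or ok=false if the artifact ends early.
func allocateBounded(declared int, next func(i int) (Entry, bool)) ([]Entry, error) {
	if declared < 0 || declared > maxEntries {
		return nil, fmt.Errorf("%w: declared %d, limit %d", ErrTooManyEntries, declared, maxEntries)
	}
	out := make([]Entry, 0, 16) // small fixed starting capacity, not `declared`
	for i := 0; i < declared; i++ {
		e, ok := next(i)
		if !ok {
			return nil, fmt.Errorf("artifact truncated: got %d of %d declared entries", i, declared)
		}
		out = append(out, e)
	}
	return out, nil
}

// fakeSource simulates an artifact that really contains `available` entries
// regardless of what its header declares (constructed input for the example).
func fakeSource(available int) func(int) (Entry, bool) {
	return func(i int) (Entry, bool) {
		if i >= available {
			return Entry{}, false
		}
		return Entry{Index: i}, true
	}
}

func main() {
	// Honest artifact: header and body agree.
	got, err := allocateBounded(3, fakeSource(3))
	fmt.Println(len(got), err) // 3 <nil>

	// Header lies upward: rejected before any allocation happens.
	_, err = allocateBounded(1<<30, fakeSource(0))
	fmt.Println(errors.Is(err, ErrTooManyEntries)) // true

	// Header within the limit but the body is short: caught while decoding.
	_, err = allocateBounded(10, fakeSource(4))
	fmt.Println(err)
}
```

The check to carry away is the order of operations: validate the declared count against a fixed bound first, and only then allocate, growing the buffer from what was actually read rather than from what the artifact claims.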
Cross-Site Scripting (XSS)
Jenkins is vulnerable to Cross-site scripting (XSS). The vulnerability is due to improper handling of workspaces and archived artifacts, allowing remote authenticated users to inject arbitrary web scripts or HTML...
CVE-2024-30246
Tuleap is an Open Source Suite to improve management of software developments and collaboration. A malicious user could exploit this issue on purpose to delete information on the instance or possibly gain access to restricted artifacts. It is however not possible to control exactly which...
CVE-2024-30246
CVE-2024-30246 affects Tuleap Community Edition before 15.7.99.6 and Tuleap Enterprise Edition before 15.7-2, 15.6-5, 15.5-6, 15.4-8, 15.3-6, 15.2-5, 15.1-9, 15.0-9, 14.12-6. The vulnerability lets a malicious user delete information on the instance and may lead to disclosure of restricted artifa...
RedCurl Cybercrime Group Abuses Windows PCA Tool for Corporate Espionage
The Russian-speaking cybercrime group called RedCurl is leveraging a legitimate Microsoft Windows component called the Program Compatibility Assistant (PCA) to execute malicious commands. "The Program Compatibility Assistant Service (pcalua.exe) is a Windows service designed to identify and address...
Fedora: Security Advisory for maven-dependency-plugin (FEDORA-2024-129d8ca6fc)
The remote host is missing an update for the maven-dependency-plugin package announced via the FEDORA-2024-129d8ca6fc advisory. SPDX-FileCopyrightText: 2024 Greenbone AG. SPDX-License-Identifier: GPL-2.0-only. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders...
[SECURITY] Fedora 40 Update: maven-dependency-analyzer-1.13.2-6.fc40
Analyzes the dependencies of a project for undeclared or unused artifacts. Warning: analysis is done at the bytecode level, not the source level, so some cases are not detected (constants, annotations with source-only retention, links in javadoc), which can lead to wrong results if they are the only use of a...
BIT-GITLAB-2020-13274
A security issue allowed achieving Denial of Service attacks through memory exhaustion by uploading malicious artifacts in all previous GitLab versions through 13.0.1...
BIT-GITLAB-2022-2501
An improper access control issue in GitLab EE affecting all versions from 12.0 prior to 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1 allows an attacker to bypass IP allow-listing and download artifacts. This attack only bypasses IP allow-listing, proper permissions are still required...
BIT-JENKINS-2021-21615
Jenkins LTS 2.263.2 allows reading arbitrary files using the file browser for workspaces and archived artifacts due to a time-of-check to time-of-use (TOCTOU) race condition...
BIT-ORAS-2021-21272 zip slip in ORAS
ORAS is open source software which enables a way to push OCI Artifacts to OCI Conformant registries. ORAS is both a CLI for initial testing and a Go Module. In ORAS from version 0.4.0 and before version 0.9.0, there is a "zip-slip" vulnerability. The directory support feature allows the downloade...
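The ORAS entry above describes a "zip-slip" in the directory support feature: an entry name inside a downloaded artifact contains "../" components, and joining it naively onto the output directory writes the file outside that directory. The Go program below is an added example written for this page; it is not ORAS's code or the fix that landed in 0.9.0. The sample archive is constructed in memory, and safeJoin, extractZip and buildArchive are names chosen for the illustration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// ErrPathTraversal is returned for an entry whose name escapes the destination.
var ErrPathTraversal = errors.New("entry path escapes destination directory")

// entry is one file in the constructed sample archive.
type entry struct{ Name, Body string }

// sampleEntries is a constructed archive: one benign file and one entry whose
// name climbs out of the destination directory (the zip-slip payload).
var sampleEntries = []entry{
	{"manifest/config.json", `{"schemaVersion": 2}`},
	{"../evil.txt", "written outside dest if the check is missing\n"},
}

// safeJoin resolves an archive entry name under dest and rejects any result
// that would land outside dest. filepath.Join cleans ".." components, so the
// only thing left to verify is that the cleaned target still has dest as a
// parent; the trailing separator stops "dest2" from matching "dest".
func safeJoin(dest, name string) (string, error) {
	cleanDest := filepath.Clean(dest)
	target := filepath.Join(cleanDest, filepath.FromSlash(name))
	rel, err := filepath.Rel(cleanDest, target)
	if err != nil || rel == ".." || len(rel) >= 3 && rel[:3] == ".."+string(os.PathSeparator) {
		return "", fmt.Errorf("%w: %q", ErrPathTraversal, name)
	}
	return target, nil
}

// extractZip writes every entry of data under dest, refusing traversal.
// It returns the paths written so far; on a bad entry it stops immediately.
func extractZip(data []byte, dest string) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if r == nil {
		return nil, err // unreadable archive; a non-nil r with a path warning still goes through our own check
	}
	var written []string
	for _, f := range r.File {
		target, err := safeJoin(dest, f.Name)
		if err != nil {
			return written, err
		}
		if f.FileInfo().IsDir() {
			if err := os.MkdirAll(target, 0o755); err != nil {
				return written, err
			}
			continue
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return written, err
		}
		rc, err := f.Open()
		if err != nil {
			return written, err
		}
		out, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
		if err != nil {
			rc.Close()
			return written, err
		}
		_, err = io.Copy(out, rc)
		rc.Close()
		out.Close()
		if err != nil {
			return written, err
		}
		written = append(written, target)
	}
	return written, nil
}

// buildArchive packs entries into a zip in memory, in the order given.
func buildArchive(entries []entry) ([]byte, error) {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range entries {
		fw, err := w.Create(e.Name)
		if err != nil {
			return nil, err
		}
		if _, err := fw.Write([]byte(e.Body)); err != nil {
			return nil, err
		}
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	dest, _ := os.MkdirTemp("", "oras-slip-example")
	defer os.RemoveAll(dest)
	data, _ := buildArchive(sampleEntries)
	written, err := extractZip(data, dest)
	fmt.Println("written:", written)
	fmt.Println("error:", err) // the "../evil.txt" entry is rejected
}
```

The benign entry is written first, then extraction stops on the traversal entry; the check is the same one a practitioner would apply to tar or any other archive format, since the archive library itself only guarantees the bytes, not where they are allowed to go.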