128 matches found
PYSEC-2022-42993
GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to v0.1.8 are vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package. Extracting files using shutil.unpack_archive from a potentially malicious tarball without validating that the destinati...
CVE-2022-23530
CVE-2022-23530 affects GuardDog prior to v0.1.8, where scanning a remotely fetched PyPI package could trigger arbitrary file writes. The root cause is using shutil.unpack_archive() on a crafted tarball without validating that extracted paths stay within the destination directory, allowing writes ...
CVE-2022-24441 Code Injection
The package snyk before 1.1064.0 is vulnerable to Code Injection when analyzing a project. An attacker who can convince a user to scan a malicious project can include commands in a build file such as build.gradle or gradle-wrapper.jar, which will be executed with the privileges of the applicatio...
CVE-2022-24441
CVE-2022-24441 relates to a code injection flaw in Snyk when analyzing a project. According to the provided description, snyk before 1.1064.0 can be leveraged by convincing a user to scan a malicious project, including commands in build files (e.g., build.gradle or gradle-wrapper.jar), which will...
Oracle Linux 9 : runc (ELSA-2022-8090)
The remote Oracle Linux 9 host has a package installed that is affected by a vulnerability as referenced in the ELSA-2022-8090 advisory. 4:1.1.4-1 - update to https://github.com/opencontainers/runc/releases/tag/v1.1.4 - Related: 2061316 Tenable has extracted the preceding description block direct...
AlmaLinux 8 : container-tools:rhel8 (ALSA-2022:7457)
The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2022:7457 advisory. golang: net/http/httputil: panic due to racy read of persistConn after handler panic CVE-2021-36221 cri-o: memory exhaustion on the node when access to th...
SUSE SLES15: kubevirt-container-disk / kubevirt-manifests / kubevirt-tests / etc (SUSE-SU-2022:3333-1)
The remote SUSE Linux SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:3333-1 advisory. The kubevirt stack was updated to version 0.54.0 Release notes...
Huawei EulerOS: Security Advisory for docker-runc (EulerOS-SA-2022-2283)
The remote host is missing an update for the Huawei EulerOS...
Integrating Cloud Security With DevOps and CI/CD Tools
This is the latest post in our blog series on shifting left in cloud security. In our last post, we kicked off the series with a high-level overview about Rapid7’s approach to shifting cloud security into the application development lifecycle. For this post, we’ll dive into a key aspect of our...
EulerOS 2.0 SP10 : docker-engine (EulerOS-SA-2022-2240)
According to the versions of the docker-engine package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: - Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby Docker Engine where attempti...
[SECURITY] Fedora 36 Update: golang-github-martinhoefling-goxkcdpwgen-0.1.0-3.fc36
xkcd style password generator library and cli tool...
CVE-2022-32498
Dell EMC PowerStore, Versions prior to v3.0.0.0 contain a DLL Hijacking vulnerability in PSTCLI. A local attacker can potentially exploit this vulnerability to execute arbitrary code, escalate privileges, and bypass software allow list solutions, leading to system takeover or IP exposure...
[SECURITY] Fedora 35 Update: golang-github-martinhoefling-goxkcdpwgen-0.1.0-2.fc35
xkcd style password generator library and cli tool...
SUSE SLES15 Security Update : containerd, docker and runc (SUSE-SU-2022:2341-1)
The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:2341-1 advisory. - runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior...
CVE-2022-2264
A heap buffer overflow vulnerability was found in Vim's inc function of misc2.c. This issue occurs because Vim reads beyond the end of the line with a put command. This flaw allows an attacker to trick a user into opening a specially crafted file, triggering an out-of-bounds read that causes a...
[SECURITY] Fedora 36 Update: golang-github-martinhoefling-goxkcdpwgen-0.1.0-2.fc36
xkcd style password generator library and cli tool...
Fedora: Security Advisory for golang-github-opencontainers-runc (FEDORA-2022-d1f55f8fd0)
The remote host is missing an update for the...
Fedora: Security Advisory for golang-github-opencontainers-runc (FEDORA-2022-e980dc71b1)
The remote host is missing an update for the...
Fedora: Security Advisory for golang-github-opencontainers-runc (FEDORA-2022-91b747a0d7)
The remote host is missing an update for the...
CVE-2022-29162
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where runc exec --cap created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling...