617 matches found

CVE
added 2023/07/27 6:07 p.m. | 55 views

CVE-2023-38495

Crossplane versions prior to 1.11.5, 1.12.3, and 1.13.0 have a flaw in the image backend where the byte contents of packages are not validated, allowing tampering to go undetected. The vulnerability is fixed in 1.11.5, 1.12.3, and 1.13.0. Workarounds include using images from trusted sources and ...

CVSS 9.8 | AI score 9.1 | EPSS 0.00323
Exploits 1 | References 2 | Affected Software 1
OSV
added 2023/07/27 6:07 p.m. | 22 views

CVE-2023-38495 Crossplane vulnerable to possible image tampering from missing image validation for Packages

Crossplane is a framework for building cloud native control planes without needing to write code. In versions prior to 1.11.5, 1.12.3, and 1.13.0, Crossplane's image backend does not validate the byte contents of Crossplane packages. As such, Crossplane does not detect if an attacker has tampered...

CVSS 8.3 | AI score 9.1 | EPSS 0.00323
Exploits 1 | References 4
Vulnrichment
added 2023/07/27 3:50 p.m. | 14 views

CVE-2023-37900 Crossplane vulnerable to denial of service from large image

Crossplane is a framework for building cloud native control planes without needing to write code. In versions prior to 1.11.5, 1.12.3, and 1.13.0, a high-privileged user could create a Package referencing an arbitrarily large image that Crossplane would then parse, possibly resulting i...

CVSS 3.4 | AI score 6.6 | EPSS 0.00088
Exploits 1 | References 2
CVE
added 2023/07/27 3:50 p.m. | 53 views

CVE-2023-37900

Crossplane vulnerability CVE-2023-37900 allows a high-privilege user to create a Package referencing an arbitrarily large image, which Crossplane may parse and exhaust memory, potentially causing the container to be OOMKilled. Impact is mitigated by the need for high privileges and the eventual c...

CVSS 3.4 | AI score 3.4 | EPSS 0.00088
Exploits 1 | References 2 | Affected Software 1
NVD
added 2023/07/25 7:15 p.m. | 9 views

CVE-2023-35943

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, the CORS filter will segfault and crash Envoy when the origin header is removed and deleted between decodeHeaders and encodeHeaders. Versions 1.27....

CVSS 7.5 | AI score 7.7 | EPSS 0.00011
Exploits 1 | References 1
Prion
added 2023/07/25 7:15 p.m. | 14 views

Code injection

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, the CORS filter will segfault and crash Envoy when the origin header is removed and deleted between decodeHeaders and encodeHeaders. Versions 1.27....

CVSS 5 | AI score 7.3 | EPSS 0.00011
Exploits 1 | References 1 | Affected Software 1
Vulnrichment
added 2023/07/25 6:35 p.m. | 11 views

CVE-2023-35944 Envoy vulnerable to incorrect handling of HTTP requests and responses with mixed case schemes

Envoy is an open source edge and service proxy designed for cloud-native applications. Envoy allows mixed-case schemes in HTTP/2; however, some internal scheme checks are case-sensitive. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, this can lead to the rejection of requests wit...

CVSS 8.2 | AI score 6.6 | EPSS 0.00009
Exploits 1 | References 1
CVE
added 2023/07/25 6:35 p.m. | 77 views

CVE-2023-35944

CVE-2023-35944 affects Envoy. The issue arises from case-sensitive internal HTTP/2 scheme checks, allowing mixed-case schemes (e.g., htTp, htTps) to be rejected or to bypass certain requests over unencrypted connections. The vulnerability exists prior to fixed releases and is mitigated by a patch...

CVSS 8.2 | AI score 7.1 | EPSS 0.00009
Exploits 1 | References 1 | Affected Software 1
OSV
added 2023/07/25 6:35 p.m. | 19 views

CVE-2023-35944 Envoy vulnerable to incorrect handling of HTTP requests and responses with mixed case schemes

Envoy is an open source edge and service proxy designed for cloud-native applications. Envoy allows mixed-case schemes in HTTP/2; however, some internal scheme checks are case-sensitive. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, this can lead to the rejection of requests wit...

CVSS 8.2 | AI score 6.5 | EPSS 0.00009
Exploits 1 | References 3
Prion
added 2023/07/25 6:15 p.m. | 26 views

Design/Logic Flaw

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, a malicious client is able to construct credentials with permanent validity in some specific scenarios. This is caused by some rare scenarios ...

CVSS 7.5 | AI score 9.1 | EPSS 0.00062
Exploits 0 | References 1 | Affected Software 1
CVE
added 2023/07/25 5:40 p.m. | 77 views

CVE-2023-35941

Envoy CVE-2023-35941 affects vulnerable OAuth2 filter handling across multiple pre-fix releases (Envoy 1.27.0, 1.26.4, 1.25.9, 1.24.10, 1.23.12 and earlier). The issue allows a malicious client to construct credentials with permanent validity in specific scenarios where HMAC payload validation co...

CVSS 9.8 | AI score 9 | EPSS 0.00062
Exploits 0 | References 1 | Affected Software 1
Cvelist
added 2023/07/25 5:40 p.m. | 24 views

CVE-2023-35941 Envoy vulnerable to OAuth2 credentials exploit with permanent validity

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, a malicious client is able to construct credentials with permanent validity in some specific scenarios. This is caused by some rare scenarios ...

CVSS 8.6 | AI score 9.5 | EPSS 0.00062
Exploits 0 | References 1
NCSC
added 2023/07/19 12:00 a.m. | 6 views

Vulnerabilities fixed in Oracle Communications

Vulnerabilities have been fixed in Oracle Communications products. A malicious party can exploit the vulnerabilities to launch attacks that can result in the following categories of damage: Denial-of-Service (DoS); Remote code execution (Administrator/Root rights); Remote code executio...

CVSS 9.8 | AI score 7.9 | EPSS 0.94055
Exploits 58
OSV
added 2023/07/13 8:41 p.m. | 28 views

CVE-2023-35945 Envoy vulnerable to HTTP/2 memory leak in nghttp2 codec

Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy's HTTP/2 codec may leak a header map and bookkeeping structures upon receiving an RST_STREAM frame immediately followed by GOAWAY frames from an upstream server. In nghttp2, cleanup of pending requests due to receipt of the GOAWA...

CVSS 7.5 | AI score 7.5 | EPSS 0.00133
Exploits 0 | References 4
CNNVD
added 2023/07/10 12:00 a.m. | 2 views

IBM Cloud Pak for Data security vulnerability

IBM Cloud Pak for Data is a cloud-native solution from International Business Machines (IBM) that allows customers to use data and analyze it quickly and efficiently. A denial of service vulnerability exists in IBM Cloud Pak for Data, which can be exploited by attackers to cause a denial of service...

CVSS 7.5 | AI score 6.5 | EPSS 0.00109
Exploits 0 | References 3
The Hacker News
added 2023/07/06 10:38 a.m. | 2 views

Silentbob Campaign: Cloud-Native Environments Under Attack

Cybersecurity researchers have unearthed an attack infrastructure that's being used as part of a "potentially massive campaign" against cloud-native environments. "This infrastructure is in early stages of testing and deployment, and is mainly consistent of an aggressive cloud worm, designed to...

AI score 6.7
Exploits 0
Akamai Blog
added 2023/07/05 1:00 p.m. | 14 views

Multicloud Strategies Must Evolve to Meet the Needs of Global IT Leaders

In a Forrester study commissioned by Akamai, global IT leaders explain why they are adopting cloud-native architecture and distributing apps and workloads...

AI score 7
Exploits 0
CNNVD
added 2023/06/29 12:00 a.m. | 1 view

Quarkus security vulnerability

Quarkus is a cloud-native, Linux container-first framework for writing Java applications. A security vulnerability exists in Quarkus that stems from the unenforced use of the TLS protocol and the ability of a client to force an option to support a weaker TLS protocol...

CVSS 8.1 | AI score 7.1 | EPSS 0.00489
Exploits 0 | References 7
Redos
added 2023/06/19 12:00 a.m. | 70 views

ROS-20230619-05

A vulnerability in the pip module of the Python programming language is related to incorrect input validation in the Policy component (python-pip) of Oracle Communications Cloud Native Core Policy. Exploitation: the vulnerability could allow an attacker acting remotely to manipulate data. The...

CVSS 7.5 | AI score 7.4 | EPSS 0.00622
Exploits 3
Microsoft Malware Protection
added 2023/06/14 5:00 p.m. | 6 views

Expanding horizons: Microsoft Security's continued commitment to multicloud

Multicloud strategies have become the new norm for most enterprises, with more than 90 percent of organizations adopting multiple cloud infrastructures, platforms, and services to run their businesses.[1] However, a lack of visibility into their digital infrastructure exposes them to significant...

AI score 6.8
Exploits 0