224 matches found
SUSE CVE-2022-45157
A vulnerability has been identified in the way that Rancher stores vSphere's CPI Cloud Provider Interface and CSI Container Storage Interface credentials used to deploy clusters through the vSphere cloud provider. This issue leads to the vSphere CPI and CSI passwords being stored in a plaintext...
CVE-2024-28180 affecting package kube-vip-cloud-provider for versions less than 0.0.2-19
CVE-2024-28180 affecting package kube-vip-cloud-provider for versions less than 0.0.2-19. A patched version of the package is available...
CVE-2024-24786 affecting package kube-vip-cloud-provider for versions less than 0.0.10-1
CVE-2024-24786 affecting package kube-vip-cloud-provider for versions less than 0.0.10-1. An upgraded version of the package is available that resolves this issue...
CVE-2023-39325 affecting package kube-vip-cloud-provider for versions less than 0.0.10-1
CVE-2023-39325 affecting package kube-vip-cloud-provider for versions less than 0.0.10-1. An upgraded version of the package is available that resolves this issue...
CVE-2023-45288 affecting package kube-vip-cloud-provider for versions less than 0.0.10-1
CVE-2023-45288 affecting package kube-vip-cloud-provider for versions less than 0.0.10-1. An upgraded version of the package is available that resolves this issue...
CVE-2023-47108 affecting package kube-vip-cloud-provider for versions less than 0.0.10-1
CVE-2023-47108 affecting package kube-vip-cloud-provider for versions less than 0.0.10-1. A patched version of the package is available...
CVE-2023-45142 affecting package kube-vip-cloud-provider for versions less than 0.0.10-1
CVE-2023-45142 affecting package kube-vip-cloud-provider for versions less than 0.0.10-1. An upgraded version of the package is available that resolves this issue...
GHSA-6GR4-52W6-VMQX rke's credentials are stored in the RKE1 Cluster state ConfigMap
Impact When RKE provisions a cluster, it stores the cluster state in a configmap called full-cluster-state inside the kube-system namespace of the cluster itself. This cluster state object contains information used to set up the K8s cluster, which may include the following sensitive data: -...
[SECURITY] Fedora 39 Update: rust-afterburn-5.5.1-4.fc39
A simple cloud provider agent...
The Ticketmaster Data Breach May Be Just the Beginning
Data breaches at Ticketmaster and financial services company Santander have been linked to attacks against cloud provider Snowflake. Researchers fear more breaches will soon be uncovered...
[SECURITY] Fedora 40 Update: rust-afterburn-5.5.1-4.fc40
A simple cloud provider agent...
CVE-2024-3744 Kubernetes azure-file-csi-driver in versions before 1.29.4 and 1.30.1 discloses service account tokens in logs
A security issue was discovered in azure-file-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are only logged whe...
Sensitive Information leak via Log File in Kubernetes
In Kubernetes clusters using VSphere as a cloud provider, with a logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager's log. This affects v1.19.3...
AZL-38623 CVE-2023-45288 affecting package kube-vip-cloud-provider for versions less than 0.0.10-1
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no...
CVE-2023-44487 affecting package kube-vip-cloud-provider for versions less than 0.0.2-12
CVE-2023-44487 affecting package kube-vip-cloud-provider for versions less than 0.0.2-12. A patched version of the package is available...
AZL-35844 CVE-2024-28180 affecting package kube-vip-cloud-provider for versions less than 0.0.2-19
Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if t...
CVE-2021-44716 affecting package kube-vip-cloud-provider for versions less than 0.0.2-16
CVE-2021-44716 affecting package kube-vip-cloud-provider for versions less than 0.0.2-16. A patched version of the package is available...
CVE-2023-6221
The cloud provider MachineSense uses for integration and deployment for multiple MachineSense devices, such as the programmable logic controller PLC, PumpSense, PowerAnalyzer, FeverWarn, and others is insufficiently protected against unauthorized access. An attacker with access to the internal...
Command injection
The cloud provider MachineSense uses for integration and deployment for multiple MachineSense devices, such as the programmable logic controller PLC, PumpSense, PowerAnalyzer, FeverWarn, and others is insufficiently protected against unauthorized access. An attacker with access to the internal...
CVE-2023-6221 MachineSense FeverWarn Missing Authentication for Critical Function
The cloud provider MachineSense uses for integration and deployment for multiple MachineSense devices, such as the programmable logic controller PLC, PumpSense, PowerAnalyzer, FeverWarn, and others is insufficiently protected against unauthorized access. An attacker with access to the internal...