Lucene search
K

192 matches found

OSV
OSV
added 2023/07/06 9:15 p.m.18 views

GHSA-2RX4-9F5H-9GJF Apache Airflow CNCF Kubernetes Provider: KubernetesPodOperator RCE via connection configuration

Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows user to change xcom sidecar image and resources via Airflow connection. In order to exploit this weakness, a user would already need elevated permissions Op or Admin to change the connection object in this...

7.2CVSS7.1AI score0.01531EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2023/07/06 9:15 p.m.31 views

Apache Airflow CNCF Kubernetes Provider: KubernetesPodOperator RCE via connection configuration

Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows user to change xcom sidecar image and resources via Airflow connection. In order to exploit this weakness, a user would already need elevated permissions Op or Admin to change the connection object in this...

7.2CVSS7.4AI score0.01531EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2023/06/06 4:45 p.m.26 views

notation-go's verification bypass can cause users to verify the wrong artifact

Impact An attacker who controls or compromises a registry can lead a user to verify the wrong artifact. Patches The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation-go library to v1.0.0-rc.6 or above. Workarounds User should use secure and trusted container...

8.8CVSS6.7AI score0.00354EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2023/06/06 4:44 p.m.14 views

Notation's default `maxSignatureAttempts` in `notation verify` enables an endless data attack

Impact An attacker who controls or compromises a registry can make the registry serve an infinite number of signatures for the artifact, causing a denial of service to the host machine running notation verify. Patches The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade the...

6.5CVSS6.6AI score0.00485EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2023/06/06 4:43 p.m.13 views

GHSA-9M3V-V4R5-PPX7 Notation vulnerable to denial of service from high number of artifact signatures

Impact An attacker who controls or compromises a registry can make the registry serve an infinite number of signatures for the artifact, causing a denial of service to the host machine running notation verify. Patches The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade the...

5.7CVSS5.5AI score0.00506EPSS
Exploits0References5
Veracode
Veracode
added 2023/06/01 1:1 p.m.18 views

Arbitrary Code Execution

Apache Airflow CNCF Kubernetes is vulnerable to Arbitrary Code Execution. The vulnerability exists because the xcom sidecar image and resources are not properly restricted which allows an attacker to inject arbitrary codes to change the connection object and perform unauthorized actions...

7.2CVSS7AI score0.01531EPSS
Exploits0References1Affected Software1
NVD
NVD
added 2023/05/30 11:15 a.m.9 views

CVE-2023-33234

Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows user to change xcom sidecar image and resources via Airflow connection. In order to exploit this weakness, a user would already need elevated permissions Op or Admin to change the connection object in this...

7.2CVSS7.2AI score0.01531EPSS
Exploits0References1
Prion
Prion
added 2023/05/30 11:15 a.m.19 views

Code injection

Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows user to change xcom sidecar image and resources via Airflow connection. In order to exploit this weakness, a user would already need elevated permissions Op or Admin to change the connection object in this...

5.8CVSS7.2AI score0.01531EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichment
added 2023/05/30 10:56 a.m.19 views

CVE-2023-33234 Apache Airflow CNCF Kubernetes Provider: KubernetesPodOperator RCE via connection configuration

Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows user to change xcom sidecar image and resources via Airflow connection. In order to exploit this weakness, a user would already need elevated permissions Op or Admin to change the connection object in this...

7.2AI score0.01531EPSS
Exploits0References1
CVE
CVE
added 2023/05/30 10:56 a.m.71 views

CVE-2023-33234

CVE-2023-33234 affects the Apache Airflow CNCF Kubernetes provider (version 5.0.0). Affected component: xcom sidecar image and resources via a misconfigured Airflow connection, enabling arbitrary code execution. Exploitation requires elevated permissions (Operator/Admin) to alter the connection. ...

7.2CVSS7.1AI score0.01531EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2023/05/30 10:56 a.m.13 views

CVE-2023-33234 Apache Airflow CNCF Kubernetes Provider: KubernetesPodOperator RCE via connection configuration

Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows user to change xcom sidecar image and resources via Airflow connection. In order to exploit this weakness, a user would already need elevated permissions Op or Admin to change the connection object in this...

7.4AI score0.01531EPSS
Exploits0References1
OSV
OSV
added 2023/05/11 7:40 p.m.16 views

GHSA-PQJ7-JX24-WJ7W VTAdmin users that can create shards can deny access to other functions

Impact Users can either intentionally or inadvertently create a shard containing / characters from VTAdmin such that from that point on, anyone who tries to create a new shard from VTAdmin will receive an error. Attempting to view the keyspaces will also no longer work. Creating a shard using...

4.1CVSS4.3AI score0.00983EPSS
Exploits1References8
Github Security Blog
Github Security Blog
added 2023/05/11 7:40 p.m.36 views

VTAdmin users that can create shards can deny access to other functions

Impact Users can either intentionally or inadvertently create a shard containing / characters from VTAdmin such that from that point on, anyone who tries to create a new shard from VTAdmin will receive an error. Attempting to view the keyspaces will also no longer work. Creating a shard using...

4.3CVSS6.2AI score0.00983EPSS
Exploits1References8Affected Software1
OSV
OSV
added 2023/04/11 9:12 p.m.21 views

GHSA-735R-HV67-G38F vitess allows users to create keyspaces that can deny access to already existing keyspaces

Impact Users can either intentionally or inadvertently create a keyspace containing / characters such that from that point on, anyone who tries to view keyspaces from VTAdmin will receive an error. Trying to list all the keyspaces using vtctldclient GetKeyspaces will also return an error. Note th...

4.1CVSS3.9AI score0.00782EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2023/04/11 9:12 p.m.25 views

vitess allows users to create keyspaces that can deny access to already existing keyspaces

Impact Users can either intentionally or inadvertently create a keyspace containing / characters such that from that point on, anyone who tries to view keyspaces from VTAdmin will receive an error. Trying to list all the keyspaces using vtctldclient GetKeyspaces will also return an error. Note th...

4.1CVSS4.6AI score0.00782EPSS
Exploits0References5Affected Software1
Tenable Nessus
Tenable Nessus
added 2023/03/28 12:0 a.m.43 views

CBL Mariner 2.0 Security Update: helm (CVE-2022-36055)

The version of helm installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2022-36055 advisory. - Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. Fuzz testing,...

6.5CVSS7.5AI score0.00874EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2023/03/13 8:53 p.m.27 views

fieldpath's Paved.SetValue allows growing arrays up to arbitrary sizes in crossplane-runtime

Summary Fuzz testing on crossplane/crossplane, by Ada Logics and sponsored by the CNCF, identified input to a function in the fieldpath package that can cause an out of memory panic. Applications that use the Paved type's SetValue method with user provided input without proper validation might us...

7.5CVSS7.3AI score0.00798EPSS
Exploits0References6Affected Software1
OSV
OSV
added 2023/03/13 8:53 p.m.30 views

GHSA-VFVJ-3M3G-M532 fieldpath's Paved.SetValue allows growing arrays up to arbitrary sizes in crossplane-runtime

Summary Fuzz testing on crossplane/crossplane, by Ada Logics and sponsored by the CNCF, identified input to a function in the fieldpath package that can cause an out of memory panic. Applications that use the Paved type's SetValue method with user provided input without proper validation might us...

5.9CVSS6.5AI score0.00798EPSS
Exploits0References6
OSV
OSV
added 2023/03/10 11:47 p.m.20 views

GHSA-V829-X6HH-CQFQ Crossplane-runtime contains Improper Input Validation via Compositions

Summary Fuzz testing, by Ada Logics and sponsored by the CNCF, identified a vulnerability in the fieldpath package from crossplane/crossplane-runtime that an already highly privileged Crossplane user able to create or update Compositions could leverage to cause an out of memory panic in Crossplan...

6.2CVSS5.7AI score0.00678EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2023/02/22 12:3 a.m.20 views

notation-go has excessive memory allocation on verification

Impact notation-go users will find their application using excessive memory when verifying signatures and the application will be finally killed, and thus availability is impacted. Patches The problem has been patched in the release v1.0.0-rc.3. Users should upgrade their notation-go packages to...

7.5CVSS7.2AI score0.0044EPSS
Exploits0References5Affected Software1
Rows per page
Query Builder