192 matches found
GHSA-2RX4-9F5H-9GJF Apache Airflow CNCF Kubernetes Provider: KubernetesPodOperator RCE via connection configuration
Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows user to change xcom sidecar image and resources via Airflow connection. In order to exploit this weakness, a user would already need elevated permissions Op or Admin to change the connection object in this...
Apache Airflow CNCF Kubernetes Provider: KubernetesPodOperator RCE via connection configuration
Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows user to change xcom sidecar image and resources via Airflow connection. In order to exploit this weakness, a user would already need elevated permissions Op or Admin to change the connection object in this...
notation-go's verification bypass can cause users to verify the wrong artifact
Impact An attacker who controls or compromises a registry can lead a user to verify the wrong artifact. Patches The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation-go library to v1.0.0-rc.6 or above. Workarounds User should use secure and trusted container...
Notation's default `maxSignatureAttempts` in `notation verify` enables an endless data attack
Impact An attacker who controls or compromises a registry can make the registry serve an infinite number of signatures for the artifact, causing a denial of service to the host machine running notation verify. Patches The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade the...
GHSA-9M3V-V4R5-PPX7 Notation vulnerable to denial of service from high number of artifact signatures
Impact An attacker who controls or compromises a registry can make the registry serve an infinite number of signatures for the artifact, causing a denial of service to the host machine running notation verify. Patches The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade the...
Arbitrary Code Execution
Apache Airflow CNCF Kubernetes is vulnerable to Arbitrary Code Execution. The vulnerability exists because the xcom sidecar image and resources are not properly restricted which allows an attacker to inject arbitrary codes to change the connection object and perform unauthorized actions...
CVE-2023-33234
Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows user to change xcom sidecar image and resources via Airflow connection. In order to exploit this weakness, a user would already need elevated permissions Op or Admin to change the connection object in this...
Code injection
Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows user to change xcom sidecar image and resources via Airflow connection. In order to exploit this weakness, a user would already need elevated permissions Op or Admin to change the connection object in this...
CVE-2023-33234 Apache Airflow CNCF Kubernetes Provider: KubernetesPodOperator RCE via connection configuration
Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows user to change xcom sidecar image and resources via Airflow connection. In order to exploit this weakness, a user would already need elevated permissions Op or Admin to change the connection object in this...
CVE-2023-33234
CVE-2023-33234 affects the Apache Airflow CNCF Kubernetes provider (version 5.0.0). Affected component: xcom sidecar image and resources via a misconfigured Airflow connection, enabling arbitrary code execution. Exploitation requires elevated permissions (Operator/Admin) to alter the connection. ...
CVE-2023-33234 Apache Airflow CNCF Kubernetes Provider: KubernetesPodOperator RCE via connection configuration
Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows user to change xcom sidecar image and resources via Airflow connection. In order to exploit this weakness, a user would already need elevated permissions Op or Admin to change the connection object in this...
GHSA-PQJ7-JX24-WJ7W VTAdmin users that can create shards can deny access to other functions
Impact Users can either intentionally or inadvertently create a shard containing / characters from VTAdmin such that from that point on, anyone who tries to create a new shard from VTAdmin will receive an error. Attempting to view the keyspaces will also no longer work. Creating a shard using...
VTAdmin users that can create shards can deny access to other functions
Impact Users can either intentionally or inadvertently create a shard containing / characters from VTAdmin such that from that point on, anyone who tries to create a new shard from VTAdmin will receive an error. Attempting to view the keyspaces will also no longer work. Creating a shard using...
GHSA-735R-HV67-G38F vitess allows users to create keyspaces that can deny access to already existing keyspaces
Impact Users can either intentionally or inadvertently create a keyspace containing / characters such that from that point on, anyone who tries to view keyspaces from VTAdmin will receive an error. Trying to list all the keyspaces using vtctldclient GetKeyspaces will also return an error. Note th...
vitess allows users to create keyspaces that can deny access to already existing keyspaces
Impact Users can either intentionally or inadvertently create a keyspace containing / characters such that from that point on, anyone who tries to view keyspaces from VTAdmin will receive an error. Trying to list all the keyspaces using vtctldclient GetKeyspaces will also return an error. Note th...
CBL Mariner 2.0 Security Update: helm (CVE-2022-36055)
The version of helm installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2022-36055 advisory. - Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. Fuzz testing,...
fieldpath's Paved.SetValue allows growing arrays up to arbitrary sizes in crossplane-runtime
Summary Fuzz testing on crossplane/crossplane, by Ada Logics and sponsored by the CNCF, identified input to a function in the fieldpath package that can cause an out of memory panic. Applications that use the Paved type's SetValue method with user provided input without proper validation might us...
GHSA-VFVJ-3M3G-M532 fieldpath's Paved.SetValue allows growing arrays up to arbitrary sizes in crossplane-runtime
Summary Fuzz testing on crossplane/crossplane, by Ada Logics and sponsored by the CNCF, identified input to a function in the fieldpath package that can cause an out of memory panic. Applications that use the Paved type's SetValue method with user provided input without proper validation might us...
GHSA-V829-X6HH-CQFQ Crossplane-runtime contains Improper Input Validation via Compositions
Summary Fuzz testing, by Ada Logics and sponsored by the CNCF, identified a vulnerability in the fieldpath package from crossplane/crossplane-runtime that an already highly privileged Crossplane user able to create or update Compositions could leverage to cause an out of memory panic in Crossplan...
notation-go has excessive memory allocation on verification
Impact notation-go users will find their application using excessive memory when verifying signatures and the application will be finally killed, and thus availability is impacted. Patches The problem has been patched in the release v1.0.0-rc.3. Users should upgrade their notation-go packages to...