This Week in Spring - November 14th, 2023

Hi, Spring fans! Welcome to another installment of This Week in Spring! It's November 14th, and you know what that means? NINE MORE DAYS until Spring Boot 3.2 drops on the day of the US holiday of Thanksgiving, no less! Some key features include: virtual threads initial CRaC support more...

Exploit for Injection in Discourse

Table of contents ================= CVE-2023-47119cve...

AZL-35440 CVE-2023-47108 affecting package docker-compose for versions less than 2.27.0-1

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Starting in version 0.37.0 and prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels net.peer.sock.addr and net.peer.sock.port that have unbound cardinality. It leads to the...

CVE-2023-47108 vulnerabilities

Vulnerabilities for packages: kine, temporal, envoy-ratelimit, temporal-server, kubevela, buildkitd, cri-tools, k3s, docker-compose, kubernetes, kubernetes-csi-external-resizer, metrics-server, kubescape, volume-modifier-for-k8s...

GHSA-FJHG-96CP-6FCW Kimai (Authenticated) SSTI to RCE by Uploading a Malicious Twig File

Description The laters version of Kimai is found to be vulnerable to a critical Server-Side Template Injection SSTI which can be escalated to Remote Code Execution RCE. The vulnerability arises when a malicious user uploads a specially crafted Twig file, exploiting the software's PDF and HTML...

Kimai (Authenticated) SSTI to RCE by Uploading a Malicious Twig File

Description The laters version of Kimai is found to be vulnerable to a critical Server-Side Template Injection SSTI which can be escalated to Remote Code Execution RCE. The vulnerability arises when a malicious user uploads a specially crafted Twig file, exploiting the software's PDF and HTML...

CVE-2023-39325 affecting package moby-compose for versions less than 2.17.2-5

CVE-2023-39325 affecting package moby-compose for versions less than 2.17.2-5. A patched version of the package is available...

CVE-2023-44487 affecting package moby-compose for versions less than 2.17.2-5

CVE-2023-44487 affecting package moby-compose for versions less than 2.17.2-5. A patched version of the package is available...

AZL-31645 CVE-2023-39325 affecting package moby-compose for versions less than 2.17.2-5

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a ne...

AZL-31327 CVE-2023-44487 affecting package moby-compose for versions less than 2.17.2-5

The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023...

AZL-35441 CVE-2023-44487 affecting package docker-compose for versions less than 2.27.0-1

The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023...

Sirius - First Truly Open-Source General Purpose Vulnerability Scanner

Sirius is the first truly open-source general purpose vulnerability scanner. Today, the information security community remains the best and most expedient source for cybersecurity intelligence. The community itself regularly outperforms commercial vendors. This is the primary advantage Sirius Sca...

My SpringOne 2023 Recap

Hi, Spring fans! Look, it's Monday after the first in-person SpringOne of the 2020s and the first since the pandemic, and, being honest, I'm bushed! Vegas is a dizzying, sensational, overwhelming, exciting experience, and SpringOne is too. But it was worth it. The SpringOne show surpassed all...

PT-2023-23589

Name of the Vulnerable Software and Affected Versions Netmaker versions prior to 0.17.1 Netmaker versions 0.18.0 through 0.18.5 Description An Insecure Direct Object Reference IDOR vulnerability was found in the user update function, allowing an attacker to update another user's password by...

AiCEF - An AI-assisted cyber exercise content generation framework using named entity recognition

AiCEF is a tool implementing the accompanying framework 1 in order to harness the intelligence that is available from online resources, as well as threat groups' activities, arsenal eg. MITRE, to create relevant and timely cybersecurity exercise content. This way, we abstract the events from the...

COMpose-IT CMS 2.0 SQL Injection

==================================================================================================================================== | Title : COMpose-IT CMS v2.0 SQL injection Vulnerability | | Author : indoushka | | Tested on : windows 10 Français V.Pro / browser : Mozilla firefox 68.032-bit | ...

COMpose-IT CMS 2.0 Insecure Settings

==================================================================================================================================== | Title : COMpose-IT CMS v2.0 Insecure Settings Vulnerability | | Author : indoushka | | Tested on : windows 10 Français V.Pro / browser : Mozilla firefox 68.032-bi...

Exploit for Code Injection in Apache Airflow

Apache Airflow official report description says: A vulnerab...

Auto-GPT 代码注入漏洞

Auto-GPT is an artificial intelligence software agent program open-sourced by Significant Gravitas. A code injection vulnerability exists in Auto-GPT versions prior to 0.4.3, which stems from a docker-compose.yml file located in the repository root directory that installs itself into a docker...

PT-2023-25876 · Autogpt · Autogpt

Name of the Vulnerable Software and Affected Versions: Auto-GPT versions prior to 0.4.3 Description: The issue arises from the use of a different docker-compose.yml file when running Auto-GPT by cloning the git repo and executing docker compose run auto-gpt in the repo root. This file mounts itse...