3 matches found
Improper Enforcement Of Security Policy
github.com/forgekeep/nebula-mesh is vulnerable to Improper Enforcement of Security Policy. The vulnerability is due to the Web UI host-creation endpoint hardcoding a 24-hour enrollment token lifetime instead of enforcing the configured server-wide or per-network enrollment token TTL, which allows...
GHSA-GHMH-JHMJ-WCMF nebula-mesh's stores enrollment tokens unhashed in SQLite
internal/store/sqlite.go:1177,1192,1221,1245 — the enrollmenttokens.token column holds the raw UUID token. ConsumeToken does WHERE token = ? against the raw string. Compare with operatorapikeys.keyhash, which is SHA-256 hex constructed in internal/api/middleware.go:51-53. Affected All released...
Fleet Server v8.10.3 Security Update
Fleet Server Insertion of Sensitive Information into Log File ESA-2023-20 An issue was discovered in Fleet Server = v8.10.0 and = v8.10.0 and v8.10.3 Solutions and Mitigations: If an affected version is being utilized then upgrade to Fleet Server v8.10.3 or above. If there are ephemeral container...