2629 matches found
CVE-2024-32487
less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the...
CVE-2024-32487
CVE-2024-32487 affects the less utility. The issue allows OS command execution via a newline character in a file name due to faulty quoting in filename.c (affecting versions up to 653). Exploitation typically requires attacker-controlled file names (e.g., from an untrusted archive) and the LESSOP...
CVE-2024-32003 Dusk plugin may allow unfettered user authentication in misconfigured installs
wn-dusk-plugin Dusk plugin is a plugin which integrates Laravel Dusk browser testing into Winter CMS. The Dusk plugin provides some special routes as part of its testing framework to allow a browser environment such as headless Chrome to act as a user in the Backend or User plugin without having ...
Cosign malicious attachments can cause system-wide denial of service
Summary A remote image with a malicious attachment can cause denial of service of the host machine running Cosign. This can impact other services on the machine that rely on having memory available such as a Redis database which can result in data loss. It can also impact the availability of othe...
GHSA-88JX-383Q-W4QC Cosign malicious attachments can cause system-wide denial of service
Summary A remote image with a malicious attachment can cause denial of service of the host machine running Cosign. This can impact other services on the machine that rely on having memory available such as a Redis database which can result in data loss. It can also impact the availability of othe...
Critical 'BatBadBut' Rust Vulnerability Exposes Windows Systems to Attacks
A critical security flaw in the Rust standard library could be exploited to target Windows users and stage command injection attacks. The vulnerability, tracked as CVE-2024-24576, has a CVSS score of 10.0, indicating maximum severity. That said, it only impacts scenarios where batch files are...
CVE-2024-29905
DIRAC is an interware, meaning a software framework for distributed computing. Prior to version 8.0.41, during the proxy generation process e.g., when using dirac-proxy-init, it is possible for unauthorized users on the same machine to gain read access to the proxy. This allows the user to then...
CVE-2024-29905 DIRAC: Unauthorized users can read proxy contents during generation
DIRAC is an interware, meaning a software framework for distributed computing. Prior to version 8.0.41, during the proxy generation process e.g., when using dirac-proxy-init, it is possible for unauthorized users on the same machine to gain read access to the proxy. This allows the user to then...
CVE-2024-29905
Summary: CVE-2024-29905 affects DIRAC prior to version 8.0.41. During the proxy generation process (e.g., dirac-proxy-init), unauthorized users on the same machine could gain read access to the proxy for a sub-millisecond window, enabling actions as if using the original proxy. The issue is mitig...
DIRAC: Unauthorized users can read proxy contents during generation
Impact During the proxy generation process e.g., when using dirac-proxy-init it is possible for unauthorized users on the same machine to gain read access to the proxy. This allows the user to then perform any action that is possible with the original proxy. This vulnerability only exists for a...
The vulnerability of the CRI-O Container Engine’s application programming interface allows an attacker to compromise the confidentiality, integrity, and availability of protected information.
The vulnerability of the CRI-O Container Engine’s application programming interface, a software platform for managing clusters of virtual machines in Kubernetes, stems from the ability to add arbitrary strings to the /etc/passwd file using a specially created environment variable. Exploiting this...
CLSA-2024-1711562715 systemd: Fix of CVE-2023-26604
Moved tuxcare patches from 219-78.7.tuxcare.els1 - CVE-2023-26604: use only less as a pager and restrict its functionality, e.g. stop running external shell unless environment variable SYSTEMD_PAGERSECURE is defined...
BIT-PHP-2022-4900 Potential buffer overflow in php_cli_server_startup_workers
A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow...
BIT-POSTGRESQL-JDBC-DRIVER-2022-41946 TemporaryFolder on unix-like systems does not limit access to created files in pgjdbc
pgjdbc is an open source PostgreSQL JDBC driver. In affected versions a prepared statement using either PreparedStatement.setText(int, InputStream) or PreparedStatement.setBytea(int, InputStream) will create a temporary file if the InputStream is larger than 2k. This will create a temporary file which...
BIT-NODE-2023-30585
A vulnerability has been identified in the Node.js .msi version installation process, specifically affecting Windows users who install Node.js using the .msi installer. This vulnerability emerges during the repair operation, where the "msiexec.exe" process, running under the NT AUTHORITY\SYSTEM...
Missing TTLS Encryption
github.com/edgelesssys/marblerun is vulnerable to Missing TTLS Encryption. The vulnerability is due to unsecured plain TCP connections between Marbles if the parameters don't include an environment variable. This flaw allows an attacker to intercept and manipulate the communication between Marbles...
CVE-2023-7245
The nodejs framework in OpenVPN Connect 3.0 through 3.4.3 (Windows)/3.4.7 (macOS) was not properly configured, which allows a local user to execute arbitrary code within the nodejs process context via the ELECTRON_RUN_AS_NODE environment variable...