Important: Red Hat Security Advisory: OpenShift Container Platform 4.15.37 bug fix and security update
Red Hat OpenShift Container Platform release 4.15.37 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.15. Red Hat Product Security has rated this update as having a...
@adobe/git-server (>=0.9.17 <=1.0.5), @adobe/helix-cli (>=0.3.0-SNAPSHOT.293 <=6.1.0) +69 more potentially affected by CVE-2024-48964 via snyk-gradle-plugin (>=1.0.2 <=3.9.0)
snyk-gradle-plugin NPM version =1.0.2, =0.9.17, =0.3.0-SNAPSHOT.293, =2.6.0, =1.0.5-SNAPSHOT.105, =0.0.4, =8.0.36, =5.0.22, =3.10.42, =0.0.70, =0.5.8, =3.2.4, =0.1.3, =0.0.2, =0.0.3 and more Source cves: CVE-2024-48964 Source advisory: OSV:GHSA-QQQW-GM93-QF6M...
CVE-2024-45309
OneDev is a Git server with CI/CD, kanban, and packages. A vulnerability in versions prior to 11.0.9 allows unauthenticated users to read arbitrary files accessible by the OneDev server process. This issue has been fixed in version 11.0.9...
CVE-2024-45309
OneDev.io prior to 11.0.9 is vulnerable to an unauthenticated arbitrary file read via directory traversal, exposing files accessible by the server process. Affected versions are ≤11.0.8 (per the Nuclei template) with the fix in 11.0.9. Impact is exposure of host files; exploitation details are no...
CVE-2024-45309 OneDev vulnerable to arbitrary file reading for unauthenticated user
OneDev is a Git server with CI/CD, kanban, and packages. A vulnerability in versions prior to 11.0.9 allows unauthenticated users to read arbitrary files accessible by the OneDev server process. This issue has been fixed in version 11.0.9...
The vulnerability in the Soft Serve Git server stems from the absence of measures to neutralize special elements used in operating-system commands. It allows attackers to execute arbitrary code.
The vulnerability in the Soft Serve Git server relates to the lack of measures taken to neutralize special elements used in operating-system commands. Exploiting this vulnerability allows a malicious actor to execute arbitrary code by sending a specially crafted malicious file through t...
go-git: Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients
A path traversal vulnerability was discovered in the go library go-git. This issue may allow an attacker to create and amend files across the filesystem when applications are using the default ChrootOS, potentially allowing remote code execution...
CVE-2024-6886
A flaw was found in Gitea. This issue may allow cross-site scripting XSS due to improper input sanitization, which can allow an attacker to inject a malicious script into web pages viewed by other users. Mitigation Red Hat has investigated whether a possible mitigation exists for this issue, and...
Gitea Cross-site Scripting Vulnerability
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Gitea Gitea Open Source Git Server allows Stored XSS. This issue affects Gitea Open Source Git Server: 1.22.0...
CVE-2024-6886
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Gitea Gitea Open Source Git Server allows Stored XSS. This issue affects Gitea Open Source Git Server: 1.22.0...
CVE-2024-6886
Summary: CVE-2024-6886 is a stored XSS vulnerability in Gitea 1.22.0 that allows authenticated attackers to inject JavaScript via repository descriptions, which is stored on the server and executed in other users’ sessions. The Nuclei template, Exploit-DB entry, and OSV entries confirm the issue ...
CVE-2024-6886 Improper Sanitization of field leading to stored XSS
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Gitea Gitea Open Source Git Server allows Stored XSS. This issue affects Gitea Open Source Git Server: 1.22.0...
CVE-2024-6886 Improper Sanitization of field leading to stored XSS
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Gitea Gitea Open Source Git Server allows Stored XSS. This issue affects Gitea Open Source Git Server: 1.22.0...
CVE-2024-41956
Soft Serve is a self-hostable Git server for the command line. Prior to 0.7.5, it is possible for a user who can commit files to a repository hosted by Soft Serve to execute arbitrary code via environment manipulation and Git. The issue is that Soft Serve passes all environment variables given by...
CVE-2024-41956 Soft Serve allows arbitrary code execution by crafting git-lfs requests
Soft Serve is a self-hostable Git server for the command line. Prior to 0.7.5, it is possible for a user who can commit files to a repository hosted by Soft Serve to execute arbitrary code via environment manipulation and Git. The issue is that Soft Serve passes all environment variables given by...
CVE-2024-41956 Soft Serve allows arbitrary code execution by crafting git-lfs requests
Soft Serve is a self-hostable Git server for the command line. Prior to 0.7.5, it is possible for a user who can commit files to a repository hosted by Soft Serve to execute arbitrary code via environment manipulation and Git. The issue is that Soft Serve passes all environment variables given by...
CVE-2024-41956
The CVE-2024-41956 issue affects Soft Serve (a self-hostable Git server). It allows an attacker who can commit to a repository to execute arbitrary code by abusing environment variables passed to git subprocesses (notably LD_PRELOAD). This is possible because the server forwards client-provided e...
Soft Serve security vulnerability
Soft Serve is a self-hostable command-line Git server from Charm Open Source. A security vulnerability exists in Soft Serve versions prior to 0.7.5 that stems from improper handling of environment variables. Users could execute arbitrary code via environment manipulation and Git while committing...
RHEL 8 : Red Hat Product OCP Tools 4.15 OpenShift Jenkins (RHSA-2024:4597)
The remote Red Hat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:4597 advisory. Jenkins is a continuous integration server that monitors the execution of recurring jobs, such as software builds or cron jobs. Security...
jenkins-2-plugins: git-server plugin arbitrary file read vulnerability
A flaw was found in the Git Server Plugin for Jenkins. This issue could allow an attacker to read the first two lines of arbitrary files on the server's file system...