GO-2024-2853 sshpiper's enabling of proxy protocol without proper feature flagging allows faking source address in github.com/tg123/sshpiper
GO-2024-2791 CRI-O vulnerable to an arbitrary systemd property injection in github.com/cri-o/cri-o
GO-2024-2690 HashiCorp Vault does not correctly validate OCSP responses in github.com/hashicorp/vault
GO-2024-2703 Kopia: Storage connection credentials written to console on "repository status" CLI command with JSON output in github.com/kopia/kopia
GO-2024-2814 Pterodactyl Wings vulnerable to Arbitrary File Write/Read in github.com/pterodactyl/wings
GO-2024-2863 wolfictl leaks GitHub tokens to remote non-GitHub git servers in github.com/wolfi-dev/wolfictl
GO-2024-2723 Apache Solr Operator liveness and readiness probes may leak basic auth credentials in github.com/apache/solr-operator
GO-2024-2716 SpiceDB: LookupSubjects may return partial results if a specific kind of relation is used in github.com/authzed/spicedb
GO-2024-2728 Argo CD's API server does not enforce project sourceNamespaces in github.com/argoproj/argo-cd
GO-2024-2846 Containers started with non-empty inheritable Linux process capabilities in github.com/containerd/containerd
GO-2024-2701 Minder GetRepositoryByName data leak in github.com/stacklok/minder
GO-2024-2636 1Panel is vulnerable to command injection in github.com/1Panel-dev/1Panel
BIT-HUBBLE-2022-29178
Cilium is open source software for providing and securing network connectivity and load balancing between application workloads. Cilium prior to versions 1.9.16, 1.10.11, and 1.11.15 contains an incorrect default permissions vulnerability. Operating Systems with users belonging to the group ID 100...
CVE-2024-4253
A command injection vulnerability exists in the gradio-app/gradio repository, specifically within the 'test-functional.yml' workflow. The vulnerability arises due to improper neutralization of special elements used in a command, allowing for unauthorized modification of the base repository or...
CVE-2024-5564
A vulnerability was found in libndp. This flaw allows a local malicious user to cause a buffer overflow in NetworkManager, triggered by sending a malformed IPv6 router advertisement packet. This issue occurred as libndp was not correctly validating the route length information...
Russian Hackers Target Europe with HeadLace Malware and Credential Harvesting
The Russian GRU-backed threat actor APT28 has been attributed as behind a series of campaigns targeting networks across Europe with the HeadLace malware and credential-harvesting web pages. APT28, also known by the names BlueDelta, Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pa...
Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Checkpoint Quantum_Spark_Firmware
CVE-2024-24919 Usage - Usage: ./CVE-2024-24919.sh -i -p...
FlyingYeti Exploits WinRAR Vulnerability to Deliver COOKBOX Malware in Ukraine
Cloudflare on Thursday said it took steps to disrupt a month-long phishing campaign orchestrated by a Russia-aligned threat actor called FlyingYeti targeting Ukraine. "The FlyingYeti campaign capitalized on anxiety over the potential loss of access to housing and utilities by enticing targets to...
CVE-2024-3924 Code Injection in huggingface/text-generation-inference
A code injection vulnerability exists in the huggingface/text-generation-inference repository, specifically within the autodocs.yml workflow file. The vulnerability arises from the insecure handling of the github.headref user input, which is used to dynamically construct a command for installing ...
Nautobot dynamic-group-members doesn't enforce permission restrictions on member objects
Impact: What kind of vulnerability is it? Who is impacted? A user with permission to view Dynamic Group records (the extras.view_dynamicgroup permission) can use the Dynamic Group detail UI view /extras/dynamic-groups// and/or the members REST API view /api/extras/dynamic-groups//members/ to list the...