Lucene search: 11172 matches found

NVD | added 2024/11/07 9:15 p.m. | 18 views

CVE-2024-10007

A path collision and arbitrary code execution vulnerability was identified in GitHub Enterprise Server that allowed container escape to escalate to root via the ghe-firejail path. Exploitation of this vulnerability requires Enterprise Administrator access to the GitHub Enterprise Server instance. Thi...

CVSS 9.1 | EPSS 0.00371 | Exploits 0 | References 4

Cvelist | added 2024/11/07 8:58 p.m. | 13 views

CVE-2024-10007 Pre-Receive Hook Path Collision Vulnerability in GitHub Enterprise Server Allowing Privilege Escalation

A path collision and arbitrary code execution vulnerability was identified in GitHub Enterprise Server that allowed container escape to escalate to root via the ghe-firejail path. Exploitation of this vulnerability requires Enterprise Administrator access to the GitHub Enterprise Server instance. Thi...

CVSS 8.7 | EPSS 0.00371 | Exploits 0 | References 4

CVE | added 2024/11/07 8:58 p.m. | 54 views

CVE-2024-10007

GitHub Enterprise Server CVE-2024-10007 is a path collision and arbitrary code execution flaw enabling container escape to root via ghe-firejail. Exploitation requires Enterprise Administrator access. Affected: all versions before 3.15. Remediation is to upgrade to a fixed version: 3.14.3, 3.13....

CVSS 9.1 | AI score 7.4 | EPSS 0.00371 | Exploits 0 | References 4 | Affected Software 1
OSV | added 2024/11/06 5:21 p.m. | 10 views

GO-2024-3254 Osmedeus Web Server Vulnerable to Stored XSS, Leading to RCE in github.com/j3ssie/osmedeus

CVSS 8.7 | AI score 6.8 | EPSS 0.00185 | Exploits 0 | References 3

OSV | added 2024/11/06 5:21 p.m. | 13 views

GO-2024-3251 Safearchive Path Traversal vulnerability in github.com/google/safearchive

CVSS 7.5 | AI score 6.8 | EPSS 0.00031 | Exploits 0 | References 3

OSV | added 2024/11/06 5:21 p.m. | 12 views

GO-2024-3253 LocalAI Cross-site Scripting vulnerability in github.com/mudler/LocalAI

CVSS 6.1 | AI score 6.2 | EPSS 0.00116 | Exploits 1 | References 5
Github Security Blog | added 2024/11/06 3:22 p.m. | 52 views

Symfony vulnerable to command execution hijack on Windows with Process class

Description: On Windows, when an executable file named cmd.exe is located in the current working directory, it will be called by the Process class when preparing command arguments, leading to possible hijacking. Resolution: The Process class now uses the absolute path to cmd.exe. The patch for this...

CVSS 9.8 | AI score 3.5 | EPSS 0.00783 | Exploits 0 | References 7 | Affected Software 2

OSV | added 2024/11/06 3:22 p.m. | 8 views

GHSA-QQ5C-677P-737Q Symfony vulnerable to command execution hijack on Windows with Process class

Description: On Windows, when an executable file named cmd.exe is located in the current working directory, it will be called by the Process class when preparing command arguments, leading to possible hijacking. Resolution: The Process class now uses the absolute path to cmd.exe. The patch for this...

CVSS 8.6 | AI score 3.5 | EPSS 0.00783 | Exploits 0 | References 7
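The Symfony entries above describe an untrusted search path: an unqualified "cmd" is resolved by Windows process creation, which looks in the current directory before the system directories, so a planted cmd.exe wins. The Yandex Browser entry further down is the same weakness class. The following is an added example, not Symfony's, Yandex's or any project's own code: it simulates the documented CreateProcess search order over a constructed in-memory file list, shows the hijack, and builds the absolute path the hardened form should use. The directory names, the planted file and the environment values are all constructed for the example.

```python
"""Windows untrusted-search-path simulation (added example, not project code).

Models the documented search order used when an executable name carries no
path component: the calling application's directory, the current directory,
%SystemRoot%\\System32, %SystemRoot%\\System, %SystemRoot%, then each PATH
entry. All paths and files below are constructed for the example.
"""
import ntpath
from typing import Dict, List, Optional, Set


def search_order(app_dir: str, cwd: str, system_root: str, path: str) -> List[str]:
    """Directories probed, in order, for an unqualified executable name."""
    return [
        app_dir,
        cwd,  # this entry is what lets a planted cmd.exe win
        ntpath.join(system_root, "System32"),
        ntpath.join(system_root, "System"),
        system_root,
        *[p for p in path.split(";") if p],
    ]


def resolve_unqualified(name: str, order: List[str], existing: Set[str]) -> Optional[str]:
    """Return the first candidate that exists in `existing` (a stand-in for the
    real filesystem). A name with a directory component is used as given, so
    an absolute path never enters the search loop."""
    if ntpath.dirname(name):
        return name
    if not ntpath.splitext(name)[1]:
        name += ".exe"  # CreateProcess appends .exe when no extension is given
    known = {p.lower() for p in existing}
    for directory in order:
        candidate = ntpath.join(directory, name)
        if candidate.lower() in known:
            return candidate
    return None


def hardened_cmd_exe(env: Dict[str, str]) -> str:
    """Absolute cmd.exe path built from SystemRoot only: neither the current
    directory nor PATH takes part, which is the shape of the fix described in
    the advisory (the exact Symfony patch is not reproduced here)."""
    root = env.get("SystemRoot")
    if not root or not ntpath.isabs(root):
        raise RuntimeError("SystemRoot is unset or not an absolute path")
    return ntpath.join(root, "System32", "cmd.exe")


def demo():
    """Return (what a bare 'cmd' resolves to, what the hardened form uses)."""
    # Constructed filesystem: the real cmd.exe plus one planted in a download dir.
    files = {r"C:\Windows\System32\cmd.exe", r"C:\Users\alice\Downloads\cmd.exe"}
    env = {"SystemRoot": r"C:\Windows", "PATH": r"C:\Windows\System32;C:\Windows"}
    cwd = r"C:\Users\alice\Downloads"  # attacker-influenced working directory
    order = search_order(r"C:\Program Files\App", cwd, env["SystemRoot"], env["PATH"])
    hijacked = resolve_unqualified("cmd", order, files)
    safe = hardened_cmd_exe(env)
    return hijacked, safe


if __name__ == "__main__":
    hijacked, safe = demo()
    print("bare 'cmd' resolves to:", hijacked)
    print("hardened form uses:    ", safe)
```

Running it shows the bare name resolving to the planted copy in the working directory while the hardened path is pinned under SystemRoot. The same reasoning applies to any helper binary a library spawns by short name: if the working directory is attacker-influenced (a checkout, an upload folder, an extracted archive), resolve the binary to an absolute path before calling it.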
Cvelist | added 2024/11/05 6:54 p.m. | 20 views

CVE-2024-51746 Use of incorrect Rekor entries during verification in gitsign

Gitsign is a keyless Sigstore signing tool for Git commits using a GitHub / OIDC identity. gitsign may select the wrong Rekor entry to use during online verification when multiple entries are returned by the log. gitsign uses Rekor's search API to fetch entries that apply to a signature...

CVSS 1.8 | EPSS 0.00058 | Exploits 0 | References 1

Oracle linux | added 2024/11/05 12:00 a.m. | 293 views

container-tools:ol8 security update

aardvark-dns buildah cockpit-podman conmon containernetworking-plugins containers-common 1-82.0.1 - Updated removed references Orabug: 33473101 Alex Burmashev - Adjust registries.conf Nikita Gerasimov - remove references to RedHat registry Nikita Gerasimov container-selinux criu crun fuse-overlay...

CVSS 8.2 | AI score 7 | EPSS 0.00899 | Exploits 0
OSV | added 2024/11/04 3:44 p.m. | 16 views

GO-2024-3239 NVIDIA Container Toolkit contains a Time-of-check Time-of-Use (TOCTOU) vulnerability in github.com/NVIDIA/nvidia-container-toolkit

CVSS 9 | AI score 8.8 | EPSS 0.03913 | Exploits 2 | References 5

OSV | added 2024/11/04 3:44 p.m. | 19 views

GO-2024-3240 Grafana org admin can delete pending invites in different org in github.com/grafana/grafana

CVSS 2.7 | AI score 3.8 | EPSS 0.00216 | Exploits 0 | References 4

OSV | added 2024/11/04 3:44 p.m. | 15 views

GO-2024-3233 Mattermost Server Path Traversal vulnerability that leads to Cross-Site Request Forgery in github.com/mattermost/mattermost-server

CVSS 4.6 | AI score 4.8 | EPSS 0.00119 | Exploits 0 | References 3

OSV | added 2024/11/04 3:44 p.m. | 18 views

GO-2024-3235 Mattermost server allows authenticated user to delete arbitrary post in github.com/mattermost/mattermost-server

CVSS 4.3 | AI score 4.8 | EPSS 0.00195 | Exploits 0 | References 2

OSV | added 2024/11/04 3:44 p.m. | 19 views

GO-2024-3241 Hashicorp Consul Improper Neutralization of HTTP Headers for Scripting Syntax vulnerability in github.com/hashicorp/consul

CVSS 8.3 | AI score 6.4 | EPSS 0.00035 | Exploits 0 | References 5
The Hacker News | added 2024/11/04 2:08 p.m. | 35 views

Critical Flaws in Ollama AI Framework Could Enable DoS, Model Theft, and Poisoning

Cybersecurity researchers have disclosed six security flaws in the Ollama artificial intelligence (AI) framework that could be exploited by a malicious actor to perform various actions, including denial-of-service, model poisoning, and model theft. "Collectively, the vulnerabilities could allow an...

CVSS 8.8 | AI score 8.1 | EPSS 0.93667 | Exploits 10

Veracode | added 2024/11/04 8:48 a.m. | 9 views

Information Disclosure

github.com/graph-gophers/graphql-go is vulnerable to Information Disclosure. The vulnerability is due to improper access controls on the GraphQL introspection query, allowing unauthorized users to access a complete list of available queries and mutations...

CVSS 5.3 | AI score 6.5 | EPSS 0.00263 | Exploits 0 | References 6 | Affected Software 1

GithubExploit | added 2024/11/02 5:37 a.m. | 714 views

Exploit for Untrusted Search Path in Yandex Yandex_Browser

CVE-2024-6473 PoC Yandex Browser for Desktop before 24.7...

CVSS 8.4 | AI score 8.3 | EPSS 0.03119 | Exploits 1
OSV | added 2024/11/01 9:55 p.m. | 20 views

GO-2024-3244 Gnark out-of-memory during deserialization with crafted inputs in github.com/consensys/gnark

CVSS 5.5 | AI score 6.4 | EPSS 0.00091 | Exploits 1 | References 3

Github Security Blog | added 2024/10/31 6:03 p.m. | 22 views

Laravel Reverb Missing API Signature Verification

Impact: A community member disclosed an issue where verification signatures for requests sent to Reverb's Pusher-compatible API were not being verified. This API is used in scenarios such as broadcasting a message from a backend service or for obtaining statistical information such as number of...

CVSS 6.3 | AI score 6.8 | EPSS 0.00068 | Exploits 0 | References 6 | Affected Software 1
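The Reverb entry above is about a server accepting Pusher-compatible HTTP API requests without checking their signature. The Pusher HTTP API authenticates each request with an HMAC-SHA256 over the method, path and sorted query parameters (auth_key, auth_timestamp, auth_version, and body_md5 for non-empty bodies), keyed with the app secret. What follows is an added example, not Reverb's or Laravel's code: a signer and a verifier for that scheme, with the checks a server should apply (key match, timestamp window, body digest, constant-time signature compare). The app key, secret, app id, timestamps and event body are constructed values; the query string is built without URL-encoding, which is adequate for the hex and numeric values used here.

```python
"""Pusher-style HTTP API request signing and verification (added example).

Canonical string: "METHOD\nPATH\nk1=v1&k2=v2..." with keys lower-cased and
sorted, auth_signature excluded. Signature: hex HMAC-SHA256 under the app
secret. Values below are constructed for the example, not real credentials.
"""
import hashlib
import hmac
import time
from typing import Dict, Optional

APP_KEY = "app-key-constructed"       # hypothetical public app key
APP_SECRET = "app-secret-constructed"  # hypothetical shared secret
MAX_SKEW_SECONDS = 600


def string_to_sign(method: str, path: str, params: Dict[str, str]) -> str:
    """Build the canonical string; auth_signature itself is never signed."""
    query = {k.lower(): v for k, v in params.items() if k.lower() != "auth_signature"}
    qs = "&".join(f"{k}={query[k]}" for k in sorted(query))
    return f"{method.upper()}\n{path}\n{qs}"


def sign_request(method: str, path: str, body: bytes, key: str, secret: str,
                 timestamp: Optional[int] = None) -> Dict[str, str]:
    """Client side: produce the auth_* query parameters for one request."""
    params = {
        "auth_key": key,
        "auth_timestamp": str(int(time.time()) if timestamp is None else int(timestamp)),
        "auth_version": "1.0",
    }
    if body:
        params["body_md5"] = hashlib.md5(body).hexdigest()
    mac = hmac.new(secret.encode(), string_to_sign(method, path, params).encode(), hashlib.sha256)
    params["auth_signature"] = mac.hexdigest()
    return params


def verify_request(method: str, path: str, params: Dict[str, str], body: bytes,
                   key: str, secret: str, now: Optional[int] = None,
                   max_skew: int = MAX_SKEW_SECONDS) -> bool:
    """Server side: every check must pass before the request is acted on.
    This is the step the advisory says was missing."""
    if params.get("auth_key") != key or params.get("auth_version") != "1.0":
        return False
    try:
        ts = int(params["auth_timestamp"])
    except (KeyError, ValueError):
        return False
    current = int(time.time()) if now is None else int(now)
    if abs(current - ts) > max_skew:        # bounds replay of a captured request
        return False
    body_digest = hashlib.md5(body).hexdigest() if body else None
    if body_digest is not None:
        if not hmac.compare_digest(params.get("body_md5", ""), body_digest):
            return False                     # body was altered or digest omitted
    expected = hmac.new(secret.encode(), string_to_sign(method, path, params).encode(),
                        hashlib.sha256).hexdigest()
    # constant-time compare; a missing signature compares against "" and fails
    return hmac.compare_digest(expected, params.get("auth_signature", ""))


def demo():
    """Sign a constructed trigger-event request, then verify it, a tampered
    copy, an unsigned copy and a stale replay. Returns the four verdicts."""
    path = "/apps/1/events"
    body = b'{"name":"order.created","channel":"orders","data":"{}"}'  # constructed
    params = sign_request("POST", path, body, APP_KEY, APP_SECRET, timestamp=1730900000)
    genuine = verify_request("POST", path, params, body, APP_KEY, APP_SECRET, now=1730900010)
    tampered = verify_request("POST", path, params, body + b" ", APP_KEY, APP_SECRET, now=1730900010)
    unsigned = {k: v for k, v in params.items() if k != "auth_signature"}
    missing = verify_request("POST", path, unsigned, body, APP_KEY, APP_SECRET, now=1730900010)
    stale = verify_request("POST", path, params, body, APP_KEY, APP_SECRET, now=1730901000)
    return genuine, tampered, missing, stale


if __name__ == "__main__":
    print("genuine, tampered, unsigned, stale:", demo())
```

The failure the advisory describes is equivalent to skipping verify_request entirely: anyone who knows the public app key and the endpoint path can trigger broadcasts or read channel statistics. Note that the verifier also enforces a timestamp window, since a valid signature alone would otherwise let a captured request be replayed indefinitely.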