11190 matches found

OSV
added 2024/06/14 1:41 p.m. | 21 views

GO-2024-2907 Files or Directories Accessible to External Parties in ProjectDiscovery in github.com/projectdiscovery/interactsh

Files or Directories Accessible to External Parties in ProjectDiscovery in github.com/projectdiscovery/interactsh...

CVSS 9.8 | AI score 9.3 | EPSS 0.00592
Exploits: 0 | References: 5

OSV
added 2024/06/14 1:41 p.m. | 23 views

GO-2024-2913 Unexpected chmod of host files via 'docker cp' in Moby Docker Engine in github.com/docker/docker

Unexpected chmod of host files via 'docker cp' in Moby Docker Engine in github.com/docker/docker...

CVSS 6.3 | AI score 6.8 | EPSS 0.00031
Exploits: 0 | References: 2

The Hacker News
added 2024/06/14 6:45 a.m. | 13 views

North Korean Hackers Target Brazilian Fintech with Sophisticated Phishing Tactics

Threat actors linked to North Korea have accounted for one-third of all the phishing activity targeting Brazil since 2020, as the country's emergence as an influential power has drawn the attention of cyber espionage groups. "North Korean government-backed actors have targeted the Brazilian...

AI score 7.1
Exploits: 0

Veracode
added 2024/06/14 6:12 a.m. | 17 views

Improper Authentication

github.com/rancher/rancher is vulnerable to Improper Authentication. The vulnerability is due to the default admin user being recreated with a well-known password after Rancher restarts...

CVSS 9.8 | AI score 6.8 | EPSS 0.00428
Exploits: 0 | References: 6 | Affected Software: 1

Veracode
added 2024/06/14 5:46 a.m. | 17 views

Information Disclosure

github.com/cilium/cilium is vulnerable to Information Disclosure. The vulnerability is due to the output of cilium-bugtool containing sensitive data when the tool is run with the --envoy-dump flag in deployments where the Envoy proxy is enabled. Attackers who gain access to this output could...

CVSS 7.9 | AI score 6.8 | EPSS 0.00049
Exploits: 0 | References: 7 | Affected Software: 1

Veracode
added 2024/06/14 5:19 a.m. | 14 views

Arbitrary File Read/Write

github.com/projectdiscovery/interactsh is vulnerable to Arbitrary File Read/Write. The vulnerability is due to improper SMB server restrictions, which allow an attacker to read/write any files in the directory where the victim runs interactsh-server, and in its subdirectories, via anonymous login...

CVSS 9.8 | AI score 7 | EPSS 0.00592
Exploits: 0 | References: 4 | Affected Software: 1

Veracode
added 2024/06/13 11:49 a.m. | 176 views

Improper Authorization

github.com/hashicorp/vault is vulnerable to Improper Authorization. The vulnerability is due to the JWT auth method improperly validating the audience and role-bound claims, allowing invalid logins to succeed when they should have been rejected...

CVSS 2.6 | AI score 6.8 | EPSS 0.00283
Exploits: 0 | References: 2 | Affected Software: 1

GithubExploit
added 2024/06/13 9:40 a.m. | 448 views

Exploit for Insufficiently Protected Credentials in Kyocera Net_Viewer

kygocera CVE-2022-1026 Improved Golang Version of Rapid7 PoC...

CVSS 8.6 | AI score 8 | EPSS 0.85843
Exploits: 5

Github Security Blog
added 2024/06/11 7:29 p.m. | 30 views

Traefik has unexpected behavior with IPv4-mapped IPv6 addresses

Impact: There is a vulnerability in Go managing various Is methods (IsPrivate, IsLoopback, etc.) for IPv4-mapped IPv6 addresses. They didn't work as expected, returning false for addresses which would return true in their traditional IPv4 forms. References: CVE-2024-24790. Patches: ...

CVSS 9.8 | AI score 6.6 | EPSS 0.00172
Exploits: 0 | References: 6 | Affected Software: 3

GithubExploit
added 2024/06/11 4:1 p.m. | 456 views

Exploit for Insufficiently Protected Credentials in Jetbrains Aqua

CVE-2024-37051-EXP CVE-2024-3...

CVSS 9.3 | AI score 8.7 | EPSS 0.06318
Exploits: 1

Microsoft CVE
added 2024/06/11 7:0 a.m. | 42 views

GitHub: CVE-2024-29187 WiX Burn-based bundles are vulnerable to binary hijack when run as SYSTEM

Improper access control in Visual Studio allows an authorized attacker to elevate privileges locally...

CVSS 7.3 | AI score 7.1 | EPSS 0.0008
Exploits: 0

Veracode
added 2024/06/11 6:7 a.m. | 15 views

Incorrect Calculation

github.com/evmos/evmos is vulnerable to Incorrect Calculation. The vulnerability is due to a failure to update the spendable balance correctly when delegating vested tokens, allowing attackers with clawback vesting accounts to manipulate the system to treat unvested tokens as though they were...

CVSS 4.3 | AI score 6.7 | EPSS 0.00174
Exploits: 0 | References: 2 | Affected Software: 1

Veracode
added 2024/06/11 6:6 a.m. | 9 views

Improper Authorization

github.com/evmos/evmos is vulnerable to Improper Authorization. The vulnerability is due to the absence of proper checks to prevent the delegation of unvested tokens, which enables attackers to prematurely access and utilize these tokens in ways not intended by the vesting agreements...

CVSS 5.3 | AI score 6.7 | EPSS 0.00256
Exploits: 0 | References: 1 | Affected Software: 1

Oracle Linux
added 2024/06/11 12:0 a.m. | 34 views

buildah security and bug fix update

1.33.7-2.0.1 - Drop nmap-ncat requirement and skip ignore-socket test case Orabug: 34117178 2:1.33.7-2 - update to the latest content of https://github.com/containers/buildah/tree/release-1.33 https://github.com/containers/buildah/commit/997beea - Resolves: RHEL-28731...

CVSS 6.5 | AI score 7.3 | EPSS 0.04859
Exploits: 0

OSV
added 2024/06/10 4:39 p.m. | 10 views

GO-2024-2815 Pterodactyl Wings vulnerable to Server-Side Request Forgery during remote file pull in github.com/pterodactyl/wings

Pterodactyl Wings vulnerable to Server-Side Request Forgery during remote file pull in github.com/pterodactyl/wings...

CVSS 6.4 | AI score 6.3 | EPSS 0.00237
Exploits: 0 | References: 4

OSV
added 2024/06/10 4:39 p.m. | 25 views

GO-2024-2858 Grafana Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins in github.com/grafana/grafana

Grafana Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is...

CVSS 7.5 | AI score 6.9 | EPSS 0.00897
Exploits: 0 | References: 5

OSV
added 2024/06/10 4:39 p.m. | 20 views

GO-2024-2801 Calico privilege escalation vulnerability in github.com/projectcalico/calico

Calico privilege escalation vulnerability in github.com/projectcalico/calico. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability scanners, please...

CVSS 6.7 | AI score 6.7 | EPSS 0.00054
Exploits: 0 | References: 6

OSV
added 2024/06/10 4:39 p.m. | 10 views

GO-2024-2784 Rancher Recreates Default User With Known Password Despite Deletion in github.com/rancher/rancher

Rancher Recreates Default User With Known Password Despite Deletion in github.com/rancher/rancher...

CVSS 9.8 | AI score 9.5 | EPSS 0.00428
Exploits: 0 | References: 3

OSV
added 2024/06/10 4:38 p.m. | 14 views

GO-2024-2699 Ollama DNS rebinding vulnerability in github.com/jmorganca/ollama

Ollama DNS rebinding vulnerability in github.com/jmorganca/ollama...

CVSS 6.6 | AI score 6.2 | EPSS 0.00192
Exploits: 0 | References: 4

CVE
added 2024/06/10 3:58 p.m. | 144 views

CVE-2024-37051

CVE-2024-37051 describes insufficient protection of GitHub access tokens in multiple JetBrains IDEs, allowing potential exposure of tokens to third-party sites. Affected products/versions include IntelliJ IDEA, Aqua, CLion, DataGrip, DataSpell, GoLand, MPS, PhpStorm, PyCharm, Rider, RubyMine, Rus...

CVSS 9.3 | AI score 6.9 | EPSS 0.06318
Exploits: 1 | References: 2 | Affected Software: 13