1747 matches found

Veracode
added 2022/11/30 4:15 a.m. · 34 views

Remote Code Execution (RCE)

quarkus-vertx-http is vulnerable to remote code execution. The vulnerability exists in multiple functions due to drive-by localhost attacks, which allow an attacker to inject and execute malicious query parameters via the Dev UI Config Editor...

CVSS 9.8 · AI score 9.5 · EPSS 0.029
Exploits 0 · References 7 · Affected Software 2
OSV
added 2022/11/22 9:30 p.m. · 20 views

GHSA-G56W-CWG4-HXX9 Code injection in quarkus dev ui config editor

A vulnerability was found in quarkus. This security flaw happens in Dev UI Config Editor which is vulnerable to drive-by localhost attacks leading to remote code execution...

CVSS 9.8 · AI score 8.7 · EPSS 0.029
Exploits 0 · References 6
Github Security Blog
added 2022/11/22 9:30 p.m. · 29 views

Code injection in quarkus dev ui config editor

A vulnerability was found in quarkus. This security flaw happens in Dev UI Config Editor which is vulnerable to drive-by localhost attacks leading to remote code execution...

CVSS 9.8 · AI score 9.3 · EPSS 0.029
Exploits 0 · References 6 · Affected Software 1
NVD
added 2022/11/22 7:15 p.m. · 13 views

CVE-2022-4116

A vulnerability was found in quarkus. This security flaw happens in Dev UI Config Editor which is vulnerable to drive-by localhost attacks leading to remote code execution...

CVSS 9.8 · EPSS 0.029
Exploits 0 · References 1
OSV
added 2022/11/22 7:15 p.m. · 22 views

CVE-2022-4116

A vulnerability was found in quarkus. This security flaw happens in Dev UI Config Editor which is vulnerable to drive-by localhost attacks leading to remote code execution...

CVSS 9.8 · AI score 9.7 · EPSS 0.029
Exploits 0 · References 1
Prion
added 2022/11/22 7:15 p.m. · 23 views

Remote code execution

A vulnerability was found in quarkus. This security flaw happens in Dev UI Config Editor which is vulnerable to drive-by localhost attacks leading to remote code execution...

CVSS 7.5 · AI score 9.6 · EPSS 0.029
Exploits 0 · References 1 · Affected Software 1
RedhatCVE
added 2022/11/22 8:26 a.m. · 30 views

CVE-2022-4116

A vulnerability was found in quarkus. This issue occurs in Dev UI Config Editor, which is vulnerable to drive-by localhost attacks leading to remote code execution...

CVSS 7.5 · AI score 4.6 · EPSS 0.029
Exploits 0 · References 3
Vulnrichment
added 2022/11/22 12:00 a.m. · 10 views

CVE-2022-4116

A vulnerability was found in quarkus. This security flaw happens in Dev UI Config Editor which is vulnerable to drive-by localhost attacks leading to remote code execution...

AI score 9.7 · EPSS 0.029
Exploits 0 · References 1
Positive Technologies
added 2022/11/22 12:00 a.m. · 4 views

PT-2022-6100 · Quarkus · Quarkus

Name of the Vulnerable Software and Affected Versions: quarkus, affected versions not specified. Description: The issue is related to the Dev UI Config Editor component of the quarkus Java framework, which is vulnerable to remote code execution due to incorrect code generation management. This can...

CVSS 9.8 · AI score 8 · EPSS 0.029
Exploits 0 · References 20
Cvelist
added 2022/11/22 12:00 a.m. · 17 views

CVE-2022-4116

A vulnerability was found in quarkus. This security flaw happens in Dev UI Config Editor which is vulnerable to drive-by localhost attacks leading to remote code execution...

AI score 9.9 · EPSS 0.029
Exploits 0 · References 1
Tenable Nessus
added 2022/11/22 12:00 a.m. · 57 views

Oracle Linux 9 : podman (ELSA-2022-7954)

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-7954 advisory. 2:4.2.0-3.0.1 - Drop nmap-ncat requirement and skip ignore-socket test case Orabug: 34117404 2:4.2.0-3 - fix dependency in test subpackage - Related:...

CVSS 7.5 · AI score 7.3 · EPSS 0.01026
Exploits 7 · References 9
RedHat Linux
added 2022/11/15 1:20 p.m. · 1 view

podman: Remote traffic to rootless containers is seen as originating from localhost

A flaw was found in podman. Rootless containers receive all traffic with a source IP address of 127.0.0.1, including from remote hosts, which impacts containerized applications that trust localhost (127.0.0.1) connections by default and do not require authentication. The highest threat from this...

CVSS 5.9 · AI score 7.2 · EPSS 0.00134
Exploits 1 · References 4
Veracode
added 2022/11/11 3:09 a.m. · 17 views

Improper Access Control

github.com/istio/istio is vulnerable to improper access control due to the isTrustedAddress function of xfccauthenticator.go. An attacker with access to the localhost Istiod control plane can impersonate any workload identity within the service mesh...

CVSS 7.6 · AI score 4.7 · EPSS 0.00057
Exploits 0 · References 8 · Affected Software 1
Cvelist
added 2022/11/10 12:00 a.m. · 12 views

CVE-2022-39388 Istio may allow identity impersonation if user has localhost access

Istio is an open platform to connect, manage, and secure microservices. In versions on the 1.15.x branch prior to 1.15.3, a user can impersonate any workload identity within the service mesh if they have localhost access to the Istiod control plane. Version 1.15.3 contains a patch for this issue...

CVSS 7.6 · AI score 7.7 · EPSS 0.00057
Exploits 0 · References 4
Vulnrichment
added 2022/11/10 12:00 a.m. · 6 views

CVE-2022-39388 Istio may allow identity impersonation if user has localhost access

Istio is an open platform to connect, manage, and secure microservices. In versions on the 1.15.x branch prior to 1.15.3, a user can impersonate any workload identity within the service mesh if they have localhost access to the Istiod control plane. Version 1.15.3 contains a patch for this issue...

CVSS 7.6 · AI score 7.5 · EPSS 0.00057
Exploits 0 · References 4
OSV
added 2022/11/09 10:07 p.m. · 13 views

GHSA-6C6P-H79F-G6P4 Istio may allow identity impersonation if user has localhost access

Impact: User can impersonate any workload identity within the service mesh if they have localhost access to the Istiod control plane. Patches: 1.15.3. Workarounds: No. If using 1.15.2 please upgrade to 1.15.3 or later. References: None at this time. For more information: If you have any questions or...

CVSS 7.6 · AI score 5.4 · EPSS 0.00057
Exploits 0 · References 6
Github Security Blog
added 2022/11/09 10:07 p.m. · 30 views

Istio may allow identity impersonation if user has localhost access

Impact: User can impersonate any workload identity within the service mesh if they have localhost access to the Istiod control plane. Patches: 1.15.3. Workarounds: No. If using 1.15.2 please upgrade to 1.15.3 or later. References: None at this time. For more information: If you have any questions or...

CVSS 7.6 · AI score 4.7 · EPSS 0.00057
Exploits 0 · References 6 · Affected Software 1
Positive Technologies
added 2022/11/09 12:00 a.m. · 2 views

PT-2022-24947 · Istio · Istio

Name of the Vulnerable Software and Affected Versions: Istio versions 1.15.x prior to 1.15.3. Description: A user can impersonate any workload identity within the service mesh if they have localhost access to the Istiod control plane. Recommendations: For versions prior to 1.15.3, upgrade to versi...

CVSS 7.6 · AI score 4.8 · EPSS 0.00057
Exploits 0 · References 10
Hacker One
added 2022/11/07 4:45 p.m. · 101 views

curl: CVE-2022-43552: HTTP Proxy deny use-after-free

Issues reported by Trail of Bits. This is either one or two issues. Summary: ./src/curl 0 -x0:80 telnet:/j-uj-u//0 -m 01 ./src/curl 0 -x0:80 smb:/j-uj-u//0 -m 01 Both command lines end up having libcurl access and use already freed heap memory, for read and write. Steps To Reproduce: See above, r...

CVSS 2.6 · AI score 6.8 · EPSS 0.00104
Exploits 1
Github Security Blog
added 2022/10/27 12:00 p.m. · 27 views

Cross-site Scripting in actionpack

actionpack from the Ruby on Rails project is vulnerable to Cross-site Scripting in the Route Error Page. This issue has been patched with this commit. This vulnerability is disputed by the Rails security team. It requires that the developer is tricked into copy-pasting a malicious...

CVSS 5.4 · AI score 5.2 · EPSS 0.00287
Exploits 1 · References 7 · Affected Software 1