Malicious code in @opengov/qa-record-types-api (npm)
The package @opengov/qa-record-types-api was found to contain malicious code. Sources: amazon-inspector (0be39ed161d642824f2ce1f8511e03759918909ba0218265174294129a172d01); google-open-source-security...
CVE-2024-45497 Openshift-api: openshift-controller-manager/build: build process in openshift allows overwriting of node pull credentials
A flaw was found in the OpenShift build process, where the docker-build container is configured with a hostPath volume mount that maps the node's /var/lib/kubelet/config.json file into the build pod. This file contains sensitive credentials necessary for pulling images from private repositories...
Code injection
BTCPay Server 1.3.0 through 1.5.3 allows a remote attacker to obtain sensitive information when a public Point of Sale app is exposed. The sensitive information, found in the HTML source code, includes the xpub of the store. Also, if the store isn't using the internal lightning node, the...
CVE-2022-32984
BTCPay Server 1.3.0–1.5.3 is affected by CVE-2022-32984. The issue allows a remote attacker viewing a publicly exposed Point of Sale app to access sensitive data contained in the HTML source, including the store’s xpub and, if an internal lightning node isn’t used, lightning node credentials. The...
openstack-ironic: Ironic Node information including credentials exposed to unauthenticated users
An authentication vulnerability was found in openstack-ironic. A client with network access to the ironic-api service could bypass OpenStack Identity authentication, and retrieve all information about any node registered with OpenStack Bare Metal. If an unprivileged attacker knew or was able to...