Lucene search
K

24 matches found

OSV
OSV
added 2024/06/14 1:59 p.m.21 views

RLSA-2024:2961 Moderate: Image builder components bug fix, enhancement and security update

Image Builder is a service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood. Security Fixes: osbuild-composer: race condition may disable GPG verification for package repositories CVE-2024-2307 For more details about the security issues,...

6.1CVSS6.1AI score0.00188EPSS
Exploits0References2
RedHat Linux
RedHat Linux
added 2024/05/22 9:29 a.m.4 views

osbuild-composer: race condition may disable GPG verification for package repositories

A flaw was found in osbuild-composer. A condition can be triggered that disables GPG verification for package repositories, which can expose the build phase to a Man-in-the-Middle attack, allowing untrusted code to be installed into an image being built...

6.1CVSS5.7AI score0.00188EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 2024/04/30 10:41 a.m.4 views

osbuild-composer: race condition may disable GPG verification for package repositories

A flaw was found in osbuild-composer. A condition can be triggered that disables GPG verification for package repositories, which can expose the build phase to a Man-in-the-Middle attack, allowing untrusted code to be installed into an image being built...

6.1CVSS5.7AI score0.00188EPSS
Exploits0References4
OSV
OSV
added 2024/04/30 12:0 a.m.22 views

ALSA-2024:2119 Moderate: Image builder components bug fix, enhancement and security update

Image Builder is a service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood. Security Fixes: osbuild-composer: race condition may disable GPG verification for package repositories CVE-2024-2307 For more details about the security issues,...

6.1CVSS6.1AI score0.00188EPSS
Exploits0References4
AlmaLinux
AlmaLinux
added 2024/04/30 12:0 a.m.49 views

Moderate: Image builder components bug fix, enhancement and security update

Image Builder is a service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood. Security Fixes: osbuild-composer: race condition may disable GPG verification for package repositories CVE-2024-2307 For more details about the security issues,...

6.1CVSS6.7AI score0.00188EPSS
Exploits0References4
Snyk
Snyk
added 2024/03/19 4:41 p.m.1 views

Race Condition

Overview Affected versions of this package are vulnerable to Race Condition that leads to disabling GPG verification for package repositories. This vulnerability exposes the build phase to a Man-in-the-Middle attack, allowing untrusted code to be installed into an image being built. Remediation...

6.1CVSS5.8AI score0.00188EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2024/03/19 4:16 p.m.16 views

CVE-2024-2307 Osbuild-composer: race condition may disable gpg verification for package repositories

A flaw was found in osbuild-composer. A condition can be triggered that disables GPG verification for package repositories, which can expose the build phase to a Man-in-the-Middle attack, allowing untrusted code to be installed into an image being built...

6.1CVSS6.7AI score0.00188EPSS
Exploits0References4
Cvelist
Cvelist
added 2024/03/19 4:16 p.m.21 views

CVE-2024-2307 Osbuild-composer: race condition may disable gpg verification for package repositories

A flaw was found in osbuild-composer. A condition can be triggered that disables GPG verification for package repositories, which can expose the build phase to a Man-in-the-Middle attack, allowing untrusted code to be installed into an image being built...

6.1CVSS6.3AI score0.00188EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2024/03/19 4:11 p.m.26 views

CVE-2024-2307

A flaw was found in osbuild-composer. A condition can be triggered that disables GPG verification for package repositories, which can expose the build phase to a Man-in-the-Middle attack, allowing untrusted code to be installed into an image being built. Mitigation Mitigation for this issue is...

6.1CVSS6AI score0.00188EPSS
Exploits0References3
The Hacker News
The Hacker News
added 2024/02/20 12:30 p.m.39 views

New Malicious PyPI Packages Caught Using Covert Side-Loading Tactics

Cybersecurity researchers have discovered two malicious packages on the Python Package Index PyPI repository that were found leveraging a technique called DLL side-loading to circumvent detection by security software and run malicious code. The packages, named NP6HelperHttptest and NP6HelperHttpe...

9.8CVSS7.7AI score0.12661EPSS
Exploits0
The Hacker News
The Hacker News
added 2024/02/12 10:41 a.m.31 views

CISA and OpenSSF Release Framework for Package Repository Security

The U.S. Cybersecurity and Infrastructure Security Agency CISA announced that it's partnering with the Open Source Security Foundation OpenSSF Securing Software Repositories Working Group to publish a new framework to secure package repositories. Called the Principles for Package Repository...

7.4AI score
Exploits0
OSSF Malicious Packages
OSSF Malicious Packages
added 2023/02/25 11:15 p.m.4 views

Malicious code in selfrandlgtb (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: checkmarx 9f2973b172c975c7bec29f5105a3311c94b5ca63258c74492418c157617201e9 EsqueleSquad group published nearly 6000 malicious PyPi and NPM packages, executing spyware and information-stealing malware...

7AI score
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2023/02/25 11:0 p.m.2 views

Malicious code in py-nvidiacandy (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: checkmarx 79f27d3b85655e4350ae9efac0ebcc28dfb4dc16f90d60fd262e72c0315e8d10 EsqueleSquad group published nearly 6000 malicious PyPi and NPM packages, executing spyware and information-stealing malware...

7AI score
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2023/02/25 4:57 p.m.4 views

Malicious code in tpultrainfo (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: checkmarx 40a4127dc30f5507174a701ce526fdd092b3ee61d141a08b464d98c9616247c1 EsqueleSquad group published nearly 6000 malicious PyPi and NPM packages, executing spyware and information-stealing malware...

7AI score
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2023/02/24 5:0 p.m.4 views

Malicious code in controlcv (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: checkmarx 8baf73d0ce9873d5809d230312ba4d2e05783d40de0cd45e44b17699cd93a30b EsqueleSquad group published nearly 6000 malicious PyPi and NPM packages, executing spyware and information-stealing malware...

7AI score
Exploits0References1
SUSE CVE
SUSE CVE
added 2023/02/15 5:32 a.m.6 views

SUSE CVE-2014-0040

OpenStack Heat Templates heat-templates, as used in Red Hat Enterprise Linux OpenStack Platform 4.0, uses an HTTP connection to download 1 packages and 2 signing keys from Yum repositories, which allows man-in-the-middle attackers to prevent updates via unspecified vectors...

4.3CVSS6.9AI score0.01466EPSS
Exploits1References3
Kitploit
Kitploit
added 2021/04/22 9:30 p.m.253 views

Vulnerablecode - A Free And Open Vulnerabilities Database And The Packages They Impact And The Tools To Aggregate And Correlate These Vulnerabilities

VulnerableCode is a free and open database of FOSS software package vulnerabilities and the tools to create and keep the data current. It is made by the FOSS community to improve and secure the open source software ecosystem. Why? The existing solutions are commercial proprietary vulnerability...

7.5AI score
Exploits0References7
Kitploit
Kitploit
added 2021/03/15 8:30 p.m.53 views

Confused - Tool To Check For Dependency Confusion Vulnerabilities In Multiple Package Management Systems

A tool for checking for lingering free namespaces for private package names referenced in dependency configuration for Python pypi requirements.txt, JavaScript npm package.json, PHP composer composer.json or MVN maven pom.xml. What is this all about? On 9th of February 2021, a security researcher...

7.5AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 2021/02/25 12:0 a.m.2 views

PT-2021-15665 · Python +2 · Pip +3

Name of the Vulnerable Software and Affected Versions: Bundler versions 1.16.0 through 2.2.9 Bundler versions 2.2.11 through 2.2.17 Python/pip affected versions not specified .NET/NuGet affected versions not specified Java/Maven affected versions not specified JavaScript/npm affected versions not...

9.3CVSS7.3AI score0.06307EPSS
Exploits1References16
Schneier on Security
Schneier on Security
added 2021/02/23 12:18 p.m.49 views

Dependency Confusion: Another Supply-Chain Vulnerability

Alex Birsan writes about being able to install malware into proprietary corporate software by naming the code files to be identical to internal corporate code files. From a ZDNet article: Today, developers at small or large companies use package managers to download and import libraries that are...

1AI score
Exploits0
Rows per page
Query Builder