PT-2024-5971 · Couchbase · Couchbase Server

Name of the Vulnerable Software and Affected Versions: Couchbase Server versions prior to 7.2.5 Couchbase Server versions 7.6.0 through 7.6.0 Description: The issue is related to insufficient encryption of data in the Key-Value KV service of Couchbase Server. This could allow a remote attacker to...

OESA-2024-1645 skopeo security update

A command line utility that performs various operations on container images and image repositories Security Fixes: Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used lar...

ALPINE-CVE-2024-32465

Git is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with git clone --no-local to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but...

AZL-43038 CVE-2024-32002 affecting package git for versions less than 2.45.2-1

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a .git/ directory...

PT-2024-3335 · Ruby +7 · Ruby +7

Name of the Vulnerable Software and Affected Versions: Ruby versions 3.0.0 through 3.3.0 Description: The issue is related to a buffer overflow in the heap of the Ruby programming language interpreter. It allows an attacker to impact the confidentiality, integrity, and availability of protected...

UBUNTU-CVE-2024-32459

FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients and servers that use a version of FreeRDP prior to 3.5.0 or 2.11.6 are vulnerable to out-of-bounds read. Versions 3.5.0 and 2.11.6 patch the issue. No known workarounds are available...

GHSA-2Q59-H24C-W6FG Voilà Local file inclusion

Impact Any deployment of voilà dashboard allow local file inclusion, that is to say any file on a filesystem that is readable by the user that runs the voilà dashboard server can be downloaded by someone with network access to the server. Whether this still requires authentication depends on how...

AZL-35839 CVE-2024-28180 affecting package containerized-data-importer for versions less than 1.55.0-20

Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if t...

AZL-35881 CVE-2024-28180 affecting package influxdb for versions less than 2.7.3-9

Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if t...

AZL-39600 CVE-2024-28180 affecting package cri-o for versions less than 1.21.7-2

Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if t...

AZL-35837 CVE-2024-28180 affecting package cert-manager for versions less than 1.11.2-14

Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if t...

PT-2024-15381 · Gitlab · Gitlab

Name of the Vulnerable Software and Affected Versions: GitLab versions 11.3 through 16.7.6 GitLab versions 16.7.6 through 16.8.3 GitLab versions 16.8.3 through 16.9.1 Description: An authorization bypass vulnerability was discovered in GitLab, allowing an attacker to bypass CODEOWNERS by utilizin...

Important: composer

Issue Overview: Composer is a dependency Manager for the PHP language. In affected versions several files within the local working directory are included during the invocation of Composer and in the context of the executing user. As such, under certain conditions arbitrary code execution may lead...

CVE-2024-24821 Code execution and possible privilege escalation via compromised InstalledVersions.php or installed.php in Composer

Composer is a dependency Manager for the PHP language. In affected versions several files within the local working directory are included during the invocation of Composer and in the context of the executing user. As such, under certain conditions arbitrary code execution may lead to local...

PT-2024-12302 · Rancher · Rancher

Name of the Vulnerable Software and Affected Versions: Rancher versions 2.6.0 through 2.6.13 Rancher versions 2.7.0 through 2.7.9 Rancher versions 2.8.0 through 2.8.1 Description: A vulnerability has been identified when granting a create or global role for a resource type of "namespaces". This c...

SUSE CVE-2023-46118

RabbitMQ is a multi-protocol messaging and streaming broker. HTTP API did not enforce an HTTP request body limit, making it vulnerable for denial of service DoS attacks with very large messages. An authenticated user with sufficient credentials can publish a very large messages over the HTTP API...

Cosmos packet-forward-middleware vulnerable to chain-halt

The Cosmos SDK is used for Inter-Blockchain Communication Protocol IBC applications and middleware. The packet-forward-middleware module is an IBC middleware module built for Cosmos blockchains utilizing the IBC protocol allowing routing of incoming IBC packets from a source chain to a destinatio...

PT-2023-6408 · Spring · Spring Amqp

Name of the Vulnerable Software and Affected Versions: Spring AMQP versions 1.0.0 through 2.4.16 Spring AMQP versions 3.0.0 through 3.0.9 Description: The issue is related to shortcomings in the deserialization mechanism of the Spring AMQP RabbitMQ application. This could allow a remote attacker ...

AZL-31108 CVE-2023-43804 affecting package python-urllib3 for versions less than 1.26.18-1

urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the Cookie HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a Cookie header and unknowingly leak...

GHSA-6HVV-J432-23CV Weave GitOps Terraform Controller Information Disclosure Vulnerability

Impact A vulnerability has been identified in Weave GitOps Terraform Controller which could allow an authenticated remote attacker to view sensitive information. This vulnerability stems from Weave GitOps Terraform Runners tf-runner, where sensitive data is inadvertently printed - potentially...