Duplicate Advisory: Pebble service manager's file pull API allows access by any user
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-4685-2x5r-65pj. This link is maintained to preserve external references. Original Description It was discovered that Pebble's read-file API and the associated pebble pull command, before v1.10.2, allowed...
CVE-2024-3250
It was discovered that Canonical's Pebble service manager read-file API and the associated pebble pull command, before v1.10.2, allowed unprivileged local users to read files with root-equivalent permissions when Pebble was running as root. Fixes are also available as backports to v1.1.1, v1.4.2,...
Security Bulletin: IBM Security Verify Access is vulnerable to a specially crafted HTTP request
Summary IBM Security Verify Access Appliance/Container and IBM Application Gateway are vulnerable to information disclosure or denial of service due to a specially crafted HTTP request. This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details...
CVE-2024-1139
A credentials leak vulnerability was found in the cluster monitoring operator in OCP. This issue may allow a remote attacker who has basic login credentials to check the pod manifest to discover a repository pull secret...
[TagAwareCipher] - Decryption Failure (Regex Match)
Impact Vulnerability in SecureProps involves a regex failing to detect tags during decryption of encrypted data. This occurs when the encrypted data has been encoded with NullEncoder and passed to TagAwareCipher, and contains special characters such as \n. As a result, the decryption process is...
GHSA-RJ29-J2G4-77Q8 [TagAwareCipher] - Decryption Failure (Regex Match)
Impact Vulnerability in SecureProps involves a regex failing to detect tags during decryption of encrypted data. This occurs when the encrypted data has been encoded with NullEncoder and passed to TagAwareCipher, and contains special characters such as \n. As a result, the decryption process is...
DEBIAN-CVE-2024-26641
In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv. syzbot found __ip6_tnl_rcv() could access uninitialized data [1]. Call pskb_inet_may_pull() to fix this, and initialize the ipv6h variable after this call as it can change skb->head. [1] BUG: KMSA...
UBUNTU-CVE-2024-26641
In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv. syzbot found __ip6_tnl_rcv() could access uninitialized data [1]. Call pskb_inet_may_pull() to fix this, and initialize the ipv6h variable after this call as it can change skb->head. [1] BUG: KMSA...
GHSA-W5WX-6G2R-R78Q Nuclei allows unsigned code template execution through workflows
Overview A significant security oversight was identified in Nuclei v3, involving the execution of unsigned code templates through workflows. This vulnerability specifically affects users utilizing custom workflows, potentially allowing the execution of malicious code on the user's system. This...
CVE-2024-28236 Insecure Variable Substitution in Vela
Vela is a Pipeline Automation CI/CD framework built on Linux container technology written in Golang. Vela pipelines can use variable substitution combined with insensitive fields like parameters, image and entrypoint to inject secrets into a plugin/image and — by using common substitution string...
[SECURITY] Fedora 40 Update: xmlpull-1.2.0-9.fc40
XmlPull v1 API is a simple-to-use XML pull parsing API that was designed for simplicity and very good performance, both in constrained environments such as those defined by J2ME and on the server side when used in J2EE application servers. %javadoc_package...
GHSA-M4RM-X2RR-357W Jenkins Bitbucket Branch Source Plugin has incorrect trust policy behavior for pull requests
In Jenkins Bitbucket Branch Source Plugin 866.vdea7dcd3008e and earlier, except 848.850.v6aa2a234ac81, when discovering pull requests from forks, the trust policy "Forks in the same account" allows changes to Jenkinsfiles from users without write access to the project when using Bitbucket Server...
Jenkins Bitbucket Branch Source Plugin has incorrect trust policy behavior for pull requests
In Jenkins Bitbucket Branch Source Plugin 866.vdea7dcd3008e and earlier, except 848.850.v6aa2a234ac81, when discovering pull requests from forks, the trust policy "Forks in the same account" allows changes to Jenkinsfiles from users without write access to the project when using Bitbucket Server...
CVE-2024-28152
In Jenkins Bitbucket Branch Source Plugin 866.vdea7dcd3008e and earlier, except 848.850.v6aa2a234ac81, when discovering pull requests from forks, the trust policy "Forks in the same account" allows changes to Jenkinsfiles from users without write access to the project when using Bitbucket Server...
BIT-GITLAB-2021-22206
An issue has been discovered in GitLab affecting all versions starting from 11.6. Pull mirror credentials are exposed that allows other maintainers to be able to view the credentials in plain-text,...
BIT-MINIO-2022-24842 Improper Privilege Management in MinIO
MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. A security issue was found where a non-admin user is able to create service accounts for root or other admin users and is then able to assume their access policies via the generated credentials. Thi...
Jenkins Bitbucket Branch Source Plugin Security Vulnerability
Jenkins and Jenkins Plugin are both Jenkins open-source products. Jenkins is an open-source automation server that provides hundreds of plugins to support building, deploying, and automating any project. Jenkins Plugin is a software application. A security vulnerability...
PT-2024-22298 · Jenkins · Jenkins Bitbucket Branch Source Plugin
Name of the Vulnerable Software and Affected Versions: Jenkins Bitbucket Branch Source Plugin versions 866.vdea7dcd3008e and earlier, except version 848.850.v6aa2a234ac81. Description: The issue allows changes to Jenkinsfiles from users without write access to the project when using Bitbucket...