222 matches found
CVE-2023-36867 Visual Studio Code GitHub Pull Requests and Issues Extension Remote Code Execution Vulnerability
...
CVE-2023-36867
CVE-2023-36867 pertains to the Visual Studio Code GitHub Pull Requests and Issues Extension and describes a remote code execution vulnerability. The CVE entry indicates the vulnerability could allow code execution with the attacker's privileges, with the impact described as arbitrary code execut...
PT-2023-3989 · Microsoft · Visual Studio Code Github Pull Requests/Issues Extension
Name of the Vulnerable Software and Affected Versions: Visual Studio Code GitHub Pull Requests and Issues Extension affected versions not specified Description: The issue is related to errors in processing input data in the Visual Studio Code GitHub Pull Requests and Issues Extension. Exploitatio...
Security Update for Microsoft Visual Studio Code GitHub Pull Requests and Issues Extension (July 2023)
The Microsoft Visual Studio Code GitHub Pull Requests and Issues Extension is prior to version 0.66.2. It is, therefore, affected by a remote code execution vulnerability. By persuading a victim to open specially-crafted content, an attacker could exploit this vulnerability to execute arbitrary...
GHSA-757P-7HP5-PQMR Apache InLong Insufficient Session Expiration vulnerability
Insufficient Session Expiration vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.4.0 through 1.6.0. An old session can be used by an attacker even after the user has been deleted or the password has been changed. Users are advised to upgrade to...
PT-2023-23129 · Apache · Apache Inlong
Name of the Vulnerable Software and Affected Versions: Apache InLong versions 1.4.0 through 1.6.0 Description: The issue is related to insufficient session expiration, allowing an old session to be used by an attacker even after the user has been deleted or the password has been changed...
GHSA-6Q4M-7476-932W github-slug-action vulnerable to arbitrary code execution
Impact This action uses the github.head_ref parameter in an insecure way. This vulnerability can be triggered by any user on GitHub on any workflow using the action on pull requests. They just need to create a pull request with a branch name, which can contain the attack payload. Note that...
CVE-2023-27581 github-slug-action vulnerable to arbitrary code execution
github-slug-action is a GitHub Action to expose slug value of GitHub environment variables inside of one's GitHub workflow. Starting in version 4.0.0 and prior to version 4.4.1, this action uses the github.head_ref parameter in an insecure way. This vulnerability can be triggered by any user on...
Libraries: Untrusted users can modify some Pipeline libraries in Pipeline Shared Groovy Libraries Plugin
A flaw was found in the Jenkins Pipeline: Shared Groovy Libraries plugin. The plugin allows attackers who are able to submit pull requests (or equivalent), but who cannot commit directly to the configured Source Control Management (SCM), to effectively change the Pipeline...
Brave operating system command injection vulnerability
Brave is a fast, private and secure web browser from Brave USA. Brave UX for-the-badge suffers from an operating system command injection vulnerability that stems from unspecified input handling in its .github/workflows/combine-prs.yml workflow file, allowing an attacker to execute system command...
8x8: Unprotected Atlantis Server at https://152.70.█.█
Atlantis is an application for automating Terraform via pull requests. @shuvam321 reported to us an exposed Atlantis test server in our infrastructure. No sensitive information was disclosed, and we restricted access to the Atlantis service entirely, which resolved the issue...
Default configuration
Vela is a Pipeline Automation CI/CD framework built on Linux container technology written in Golang. In Vela Server and Vela Worker prior to version 0.16.0 and Vela UI prior to version 0.17.0, some default configurations for Vela allow exploitation and container breakouts. Users should upgrade to...
CVE-2022-39395 Vela Insecure Defaults
Vela is a Pipeline Automation CI/CD framework built on Linux container technology written in Golang. In Vela Server and Vela Worker prior to version 0.16.0 and Vela UI prior to version 0.17.0, some default configurations for Vela allow exploitation and container breakouts. Users should upgrade to...
Vela Insecure Defaults
Impact Some current default configurations for Vela allow exploitation and container breakouts. Default Privileged Images Running Vela plugins as privileged Docker containers allows a malicious user to easily break out of the container and gain access to the worker host operating system. On a fre...
Code injection
kartverket/github-workflows are shared reusable workflows for GitHub Actions. Prior to version 2.7.5, all users of the run-terraform reusable workflow from the kartverket/github-workflows repo are affected by a code injection vulnerability. A malicious actor could potentially send a PR with a...
CVE-2022-39326 kartverket/github-workflows's run-terraform allows for RCE via terraform plan
kartverket/github-workflows are shared reusable workflows for GitHub Actions. Prior to version 2.7.5, all users of the run-terraform reusable workflow from the kartverket/github-workflows repo are affected by a code injection vulnerability. A malicious actor could potentially send a PR with a...
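The github-slug-action, Brave combine-prs.yml and kartverket run-terraform entries above all describe the same failure: attacker-controlled pull-request data (a branch name, a title, a plan output) reaching a shell step as code. The script below is an added example, not code from any of those projects or advisories. It simulates what the Actions runner does (textual substitution of a `${{ }}` expression into a `run:` script before the shell sees it), shows the env-variable form that stays safe for the same branch name, and adds a heuristic grep-based scanner for workflows that interpolate contexts GitHub documents as attacker-controlled. The workflow file, the branch name, the function names and the `UNTRUSTED` context list are all constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: PR branch name becoming shell code in a GitHub Actions step.
# The runner substitutes ${{ ... }} expressions textually into the step script
# before bash ever parses it, so quoting inside `run:` cannot protect you.

# Vulnerable step as it would appear in a workflow (constructed illustration):
#   - run: echo "Building branch: ${{ github.head_ref }}"
vulnerable_step() {
  local head_ref="$1" script
  # Textual substitution: exactly what the expression evaluator does.
  script=$(printf 'echo "Building branch: %s"' "$head_ref")
  bash -c "$script" 2>/dev/null
}

# Hardened step: the value crosses into the shell only as data in an env var.
#   - env:
#       HEAD_REF: ${{ github.head_ref }}
#     run: echo "Building branch: $HEAD_REF"
safe_step() {
  local head_ref="$1"
  HEAD_REF="$head_ref" bash -c 'echo "Building branch: $HEAD_REF"' 2>/dev/null
}

# Branch name an attacker can push to a fork. Git refuses spaces in ref names,
# so ${IFS} stands in for the word separator; `#` comments out the trailing quote.
EVIL_BRANCH='zzz";echo${IFS}INJECTED;#'

# Contexts GitHub documents as attacker-controlled on pull_request / issue
# events (partial, assumed list used only by the scanner below).
UNTRUSTED='github[.]head_ref|github[.]event[.]pull_request[.](title|body|head[.]ref|head[.]label)|github[.]event[.]issue[.](title|body)|github[.]event[.]comment[.]body'

# scan_workflow FILE: print "LINE:text" for every line that interpolates an
# untrusted context, except a plain "NAME: ${{ ... }}" mapping with an
# upper-case key, which is treated as an env: entry (value handled as data).
# Heuristic: multi-line `run: |` blocks and lower-case env keys are not special-cased.
scan_workflow() {
  grep -nE "[$][{][{] *($UNTRUSTED) *[}][}]" "$1" \
    | grep -vE '^[0-9]+:[[:space:]]*[A-Z_][A-Z0-9_]*:[[:space:]]*[$][{][{][^}]*[}][}][[:space:]]*$' || true
}

# Constructed sample workflow (not any real repository's file).
write_sample_workflow() {
  cat > "$1" <<'YAML'
name: ci
on: pull_request
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo "Building branch: ${{ github.head_ref }}"
      - env:
          HEAD_REF: ${{ github.head_ref }}
        run: echo "Building branch: $HEAD_REF"
      - run: echo "PR title: ${{ github.event.pull_request.title }}"
YAML
}

# Run with the argument "demo" to see both steps and the scanner in action.
if [ "${1:-}" = "demo" ]; then
  echo "--- vulnerable step ---"; vulnerable_step "$EVIL_BRANCH"
  echo "--- safe step ---";       safe_step "$EVIL_BRANCH"
  tmp=$(mktemp); write_sample_workflow "$tmp"
  echo "--- scanner findings ---"; scan_workflow "$tmp"
  rm -f "$tmp"
fi
```

With the evil branch name, the vulnerable step prints the branch and then `INJECTED` on its own line (a second command ran); the safe step prints the whole payload as literal text. The scanner flags lines 7 and 11 of the sample and skips the `HEAD_REF:` env mapping on line 9. The same substitution applies to `${{ github.event.pull_request.title }}` and to anything derived from it, which is why the fix in every advisory above is to move the value into `env:` (or a `with:` input) and reference it as a shell variable.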