GHSA-HVV7-HFRH-7GXJ Nezha Monitoring: Nezha WebSocket server stream discloses cross-tenant server telemetry to authenticated members

Summary Any authenticated non-admin member can connect to the server-status WebSocket and receive telemetry for all servers, including servers owned by other users. The normal server list API filters objects by HasPermission, but the WebSocket stream treats the presence of any authenticated user ...

K000148488: MySQL vulnerabilities CVE-2024-21243 and CVE-2024-21237

Security Advisory Description CVE-2024-21243 Vulnerability in the MySQL Server product of Oracle MySQL component: Server: Telemetry. Supported versions that are affected are 8.4.2 and prior and 9.0.1 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access...

UBUNTU-CVE-2024-21243

Vulnerability in the MySQL Server product of Oracle MySQL component: Server: Telemetry. Supported versions that are affected are 8.4.2 and prior and 9.0.1 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL...

Uber: Unsecured Dropwizard Admin Panel on display.uber-adsystem.com exposes sensitive server information

The dropwizard instance running on display.uber-adsystem.com is unsecured, meaning any unauthenticated user can view and use it's admin tools. These tools expose sensitive information on Uber production servers, including the current threads running, info on the CPU, and more server info that...