619 matches found

SUSE CVE
added 2023/02/15 5:35 a.m. · 3 views

SUSE CVE-2013-4959

Puppet Enterprise before 3.0.1 uses HTTP responses that contain sensitive information without the "no-cache" setting, which might allow local users to obtain sensitive information such as (1) host name, (2) MAC address, and (3) SSH keys via the web browser cache...

CVSS 2.1 · AI score 6.1 · EPSS 0.00352
Exploits 0 · References 3
The Hacker News
added 2023/02/10 4:44 p.m. · 2 views

Researchers Uncover Obfuscated Malicious Code in PyPI Python Packages

Four different rogue packages in the Python Package Index (PyPI) have been found to carry out a number of malicious actions, including dropping malware, deleting the netstat utility, and manipulating the SSH authorized_keys file. The packages in question are aptx, bingchilling2, httops, and tkint3rs...

AI score 7.4
Exploits 0
Prion
added 2023/02/08 7:15 p.m. · 20 views

Design/Logic Flaw

Wings is Pterodactyl's server control plane. Affected versions are subject to a vulnerability which can be used to create new files and directory structures on the host system that previously did not exist, potentially allowing attackers to change their resource allocations, promote their...

CVSS 6.5 · AI score 8.4 · EPSS 0.00682
Exploits 0 · References 2 · Affected Software 1
OSV
added 2023/01/25 7:36 p.m. · 36 views

GHSA-CQ4P-VP5Q-4522 Plaintext storage of sensitive data in Rancher API and cluster.management.cattle.io objects

Impact: This issue affects Rancher versions from 2.5.0 up to and including 2.5.16, from 2.6.0 up to and including 2.6.9, and 2.7.0. It was discovered that the security advisory CVE-2021-36782 (GHSA-g7j7-h4q8-8w2f), previously released by Rancher, missed addressing some sensitive fields, secret tokens...

CVSS 8.8 · AI score 9.2 · EPSS 0.00553
Exploits 1 · References 4
Github Security Blog
added 2023/01/25 7:36 p.m. · 60 views

Plaintext storage of sensitive data in Rancher API and cluster.management.cattle.io objects

Impact: This issue affects Rancher versions from 2.5.0 up to and including 2.5.16, from 2.6.0 up to and including 2.6.9, and 2.7.0. It was discovered that the security advisory CVE-2021-36782 (GHSA-g7j7-h4q8-8w2f), previously released by Rancher, missed addressing some sensitive fields, secret tokens...

CVSS 9.9 · AI score 9 · EPSS 0.00553
Exploits 1 · References 4 · Affected Software 1
Github Security Blog
added 2023/01/20 11:36 p.m. · 36 views

git2-rs fails to verify SSH keys by default

The git2 and libgit2-sys crates are Rust wrappers around the libgit2 C library. It was discovered that libgit2 1.5.0 and below did not verify SSH host keys when establishing an SSH connection, exposing users of the library to Man-In-the-Middle attacks. The libgit2 team assigned CVE-2023-22742 to...

CVSS 5.9 · AI score 1.4 · EPSS 0.0058
Exploits 0 · References 6 · Affected Software 2
Huntr
added 2022/12/23 5:33 a.m. · 18 views

Application allows to add same SSH key among different users

Description: With SSH keys, you can connect to Rdiffweb without supplying your username and personal access token at each visit. Rdiffweb allows the same SSH key to be used by multiple users. For example: User A has used SSH key '1'; the same key can be used by User B and User C. The application ...

CVSS 7.5 · AI score 9.1 · EPSS 0.00827
Exploits 1
RedHat Linux
added 2022/12/01 9:09 p.m. · 59 views

Moderate: Red Hat Security Advisory: OpenShift Virtualization 4.11.1 security and bug fix update

Red Hat OpenShift Virtualization release 4.11.1 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which giv...

CVSS 7.5 · AI score 6.9 · EPSS 0.05292
Exploits 2 · References 25
Positive Technologies
added 2022/11/10 12:00 a.m. · 4 views

PT-2022-25982 · Etic Telecom · Etic Telecom Remote Access Server

Name of the Vulnerable Software and Affected Versions: ETIC Telecom Remote Access Server (RAS) versions 4.5.0 and prior. Description: The application programmable interface (API) of the affected software is vulnerable to directory traversal through several different methods. This could allow an attack...

CVSS 7.5 · AI score 6.5 · EPSS 0.00952
Exploits 0 · References 4
Vulnrichment
added 2022/11/03 12:00 a.m. · 5 views

CVE-2022-41435

OpenWRT LuCI version git-22.140.66206-02913be was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component /system/sshkeys.js. This vulnerability allows attackers to execute arbitrary web scripts or HTML via crafted public key comments...

AI score 5.9 · EPSS 0.00473
Exploits 1 · References 2
CNVD
added 2022/09/28 12:00 a.m. · 29 views

Rdiffweb Title Denial of Service Vulnerability

Rdiffweb is a web application by Patrik Dufresne, an individual developer in the USA. It provides quick access to your archives through an efficient web interface. A denial of service vulnerability exists in Rdiffweb versions prior to 2.4.8, which stems from the "title" parameter when adding an SSH...

CVSS 7.5 · AI score 7.3 · EPSS 0.00924
Exploits 1 · References 1
The Hacker News
added 2022/09/23 2:04 p.m. · 38 views

Hackers Using Fake CircleCI Notifications to Hack GitHub Accounts

GitHub has put out an advisory detailing what may be an ongoing phishing campaign targeting its users to steal credentials and two-factor authentication (2FA) codes by impersonating the CircleCI DevOps platform. The Microsoft-owned code hosting service said it learned of the attack on September 16,...

AI score 0.5
Exploits 0
Rockylinux
added 2022/09/20 11:36 a.m. · 17 views

cloud-init bug fix and enhancement update

An update is available for cloud-init. This update affects Rocky Linux 9. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list. The cloud-init packages provide a set of init scripts for cloud instances...

AI score 1.9
Exploits 0
Veracode
added 2022/09/16 1:16 a.m. · 18 views

Cross-site Request Forgery (CSRF)

Rdiffweb is vulnerable to Cross-Site Request Forgery. The vulnerability is due to the SSH keys endpoint accepting POST requests. An attacker can exploit this vulnerability to add unauthorized SSH keys to the system...

CVSS 8.8 · AI score 8.6 · EPSS 0.00524
Exploits 1 · References 2 · Affected Software 1
OSV
added 2022/09/16 12:00 a.m. · 15 views

GHSA-VQ4H-XRWC-M639 rdiffweb CSRF vulnerability in profile's SSH keys can lead to unauthorized access

rdiffweb prior to 2.4.3 is vulnerable to Cross-Site Request Forgery (CSRF). While adding SSH public keys to the profile, the server accepts the GET request, which results in adding an SSH public key to the profile and leads to unauthorized access to the system and backups. Version 2.4.3 contains a...

CVSS 8.8 · AI score 8.5 · EPSS 0.00524
Exploits 1 · References 6
Github Security Blog
added 2022/09/16 12:00 a.m. · 29 views

rdiffweb CSRF vulnerability in profile's SSH keys can lead to unauthorized access

rdiffweb prior to 2.4.3 is vulnerable to Cross-Site Request Forgery (CSRF). While adding SSH public keys to the profile, the server accepts the GET request, which results in adding an SSH public key to the profile and leads to unauthorized access to the system and backups. Version 2.4.3 contains a...

CVSS 8.8 · AI score 8.7 · EPSS 0.00524
Exploits 1 · References 5 · Affected Software 1
Huntr
added 2022/09/14 9:51 a.m. · 36 views

Cross Site Request Forgery in profile's "SSH Keys" leads to unauthorized access to the system

Description: While adding SSH public keys to the profile, the server accepts the GET request, which results in adding an SSH public key to the profile and leads to unauthorised access to the system and backups. Proof of Concept: Open the below URL after logging in to the demo site. SSH Public key wil...

CVSS 6.8 · AI score 8.6 · EPSS 0.00524
Exploits 1 · References 1
NVD
added 2022/07/12 10:15 a.m. · 13 views

CVE-2022-34464

A vulnerability has been identified in SICAM GridEdge Classic (All versions < V2.7.3). The affected application uses an improperly protected file to import SSH keys. This could allow attackers with access to the filesystem of the host on which SICAM GridEdge runs to inject a custom SSH key to that fi...

CVSS 6.3 · EPSS 0.00372
Exploits 0 · References 2
OSV
added 2022/07/12 10:15 a.m. · 2 views

CVE-2022-34464

A vulnerability has been identified in SICAM GridEdge Classic (All versions < V2.7.3). The affected application uses an improperly protected file to import SSH keys. This could allow attackers with access to the filesystem of the host on which SICAM GridEdge runs to inject a custom SSH key to that fi...

CVSS 5.3 · AI score 5.7 · EPSS 0.00372
Exploits 0 · References 2
Prion
added 2022/07/12 10:15 a.m. · 14 views

Design/Logic Flaw

A vulnerability has been identified in SICAM GridEdge Essential ARM (All versions), SICAM GridEdge Essential Intel (All versions < V2.7.3), SICAM GridEdge Essential with GDS ARM (All versions), SICAM GridEdge Essential with GDS Intel (All versions < V2.7.3). Affected software uses an improperly protected fil...

CVSS 2.1 · AI score 5.2 · EPSS 0.00372
Exploits 0 · References 1 · Affected Software 2