GHSA-5CGX-VHFP-6CF9 Directory traversal in Kubernetes Secrets Store CSI Driver
Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that...
nemo-curator (=0.5.1), neural-sync (>=0.1.0 <=0.1.2) +4 more potentially affected by CVE-2022-22821 via nemo-toolkit (>=0.10.1 <=1.5.1)
nemo-toolkit PYPI version =0.10.1, =0.1.0, =0.1.0, =0.0.1, =0.1.0.dev201117, =0.0.3, =0.0.4 Source cves: CVE-2022-22821 Source advisory: OSV:GHSA-RPX7-33J2-XX9X...
GHSA-G622-R636-QFQH SQL Injection in Couchbase Sync Gateway
The Couchbase Sync Gateway 2.1.2 in combination with a Couchbase Server is affected by a previously undisclosed N1QL-injection vulnerability in the REST API. An attacker with access to the public REST API can insert additional N1QL statements through the parameters 'startkey' and 'endkey' of the...
GO-2022-0629 Directory traversal in sigs.k8s.io/secrets-store-csi-driver
Modifying pod status allows host directory traversal. Kubernetes Secrets Store CSI Driver allows an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under...
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that...
Multisite User Sync/Unsync < 2.1.2 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the wmussourceblog and wmusrecordperpage parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues PoC...
Multisite User Sync/Unsync < 2.1.2 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the wmussourceblog and wmusrecordperpage parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues alert/XSS-sourceblog/' / alert/XSS-record/' /...
January 25, 2022—KB5009596 (OS Builds 19042.1503, 19043.1503, and 19044.1503) Preview
January 25, 2022—KB5009596 OS Builds 19042.1503, 19043.1503, and 19044.1503 Preview 01/11/22 REMINDER Windows 10, version 2004 reached end of servicing on December 14, 2021. To continue receiving security and quality updates, Microsoft recommends that you update to the latest version of Windows...
Moderate: Red Hat Security Advisory: Satellite 6.10.2 Async Bug Fix Update
Updated Satellite 6.10 packages that fix several bugs are now available for Red Hat Satellite. Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other clie...
java-17-openjdk security update
1:17.0.2.0.8-4 - Fix FIPS issues in native code and with initialisation of java.security.Security - Related: rhbz2039366 1:17.0.2.0.8-3 - Update tapsets from IcedTea 6.x repository with fix for JDK-8015774 changes heap-heaps and @JAVASPECVER@ - Update icedteasync.sh with a VCS mode that retrieves...
com.nirima:docker-plugin (>=0.17 <=1.0.4), com.testinium.jenkins:testinium (=1.0) +39 more potentially affected by CVE-2022-20616 via org.jenkins-ci.plugins:credentials-binding (>=1.10 <=1.24)
org.jenkins-ci.plugins:credentials-binding MAVEN version =1.10, =0.17, =1.0.43, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =0.1-preview-1, =1.2.7, =0.1.0, =0.1.1, =0.4.2 and more Source cves: CVE-2022-20616 Source advisory: OSV:GHSA-GQM2-2GCX-P88W...
NTP time sync issue on VPX running on VMware platform
For Citrix ADC VPX instances deployed on VMware ESXi hypervisor, the Citrix ADC system time might go out of sync and consequently network time protocol NTP synchronization is lost. This problem occurs due to an issue with VMware ACPI timer emulation. tail -f ntpd.log 6 Dec 01:06:23 ntpd42663:...
nemo-curator (=0.5.1), neural-sync (>=0.1.0 <=0.1.2) +4 more potentially affected by CVE-2022-22821 via nemo-toolkit (>=0.10.1 <=1.5.1)
nemo-toolkit PYPI version =0.10.1, =0.1.0, =0.1.0, =0.0.1, =0.1.0.dev201117, =0.0.3, =0.0.4 Source cves: CVE-2022-22821 Source advisory: OSV:GHSA-9HG3-HMMF-C3GR...
Kalkitech Sync Products Encryption Issue Vulnerability
Kalkitech Sync Products is a range of substation gateways from Kalkitech India. Kalkitech Sync Products suffers from an encryption issue vulnerability that stems from the use of an insecure communication channel by the management tools Easyconnect and SYNC devices, which can be exploited by an...
Out-of-bounds Write and Race Condition in metrics-util
In the affected versions of the crate, AtomicBucket unconditionally implements Send/Sync traits. Therefore, users can create a data race to the inner T: !Sync by using the AtomicBucket::datawith API. Such data races can potentially cause memory corruption or other undefined behavior. The flaw was...
CVE-2021-44564
A security vulnerability originally reported in the SYNC2101 product, and applicable to specific sub-families of SYNC devices, allows an attacker to download the configuration file used in the device and apply a modified configuration file back to the device. The attack requires network access to...
Design/Logic Flaw
A security vulnerability originally reported in the SYNC2101 product, and applicable to specific sub-families of SYNC devices, allows an attacker to download the configuration file used in the device and apply a modified configuration file back to the device. The attack requires network access to...
CVE-2021-44564
The CVE-2021-44564 issue affects Kalkitech Sync SYNC2101/Sync family devices where management communications between Easyconnect and the SYNC device are performed over an unsecured channel. Root cause: insecure communication channel used by the administration tool, enabling attackers with network...
Kalkitech Sync Products Encryption Issue Vulnerability
Kalkitech Sync Products is a range of substation gateways from Kalkitech India. Kalkitech Sync Products suffers from an encryption issue vulnerability that stems from the use of an insecure communication channel by the management tools Easyconnect and SYNC devices, which can be exploited by an...