XStream <1.4.6/1.4.10 - Remote Code Execution
Xstream API before 1.4.6 and 1.4.10 is susceptible to remote code execution. If the security framework has not been initialized, an attacker can run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. This can allow an attacker to...
SUSE SLES15 / openSUSE 15 Security Update : ignition (SUSE-SU-2025:03001-1)
The remote SUSE Linux SLES15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2025:03001-1 advisory. - CVE-2022-28948: Fixed an issue where unmarshaling in Go-Yaml v3 can lead to DoS via invalid input bsc1248548 Tenable has extracted the...
SUSE-SU-2025:03000-1 Security update for ignition
This update for ignition fixes the following issues: - CVE-2022-28948: Fixed an issue where unmarshaling in Go-Yaml v3 can lead to DoS via invalid input bsc1248548...
SUSE-SU-2025:02999-1 Security update for ignition
This update for ignition fixes the following issues: - CVE-2022-28948: Fixed an issue where unmarshaling in Go-Yaml v3 can lead to DoS via invalid input bsc1248548...
TencentOS Server 4: podman (TSSA-2024:0684)
The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to the tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2024:0684 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities...
Security Bulletin: IBM Storage Ceph is vulnerable to an Infinite Loop in Grafana (CVE-2024-24786)
Summary: Protobuf is used by IBM Storage Ceph in Grafana as part of metrics. This bulletin identifies the steps to take to address the vulnerability in Grafana (CVE-2024-24786). Vulnerability Details: CVEID: CVE-2024-24786 DESCRIPTION: Protocol Buffers protobuf-go is vulnerable to a denial of service...
Important: docker
Issue Overview: The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set...
Amazon Linux 2 : amazon-cloudwatch-agent (ALAS-2024-2550)
The version of amazon-cloudwatch-agent installed on the remote host is prior to 1.300039.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2024-2550 advisory. An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an...
RLSA-2024:2550 Moderate: buildah bug fix update
The buildah package provides a tool for facilitating building OCI container images. Among other things, buildah enables you to: Create a working container, either from scratch or using an image as a starting point; Create an image, either from a working container or using the instructions in a...
Oracle Linux 9 : buildah (ELSA-2024-2550)
The remote Oracle Linux 9 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2024-2550 advisory. 1.33.7-1.0.1 - Drop nmap-ncat requirement and skip ignore-socket test case Orabug: 34117178 2:1.33.7-1 - update to the latest content of...
RHEL 9 : podman (RHSA-2024:2548)
The remote Red Hat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:2548 advisory. The podman tool manages pods, container images, and containers. It is part of the libpod library, which is for applications that use contain...
RHEL 9 : skopeo (RHSA-2024:2549)
The remote Red Hat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:2549 advisory. The skopeo command lets you inspect images from container image registries, get images and image layers, and use signatures to create and...
Moderate: buildah bug fix update
The buildah package provides a tool for facilitating building OCI container images. Among other things, buildah enables you to: Create a working container, either from scratch or using an image as a starting point; Create an image, either from a working container or using the instructions in a...
RHCOS 4 : OpenShift Container Platform 4.12.54 (RHSA-2024:1574)
The remote Red Hat Enterprise Linux CoreOS 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:1574 advisory. - golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads CVE-2024-1394 - golang-protobuf:...
Infinite Loop
protobuf is vulnerable to an infinite loop. The vulnerability is due to improper handling of malformed JSON structures, specifically when unmarshaling into messages containing a google.protobuf.Any value or when the UnmarshalOptions.DiscardUnknown option is set. This can potentially lead to deni...
Fedora 38 : kubernetes (2024-5bae6c0ea7)
The remote Fedora 38 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-5bae6c0ea7 advisory. Updates google.golang.org/protobuf to v1.33.0 to resolve CVE-2024-24786. Kubernetes is now built with go 1.21.8. Tenable has extracted the preceding...
CVE-2024-24786
...
Golang < 1.33.0 DOS
The version of Golang running on the remote host is prior to 1.33.0. It is, therefore, affected by a Denial of Service vulnerability. A maliciously crafted file could cause the protojson.Unmarshal function to enter an infinite loop when unmarshaling certain forms of invalid JSON. This...
Design/Logic Flaw
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set...
CVE-2024-24786 Infinite loop in JSON unmarshaling in google.golang.org/protobuf
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set...