29 matches found
Security Bulletin:ACE Vulnerability in QOS.CH Logback-core 1.5.24: Class Instantiation via Compromised Configuration File
Summary ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file. The instantiation of a...
Security Bulletin: Inadequate Pod Communication Restrictions, affects watsonx.data
Summary A security vulnerability has been identified in IBM watsonx.data due to insufficient restrictions on inter-pod communication. This misconfiguration may allow unauthorized data transfer between pods within the environment. Vulnerability Details CVEID:CVE-2025-36180 DESCRIPTION: IBM Lakehou...
Security Bulletin: Segmentation Fault Vulnerability in Rust time crate on Unix Systems (v0.2.7–v0.2.22) affects watsonx.data
Summary A vulnerability in the Rust time crate v0.2.7–v0.2.22 can cause segmentation faults on Unix-like systems when environment variables are set from a different thread. Windows and WebAssembly targets are unaffected. This can affect watsonx.data. Vulnerability Details CVEID:CVE-2020-26235...
Security Bulletin: Decompression Bomb Vulnerability in Undic, affects watsonx.data
Summary Undici versions prior to 7.18.0 and 6.23.0 are vulnerable to unbounded decompression chains. Malicious servers can exploit this to trigger high CPU usage and excessive memory allocation due to thousands of compression steps. This can affect watsonx.data. Vulnerability Details...
Security Bulletin: LangChain Serialization Injection Vulnerability in dumps()/dumpd() (Fixed in 0.3.81 / 1.2.5) affects watsonx.data
Summary A serialization injection vulnerability in LangChain's dumps and dumpd functions pre-0.3.81 / 1.2.5 allows user-controlled data with 'lc' keys to be deserialized as objects. This issue is fixed in versions 0.3.81 and 1.2.5. This can affect watsonx.data. Vulnerability Details...
Security Bulletin: Certificate Name Constraints Algorithm Vulnerable to Non-Linear Processing DoS affects watsonx.data
Summary A flaw in the certificate name constraints checking algorithm can lead to non-linear processing time, allowing specially crafted certificate chains to cause excessive resource consumption and potential Denial-of-Service DoS. This can affect watsonx.data. Vulnerability Details...
Security Bulletin: Inefficient Regex Complexity Vulnerability in brace-expansion Library (CVE-style Security Advisory), affects watsonx.data
Summary A vulnerability in the brace-expansion library versions up to 1.1.11, 2.0.1, 3.0.0, and 4.0.0 affects the expand function, allowing specially crafted input to trigger inefficient regular expression processing. This can lead to excessive CPU usage ReDoS, potentially degrading performance...
Security Bulletin: Unexpected SSH_AGENT_SUCCESS Response Causes Client Panic and Premature Termination in SSH Client, affects watsonx.data
Summary SH clients receiving SSHAGENTSUCCESS when expecting a typed response will panic and cause early termination of the client process. This can affect watsonx.data. Vulnerability Details CVEID:CVE-2025-47913 DESCRIPTION: SSH clients receiving SSHAGENTSUCCESS when expecting a typed response wi...
Improper Validation of Integrity Check Value
Overview Affected versions of this package are vulnerable to Improper Validation of Integrity Check Value due to missing validation of the AES-GCM authentication tag on encrypted XML nodes. An attacker can decrypt sensitive data and forge arbitrary ciphertexts by brute-forcing the authentication...
Reachable Assertion
Overview Affected versions of this package are vulnerable to Reachable Assertion in the checkType function. An attacker can cause the client to panic and terminate unexpectedly by providing invalid TUF metadata which is valid JSON. The vulnerable parsing happens before signature validation, so a...
Improper Verification of Cryptographic Signature
Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the VerifyDelegate function. An attacker in control of a compromised TUF repository can bypass signature validation and modify metadata files by setting the signature threshold to 0...
PT-2026-3904
Name of the Vulnerable Software and Affected Versions go-tuf versions 2.0.0 through 2.3.0 Description go-tuf, a Go implementation of The Update Framework TUF, is susceptible to a condition where a compromised or misconfigured repository can have signature thresholds set to 0. This effectively...
Relative Path Traversal
Overview Affected versions of this package are vulnerable to Relative Path Traversal due to unsafe path handling. An attacker can access, overwrite, or delete files outside the intended directories by supplying specially crafted names or archive entries containing path traversal sequences...
CVE-2025-59843 FlagForgeCTF Exposes User Emails via Public /api/user/[username] API
Flag Forge is a Capture The Flag CTF platform. From versions 2.0.0 to before 2.3.2, the public endpoint /api/user/username returns user email addresses in its JSON response. The fix, intended for release in 2.3.1 but only available starting in version 2.3.2, removes email addresses from public AP...
PT-2024-23171 · Brocade · Brocade Sannav Ova
Name of the Vulnerable Software and Affected Versions: Brocade SANnav OVA versions prior to 2.3.1 Brocade SANnav OVA version 2.3.0a Description: The issue is related to an insecure file permission setting that makes files world-readable. This could allow a local user without the required privileg...
PT-2024-4306 · Brocade · Brocade Sannav
Name of the Vulnerable Software and Affected Versions: Brocade SANnav versions prior to 2.3.1 Brocade SANnav version 2.3.0a Description: The issue is related to the use of hardcoded credentials in the Brocade SANnav software. This allows a remote attacker to perform a man-in-the-middle MITM attac...
PT-2024-4303 · Brocade · Brocade Sannav Ova
Name of the Vulnerable Software and Affected Versions: Brocade SANnav OVA versions prior to 2.3.1 Brocade SANnav OVA version 2.3.0a Description: The issue is related to the use of hard-coded credentials in the documentation of the Brocade SANnav appliance, which can be used as the root password...
PT-2023-24824 · Jetbrains · Jetbrains Ktor
Name of the Vulnerable Software and Affected Versions: JetBrains Ktor versions prior to 2.3.1 Description: The issue allows headers containing authentication data to be added to the exception's message. This could potentially expose sensitive information. Recommendations: For versions prior to...
SUSE CVE-2020-15210
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b a...
PT-2022-18717 · Apache · Apache Airflow
Name of the Vulnerable Software and Affected Versions: Apache Airflow versions prior to 2.3.1 Description: A vulnerability in the UI of Apache Airflow allows an attacker to view unmasked secrets in rendered template values for tasks that were not executed, such as when tasks were depending on pas...