Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-32187: Invalid Bug ID

An Allocation of Resources Without Limits or Throttling vulnerability in SUSE k3s allows attackers with access to K3s servers’ apiserver/supervisor port (TCP 6443) cause denial of service. This issue affects k3s: from v1.24.0 before v1.24.17+k3s1, from v1.25.0 before v1.25.13+k3s1, from v1.26.0 before v1.26.8+k3s1, from sev1.27.0 before v1.27.5+k3s1, from v1.28.0 before v1.28.1+k3s1.

CVE
Open in Source
#vulnerability#dos

‘CVE-2023-32187https://?cve=title’ is not a valid bug number nor an alias to a bug.

Please press Back and try again.

Related news

GHSA-m4hf-6vgr-75r2: K3s apiserver port is vulnerable to unauthenticated remote denial-of-service (DoS) attack via TLS SAN stuffing attack

### Impact An issue was found in K3s where an attacker with network access to K3s servers' apiserver/supervisor port (TCP 6443) can force the TLS server to add entries to the certificate's Subject Alternative Name (SAN) list, through a stuffing attack, until the certificate grows so large that it exceeds the maximum size allowed by TLS client implementations. OpenSSL for example will raise an `excessive message size` error when this occurs. No authentication is necessary to perform this attack, only the ability to perform a TLS handshake against the apiserver/supervisor port (TCP 6443). Affected servers will continue to operate, but clients (including both external administrative access with `kubectl` and server or agent nodes) will fail to establish new connections, thus leading to a denial of service (DoS) attack. ### Remediation Upgrade to a fixed release: - v1.28.1+k3s1 - v1.27.5+k3s1 - v1.26.8+k3s1 - v1.25.13+k3s1 - v1.24.17+k3s1 If you are using K3s 1.27 or earlier, you mus...

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE