Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-jwv5-8mqv-g387: Cross-site scripting on application summary component

### Summary Due to the improper URL protocols filtering of links specified in the `link.argocd.argoproj.io` annotations in the application summary component, an attacker can achieve cross-site scripting with elevated permissions. ### Impact All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim's permissions (up to and including admin). This vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources. ### Patches A patch for this vulnerability has been released in the following Argo CD versions: * v2.10.3 * v2.9.8 * v2.8.12 ### Workarounds There are no completely-safe workarounds besides **upgrading**. The safest alternative, if upgrading is not possible, would be to create a [Kubernetes admis...

ghsa
#xss#vulnerability#git#java#kubernetes#auth
GHSA-32jq-mv89-5rx7: CoreWCF NetFraming based services can leave connections open when they should be closed

### Impact If you have a NetFraming based CoreWCF service, extra system resources could be consumed by connections being left established instead of closing or aborting them. There are two scenarios when this can happen. When a client established a connection to the service and sends no data, the service will wait indefinitely for the client to initiate the NetFraming session handshake. Additionally, once a client has established a session, if the client doesn't send any requests for the period of time configured in the binding ReceiveTimeout, the connection is not properly closed as part of the session being aborted. The bindings affected by this behavior are NetTcpBinding, NetNamedPipeBinding, and UnixDomainSocketBinding. Only NetTcpBinding has the ability to accept non local connections. ### Patches The currently supported versions of CoreWCF are v1.4.x and v1.5.x. The fix can be found in v1.4.2 and v1.5.2 of the CoreWCF packages. ### Workarounds There are no workarounds. ### R...

GHSA-879p-8gw4-mcpw: fgr Vulnerable to Insecure Default Variable Initialization

### Impact Any users whom would not desire a traceback to be included in their logs whenever an error is raised in their code will be affected. If users have inadvertently created a scenario in their code that could cause a traceback to include sensitive information _and_ a malicious entity gained access to their log stream, this could create an issue. ### Patches None yet... users will need to upgrade to `0.4.*` ### Workarounds No particularly reasonable ones at present. ### References * https://cwe.mitre.org/data/definitions/453.html * https://www.invicti.com/web-vulnerability-scanner/vulnerabilities/stack-trace-disclosure-python/

GHSA-w5wx-6g2r-r78q: Nuclei allows unsigned code template execution through workflows

### Overview A significant security oversight was identified in Nuclei v3, involving the execution of unsigned code templates through workflows. This vulnerability specifically affects users utilizing custom workflows, potentially allowing the execution of malicious code on the user's system. This advisory outlines the impacted users, provides details on the security patch, and suggests mitigation strategies. ### Affected Users 1. **CLI Users:** Those executing custom workflows from untrusted sources. This includes workflows authored by third parties or obtained from unverified repositories. 2. **SDK Users:** Developers integrating Nuclei into their platforms, particularly if they permit the execution of custom workflows by end-users. ### Security Patch The vulnerability is addressed in Nuclei v3.2.0. Users are strongly recommended to update to this version to mitigate the security risk. ### Mitigation - **Immediate Upgrade:** The primary recommendation is to upgrade to Nuclei v3.2....

GHSA-494h-9924-xww9: Pterodactyl Wings vulnerable to improper isolation of server file access

### Impact This vulnerability impacts anyone running the affected versions of Wings. The vulnerability can potentially be used to access files and directories on the host system. The full scope of impact is exactly unknown, but reading files outside of a server's base directory (sandbox root) is possible. In order to use this exploit, an attacker must have an existing "server" allocated and controlled by Wings. Details on the exploitation of this vulnerability are embargoed until March 27th, 2024 at 18:00 UTC. ### Resolution In order to mitigate this vulnerability, a full rewrite of the entire server filesystem was necessary. Because of this, the size of the patch is massive, however effort was made to reduce the amount of breaking changes. While tests were written to ensure security and functionality, there may be some semantic differences of certain operations, such as different errors being returned for example. If you notice any major semantic differences, please open an ...

GHSA-5h3x-6gwf-73jm: vantage6 vulnerable to a username timing attack on recover password/MFA token

### Impact Much like https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53, it is possible to find which usernames exist in vantage6 by calling the API routes `/recover/lost` and `/2fa/lost`, which send emails to users if they have lost their password or MFA token. Usernames can be found by assessing response time differences, and additionally, they can be found because the endpoint gives a response "Failed to login" if the username exists. ### Patches No ### Workarounds No

GHSA-4946-85pr-fvxh: vantage6's CORS settings overly permissive

### Impact The vantage6 server has no restrictions on CORS settings. It should be possible for people to set the allowed origins of the server. The impact is limited because v6 does not use session cookies ### Patches No ### Workarounds No

GHSA-wx8q-4gm9-rj2g: Fluid vulnerable to OS Command Injection for Fluid Users with JuicefsRuntime

### Impact OS command injection vulnerability within the Fluid project's JuicefsRuntime can potentially allow an authenticated user, who has the authority to create or update the K8s CRD Dataset/JuicefsRuntime, to execute arbitrary OS commands within the juicefs related containers. This could lead to unauthorized access, modification or deletion of data. ### Patches For users who're using version < 0.9.3 with JuicefsRuntime, upgrade to v0.9.3. ### References _Are there any links users can visit to find out more?_ ### Credits Special thanks to the discovers of this issue: Xiaozheng Zhang [[email protected]]([email protected])

GHSA-g623-jcgg-mhmm: Users with `create` but not `override` privileges can perform local sync

### Impact "Local sync" is an Argo CD feature that allows developers to temporarily override an Application's manifests with locally-defined manifests. Use of the feature should generally be limited to highly-trusted users, since it allows the user to bypass any merge protections in git. An improper validation bug allows users who have `create` privileges but not `override` privileges to sync local manifests on app creation. All other restrictions, including AppProject restrictions are still enforced. The only restriction which is _not_ enforced is that the manifests come from some approved git/Helm/OCI source. The bug was introduced in 1.2.0-rc1 when the local manifest sync feature was added. ### Patches The bug has been patched in the following versions: * 2.10.3 * 2.9.8 * 2.8.12 ### Workarounds To immediately mitigate the risk of branch protection bypass, remove `applications, create` RBAC access. The only way to eliminate the issue without removing RBAC access is to upgrade...

GHSA-r978-9m6m-6gm6: Apache ZooKeeper vulnerable to information disclosure in persistent watchers handling

Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. It allows an attacker to monitor child znodes by attaching a persistent watcher (addWatch command) to a parent which the attacker has already access to. ZooKeeper server doesn't do ACL check when the persistent watcher is triggered and as a consequence, the full path of znodes that a watch event gets triggered upon is exposed to the owner of the watcher. It's important to note that only the path is exposed by this vulnerability, not the data of znode, but since znode path can contain sensitive information like user name or login ID, this issue is potentially critical. Users are recommended to upgrade to version 3.9.2, 3.8.4 which fixes the issue.