ghsa

# Microsoft Security Advisory CVE-2024-38167 | .NET Information Disclosure Vulnerability ## <a name="executive-summary"></a>Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A vulnerability exists in .NET runtime TlsStream which may result in Information Disclosure. ## Discussion Discussion for this issue can be found at https://github.com/dotnet/runtime/issues/106359 ## <a name="mitigation-factors"></a>Mitigation factors Microsoft has not identified any mitigating factors for this vulnerability. ## <a name="affected-software"></a>Affected software * Any .NET 8.0 application running on .NET 8.0.7 or earlier. ## <a name="affected-packages"></a>Affected Packages The vulnerability affects any Microsoft .NET Core project if it uses any of affected packages versions listed below ### <a n...

### Summary The bearertokenauth extension's server authenticator performs a simple, non-constant time string comparison of the received & configured bearer tokens. ### Details https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/9128a9258fe1fee36f198f97b1e3371fc7b77a93/extension/bearertokenauthextension/bearertokenauth.go#L189-L196 For background on the type of vulnerability, see https://ropesec.com/articles/timing-attacks/. ### Impact This impacts anyone using the `bearertokenauth` server authenticator. Malicious clients with network access to the collector may perform a timing attack against a collector with this authenticator to guess the configured token, by iteratively sending tokens and comparing the response time. This would allow an attacker to introduce fabricated or bad data into the collector's telemetry pipeline. ### Fix The observable timing vulnerability was fixed by @axw in v0.107.0 (PR https://github.com/open-telemetry/opentelemetry-collector-c...

### Impact The export download route `/filament-excel/{path}` allowed downloading any file without login when the webserver allows `../` in the URL. ### Patches Patched with Version v2.3.3 ### Credits Thanks to Kevin Pohl for reporting this.

### 1. Impacted Products Streamilt Open Source versions before 1.37.0. ### 2. Introduction Snowflake Streamlit open source addressed a security vulnerability via the [static file sharing feature](https://docs.streamlit.io/develop/concepts/configuration/serving-static-files). The vulnerability was patched on Jul 25, 2024, as part of Streamlit open source version 1.37.0. The vulnerability only affects Windows. ### 3. Path Traversal Vulnerability #### 3.1 Description On May 12, 2024, Streamlit was informed via our bug bounty program about a path traversal vulnerability in the open source library. We fixed and merged a patch remediating the vulnerability on Jul 25, 2024. The issue was determined to be in the moderate severity range with a maximum CVSSv3 base score of [5.9](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N) #### 3.2 Scenarios and attack vector(s) Users of hosted Streamlit app(s) on Windows were vulnerable to a path traversal vulnerabi...

Like many other SSH implementations, Apache MINA SSHD suffered from the issue that is more widely known as CVE-2023-48795. An attacker that can intercept traffic between client and server could drop certain packets from the stream, potentially causing client and server to consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack The mitigations to prevent this type of attack were implemented in Apache MINA SSHD 2.12.0, both client and server side. Users are recommended to upgrade to at least this version. Note that both the client and the server implementation must have mitigations applied against this issue, otherwise the connection may still be affected.

### Impact Improper neutralisation of delimiters in the `pattern` input (specifically the command separator `;` and command substitution characters `(` and `)`) mean that arbitrary command injection is possible by modification of the input value used in a workflow. This has the potential for exposure or exfiltration of sensitive information from the workflow runner, such as might be achieved by sending environment variables to an external entity. ### Patches As of this writing, the issue has been patched for versions in the `v1.x.x` release series in release `v1.6.12` (also tagged as `v1.6` and `v1`). The latest available release `v2.0.0` also includes a corresponding patch (also tagged as `v2.0` and `v2`). Users should upgrade to at least the patched version `v1.6.12` or preferably the latest available version `v2.0.0`. Workflows that use the action ref `v1` will automatically receive the patched version `v1.6.12` in future workflow runs. Patch summary: | Release series | Patche...

### Summary _Using an "open at the top" range definition in RBAC for etcd roles leads to some TCPs API servers being able to read, write and delete the data of other control planes._ ### Details The problematic code is this: https://github.com/clastix/kamaji/blob/8cdc6191242f80d120c46b166e2102d27568225a/internal/datastore/etcd.go#L19-L24 The range created by this RBAC setup code looks like this: ``` etcdctl role get example Role example KV Read: [/example/, \0) KV Write: [/example/, \0) ``` The range end `\0` means "everything that comes after" in etcd, so potentially all the key prefixes of controlplanes with a name that comes after "example" when sorting lexically (e.g. `example1`, `examplf`, all the way to `zzzzzzz` if you will). ### PoC 1. Create two TCP in the same Namespace 2. Scale Kamaji to zero to avoid reconciliations 3. change the Kubernetes API Server `--etcd-prefix` flag value to point to the other TCP datastore key 4. wait it for get it up and running 5. use `ku...

Concrete CMS versions 9.0.0 to 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in RSS Displayer when user input is stored and later embedded into responses. A rogue administrator could inject malicious code into fields due to insufficient input validation.

Missing Release of Resource after Effective Lifetime vulnerability in Apache Answer. This issue affects Apache Answer: through 1.3.5. User sends multiple password reset emails, each containing a valid link. Within the link's validity period, this could potentially lead to the link being misused or hijacked. Users are recommended to upgrade to version 1.3.6, which fixes the issue.

Missing Release of Resource after Effective Lifetime vulnerability in Apache Answer. This issue affects Apache Answer: through 1.3.5. The password reset link remains valid within its expiration period even after it has been used. This could potentially lead to the link being misused or hijacked. Users are recommended to upgrade to version 1.3.6, which fixes the issue.