Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-h27c-6xm3-mcqp: Kanister vulnerable to cluster-level privilege escalation

### Details The kanister has a deployment called default-kanister-operator, which is bound with a ClusterRole called edit via ClusterRoleBinding(https://github.com/kanisterio/kanister/blob/master/helm/kanister-operator/templates/rbac.yaml#L49). The "edit" ClusterRole is one of Kubernetes default-created ClusterRole, and it have create/patch/udpate verbs of daemonset resources, create verb of serviceaccount/token resources, and impersonate verb of serviceaccounts resources. If a malicious user can access the worker node which has this component, he/she can: For the create/patch/update verbs of daemonset resources, the malicious user can abuse it to create or modify a set of Pods to mount a high-privilege service account (e.g., the cluster-admin service account). After that, he/she can abuse the high-privilege SA token of created Pod to take over the whole cluster. For the create verb of serviceaccount/token resources, a malicious user can abuse this permission to generate new Service ...

ghsa
#git#kubernetes
GHSA-78x2-cwp9-5j42: Ghost's improper authentication allows access to member information and actions

### Impact Improper authentication on some endpoints used for member actions would allow an attacker to perform member-only actions, and read member information. ### Vulnerable versions This security vulnerability is present in Ghost v4.46.0-v5.89.5. ### Patches v5.89.5 contains a fix for this issue. ### Workarounds None. ### For more information If you have any questions or comments about this advisory: * Email us at [[email protected]](mailto:[email protected])

GHSA-r5ph-4jxm-6j9p: LF Edge eKuiper has a SQL Injection in sqlKvStore

### Summary A user could utilize and exploit SQL Injection to allow the execution of malicious SQL query via Get method in sqlKvStore. ### Details I will use explainRuleHandler ("/rules/{name}/explain") as an example to illustrate. However, this vulnerability also exists in other methods such as sourceManageHandler, asyncTaskCancelHandler, pluginHandler, etc. The SQL injection can happen in the code: https://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/pkg/store/sql/sqlKv.go#L89-L93 The code to accept user input is: https://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/server/rest.go#L274-L277 The rule id in the above code can be used to exploit SQL query. Note that the delete function is also vulnerable: https://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/pkg/store/sql/sqlKv.go#L138-L141 ### PoC ``` import requests from urllib.parse import quote # SELECT val FROM 'xxx'...

GHSA-cf72-vg59-4j4h: Khoj Vulnerable to Stored Cross-site Scripting In Automate (Preview feature)

### Summary The Automation feature allows a user to insert arbitrary HTML inside the task instructions, resulting in a Stored XSS. ### Details The `q` parameter for the `/api/automation` endpoint does not get correctly sanitized when rendered on the page, resulting in the ability of users to inject arbitrary HTML/JS. ### PoC ``` POST /api/automation?q=%22%3E%3C%2Ftextarea%3E%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E%3Cscript%3Ealert(2)%3C%2Fscript%3E ``` ### Impact Stored XSS: ![image](https://github.com/khoj-ai/khoj/assets/115566010/6b5b9f60-e05c-448b-82b4-bf010ad8a4f0) ### Fix - Added a Content Security Policy to all config pages on the web client, including the automation page - Used DOM scripting to construct all components on the config pages, including the automation page

GHSA-c6c3-h4f7-3962: apollo-portal has potential unauthorized access issue

### Impact A vulnerability exists in the synchronization configuration feature that allows users to craft specific requests to bypass permission checks. This exploit enables them to modify a namespace without the necessary permissions. ### Patches The issue was addressed with an input parameter check in #5192, which was released in version [2.3.0](https://github.com/apolloconfig/apollo/releases/tag/v2.3.0). ### Workarounds To mitigate the issue without upgrading, follow the recommended practices to prevent Apollo from being exposed to the internet. ### Credits The vulnerability was reported and reproduced by [Lakeswang](https://github.com/Lakes-bitgetsec). ### References For any questions or comments regarding this advisory: * Open an issue in [issue](https://github.com/apolloconfig/apollo/issues) * Email us at [[email protected]](mailto:[email protected])

GHSA-vhr5-g3pm-49fm: matrix-js-sdk will freeze when a user sets a room with itself as a its predecessor

### Impact A malicious homeserver can craft a room or room structure such that the predecessors form a cycle. The matrix-js-sdk's `getRoomUpgradeHistory` function will infinitely recurse in this case, causing the code to hang. This method is public but also called by the 'leaveRoomChain()' method, so leaving a room will also trigger the bug. Even if the CVSS score would be 4.1 ([AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L&version=3.1)) we classify this as High severity issue. ### Patches This was patched in matrix-js-sdk 34.3.1. ### Workarounds Sanity check rooms before passing them to the matrix-js-sdk or avoid calling either `getRoomUpgradeHistory` or `leaveRoomChain`. ### References N/A.

GHSA-mq69-4j5w-3qwp: Capsule tenant owner with "patch namespace" permission can hijack system namespaces

# Attack Vector Then, let me briefly explain the reasons for the errors mentioned above: 1. The 'kubectl edit' command was used to patch the namespace, but this operation requires both 'get' and 'patch' permissions, hence the error. One should use methods like 'curl' to directly send a PATCH request; 2. The webhook does not intercept patch operations on 'kube-system' because 'kube-system' does not have an ownerReference. # Below are my detailed reproduction steps 1. Create a test cluster `kind create cluster --image=kindest/node:v1.24.15 --name=k8s` 2. Install the capsule `helm install capsule projectcapsule/capsule -n capsule-system --create-namespace` 3. Create a tenant ``` kubectl create -f - << EOF apiVersion: capsule.clastix.io/v1beta2 kind: Tenant metadata: name: tenant1 spec: owners: - name: alice kind: User EOF ``` 4. Create user alice ``` ./create-user.sh alice tenant1 capsule.clastix.io export KUBECONFIG=alice-tenant1.kubeconfig ``` 5. Patch kube-system (The first ...

GHSA-hrww-x3fq-xcvh: Umbraco CMS Improper Access Control vulnerability

### Impact As an authenticated user one can access a few unintended endpoints

GHSA-hh8p-374f-qgr5: Grafana plugin data sources vulnerable to access control bypass

Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource. The account must have prior query access to the impacted datasource.

GHSA-77gj-crhp-3gvx: Umbraco CMS vulnerable to Generation of Error Message Containing Sensitive Information

### Impact Some endpoints in the Management API can return stack trace information, even when Umbraco is not in debug mode.