#auth

### Impact Vela pipelines can use variable substitution combined with insensitive fields like `parameters`, `image` and `entrypoint` to inject secrets into a plugin/image and — by using common substitution string manipulation — can bypass log masking and expose secrets without the use of the commands block. This unexpected behavior primarily impacts secrets restricted by the "no commands" option. This can lead to unintended use of the secret value, and increased risk of exposing the secret during image execution bypassing log masking. Given by the following substitution examples: using `parameters` ```yaml steps: - name: example image: <some plugin> secrets: [ example_secret ] parameters: example: $${EXAMPLE_SECRET} ``` using `image` tag ```yaml steps: - name: example image: <some plugin>:latest${EXAMPLE_SECRET} secrets: [ example_secret ] ``` using `entrypoint` as a shim for `commands` ```yaml steps: - name: example image: <some plugin> secre...

### Impact TurboBoost Commands has existing protections in place to guarantee that only public methods on Command classes can be invoked; however, the existing checks aren't as robust as they should be. It's possible for a sophisticated attacker to invoke more methods than should be permitted depending on the the strictness of authorization checks that individual applications enforce. Being able to call some of these methods can have security implications. #### Details Commands verify that the class must be a `Command` and that the method requested is defined as a public method; however, this isn't robust enough to guard against all unwanted code execution. The library should more strictly enforce which methods are considered safe before allowing them to be executed. ### Patches Patched in the following versions. - 0.1.3 - [NPM Package](https://www.npmjs.com/package/@turbo-boost/commands/v/0.1.3) - [Ruby GEM](https://rubygems.org/gems/turbo_boost-commands/versions/0.1.3) - 0.2....

### Summary Due to the improper URL protocols filtering of links specified in the `link.argocd.argoproj.io` annotations in the application summary component, an attacker can achieve cross-site scripting with elevated permissions. ### Impact All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim's permissions (up to and including admin). This vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources. ### Patches A patch for this vulnerability has been released in the following Argo CD versions: * v2.10.3 * v2.9.8 * v2.8.12 ### Workarounds There are no completely-safe workarounds besides **upgrading**. The safest alternative, if upgrading is not possible, would be to create a [Kubernetes admis...

### Overview A significant security oversight was identified in Nuclei v3, involving the execution of unsigned code templates through workflows. This vulnerability specifically affects users utilizing custom workflows, potentially allowing the execution of malicious code on the user's system. This advisory outlines the impacted users, provides details on the security patch, and suggests mitigation strategies. ### Affected Users 1. **CLI Users:** Those executing custom workflows from untrusted sources. This includes workflows authored by third parties or obtained from unverified repositories. 2. **SDK Users:** Developers integrating Nuclei into their platforms, particularly if they permit the execution of custom workflows by end-users. ### Security Patch The vulnerability is addressed in Nuclei v3.2.0. Users are strongly recommended to update to this version to mitigate the security risk. ### Mitigation - **Immediate Upgrade:** The primary recommendation is to upgrade to Nuclei v3.2....

For months, US lawmakers have examined every side of a historic surveillance debate. With the introduction of the SAFE Act, all that’s left to do now is vote.

### Impact OS command injection vulnerability within the Fluid project's JuicefsRuntime can potentially allow an authenticated user, who has the authority to create or update the K8s CRD Dataset/JuicefsRuntime, to execute arbitrary OS commands within the juicefs related containers. This could lead to unauthorized access, modification or deletion of data. ### Patches For users who're using version < 0.9.3 with JuicefsRuntime， upgrade to v0.9.3. ### References _Are there any links users can visit to find out more?_ ### Credits Special thanks to the discovers of this issue: Xiaozheng Zhang [[email protected]]([email protected])

Financials by Coda versions prior to 2023Q4 suffer from an incorrect access control authorization bypass vulnerability. The Change Password feature can be abused in order to modify the password of any user of the application.

Financials by Coda versions prior to 2023Q4 suffer from a cross site scripting vulnerability.

HALO version 2.13.1 has an insecure cross-origin resource sharing setting that allows an arbitrary origin.

Membership Management System version 1.0 suffers from remote shell upload and remote SQL injection vulnerabilities.