#docker

## Summary `jupyter-server-proxy` is used to expose ports local to a Jupyter server listening to web traffic to the Jupyter server's _authenticated users_ by proxying web requests and websockets. Dependent packages ([partial list](https://www.wheelodex.org/projects/jupyter-server-proxy/rdepends/)) also use `jupyter-server-proxy` to expose other popular interactive applications (such as [RStudio](https://github.com/jupyterhub/jupyter-rsession-proxy), [Linux Desktop via VNC](https://github.com/jupyterhub/jupyter-remote-desktop-proxy), [Code Server](https://github.com/betatim/vscode-binder), [Panel](https://github.com/holoviz/jupyter-panel-proxy), etc) along with the Jupyter server. This feature is commonly used in hosted environments (such as a JupyterHub) to expose non-Jupyter interactive frontends or APIs to the user. `jupyter-server-proxy` did not check user authentication appropriately when proxying websockets, allowing unauthenticated access to anyone who had network access to the...

### Impact Vela pipelines can use variable substitution combined with insensitive fields like `parameters`, `image` and `entrypoint` to inject secrets into a plugin/image and — by using common substitution string manipulation — can bypass log masking and expose secrets without the use of the commands block. This unexpected behavior primarily impacts secrets restricted by the "no commands" option. This can lead to unintended use of the secret value, and increased risk of exposing the secret during image execution bypassing log masking. Given by the following substitution examples: using `parameters` ```yaml steps: - name: example image: <some plugin> secrets: [ example_secret ] parameters: example: $${EXAMPLE_SECRET} ``` using `image` tag ```yaml steps: - name: example image: <some plugin>:latest${EXAMPLE_SECRET} secrets: [ example_secret ] ``` using `entrypoint` as a shim for `commands` ```yaml steps: - name: example image: <some plugin> secre...

### Impact Vela pipelines can use variable substitution combined with insensitive fields like `parameters`, `image` and `entrypoint` to inject secrets into a plugin/image and — by using common substitution string manipulation — can bypass log masking and expose secrets without the use of the commands block. This unexpected behavior primarily impacts secrets restricted by the "no commands" option. This can lead to unintended use of the secret value, and increased risk of exposing the secret during image execution bypassing log masking. Given by the following substitution examples: using `parameters` ```yaml steps: - name: example image: <some plugin> secrets: [ example_secret ] parameters: example: $${EXAMPLE_SECRET} ``` using `image` tag ```yaml steps: - name: example image: <some plugin>:latest${EXAMPLE_SECRET} secrets: [ example_secret ] ``` using `entrypoint` as a shim for `commands` ```yaml steps: - name: example image: <some plugin> secre...

### Impact Vela pipelines can use variable substitution combined with insensitive fields like `parameters`, `image` and `entrypoint` to inject secrets into a plugin/image and — by using common substitution string manipulation — can bypass log masking and expose secrets without the use of the commands block. This unexpected behavior primarily impacts secrets restricted by the "no commands" option. This can lead to unintended use of the secret value, and increased risk of exposing the secret during image execution bypassing log masking. Given by the following substitution examples: using `parameters` ```yaml steps: - name: example image: <some plugin> secrets: [ example_secret ] parameters: example: $${EXAMPLE_SECRET} ``` using `image` tag ```yaml steps: - name: example image: <some plugin>:latest${EXAMPLE_SECRET} secrets: [ example_secret ] ``` using `entrypoint` as a shim for `commands` ```yaml steps: - name: example image: <some plugin> secre...

### Impact Vela pipelines can use variable substitution combined with insensitive fields like `parameters`, `image` and `entrypoint` to inject secrets into a plugin/image and — by using common substitution string manipulation — can bypass log masking and expose secrets without the use of the commands block. This unexpected behavior primarily impacts secrets restricted by the "no commands" option. This can lead to unintended use of the secret value, and increased risk of exposing the secret during image execution bypassing log masking. Given by the following substitution examples: using `parameters` ```yaml steps: - name: example image: <some plugin> secrets: [ example_secret ] parameters: example: $${EXAMPLE_SECRET} ``` using `image` tag ```yaml steps: - name: example image: <some plugin>:latest${EXAMPLE_SECRET} secrets: [ example_secret ] ``` using `entrypoint` as a shim for `commands` ```yaml steps: - name: example image: <some plugin> secre...

### Impact Vela pipelines can use variable substitution combined with insensitive fields like `parameters`, `image` and `entrypoint` to inject secrets into a plugin/image and — by using common substitution string manipulation — can bypass log masking and expose secrets without the use of the commands block. This unexpected behavior primarily impacts secrets restricted by the "no commands" option. This can lead to unintended use of the secret value, and increased risk of exposing the secret during image execution bypassing log masking. Given by the following substitution examples: using `parameters` ```yaml steps: - name: example image: <some plugin> secrets: [ example_secret ] parameters: example: $${EXAMPLE_SECRET} ``` using `image` tag ```yaml steps: - name: example image: <some plugin>:latest${EXAMPLE_SECRET} secrets: [ example_secret ] ``` using `entrypoint` as a shim for `commands` ```yaml steps: - name: example image: <some plugin> secre...

Red Hat Security Advisory 2024-1270-03 - An update for docker is now available for Red Hat Enterprise Linux 7 Extras.

By Deeba Ahmed Patch Now! One-Day Vulnerabilities Exploited by Magnet Goblin to Deliver Linux Malware! This is a post from HackRead.com Read the original post: Magnet Goblin Hackers Using Ivanti Flaws to Deploy Linux Malware

A cross-site request forgery (CSRF) vulnerability in Jenkins docker-build-step Plugin 2.11 and earlier allows attackers to connect to an attacker-specified TCP or Unix socket URL, and to reconfigure the plugin using the provided connection test parameters, affecting future build step executions.

A missing permission check in an HTTP endpoint in Jenkins docker-build-step Plugin 2.11 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified TCP or Unix socket URL, and to reconfigure the plugin using the provided connection test parameters, affecting future build step executions.