Tag
#docker
### Impact

The /api/v2/config endpoint exposes message bus credentials to local unauthenticated users. In security-enabled mode, message bus credentials are supposed to be kept in the EdgeX secret store and require authentication to access. This vulnerability bypasses the access controls on message bus credentials when running in security-enabled mode. (No credentials are required when running in security-disabled mode.) As a result, attackers could intercept data or inject fake data into the EdgeX message bus.

### Patches

Users should upgrade to EdgeXFoundry Kamakura release (2.2.0) or to the June 2022 EdgeXFoundry LTS Jakarta release (2.1.1). The issue has been patched in the following docker containers and snaps:

#### Patched go modules

- github.com/edgexfoundry/device-sdk-go/v2 >= v2.1.1
- github.com/edgexfoundry/app-functions-sdk-go/v2 >= v2.1.1

#### Patched docker containers

URL: https://hub.docker.com/r/edgexfoundry

- docker.io/edgexfoundry/core-metadata:>=2.1.1
- docker.io/...
An issue was discovered in AgileBits 1Password, involving the method various 1Password apps and integrations used to create connections to the 1Password service. In specific circumstances, this issue allowed a malicious server to convince a 1Password app or integration it is communicating with the 1Password service.
EdgeX Foundry is an open source project for building a common open framework for Internet of Things edge computing. Prior to version 2.1.1, the /api/v2/config endpoint exposes message bus credentials to local unauthenticated users. In security-enabled mode, message bus credentials are supposed to be kept in the EdgeX secret store and require authentication to access. This vulnerability bypasses the access controls on message bus credentials when running in security-enabled mode. (No credentials are required when running in security-disabled mode.) As a result, attackers could intercept data or inject fake data into the EdgeX message bus. Users should upgrade to EdgeXFoundry Kamakura release (2.2.0) or to the June 2022 EdgeXFoundry LTS Jakarta release (2.1.1) to receive a patch. More information about which go modules, docker containers, and snaps contain patches is available in the GitHub Security Advisory. There are currently no known workarounds for this issue.
An unpatched security issue in the Travis CI API has left tens of thousands of developers' user tokens exposed to potential attacks, effectively allowing threat actors to breach cloud infrastructures, make unauthorized code changes, and initiate supply chain attacks. "More than 770 million logs of free tier users are available, from which you can easily extract tokens, secrets, and other
**What are some of the services affected by this vulnerability?**

The following table lists some of the affected services, and the changes associated with the remedy for this vulnerability:

| Affected Product | New Version Number | Customer action required |
|---|---|---|
| DSC | Patch for Version 3: 3.0.0.7 and Patch for Version 2: 2.71.1.33 | No Customer Action required; these are auto updated for all customers. |
| SCOM | For 2016: 7.6.1108.0; for 2019: 10.19.1152.0; and for 2022: 10.22.1024.0 | Customers need to update MPs 2016, 2019, and 2022. |
| OMS | 1.14.13 | There are 2 ways to install OMS Agent: Bundle or through VM Extension. Using a Bundle Link and for VM Extensions, through Azure Powershell CMDlets or Azure CLI. |
| ASC | 1.14.13 | Update via VM extension. |
| Container Monitoring Solution | Image tag: microsoft-oms-latest with full ID: sha256:6131e66cdf7bd07f9db3bbb17902ea8695a2f2bda0cf72ff16170aaf93b56f3b | See How to Upgrade OMS Docker for details on how to check your current image ID and to upgrade OMS-docke... |
Public Travis CI logs loaded with GitHub, AWS, Docker Hub account tokens, and other sensitive data could be leveraged for lateral cloud attacks.
Strapi v3.x.x versions and earlier contain a stored cross-site scripting vulnerability in the file upload function. By exploiting this vulnerability, an arbitrary script may be executed in the web browser of a user who is logged in to the product with administrative privileges.
In the SEOmatic plugin up to 3.4.11 for Craft CMS 3, it is possible for unauthenticated attackers to perform a Server-Side Template Injection, allowing for remote code execution.
Red Hat Security Advisory 2022-4985-01 - New Cryostat 2.1.1 on RHEL 8 container images have been released, containing bug fixes and addressing security vulnerabilities. Issues addressed include a deserialization vulnerability.
New Cryostat 2.1.1 on RHEL 8 container images are now available.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

* CVE-2022-25647: com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson
* CVE-2022-28948: golang-gopkg-yaml: crash when attempting to deserialize invalid input