#git

### Impact When source-controller is configured to use an [Azure SAS token](https://v2-2.docs.fluxcd.io/flux/components/source/buckets/#azure-blob-sas-token-example) when connecting to Azure Blob Storage, the token was logged along with the Azure URL when the controller encountered a connection error. An attacker with access to the source-controller logs could use the token to gain access to the Azure Blob Storage until the token expires. ### Patches This vulnerability was fixed in source-controller **v1.2.5**. ### Workarounds There is no workaround for this vulnerability except for using a different auth mechanism such as [Azure Workload Identity](https://v2-2.docs.fluxcd.io/flux/components/source/buckets/#azure). ### Credits This issue was reported and fixed by Jagpreet Singh Tamber (@jagpreetstamber) from the Azure Arc team. ### References https://github.com/fluxcd/source-controller/pull/1430 ### For more information If you have any questions or comments about this advis...

Cacti versions 1.2.26 and below suffer from a remote code execution execution vulnerability in import.php.

A security issue was discovered in azure-file-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are only logged when TokenRequests is configured in the CSIDriver object and the driver is set to run at log level 2 or greater via the -v flag.

### Summary The way the proxy protocol listener is implemented in sshpiper can allow an attacker to forge their connecting address. ### Details [This commit](https://github.com/tg123/sshpiper/commit/2ddd69876a1e1119059debc59fe869cb4e754430) added the proxy protocol listener as the only listener in sshpiper, with no option to toggle this functionality off. This means that any connection that sshpiper is directly (or in some cases indirectly) exposed to can use proxy protocol to forge its source address. ### PoC You can use a configuration like this in HAProxy: ``` listen w-send-proxy mode tcp log global option tcplog bind *:27654 tcp-request connection set-src ipv4(1.1.1.1) server app1 ssh-piper-hostname:22 send-proxy ``` When connecting through HAProxy, sshpiper will log connections as originating from `1.1.1.1`. The proxy protocol data is designed to survive multiple load balancers or proxies and pass through to sshpiper at the end, so it should only be...

## Summary Nokogiri v1.16.5 upgrades its dependency libxml2 to [2.12.7](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7) from 2.12.6. libxml2 v2.12.7 addresses CVE-2024-34459: - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/720 - patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/2876ac53 ## Impact There is no impact to Nokogiri users because the issue is present only in libxml2's `xmllint` tool which Nokogiri does not provide or expose. ## Timeline - 2024-05-13 05:57 EDT, libxml2 2.12.7 release is announced - 2024-05-13 08:30 EDT, nokogiri maintainers begin triage - 2024-05-13 10:05 EDT, nokogiri [v1.16.5 is released](https://github.com/sparklemotion/nokogiri/releases/tag/v1.16.5) and this GHSA made public

Today we are releasing Grafana 9.2. Alongside with new features and other bug fixes, this release includes a Moderate severity security fix for CVE-2022-39201 We are also releasing security patches for Grafana 9.1.8 and Grafana 8.5.14 to fix these issues. Release 9.2, latest release, also containing security fix: - [Download Grafana 9.2](https://grafana.com/grafana/download/9.2) Release 9.1.8, only containing security fix: - [Download Grafana 9.1.8](https://grafana.com/grafana/download/9.1.8) Release 8.5.14, only containing security fix: - [Download Grafana 8.5.14](https://grafana.com/grafana/download/8.5.14) Appropriate patches have been applied to [Grafana Cloud](https://grafana.com/cloud) and as always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana and Azure's Grafana ...

Today we are releasing Grafana 9.2. Alongside with new features and other bug fixes, this release includes a Moderate severity security fix for CVE-2022-39229 We are also releasing security patches for Grafana 9.1.8 and Grafana 8.5.14 to fix these issues. Release 9.2, latest release, also containing security fix: - [Download Grafana 9.2](https://grafana.com/grafana/download/9.2) Release 9.1.8, only containing security fix: - [Download Grafana 9.1.8](https://grafana.com/grafana/download/9.1.8) Release 8.5.14, only containing security fix: - [Download Grafana 8.5.14](https://grafana.com/grafana/download/8.5.14) Appropriate patches have been applied to [Grafana Cloud](https://grafana.com/cloud) and as always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana and Azure's Grafana...

To create a snapshot (and insert an arbitrary URL) the built-in role Viewer is sufficient. When a dashboard is shared as a local snapshot, the following three fields are offered in the web UI for a user to fill out: • Snapshotname • Expire • Timeout(seconds) After the user confirms creation of the snapshot (i.e. clicks the ”Local Snapshot” button) an HTTP POST request is sent to the Grafana server. The HTTP request contains additional parameters that are not visible in the web UI. The parameter originalUrl is not visible in the web UI, but sent in the HTTP POST request. The value of the originalUrl parameter is automatically generated. The purpose of the presented originalUrl parameter is to provide a user that views the snapshot the possibility to click on the button in the Grafana web UI and be presented with the dashboard that the snapshot was made out of. The value of the originalUrl parameter can be arbitrarily chosen by a malicious user that creates the snapshot (Note: by editi...

Today we are releasing Grafana 9.2.4. Alongside other bug fixes, this patch release includes critical security fixes for CVE-2022-39328. Release 9.2.4, latest patch, also containing security fix: - [Download Grafana 9.2.4](https://grafana.com/grafana/download/9.2.4) Appropriate patches have been applied to [Grafana Cloud](https://grafana.com/cloud) and as always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana and Azure Managed Grafana as a service offering. ## Privilege escalation ### Summary Internal security audit identified a race condition in the Grafana codebase, which allowed an unauthenticated user to query an arbitrary endpoint in Grafana. A race condition in the [HTTP context creation](https://github.com/grafana/grafana/blob/main/pkg/web/router.go#L153) could make a...

Today we are releasing Grafana 9.2. Alongside with new features and other bug fixes, this release includes a Moderate severity security fix for CVE-2022-31130 We are also releasing security patches for Grafana 9.1.8 and Grafana 8.5.14 to fix these issues. Release 9.2, latest release, also containing security fix: - [Download Grafana 9.2](https://grafana.com/grafana/download/9.2) Release 9.1.8, only containing security fix: - [Download Grafana 9.1.8](https://grafana.com/grafana/download/9.1.8) Release 8.5.14, only containing security fix: - [Download Grafana 8.5.14](https://grafana.com/grafana/download/8.5.14) Appropriate patches have been applied to [Grafana Cloud](https://grafana.com/cloud) and as always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana and Azure's Grafana ...