Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier transmits the private key in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.

CVE-2023-24440: Jenkins Security Advisory 2023-01-24

Jenkins view-cloner Plugin 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

CVE-2023-24450: Jenkins Security Advisory 2023-01-24

Jenkins Kubernetes Credentials Provider Plugin 1.208.v128ee9800c04 and earlier does not set the appropriate context for Kubernetes credentials lookup, allowing attackers with Item/Configure permission to access and potentially capture Kubernetes credentials they are not entitled to.

CVE-2023-24425: Jenkins Security Advisory 2023-01-24

Jenkins Keycloak Authentication Plugin 2.3.0 and earlier does not invalidate the previous session on login.

CVE-2023-24456: Jenkins Security Advisory 2023-01-24

Missing permission checks in Jenkins Orka by MacStadium Plugin 1.31 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2023-24433: Jenkins Security Advisory 2023-01-24

An issue was discovered in the rollback feature of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account.

CVE-2022-38775: Security issues

A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions from 13.5 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. It was possible to exploit a vulnerability in setting the Jira Connect integration which could lead to a reflected XSS that allowed attackers to perform arbitrary actions on behalf of victims.

Skip to content

GitLab

Next

*   *   GitLab: the DevOps platform
    *   Explore GitLab
    *   Install GitLab
    *   How GitLab compares
    *   Get started
    *   GitLab docs
    *   GitLab Learn
    
*   Pricing
*   Talk to an expert

*   /
    
*   

*   Help
    
    *   Help
    *   Support
    *   Community forum
    
    *   Submit feedback
    *   Contribute to GitLab
    
*   *   
    
    Projects Groups Snippets
    
*   Sign up now
*   Login
*   Sign in / Register
    

*   GitLab.org
*   cves
*   Repository

Switch branch/tag

*   cves
*   2022
*   **CVE-2022-3572.json**

Find file BlameHistoryPermalink

*   Publishing 0 updated advisories and 2 new advisories · 8e57563a
    
    🤖 GitLab Bot 🤖 authored Jan 20, 2023
    
    8e57563a

CVE-2022-3572: 2022/CVE-2022-3572.json · master · GitLab.org / cves · GitLab

Red Hat Security Advisory 2023-0237-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: OpenShift Container Platform 4.8.57 security update  
Advisory ID:       RHSA-2023:0237-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0237  
Issue date:        2023-01-25  
CVE Names:         CVE-2022-41912 CVE-2023-21835 CVE-2023-21843  
====================================================================  
1. Summary:

Red Hat OpenShift Container Platform release 4.8.57 is now available with  
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.  
Security Fix(es):

* crewjam/saml: Authentication bypass when processing SAML responses  
containing multiple Assertion elements (CVE-2022-41912)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

See the following documentation, which will be updated shortly for this  
release, for important instructions on how to upgrade your cluster and  
fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html

You may download the oc tool and use it to inspect release image metadata  
for x86_64, s390x, and ppc64le architectures.

The image digests may be found at  
https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags

The sha values for the release are:

(For x86_64 architecture)  
The image digest is  
sha256:c9dfdaa23f71c5faf6cc88a3cc504f7458840b8c860372a8106584739a15b1f2

(For s390x architecture)  
The image digest is  
sha256:ff2557359193568edf71a6160b0d431c01625578fc29ca6c8894f2e46719b475

(For ppc64le architecture)  
The image digest is  
sha256:cfbc2bf134d9a7754a920164bd8189f2f5b5d802c25c0774ab3b4e9c1998ff51

All OpenShift Container Platform 4.8 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift Console  
or the CLI oc command. Instructions for upgrading a cluster are available  
at  
https://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2149181 - CVE-2022-41912 crewjam/saml: Authentication bypass when processing SAML responses containing multiple Assertion elements

5. JIRA issues fixed (https://issues.jboss.org/):

OCPBUGS-5964 - Placeholder bug for OCP 4.8.0 metadata release  
OCPBUGS-5965 - Placeholder bug for OCP 4.8.0 rpm release

6. References:

https://access.redhat.com/security/cve/CVE-2022-41912  
https://access.redhat.com/security/cve/CVE-2023-21835  
https://access.redhat.com/security/cve/CVE-2023-21843  
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY9FaPdzjgjWX9erEAQg0vw//QzuA21utuuPcMS2hskt1IACyRPrP2e1r  
iWod7sJFac91fcGCq43e4dyc0IUeurEHAh7syX5g9UBaDt1IReTUsF5Fwolbi8js  
Q2xTi8TyYuCqYKpl8yzXXKRu/vd32HfsOhe1W8pyzT77PcPf5QlX329GnMUUsyrr  
l/3eNwRn/eIRWqGXPBFzRM+NVBbLAZ5J17Wpdqu7Ghu+11xSU7cAhrk1BjFaNxHy  
u/s5PLDtz1tCjf8pU8MdkBe/DVWUDCkR1QvPqj5GDRHK/Vq0gyvhX2+m3nDi1VlF  
2XNMy+PVlmnlAoLtRWcaazTvE8VR0aaxyB6iOZQMcDrUMJS+wJD5Oo/zcGjvVNpM  
oXhuSpnkLSEAzb1Z4a0NIdx9hJGP4j252RJYzx4GumwpiNaU4xMr4DoFB/cRE11H  
b2c45+iX1n/Dnj8LaJLUdCSKAHqrFB4gGSjKTlV3KO/xGIYTPn30MSOAGYWR9oDf  
zaPX1AdgNBoQ43gbKP2Uj7/S7iHN575P7t1B1Bfi+Bdgxo6U0sRlgC51LEVCqTtD  
49NkFFzmFQr3KCFIDuHIQaNRyyPU3skAf7mKqUJGblkrbAolZ3Gc+a0RK9kmlx0j  
cdOK6ev73xCs/Ad5SmynJRXTrZB3dmOzh5Gk6QpOAFzPbJr30Qt1dfqAsq7hsVxb  
wNvLA5dg5i8=WVbV  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0237-01

Red Hat Security Advisory 2023-0241-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.10.50.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Low: OpenShift Container Platform 4.10.50 bug and security update  
Advisory ID:       RHSA-2023:0241-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0241  
Issue date:        2023-01-24  
CVE Names:         CVE-2023-0296  
====================================================================  
1. Summary:

Red Hat OpenShift Container Platform release 4.10.50 is now available with  
updates to packages and images that fix several bugs.

Red Hat Product Security has rated this update as having a security impact  
of Low. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container  
Platform 4.10.50. See the following advisory for the RPM packages for this  
release:

https://access.redhat.com/errata/RHBA-2023:0240

Security Fix(es):

* openshift: etcd grpc-proxy vulnerable to The Birthday attack against  
64-bit block cipher (CVE-2023-0296)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Space precludes documenting all of the container images in this advisory.  
See the following Release Notes documentation, which will be updated  
shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html

3. Solution:

For OpenShift Container Platform 4.10 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html

You may download the oc tool and use it to inspect release image metadata  
for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests  
may be found at  
https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags

The sha values for the release are:

(For x86_64 architecture)  
The image digest is  
sha256:9301ca818d705bda5981db961904f2b6e3f9adcc51e3c8e258c05950236dfc3d

(For s390x architecture)  
The image digest is  
sha256:88dd6c214ba12eb626301d40fadbf5d6d95eeaebae11f0c0fedfbfcecd1df739

(For ppc64le architecture)  
The image digest is  
sha256:baa7fe33ac04eca046892820342c19b6df02f6998f3f5e4f9471c737f6eeb301

(For aarch64 architecture)  
The image digest is  
sha256:7ac01bfe3554059f81fb573fa04cf41ca8a150b93b54d4209f4c987687e40d81

All OpenShift Container Platform 4.10 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift Console  
or the CLI oc command. Instructions for upgrading a cluster are available  
at  
https://docs.openshift.com/container-platform/4.10/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2161287 - CVE-2023-0296 openshift: etcd grpc-proxy vulnerable to The Birthday attack against 64-bit block cipher

5. JIRA issues fixed (https://issues.jboss.org/):

OCPBUGS-4467 - [4.10] Improve ironic logging configuration in metal3  
OCPBUGS-4717 - Unable to use application credentials for Cinder CSI after OpenStack credentials update  
OCPBUGS-4810 - MCO does not sync kubeAPIServerServingCAData to controllerconfig if there are not ready nodes  
OCPBUGS-5294 - Backport fix for OCPBUGSM-36848 to 4.10  
OCPBUGS-5299 - [4.10] [OVN]Sometimes after reboot egress node, egress IP cannot be applied anymore.  
OCPBUGS-5415 - [OCP 4.10] ironic container images have old packages  
OCPBUGS-5419 - [release-4.10] Azure: unable to configure EgressIP if an ASG is set  
OCPBUGS-5507 - [vsphere-CSI-Driver-Operator] The storageclass "thin-csi" could not be re-created after deleting  
OCPBUGS-5788 - ClusterResourceQuota values are not reflecting.

6. References:

https://access.redhat.com/security/cve/CVE-2023-0296  
https://access.redhat.com/security/updates/classification/#low

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY8+0QtzjgjWX9erEAQjtJw//Ts6EzkhU5+hsaIaT0j7Yq18Dai3sC7p6  
jCiHlRWPuoAcyzrvZbVv+62G9WaXWhQ9HuXOYjx/cPTCZe92ixeSrE8FQGDh9bgw  
fLVMtqH7F8zOQHRVspIgH8SzooS5A/ZGSCBG5wVSvVbJUCQViXmoz2xOH4DXjOmd  
RT42+aBT0KeTG6Dbj21g3VB/5faLxxrC8u55lVAlBGNyroVmLqKzPKKnlvpibjFV  
WJATXcV0885PXR8FVmF0CSZbkX+u1++7XVHhoqgQ/D8STZCvmIw/W21pcW8owYEc  
u0kBO8eTH8LKqiSbze88ENVogOaX+0HIgKmJ/3aMjyejSVPpIlmz3RA/gOG2Eguc  
vdrRJXwjFCY2kkFgcw0SqeZM/SGHj1VlWNHTjxG9Sj7XnVw6QHpT9cVFByCvFp72  
eL96I3Qb3qnhCBrLdtsIUoA3B/uDkjGFwMysRdNBUFl76HvTEQUQhxWbLAy6q/XC  
VlOnE+e2Kj9pfyWHbSbHHdeD/qXFoUenHWBL+Xow5Hvf8L5oGYo3tFahDrlip+6R  
btZwOF56IEXH5Q4Cy9UaAONPb+6TntvOLsjaTpYqeTToIsHRAOE4NbghIeJBUHM3  
P6i4Iy9vR0DyJRFvpCVRXqw1h1Wlo0Ru4Xo9rQpKyX0TVDHppKrpa1HD+GZgEETk  
aT/bFo7O4rg=aJSj  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0241-01

Orca Security is one of the companies integrating conversational AI technology into its products.

While there are some concerns about how generative AI chatbots such as ChatGPT can be used maliciously — to craft phishing campaigns or write malware — several companies are harnessing the power of conversational AI technology to enhance their product capabilities, including for security.

ChatGPT, a large language model (LLM) developed by OpenAI, uses GPT 3 LLM and relies on large test data sets culled from multiple sources. ChatGPT, which can understand human language, provides detailed answers to simple questions and can handle complex tasks such as creating documents and writing code in response to user queries. It's an example of how conversational AI can be used to organize large volumes of information and enhance user experience and communications.

For instance, a conversational AI tool — whether that's ChatGPT or something else — could serve as the back end of an information concierge that automates the use of threat intelligence in enterprise support, according to IT research and advisory firm Into-Tech Research.

That's the approach Orca Security appears to be taking with Orca Security Platform. The company incorporated OpenAI's GPT3 API, specifically the "Da-Vinci-03" series, to enhance the platform's ability to generate contextual and accurate remediation plans for security alerts, Lior Drihem, Orca's director of innovation, and Itamar Golan, head of data science, wrote in the announcement. 

The new pipeline takes a security alert and preprocesses the data, such as basic information about the risk and its contextual environment — such as affected assets, attack vectors, and potential impact — before feeding the pieces as input to GPT3. The AI then generates a detailed explanation of the best and most practical ways to remediate the issue, Golan and Drihem wrote. These remediation steps can also be embedded in tickets, such as Jira tickets, for teams to reference and implement.

While the AI model can provide inaccurate information (or vague results), "the benefits of utilizing GPT3's natural language generation capabilities outweigh any potential risks, and have seen significant improvements in the efficiency and effectiveness of our remediation efforts," according to Drihem and Golan.

This isn't the first time Orca Security has been working with language models. The company recently integrated GPT3 into its cloud security platform to enhance the remediation information customers receive regarding infosec risks. 

"By fine-tuning these powerful language models with our own security data sets, we have been able to improve the detail and accuracy of our remediation steps — giving you a much better remediation plan and assisting you to optimally solve the issue as fast as possible," Golan and Drihem wrote.

**Harnessing AI & LLM for Applications**

Orca Security joins other companies incorporating language models into its product portfolio. Earlier this week, Gupshup launched Auto Bot Builder, which harnesses GPT-3 to help enterprises build their own advanced conversational chatbots. Auto Bot Builder builds chatbots tailed to the enterprise's specific requirements by using content from the enterprise website, documents, message logs, product catalogs, databases, and other corporate systems, processing the information using GPT-3 LLM (Large Language Model), and fine-tuning it with proprietary industry-specific models. Enterprises can use Auto Bot Builder to build chatbots for marketing lead generation activities, product discovery, product recommendations, shopping advice, troubleshooting, and customer support.

These chatbots differ from ChatGPT, a general-purpose chatbot, but like ChatGPT, they have an "exceptionally high degree of language capability" to engage with end users, according to Gupshup.

The cryptocurrency community is also using ChatGPT to create applications such as trading bots and crypto blogs, Jerrod Piker, a competitive intelligence analyst at Deep Instinct, wrote in an email. Examples include using ChatGPT to write a sample smart contract, and a trading bot that identifies entry and exit points to help automate the process of buying and selling cryptocurrencies.

A generative AI chatbot that can answer questions is not a new concept, but ChatGPT stands out from the others because of the breadth of topics it can handle and its ease of use, says Casey Ellis, founder and CTO of Bugcrowd.

Tag

#jira