#vulnerability

Argo CD v2.11.3 and before, discovering that even if the user's ```p, role:myrole, exec, create, */*, allow``` permissions are revoked, the user can still send any Websocket message, which allows the user to view sensitive information. Even though they shouldn't have such access. ## Description Argo CD has a Web-based terminal that allows you to get a shell inside a running pod, just like you would with kubectl exec. However, when the administrator enables this function and grants permission to the user ```p, role:myrole, exec, create, */*, allow```, even if the user revokes this permission, the user can still perform operations in the container, as long as the user keeps the terminal view open for a long time. CVE-2023-40025 Although the token expiration and revocation of the user are fixed, however, the fix does not address the situation of revocation of only user ```p, role:myrole, exec, create, */*, allow``` permissions, which may still lead to the leakage of sensitive information...

The good news: Only organizations far behind on standard Windows patching have anything to worry about.

Prepay wireless provider TracFone has been slapped on the wrist to the tune of $16 million for insufficient customer data protection

Ubuntu Security Notice 6912-1 - James Henstridge discovered that provd incorrectly handled environment variables. A local attacker could possibly use this issue to run arbitrary programs and escalate privileges.

Gentoo Linux Security Advisory 202407-28 - A vulnerability has been discovered in Freenet, which can lead to deanonymization due to path folding. Versions greater than or equal to 0.7.5_p1497 are affected.

Gentoo Linux Security Advisory 202407-27 - Multiple vulnerabilities have been discovered in ExifTool, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 12.42 are affected.

Ubuntu Security Notice 6906-1 - It was discovered that python-zipp did not properly handle the zip files with malformed names. An attacker could possibly use this issue to cause a denial of service.

SIM Wisuda version 1.0 suffers from an insecure direct object reference vulnerability.

SLiMS CMS version 2.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

Ubuntu Security Notice 6910-1 - Chess Hazlett discovered that Apache ActiveMQ incorrectly handled certain commands. A remote attacker could possibly use this issue to terminate the program, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS. Peter Stoeckli discovered that Apache ActiveMQ incorrectly handled hostname verification. A remote attacker could possibly use this issue to perform a person-in-the-middle attack. This issue only affected Ubuntu 16.04 LTS.