Linux Foundation
By the Year
So far in 2025 there have been 0 vulnerabilities published for Linux Foundation products. Last year, in 2024, 26 security vulnerabilities were published. At this rate, Linux Foundation is on track to have fewer security vulnerabilities in 2025 than it did last year.
Year | Vulnerabilities | Average CVSS Score |
---|---|---|
2025 | 0 | 0.00 |
2024 | 26 | 6.98 |
2023 | 89 | 6.74 |
2022 | 51 | 7.22 |
2021 | 38 | 7.14 |
2020 | 41 | 7.14 |
2019 | 11 | 6.98 |
2018 | 2 | 6.55 |
It may take a day or so for new Linux Foundation vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Linux Foundation Security Vulnerabilities
Harbor Robot Account Permission Bypass Vulnerability
CVE-2022-31667
6.4 - Medium
- November 14, 2024
Harbor fails to validate the user permissions when updating a robot account that belongs to a project that the authenticated user doesn't have access to. By sending a request that attempts to update a robot account, and specifying a robot account id and robot account name that belong to a different project that the user doesn't have access to, it was possible to revoke the robot account permissions.
AuthZ
Harbor P2P Preheat Policy Update Permission Bypass Vulnerability
CVE-2022-31668
7.7 - High
- November 14, 2024
Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify p2p preheat policies configured in other projects.
AuthZ
Harbor: Improper Access Control in Tag Immutability Policy Update
CVE-2022-31669
7.7 - High
- November 14, 2024
Harbor fails to validate the user permissions when updating tag immutability policies. By sending a request to update a tag immutability policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify tag immutability policies configured in other projects.
AuthZ
Harbor Tag Retention Policy Access Control Vulnerability
CVE-2022-31670
7.7 - High
- November 14, 2024
Harbor fails to validate the user permissions when updating tag retention policies. By sending a request to update a tag retention policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify tag retention policies configured in other projects.
AuthZ
Harbor P2P Preheat Execution Logs Permission Bypass Vulnerability
CVE-2022-31671
7.4 - High
- November 14, 2024
Harbor fails to validate user permissions when reading and updating job execution logs through the P2P preheat execution logs. By sending a request that attempts to read/update P2P preheat execution logs and specifying different job IDs, malicious authenticated users could read all the job logs stored in the Harbor database.
AuthZ
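The five Harbor advisories above share one root cause: the handler authorizes against the project named in the request, then operates on whatever resource id the body names, without checking that the resource belongs to that project. The Go example below is added here and is not taken from Harbor's code base; the types, the in-memory store and the user/project data are constructed for the example. It shows the vulnerable ordering next to the fix, which loads the resource first and authorizes against the project it actually belongs to.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed in-memory model for the example; these are not Harbor's own types.
type RobotAccount struct {
	ID        int64
	ProjectID int64
	Name      string
	Disabled  bool
}

type User struct {
	Name     string
	Projects map[int64]bool // projects this user may administer
}

type Store struct {
	Robots map[int64]*RobotAccount
}

var (
	ErrForbidden = errors.New("forbidden")
	ErrNotFound  = errors.New("not found")
)

// vulnerableUpdate authorizes against the project id taken from the request path,
// then updates whatever robot id the body names. Nothing ties the two together,
// so a member of project A can disable a robot that belongs to project B.
func vulnerableUpdate(s *Store, u User, reqProjectID, robotID int64, disable bool) error {
	if !u.Projects[reqProjectID] {
		return ErrForbidden
	}
	r, ok := s.Robots[robotID]
	if !ok {
		return ErrNotFound
	}
	r.Disabled = disable
	return nil
}

// hardenedUpdate loads the resource first and authorizes against the project it
// actually belongs to. A mismatch between the path project and the resource's project
// is reported as "not found", so the endpoint cannot be used to probe other projects.
func hardenedUpdate(s *Store, u User, reqProjectID, robotID int64, disable bool) error {
	r, ok := s.Robots[robotID]
	if !ok || r.ProjectID != reqProjectID {
		return ErrNotFound
	}
	if !u.Projects[r.ProjectID] {
		return ErrForbidden
	}
	r.Disabled = disable
	return nil
}

// newStore builds the sample data: alice administers project 1 only; robot 42 lives in project 2.
func newStore() (*Store, User) {
	s := &Store{Robots: map[int64]*RobotAccount{
		7:  {ID: 7, ProjectID: 1, Name: "robot$ci"},
		42: {ID: 42, ProjectID: 2, Name: "robot$deploy"},
	}}
	alice := User{Name: "alice", Projects: map[int64]bool{1: true}}
	return s, alice
}

func main() {
	s, alice := newStore()
	err := vulnerableUpdate(s, alice, 1, 42, true)
	fmt.Printf("vulnerable: err=%v, robot 42 disabled=%v\n", err, s.Robots[42].Disabled)

	s, alice = newStore()
	err = hardenedUpdate(s, alice, 1, 42, true)
	fmt.Printf("hardened:   err=%v, robot 42 disabled=%v\n", err, s.Robots[42].Disabled)
}
```

The same shape applies to the preheat, immutability, retention and execution-log handlers: the id in the request is only meaningful once it has been resolved to a resource whose owning project is known.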
The health endpoint is public so everybody can see a list of all services
CVE-2024-9798
5.3 - Medium
- October 10, 2024
The health endpoint is public so everybody can see a list of all services. It is potentially valuable information for attackers.
Cleartext Storage of Sensitive Information
The conformance validation endpoint is public so everybody can verify the conformance of onboarded services
CVE-2024-9802
5.3 - Medium
- October 10, 2024
The conformance validation endpoint is public so everybody can verify the conformance of onboarded services. The response could contain specific information about the service, including available endpoints, and swagger. It could advise about the running version of a service to an attacker. The attacker could also check if a service is running.
Cleartext Storage of Sensitive Information
Dragonfly is an open source P2P-based file distribution and image acceleration system
CVE-2023-27584
9.8 - Critical
- September 19, 2024
Dragonfly is an open source P2P-based file distribution and image acceleration system. It is hosted by the Cloud Native Computing Foundation (CNCF) as an Incubating Level Project. Dragonfly uses JWT to verify users. However, the secret key for JWT, "Secret Key", is hard coded, which leads to authentication bypass. An attacker can perform any action as a user with admin privileges. This issue has been addressed in release version 2.0.9. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Use of Hard-coded Credentials
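A compile-time JWT secret is an authentication bypass, not merely a weak configuration: whoever reads the source can mint tokens the server trusts. The Go example below is added here and is not Dragonfly's code; the constant "Secret Key" is only a stand-in, and the JWT_SECRET variable name is an assumption. It signs an admin token with the known constant, shows the hardcoded-secret verifier accepting it, and contrasts a verifier that loads a per-deployment secret and fails closed when none is configured.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"os"
	"strings"
)

// hardcodedSecret stands in for a secret compiled into the binary. Anyone who can read
// the source (or run strings on the binary) has it. Dragonfly's real value is not reproduced here.
const hardcodedSecret = "Secret Key"

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signHS256 builds header.payload.signature over the given claims JSON.
func signHS256(claimsJSON string, secret []byte) string {
	signingInput := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64([]byte(claimsJSON))
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil))
}

// verifyHS256 returns the claims JSON if the token's HMAC is valid under secret.
// The algorithm is pinned: only HS256 headers are accepted.
func verifyHS256(token string, secret []byte) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	hdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || !strings.Contains(string(hdr), `"alg":"HS256"`) {
		return "", errors.New("unsupported or malformed header")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return "", errors.New("malformed signature")
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return "", errors.New("invalid signature")
	}
	claims, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", errors.New("malformed claims")
	}
	return string(claims), nil
}

// vulnerableVerify is the pattern the advisory describes: the verification key is a constant.
func vulnerableVerify(token string) (string, error) {
	return verifyHS256(token, []byte(hardcodedSecret))
}

// forgeAdminToken is what an attacker who knows the constant can mint: a token the
// vulnerable verifier accepts, carrying whatever claims they like.
func forgeAdminToken() string {
	return signHS256(`{"sub":"attacker","role":"admin"}`, []byte(hardcodedSecret))
}

// loadSecret is the hardened pattern: the key is deployment-specific, comes from the
// environment (JWT_SECRET is an assumed name), and the service refuses to start without it.
func loadSecret() ([]byte, error) {
	s := os.Getenv("JWT_SECRET")
	if len(s) < 32 {
		return nil, errors.New("JWT_SECRET must be set to at least 32 random bytes")
	}
	return []byte(s), nil
}

func main() {
	tok := forgeAdminToken()
	claims, err := vulnerableVerify(tok)
	fmt.Printf("hardcoded secret: claims=%s err=%v\n", claims, err)

	_, err = verifyHS256(tok, []byte("per-deployment-secret-the-attacker-lacks"))
	fmt.Printf("per-deployment secret: err=%v\n", err)

	if _, err := loadSecret(); err != nil {
		fmt.Println("startup refused:", err)
	}
}
```

Rotating a leaked constant requires a new release for every deployment; a per-deployment secret can be rotated by one operator without touching the code.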
Backstage is an open framework for building developer portals
CVE-2024-45815
6.5 - Medium
- September 17, 2024
Backstage is an open framework for building developer portals. A malicious actor with authenticated access to a Backstage instance with the catalog backend plugin installed is able to interrupt the service using a specially crafted query to the catalog API. This has been fixed in the `1.26.0` release of the `@backstage/plugin-catalog-backend`. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Prototype Pollution
Backstage is an open framework for building developer portals
CVE-2024-45816
6.5 - Medium
- September 17, 2024
Backstage is an open framework for building developer portals. When using the AWS S3 or GCS storage provider for TechDocs it is possible to access content in the entire storage bucket. This can leak contents of the bucket that are not intended to be accessible, as well as bypass permission checks in Backstage. This has been fixed in the 1.10.13 release of the `@backstage/plugin-techdocs-backend` package. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Directory traversal
Backstage is an open framework for building developer portals
CVE-2024-46976
5.4 - Medium
- September 17, 2024
Backstage is an open framework for building developer portals. An attacker with control of the contents of the TechDocs storage buckets is able to inject executable scripts in the TechDocs content that will be executed in the victim's browser when browsing documentation or navigating to an attacker provided link. This has been fixed in the 1.10.13 release of the `@backstage/plugin-techdocs-backend` package. Users are advised to upgrade. There are no known workarounds for this vulnerability.
XSS
In power, there is a possible out of bounds read due to a missing bounds check
CVE-2024-20084
4.4 - Medium
- September 02, 2024
In power, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08944210; Issue ID: MSV-1561.
Out-of-bounds Read
In power, there is a possible out of bounds read due to a missing bounds check
CVE-2024-20085
4.4 - Medium
- September 02, 2024
In power, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08944204; Issue ID: MSV-1560.
Out-of-bounds Read
In wlan, there is a possible denial of service due to incorrect error handling
CVE-2024-20089
7.5 - High
- September 02, 2024
In wlan, there is a possible denial of service due to incorrect error handling. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08861558; Issue ID: MSV-1526.
Improper Check for Unusual or Exceptional Conditions
Incorrect user permission validation in Harbor <v2.9.5 and Harbor <v2.10.3
CVE-2024-22278
4.3 - Medium
- August 02, 2024
Incorrect user permission validation in Harbor <v2.9.5 and Harbor <v2.10.3 allows authenticated users to modify configurations.
A vulnerability in the `download_model_with_test_data` function of the onnx/onnx framework, version 1.16.0
CVE-2024-5187
8.8 - High
- June 06, 2024
A vulnerability in the `download_model_with_test_data` function of the onnx/onnx framework, version 1.16.0, allows for arbitrary file overwrite due to inadequate prevention of path traversal attacks in malicious tar files. This vulnerability enables attackers to overwrite any file on the system, potentially leading to remote code execution, deletion of system, personal, or application files, thus impacting the integrity and availability of the system. The issue arises from the function's handling of tar file extraction without performing security checks on the paths within the tar file, as demonstrated by the ability to overwrite the `/home/kali/.ssh/authorized_keys` file by specifying an absolute path in the malicious tar file.
Directory traversal
Software for Open Networking in the Cloud (SONiC) Elevation of Privilege Vulnerability
CVE-2024-21418
7.8 - High
- March 12, 2024
Software for Open Networking in the Cloud (SONiC) Elevation of Privilege Vulnerability
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification
CVE-2024-21626
8.6 - High
- January 31, 2024
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue.
Exposure of Resource to Wrong Sphere
Dex is an identity service that uses OpenID Connect to drive authentication for other apps
CVE-2024-23656
7.5 - High
- January 25, 2024
Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. `cmd/dex/serve.go` line 425 seemingly sets TLS 1.2 as minimum version, but the whole `tlsConfig` is ignored after `TLS cert reloader` was introduced in v2.37.0. Configured cipher suites are not respected either. This issue is fixed in Dex 2.38.0.
Inadequate Encryption Strength
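The Dex regression is a general Go pitfall: a certificate reloader is wired in by constructing a fresh tls.Config, and the MinVersion and CipherSuites set on the original config are silently lost. The example below is added here and is not Dex's code; the reloader type is constructed for the example. It shows both wirings and an audit function that would catch the regression at startup or in a test.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"sync"
)

// certReloader swaps the serving certificate without a restart; GetCertificate
// is the hook that makes the swap visible to crypto/tls.
type certReloader struct {
	mu   sync.RWMutex
	cert *tls.Certificate
}

func (r *certReloader) Set(c *tls.Certificate) {
	r.mu.Lock()
	defer r.mu.Unlock()
	r.cert = c
}

func (r *certReloader) getCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	r.mu.RLock()
	defer r.mu.RUnlock()
	if r.cert == nil {
		return nil, errors.New("no certificate loaded yet")
	}
	return r.cert, nil
}

// policyTLSConfig is the operator's intent: TLS 1.2 minimum, AEAD suites only.
func policyTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// vulnerableServerConfig wires the reloader into a brand-new tls.Config, so the
// policy above is built and then thrown away. With MinVersion left at zero, Go
// releases before 1.22 accept TLS 1.0 on the server side, and the cipher suite
// list reverts to the library default.
func vulnerableServerConfig(r *certReloader) *tls.Config {
	_ = policyTLSConfig()
	return &tls.Config{GetCertificate: r.getCertificate}
}

// hardenedServerConfig attaches the reloader to the policy config instead of replacing it.
func hardenedServerConfig(r *certReloader) *tls.Config {
	cfg := policyTLSConfig()
	cfg.GetCertificate = r.getCertificate
	return cfg
}

// auditTLSConfig is the startup/test check that would have caught the regression.
func auditTLSConfig(cfg *tls.Config) error {
	if cfg.MinVersion < tls.VersionTLS12 {
		return fmt.Errorf("MinVersion is 0x%04x, want at least TLS 1.2", cfg.MinVersion)
	}
	if len(cfg.CipherSuites) == 0 {
		return errors.New("CipherSuites not pinned")
	}
	if cfg.GetCertificate == nil && len(cfg.Certificates) == 0 {
		return errors.New("no certificate source configured")
	}
	return nil
}

func main() {
	r := &certReloader{}
	fmt.Println("vulnerable:", auditTLSConfig(vulnerableServerConfig(r)))
	fmt.Println("hardened:  ", auditTLSConfig(hardenedServerConfig(r)))
}
```

An external check is still worth running after deploy (for example an openssl s_client handshake forced to tls1), because the audit above only inspects the struct the process thinks it is serving.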
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes
CVE-2024-22424
8.3 - High
- January 19, 2024
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The Argo CD API prior to versions 2.10-rc2, 2.9.4, 2.8.8, and 2.7.15 is vulnerable to a cross-site request forgery (CSRF) attack when the attacker has the ability to write HTML to a page on the same parent domain as Argo CD. A CSRF attack works by tricking an authenticated Argo CD user into loading a web page which contains code to call Argo CD API endpoints on the victim's behalf. For example, an attacker could send an Argo CD user a link to a page which looks harmless but in the background calls an Argo CD API endpoint to create an application running malicious code. Argo CD uses the Lax SameSite cookie policy to prevent CSRF attacks where the attacker controls an external domain. The malicious external website can attempt to call the Argo CD API, but the web browser will refuse to send the Argo CD auth token with the request. Many companies host Argo CD on an internal subdomain. If an attacker can place malicious code on, for example, https://test.internal.example.com/, they can still perform a CSRF attack. In this case, the Lax SameSite cookie does not prevent the browser from sending the auth cookie, because both hosts sit under the same parent domain and the request therefore counts as same-site. Browsers generally block such attacks by applying CORS policies to sensitive requests with sensitive content types. Specifically, browsers will send a preflight request for POSTs with content type application/json, asking the destination API whether it accepts requests from the page's origin. If the destination API does not answer yes, the browser will block the request. Before the patched versions, Argo CD did not validate that requests contained the correct content type header. So an attacker could bypass the browser's CORS check by setting the content type to something which is considered not sensitive, such as text/plain.
The browser wouldn't send the preflight request, and Argo CD would happily accept the contents (which are actually still JSON) and perform the requested action (such as running malicious code). A patch for this vulnerability has been released in the following Argo CD versions: 2.10-rc2, 2.9.4, 2.8.8, and 2.7.15. The patch contains a breaking API change. The Argo CD API will no longer accept non-GET requests which do not specify application/json as their Content-Type. The accepted content types list is configurable, and it is possible (but discouraged) to disable the content type check completely. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Session Riding
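The fix described above is a Content-Type allow-list on non-GET requests. The Go example below is added here and is not Argo CD's code; the handler, the route and the cookie name are constructed for the example. It implements that middleware with net/http, drives a same-site text/plain POST against the unpatched and the patched handler with httptest, and shows the 415 the patched API returns while application/json (with parameters) still goes through.

```go
package main

import (
	"encoding/json"
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// allowedContentTypes plays the role of the configurable allow-list; the default
// is application/json only. text/plain and the form types are exactly the ones a
// browser will POST cross-origin without a preflight, so they must not be here.
var allowedContentTypes = []string{"application/json"}

func contentTypeAllowed(header string) bool {
	mediaType, _, err := mime.ParseMediaType(header)
	if err != nil {
		return false
	}
	for _, a := range allowedContentTypes {
		if strings.EqualFold(mediaType, a) {
			return true
		}
	}
	return false
}

// enforceContentType rejects any state-changing request whose Content-Type is not
// on the allow-list. A same-site page can still make the browser attach the session
// cookie, but it cannot send a non-simple request without a preflight, and the
// preflight fails because the API does not grant the attacker's origin.
func enforceContentType(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions:
		default:
			if !contentTypeAllowed(r.Header.Get("Content-Type")) {
				http.Error(w, "Content-Type must be application/json", http.StatusUnsupportedMediaType)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// createApplication stands in for an API handler that decodes the body as JSON
// no matter what Content-Type was declared, which is what made the bypass work.
func createApplication(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		w.WriteHeader(http.StatusMethodNotAllowed)
		return
	}
	var app struct {
		Metadata struct{ Name string } `json:"metadata"`
	}
	if err := json.NewDecoder(r.Body).Decode(&app); err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "created %s\n", app.Metadata.Name)
}

// handlers returns the unpatched API and the same API behind the middleware.
func handlers() (unpatched, patched http.Handler) {
	unpatched = http.HandlerFunc(createApplication)
	return unpatched, enforceContentType(unpatched)
}

// statusFor drives a handler with a constructed same-site request and returns the status.
func statusFor(h http.Handler, method, contentType string) int {
	body := strings.NewReader(`{"metadata":{"name":"evil-app"}}`)
	req := httptest.NewRequest(method, "/api/v1/applications", body)
	req.Header.Set("Cookie", "argocd.token=session") // what the browser attaches on a same-site request
	if contentType != "" {
		req.Header.Set("Content-Type", contentType)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	unpatched, patched := handlers()
	fmt.Println("unpatched, text/plain POST:      ", statusFor(unpatched, "POST", "text/plain"))
	fmt.Println("patched,   text/plain POST:      ", statusFor(patched, "POST", "text/plain"))
	fmt.Println("patched,   application/json POST:", statusFor(patched, "POST", "application/json; charset=utf-8"))
}
```

The check is deliberately on the declared media type, not on whether the body parses as JSON: the body was always JSON in the attack, and the browser's preflight decision is made from the header alone.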
A flaw was found in the Red Hat Developer Hub (RHDH)
CVE-2023-6944
5.7 - Medium
- January 04, 2024
A flaw was found in the Red Hat Developer Hub (RHDH). The catalog-import function leaks GitLab access tokens on the frontend when the base64 encoded GitLab token includes a newline at the end of the string. The sanitized error can display on the frontend, including the raw access token. Upon gaining access to this token and depending on permissions, an attacker could push malicious code to repositories, delete resources in Git, revoke or generate new keys, and sign code illegitimately.
Generation of Error Message Containing Sensitive Information
CubeFS is an open-source cloud-native file storage system
CVE-2023-46739
5.9 - Medium
- January 03, 2024
CubeFS is an open-source cloud-native file storage system. A vulnerability was found in the CubeFS master component in versions prior to 3.3.1 that could allow an untrusted attacker to steal user passwords by carrying out a timing attack. The root cause of the vulnerability was that CubeFS used raw string comparison of passwords. The vulnerable part of CubeFS was the UserService of the master component. The UserService gets instantiated when starting the server of the master component. The issue has been patched in v3.3.1. For impacted users, there is no other way to mitigate the issue besides upgrading.
Side Channel Attack
CubeFS is an open-source cloud-native file storage system
CVE-2023-46740
9.8 - Critical
- January 03, 2024
CubeFS is an open-source cloud-native file storage system. Prior to version 3.3.1, CubeFS used an insecure random string generator to generate user-specific, sensitive keys used to authenticate users in a CubeFS deployment. This could allow an attacker to predict and/or guess the generated string and impersonate a user, thereby obtaining higher privileges. When CubeFS creates new users, it creates a piece of sensitive information for the user called the accessKey. To create the accessKey, CubeFS uses an insecure string generator which makes it easy to guess and thereby impersonate the created user. An attacker could leverage the predictable random string generator to guess a user's access key and impersonate the user to obtain higher privileges. The issue has been fixed in v3.3.1. There is no other mitigation than to upgrade.
Use of Insufficiently Random Values
CubeFS is an open-source cloud-native file storage system
CVE-2023-46742
6.5 - Medium
- January 03, 2024
CubeFS is an open-source cloud-native file storage system. CubeFS prior to version 3.3.1 was found to leak users' secret keys and access keys in the logs in multiple components. When CubeFS creates new users, it leaks the user's secret key. This could allow a lower-privileged user with access to the logs to retrieve sensitive information and impersonate other users with higher privileges than themselves. The issue has been patched in v3.3.1. There is no other mitigation than upgrading CubeFS.
Insertion of Sensitive Information into Log File
CubeFS is an open-source cloud-native file storage system
CVE-2023-46741
9.8 - Critical
- January 03, 2024
CubeFS is an open-source cloud-native file storage system. A vulnerability was found in CubeFS prior to version 3.3.1 that could allow users to read sensitive data from the logs, which could allow them to escalate privileges. CubeFS leaks configuration keys in plaintext format in the logs. These keys could allow anyone to carry out operations on blobs that they otherwise do not have permissions for. For example, an attacker that has successfully retrieved a secret key from the logs can delete blobs from the blob store. The attacker can either be an internal user with limited privileges to read the log, or they can be an external user who has escalated privileges sufficiently to access the logs. The vulnerability has been patched in v3.3.1. There is no other mitigation than upgrading.
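Three of the CubeFS advisories above (the timing attack on password comparison, the predictable accessKey, and the keys written to logs) are the standard trio of credential-handling mistakes. The Go example below is added here and is not CubeFS's code. The advisory does not say which generator CubeFS used, so the vulnerable generator shown (a deterministic PRNG seeded from a timestamp) is an assumption chosen to make the predictability concrete: an attacker who knows roughly when the key was created recovers it by replaying the seed window. Beside it are the crypto/rand replacement, crypto/subtle for comparison, and a Secret type that formats as [REDACTED] so an incidental log line cannot carry the key.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	mrand "math/rand"
)

const keyAlphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

// insecureRandomString is an assumed stand-in for the generator the advisory describes:
// a deterministic PRNG seeded from something an attacker can narrow down, such as the
// creation timestamp. Same seed, same key.
func insecureRandomString(n int, seed int64) string {
	r := mrand.New(mrand.NewSource(seed))
	b := make([]byte, n)
	for i := range b {
		b[i] = keyAlphabet[r.Intn(len(keyAlphabet))]
	}
	return string(b)
}

// recoverSeed is the attack: given a user's key and an approximate creation time,
// replay the generator over the window until the output matches.
func recoverSeed(key string, n int, from, to int64) (int64, bool) {
	for seed := from; seed <= to; seed++ {
		if insecureRandomString(n, seed) == key {
			return seed, true
		}
	}
	return 0, false
}

// secureAccessKey draws 16 bytes from the OS CSPRNG and encodes them. The length
// is an assumption for the example, not CubeFS's key format.
func secureAccessKey() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// vulnerableCompare: Go's == on strings is not guaranteed to run in constant time,
// so response timing can reveal how many leading bytes matched.
func vulnerableCompare(presented, stored string) bool { return presented == stored }

// constantTimeCompare takes time that depends only on the lengths, not the contents.
func constantTimeCompare(presented, stored string) bool {
	return subtle.ConstantTimeCompare([]byte(presented), []byte(stored)) == 1
}

// Secret is a credential type whose default formatting is redacted, so an
// incidental log.Printf("%v", user) cannot write the key into the logs.
// (%x and reflection-based dumps still bypass this; use Reveal deliberately.)
type Secret string

func (Secret) String() string   { return "[REDACTED]" }
func (Secret) GoString() string { return "[REDACTED]" }
func (s Secret) Reveal() string { return string(s) }

// userCreatedLogLine is the kind of statement a create-user path might emit.
func userCreatedLogLine(user string, secretKey Secret) string {
	return fmt.Sprintf("created user %s with secret key %v", user, secretKey)
}

func main() {
	leaked := insecureRandomString(16, 1700000042) // constructed: key created at a roughly known time
	seed, ok := recoverSeed(leaked, 16, 1700000000, 1700000100)
	fmt.Printf("key %s: recovered seed %d (found=%v)\n", leaked, seed, ok)
	k, _ := secureAccessKey()
	fmt.Println("CSPRNG key:", k)
	fmt.Println(userCreatedLogLine("alice", Secret(k)))
	fmt.Println("constant-time match:", constantTimeCompare(k, k))
}
```

The redacting type is a safety net, not a policy: the create-user path should not pass the key to a logger at all, and log sinks should be reviewed for the same leak via error messages and request dumps.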
CubeFS is an open-source cloud-native file storage system
CVE-2023-46738
6.5 - Medium
- January 03, 2024
CubeFS is an open-source cloud-native file storage system. A security vulnerability was found in CubeFS HandlerNode in versions prior to 3.3.1 that could allow authenticated users to send maliciously-crafted requests that would crash the ObjectNode and deny other users from using it. The root cause was improper handling of incoming HTTP requests that could allow an attacker to control the amount of memory that the ObjectNode would allocate. A malicious request could make the ObjectNode allocate more memory than the machine had available, and the attacker could exhaust memory by way of a single malicious request. An attacker would need to be authenticated in order to invoke the vulnerable code with their malicious request and have permissions to delete objects. In addition, the attacker would need to know the names of existing buckets of the CubeFS deployment; otherwise the request would be rejected before it reached the vulnerable code. As such, the most likely attacker is an inside user or an attacker that has breached the account of an existing user in the cluster. The issue has been patched in v3.3.1. There is no other mitigation besides upgrading.
Allocation of Resources Without Limits or Throttling
A timing condition in Harbor 2.6.x and below, Harbor 2.7.2 and below, Harbor 2.8.2 and below, and Harbor 1.10.17 and below
CVE-2023-20902
6.5 - Medium
- November 09, 2023
A timing condition in Harbor 2.6.x and below, Harbor 2.7.2 and below, Harbor 2.8.2 and below, and Harbor 1.10.17 and below allows an attacker with network access to create jobs/stop job tasks and retrieve job task information.
Race Condition
NATS nats-server before 2.9.23 and 2.10.x before 2.10.2 has an authentication bypass
CVE-2023-47090
6.5 - Medium
- October 30, 2023
NATS nats-server before 2.9.23 and 2.10.x before 2.10.2 has an authentication bypass. An implicit $G user in an authorization block can sometimes be used for unauthenticated access, even when the intention of the configuration was for each user to have an account. The earliest affected version is 2.2.0.
AuthZ
In wlan firmware, there is a possible firmware assertion due to improper input handling
CVE-2023-32820
7.5 - High
- October 02, 2023
In wlan firmware, there is a possible firmware assertion due to improper input handling. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07932637; Issue ID: ALPS07932637.
assertion failure
In apusys, there is a possible out of bounds write due to an integer overflow
CVE-2023-32829
6.7 - Medium
- October 02, 2023
In apusys, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07713478; Issue ID: ALPS07713478.
Integer Overflow or Wraparound
Argo CD is a declarative continuous deployment framework for Kubernetes
CVE-2023-40026
4.3 - Medium
- September 27, 2023
Argo CD is a declarative continuous deployment framework for Kubernetes. In Argo CD versions prior to 2.3 (starting at least in v0.1.0, but likely in any version using Helm before 2.3), using a specifically-crafted Helm file could reference external Helm charts handled by the same repo-server to leak values, or files from the referenced Helm Chart. This was possible because Helm paths were predictable. The vulnerability worked by adding a Helm chart that referenced Helm resources from predictable paths. Because the paths of Helm charts were predictable and available on an instance of repo-server, it was possible to reference and then render the values and resources from other existing Helm charts regardless of permissions. While generally secrets are not stored in these files, it was nevertheless possible to reference any values from these charts. This issue was fixed in Argo CD 2.3 and subsequent versions by randomizing Helm paths. Users still using Argo CD 2.3 or below are advised to update to a supported version. If this is not possible, disabling Helm chart rendering, or using an additional repo-server for each Helm chart, would prevent possible exploitation.
Directory traversal
On boot, the Pillar eve container checks for the existence and content of /config/authorized_keys
CVE-2023-43631
8.8 - High
- September 21, 2023
On boot, the Pillar eve container checks for the existence and content of /config/authorized_keys. If the file is present, and contains a supported public key, the container will go on to open port 22 and enable sshd with the given keys as the authorized keys for root login. An attacker could easily add their own keys and gain full control over the system without triggering the measured boot mechanism implemented by EVE OS, and without marking the device as UUD (Unknown Update Detected). This is because the /config partition is not protected by measured boot, it is mutable, and it is not encrypted in any way. An attacker can gain full control over the device without changing the PCR values, thus not triggering the measured boot mechanism, and having full access to the vault. Note: This issue was partially fixed in these commits (after disclosure to Zededa), where the config partition measurement was added to PCR13: aa3501d6c57206ced222c33aea15a9169d629141 5fef4d92e75838cc78010edaed5247dfbdae1889. This issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot.
Insufficiently Protected Credentials
As noted in the VTPM.md file in the eve documentation
CVE-2023-43632
9.9 - Critical
- September 21, 2023
As noted in the VTPM.md file in the eve documentation, VTPM is a server listening on port 8877 in EVE, exposing limited functionality of the TPM to the clients. VTPM allows clients to execute tpm2-tools binaries from a list of hardcoded options. The communication with this server is done using protobuf, and the data is comprised of 2 parts: 1. Header 2. Data. When a connection is made, the server waits for 4 bytes of data, which will be the header, and these 4 bytes are parsed as the uint32 size of the actual data to come. Then, in the function handleRequest, this size is used to allocate a payload on the stack for the incoming data. As this payload is allocated on the stack, this allows overflowing the stack size allocated for the relevant process with freely controlled data. * An attacker can crash the system. * An attacker can gain control over the system, specifically over the vtpm_server process, which has very high privileges.
Allocation of Resources Without Limits or Throttling
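The vTPM bug above and the CubeFS ObjectNode one (CVE-2023-46738) are the same defect: a size the peer supplies is used to allocate before it is checked. The Go example below is added here and is not EVE's or CubeFS's code; the 64 KiB limit and the big-endian framing are assumptions. It reads a 4-byte length-prefixed frame the unbounded way and the bounded way. In Go the oversized buffer lands on the heap, so the failure mode is memory exhaustion rather than the stack overflow the advisory describes, but the check that prevents both is the same one: compare the declared length against a fixed maximum before allocating anything.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// maxFrame is the largest request the server is willing to buffer. The value is an
// assumption for the example; derive it from the real protocol's largest legitimate message.
const maxFrame = 64 * 1024

var ErrFrameTooLarge = errors.New("frame length exceeds limit")

// readFrameUnbounded is the flaw described: the 4-byte big-endian length is trusted
// as-is and used to size the buffer. A client can ask for up to 4 GiB.
func readFrameUnbounded(r io.Reader) ([]byte, error) {
	var hdr [4]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, err
	}
	n := binary.BigEndian.Uint32(hdr[:])
	buf := make([]byte, n) // allocation size is attacker-controlled
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, err
	}
	return buf, nil
}

// readFrameBounded checks the declared length against maxFrame before allocating
// anything, and reads through a LimitReader so the peer cannot feed extra bytes.
func readFrameBounded(r io.Reader) ([]byte, error) {
	var hdr [4]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, err
	}
	n := binary.BigEndian.Uint32(hdr[:])
	if n > maxFrame {
		return nil, fmt.Errorf("%w: declared %d, max %d", ErrFrameTooLarge, n, maxFrame)
	}
	buf := make([]byte, n)
	if _, err := io.ReadFull(io.LimitReader(r, int64(n)), buf); err != nil {
		return nil, err
	}
	return buf, nil
}

// frame encodes a body with the 4-byte length header used above.
func frame(body []byte) []byte {
	out := make([]byte, 4+len(body))
	binary.BigEndian.PutUint32(out, uint32(len(body)))
	copy(out[4:], body)
	return out
}

// lyingHeader claims `declared` bytes follow but sends only `actual`.
func lyingHeader(declared uint32, actual []byte) []byte {
	out := make([]byte, 4+len(actual))
	binary.BigEndian.PutUint32(out, declared)
	copy(out[4:], actual)
	return out
}

func parseUnbounded(msg []byte) ([]byte, error) { return readFrameUnbounded(bytes.NewReader(msg)) }
func parseBounded(msg []byte) ([]byte, error)   { return readFrameBounded(bytes.NewReader(msg)) }

func main() {
	good := frame([]byte("tpm2_pcrread sha256:0,1,2")) // constructed request body
	body, err := parseBounded(good)
	fmt.Printf("bounded, legit frame: %q err=%v\n", body, err)

	// A 1 MiB claim with a 1-byte payload: the unbounded reader allocates 1 MiB first,
	// then fails on the short read. Scale the claim to 0xFFFFFFFF and the allocation
	// itself is the attack; the bounded reader rejects it before touching memory.
	evil := lyingHeader(1<<20, []byte{0})
	_, err = parseUnbounded(evil)
	fmt.Println("unbounded, lying header:", err)
	_, err = parseBounded(evil)
	fmt.Println("bounded,   lying header:", err)
}
```

For HTTP services the equivalent is http.MaxBytesReader on the request body and a cap on any count or length field in the decoded request before it is used to size a slice.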
PCR14 is not in the list of PCRs
CVE-2023-43630
8.8 - High
- September 20, 2023
PCR14 is not in the list of PCRs that seal/unseal the vault key, but due to the change that was implemented in commit 7638364bc0acf8b5c481b5ce5fea11ad44ad7fd4, fixing this issue alone would not solve the problem of the config partition not being measured correctly. Also, the vault key is sealed/unsealed with SHA1 PCRs instead of SHA256. This issue was somewhat mitigated by the fact that all of the PCR extend functions update both the SHA256 and the SHA1 value for a given PCR ID. However, due to the change implemented in commit 7638364bc0acf8b5c481b5ce5fea11ad44ad7fd4, this is no longer the case for PCR14: the code in measurefs.go explicitly updates only the SHA256 instance of PCR14, which means that even if PCR14 were added to the list of PCRs sealing/unsealing the vault key, changes to the config partition would still not be measured. An attacker could modify the config partition without triggering the measured boot, which could result in the attacker gaining full control over the device with full access to the contents of the encrypted vault.
Insufficiently Protected Credentials
Vault Key Sealed With SHA1 PCRs: The measured boot solution implemented in EVE OS leans on a PCR locking mechanism
CVE-2023-43635
8.8 - High
- September 20, 2023
Vault Key Sealed With SHA1 PCRs. The measured boot solution implemented in EVE OS leans on a PCR locking mechanism. Different parts of the system update different PCR values in the TPM, resulting in a unique value for each PCR entry. These PCRs are then used to seal/unseal a key from the TPM which is used to encrypt/decrypt the vault directory. This vault directory is the most sensitive point in the system and as such its content should be protected. This mechanism is noted in Zededa's documentation as the measured boot mechanism, designed to protect said vault. The code that's responsible for generating and fetching the key from the TPM assumes that SHA256 PCRs are used to seal/unseal the key, and as such their presence is checked. The issue is that the key is not sealed using SHA256 PCRs but using SHA1 PCRs. This leads to several issues: machines that have their SHA256 PCRs enabled but SHA1 PCRs disabled end up not sealing their key at all, meaning the vault is not protected from an attacker; and SHA1 is considered insecure and reduces the complexity required to unseal the key on machines which have their SHA1 PCRs enabled. An attacker can very easily retrieve the contents of the vault, which effectively renders the measured boot mechanism meaningless.
Use of a Broken or Risky Cryptographic Algorithm
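The two EVE OS sealing advisories above (PCR14 extended only in the SHA256 bank; the vault key sealed to the SHA1 bank) are easiest to see with a simulated PCR that keeps one value per bank. The Go example below is added here and is not EVE's code: it models the PCR policy as a plain digest over the selected bank rather than a real TPM PolicyPCR, and the config-partition contents are constructed. It seals against a good config, then checks whether unseal still succeeds after a tampered config is measured, for each combination of sealed bank and extend behaviour; the combination EVE shipped is the one where tampering goes unnoticed.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"crypto/sha256"
	"fmt"
	"hash"
)

// pcr holds one value per hash bank, as a TPM 2.0 PCR does.
type pcr struct {
	sha1Bank   []byte
	sha256Bank []byte
}

func newPCR() *pcr {
	return &pcr{sha1Bank: make([]byte, sha1.Size), sha256Bank: make([]byte, sha256.Size)}
}

// extend implements PCR_Extend: new = H(old || digest).
func extend(h hash.Hash, old, digest []byte) []byte {
	h.Reset()
	h.Write(old)
	h.Write(digest)
	return h.Sum(nil)
}

// extendAllBanks is what the other PCR extend paths do: both banks move.
func (p *pcr) extendAllBanks(data []byte) {
	d1, d2 := sha1.Sum(data), sha256.Sum256(data)
	p.sha1Bank = extend(sha1.New(), p.sha1Bank, d1[:])
	p.sha256Bank = extend(sha256.New(), p.sha256Bank, d2[:])
}

// extendSHA256Only is what measurefs.go did for PCR14: only one bank moves.
func (p *pcr) extendSHA256Only(data []byte) {
	d2 := sha256.Sum256(data)
	p.sha256Bank = extend(sha256.New(), p.sha256Bank, d2[:])
}

type bank int

const (
	bankSHA1 bank = iota
	bankSHA256
)

// policyDigest stands in for the PCR policy the vault key is sealed to: a digest over
// the selected PCRs read from one bank. A real TPM computes a PolicyPCR digest; the
// property shown (the bank you seal against is the bank that must move) is the same.
func policyDigest(pcrs []*pcr, b bank) []byte {
	h := sha256.New()
	for _, p := range pcrs {
		if b == bankSHA1 {
			h.Write(p.sha1Bank)
		} else {
			h.Write(p.sha256Bank)
		}
	}
	return h.Sum(nil)
}

// bootAndMeasure models a boot in which PCR14 is extended with the config partition.
func bootAndMeasure(config []byte, sha256Only bool) *pcr {
	p := newPCR()
	if sha256Only {
		p.extendSHA256Only(config)
	} else {
		p.extendAllBanks(config)
	}
	return p
}

// scenario seals against a good config, then reports whether unseal succeeds on a
// clean reboot and on a reboot with a tampered config. "after" must be false, or the
// measurement is not protecting the vault.
func scenario(b bank, sha256Only bool) (before, after bool) {
	good := []byte("authorized_keys=ssh-ed25519 AAAA...operator") // constructed
	evil := []byte("authorized_keys=ssh-ed25519 AAAA...attacker") // constructed
	sealed := policyDigest([]*pcr{bootAndMeasure(good, sha256Only)}, b)
	before = bytes.Equal(sealed, policyDigest([]*pcr{bootAndMeasure(good, sha256Only)}, b))
	after = bytes.Equal(sealed, policyDigest([]*pcr{bootAndMeasure(evil, sha256Only)}, b))
	return before, after
}

func main() {
	cases := []struct {
		name string
		b    bank
		only bool
	}{
		{"sealed to SHA1 bank, PCR14 extended in SHA256 only (EVE)", bankSHA1, true},
		{"sealed to SHA256 bank, PCR14 extended in SHA256 only", bankSHA256, true},
		{"sealed to SHA1 bank, both banks extended", bankSHA1, false},
	}
	for _, c := range cases {
		before, after := scenario(c.b, c.only)
		fmt.Printf("%-60s unseal clean=%v tampered=%v\n", c.name, before, after)
	}
}
```

On a real device the equivalent check is to read both banks of PCR14 (tpm2_pcrread sha1:14+sha256:14) before and after touching /config and confirm the bank the policy names actually changed.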
In EVE OS, the measured boot mechanism prevents a compromised device from accessing the encrypted data located in the vault
CVE-2023-43636
8.8 - High
- September 20, 2023
In EVE OS, the measured boot mechanism prevents a compromised device from accessing the encrypted data located in the vault. As per the measured boot design, the PCR values calculated at different stages of the boot process will change if any of their respective parts are changed. This includes, among other things, the configuration of the bios, grub, the kernel cmdline, initrd, and more. However, this mechanism does not validate the entire rootfs, so an attacker can edit the filesystem and gain control over the system. As the default filesystem used by EVE OS is squashfs, this is somewhat harder than an ext4, which is easily changeable. This will not stop an attacker, as an attacker can repackage the squashfs with their changes in it and replace the partition altogether. This can also be done directly on the device, as the 003-storage-init container contains the mksquashfs and unsquashfs binaries (with the corresponding libs). An attacker can gain full control over the device without changing the PCR values, thus not triggering the measured boot mechanism, and having full access to the vault. Note: This issue was partially fixed in these commits (after disclosure to Zededa), where the config partition measurement was added to PCR13: aa3501d6c57206ced222c33aea15a9169d629141 5fef4d92e75838cc78010edaed5247dfbdae1889. This issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot.
Insufficient Verification of Data Authenticity
NATS nats-server 2.2.0 through 2.7.4
CVE-2022-28357
9.8 - Critical
- September 19, 2023
NATS nats-server 2.2.0 through 2.7.4 allows directory traversal because of an unintended path to a management action from a management account.
Directory traversal
Argo CD is a declarative continuous deployment for Kubernetes
CVE-2023-40029
9.6 - Critical
- September 07, 2023
Argo CD is a declarative continuous deployment for Kubernetes. Argo CD Cluster secrets might be managed declaratively using Argo CD / kubectl apply. As a result, the full secret body is stored in the `kubectl.kubernetes.io/last-applied-configuration` annotation. Pull request #7139 introduced the ability to manage cluster labels and annotations. Since clusters are stored as secrets, it also exposes the `kubectl.kubernetes.io/last-applied-configuration` annotation, which includes the full secret body. In order to view the cluster annotations via the Argo CD API, the user must have `clusters, get` RBAC access. **Note:** In many cases, cluster secrets do not contain any actually-secret information. But sometimes, as in bearer-token auth, the contents might be very sensitive. The bug has been patched in versions 2.8.3, 2.7.14, and 2.6.15. Users are advised to upgrade. Users unable to upgrade should update/deploy cluster secrets with the `server-side-apply` flag, which does not use or rely on the `kubectl.kubernetes.io/last-applied-configuration` annotation. Note: the annotation on existing secrets will require manual removal.
Insertion of Sensitive Information into Log File
Argo CD is a declarative continuous deployment for Kubernetes
CVE-2023-40584
6.5 - Medium
- September 07, 2023
Argo CD is a declarative continuous deployment for Kubernetes. All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, the said component extracts a user-controlled tar.gz file without validating the size of its inner files. As a result, a malicious, low-privileged user can send a malicious tar.gz file that exploits this vulnerability to the repo-server, thereby harming the system's functionality and availability. Additionally, the repo-server is susceptible to another vulnerability due to the fact that it does not check the extracted file permissions before attempting to delete them. Consequently, an attacker can craft a malicious tar.gz archive in a way that prevents the deletion of its inner files when the manifest generation process is completed. A patch for this vulnerability has been released in versions 2.6.15, 2.7.14, and 2.8.3. Users are advised to upgrade. The only way to completely resolve the issue is to upgrade, however users unable to upgrade should configure RBAC (Role-Based Access Control) and provide access for configuring applications only to a limited number of administrators. These administrators should utilize trusted and verified Helm charts.
Resource Exhaustion
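The onnx advisory (CVE-2024-5187), the Backstage TechDocs one (CVE-2024-45816) and the Argo CD repo-server one (CVE-2023-40584) are three faces of one extractor-hardening checklist: confine every name under the destination, cap entry and total sizes instead of trusting the archive, and refuse link entries. The Go example below is added here and is not any of those projects' code; the limits and the sample archives are constructed. It implements that checklist over archive/tar, and its secureJoin is the same check a TechDocs-style server would apply to an object key resolved under an entity's prefix.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

var (
	ErrPathEscapes = errors.New("entry path escapes destination")
	ErrTooBig      = errors.New("entry or archive exceeds size limit")
)

// secureJoin resolves an untrusted relative name under root and rejects absolute
// names, ".." escapes and prefix tricks ("/dest-evil" is not inside "/dest"). The
// same check applies to an object-store key resolved under a per-entity prefix.
func secureJoin(root, name string) (string, error) {
	if name == "" || filepath.IsAbs(name) || filepath.VolumeName(name) != "" {
		return "", ErrPathEscapes
	}
	root = filepath.Clean(root)
	p := filepath.Join(root, name) // Join cleans, so ".." is resolved before the check
	if p != root && !strings.HasPrefix(p, root+string(filepath.Separator)) {
		return "", ErrPathEscapes
	}
	return p, nil
}

// Limits caps what one archive may cost the host, per entry and in total.
type Limits struct{ MaxEntry, MaxTotal int64 }

// extractTarGz writes regular files and directories only; links and devices are
// refused rather than resolved. Modes come from the extractor, not the archive, so
// the tree can always be removed afterwards. hdr.Size (which tar.Reader enforces
// on every read) is checked against the limits before any file is created.
func extractTarGz(archive []byte, dest string, lim Limits) error {
	gz, err := gzip.NewReader(bytes.NewReader(archive))
	if err != nil {
		return err
	}
	tr := tar.NewReader(gz)
	var total int64
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		} else if err != nil {
			return err
		}
		target, err := secureJoin(dest, hdr.Name)
		if err != nil {
			return fmt.Errorf("%q: %w", hdr.Name, err)
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			err = os.MkdirAll(target, 0o700)
		case tar.TypeReg:
			if total += hdr.Size; hdr.Size > lim.MaxEntry || total > lim.MaxTotal {
				return fmt.Errorf("%q: %w", hdr.Name, ErrTooBig)
			}
			err = writeFile(target, tr)
		default: // symlinks, hard links, devices
			err = fmt.Errorf("%q: unsupported entry type %d", hdr.Name, hdr.Typeflag)
		}
		if err != nil {
			return err
		}
	}
}

// writeFile creates target (and its parents) with fixed modes and copies r into it.
func writeFile(target string, r io.Reader) error {
	if err := os.MkdirAll(filepath.Dir(target), 0o700); err != nil {
		return err
	}
	data, err := io.ReadAll(r) // bounded: tar.Reader stops at hdr.Size, already checked
	if err != nil {
		return err
	}
	return os.WriteFile(target, data, 0o600)
}

// buildTarGz constructs a gzip'd tar of regular files in memory, malicious names included.
func buildTarGz(files map[string][]byte) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	for name, body := range files {
		hdr := &tar.Header{Name: name, Mode: 0o644, Size: int64(len(body)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		tw.Write(body)
	}
	tw.Close()
	gz.Close()
	return buf.Bytes()
}
```

Extract into a fresh temporary directory and remove it with os.RemoveAll when done; because the extractor sets its own modes, a crafted archive cannot leave behind an unwritable directory that defeats the cleanup.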
In imgsys, there is a possible out of bounds read and write due to a missing valid range checking
CVE-2023-20840
6.5 - Medium
- September 04, 2023
In imgsys, there is a possible out of bounds read and write due to a missing valid range checking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07326430; Issue ID: ALPS07326430.
Out-of-bounds Read
In imgsys, there is a possible out of bounds write due to a missing valid range checking
CVE-2023-20841
6.5 - Medium
- September 04, 2023
In imgsys, there is a possible out of bounds write due to a missing valid range checking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07326455; Issue ID: ALPS07326441.
Memory Corruption
In imgsys_cmdq, there is a possible out of bounds write due to a missing valid range checking
CVE-2023-20842
6.5 - Medium
- September 04, 2023
In imgsys_cmdq, there is a possible out of bounds write due to a missing valid range checking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07354259; Issue ID: ALPS07340477.
Memory Corruption
In imgsys_cmdq, there is a possible out of bounds read due to a missing valid range checking
CVE-2023-20848
6.5 - Medium
- September 04, 2023
In imgsys_cmdq, there is a possible out of bounds read due to a missing valid range checking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07340433; Issue ID: ALPS07340433.
Out-of-bounds Read
In wlan driver, there is a possible out of bounds write due to improper input validation
CVE-2023-32806
6.7 - Medium
- September 04, 2023
In wlan driver, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07441589; Issue ID: ALPS07441589.
Memory Corruption
In gnss service, there is a possible out of bounds write due to improper input validation
CVE-2023-32812
6.7 - Medium
- September 04, 2023
In gnss service, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08017365; Issue ID: ALPS08017365.
Memory Corruption
In camsys, there is a possible use after free due to a race condition
CVE-2023-20835
6.4 - Medium
- September 04, 2023
In camsys, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07341261; Issue ID: ALPS07326570.
Race Condition
In nvram, there is a possible out of bounds write due to a missing bounds check
CVE-2023-20821
6.7 - Medium
- September 04, 2023
In nvram, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07937113; Issue ID: ALPS07937113.
Memory Corruption
In gps, there is a possible out of bounds write due to a missing bounds check
CVE-2023-20828
6.7 - Medium
- September 04, 2023
In gps, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08014144; Issue ID: ALPS08014144.
Memory Corruption
In gps, there is a possible out of bounds write due to a missing bounds check
CVE-2023-20829
6.7 - Medium
- September 04, 2023
In gps, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08014144; Issue ID: ALPS08014148.
Memory Corruption
In gps, there is a possible out of bounds write due to a missing bounds check
CVE-2023-20830
6.7 - Medium
- September 04, 2023
In gps, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08014144; Issue ID: ALPS08014156.
Memory Corruption
In gps, there is a possible out of bounds write due to a missing bounds check
CVE-2023-20831
6.7 - Medium
- September 04, 2023
In gps, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08014144; Issue ID: ALPS08014162.
Memory Corruption
In gps, there is a possible out of bounds write due to a missing bounds check
CVE-2023-20832
6.7 - Medium
- September 04, 2023
In gps, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08014144; Issue ID: ALPS08013530.
Memory Corruption
In imgsys_cmdq, there is a possible use after free due to a missing valid range checking
CVE-2023-20849
6.5 - Medium
- September 04, 2023
In imgsys_cmdq, there is a possible use after free due to a missing valid range checking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07340433; Issue ID: ALPS07340350.
Dangling pointer
In imgsys_cmdq, there is a possible out of bounds write due to a missing valid range checking
CVE-2023-20850
6.5 - Medium
- September 04, 2023
In imgsys_cmdq, there is a possible out of bounds write due to a missing valid range checking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07340433; Issue ID: ALPS07340381.
Memory Corruption
In connectivity system driver, there is a possible out of bounds write due to improper input validation
CVE-2023-32811
6.7 - Medium
- September 04, 2023
In connectivity system driver, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07929848; Issue ID: ALPS07929848.
Memory Corruption
Spinnaker is an open source, multi-cloud continuous delivery platform
CVE-2023-39348
5.3 - Medium
- August 28, 2023
Spinnaker is an open source, multi-cloud continuous delivery platform. Log output when updating GitHub status is improperly set to FULL always. It's recommended to apply the patch and rotate the GitHub token used for GitHub status notifications. Given that this would output GitHub tokens to a log system, the risk is slightly higher than "low", since token exposure could grant elevated access to repositories outside of control. Even with read-restricted tokens, the exposure is such that the token itself could be used to access resources otherwise restricted from reads. This only affects users of GitHub Status Notifications. This issue has been addressed in pull request 1316. Users are advised to upgrade. Users unable to upgrade should disable GH Status Notifications, filter their logs for Echo log data and use read-only tokens that are limited in scope.
Insertion of Sensitive Information into Log File
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes
CVE-2023-40025
7.1 - High
- August 23, 2023
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting from version 2.6.0 have a bug where open web terminal sessions do not expire. This bug allows users to send any websocket messages even if the token has already expired. The most straightforward scenario is when a user opens the terminal view and leaves it open for an extended period. This allows the user to view sensitive information even when they should have been logged out already. A patch for this vulnerability has been released in the following Argo CD versions: 2.6.14, 2.7.12 and 2.8.1.
Insufficient Session Expiration
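The Argo CD web terminal entry above (CVE-2023-40025) describes a session that was validated once, when the websocket opened, and never again. The following is an added example, not Argo CD's code, of the minimal fix shape: a per-message expiry check with an injected clock so the lapse can be exercised in a test. The session type, user and frames are constructed for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

var errSessionExpired = errors.New("session token expired")

// terminalSession holds what the server validated when the websocket was
// opened. The flaw described above is checking exp only at that moment.
type terminalSession struct {
	user string
	exp  time.Time
	now  func() time.Time // injected clock so expiry can be simulated
}

// handleMessage runs for every inbound websocket frame. Re-checking expiry
// here, not only on connect, is what closes a long-lived terminal once the
// token behind it is no longer valid.
func (s *terminalSession) handleMessage(msg string) (string, error) {
	if !s.now().Before(s.exp) {
		return "", errSessionExpired
	}
	return "ran for " + s.user + ": " + msg, nil
}

// pump feeds frames to the session and returns how many were processed before
// the first rejection, mimicking a handler that closes the socket on expiry.
func (s *terminalSession) pump(frames []string) (int, error) {
	for i, f := range frames {
		if _, err := s.handleMessage(f); err != nil {
			return i, err
		}
	}
	return len(frames), nil
}

func main() {
	clock := time.Date(2023, 8, 23, 12, 0, 0, 0, time.UTC)
	s := &terminalSession{user: "alice", exp: clock.Add(2 * time.Minute), now: func() time.Time { return clock }}
	n, err := s.pump([]string{"ls"})
	fmt.Println(n, err) // 1 <nil>
	clock = clock.Add(5 * time.Minute) // the token lapses while the tab stays open
	n, err = s.pump([]string{"cat secret.yaml", "env"})
	fmt.Println(n, err) // 0 session token expired
}
```

In a real handler the expiry would come from the validated token's `exp` claim and the rejection would close the websocket; the point is only that the check runs on every frame.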
OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java
CVE-2023-39951
6.5 - Medium
- August 08, 2023
OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. OpenTelemetry Java Instrumentation prior to version 1.28.0 contains an issue related to the instrumentation of Java applications using the AWS SDK v2 with the Amazon Simple Email Service (SES) v1 API. When SES POST requests are instrumented, the query parameters of the request are inserted into the trace `url.path` field. As a result the HTTP body, containing the email subject and message, is present in the trace request URL metadata. Any user using a version before 1.28.0 of OpenTelemetry Java Instrumentation to instrument AWS SDK v2 calls to SES's v1 SendEmail API is affected. The e-mail content sent to SES may end up in the telemetry backend, exposing it to unintended audiences. The issue can be mitigated by updating OpenTelemetry Java Instrumentation to version 1.28.0 or later.
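Both the Spinnaker entry (CVE-2023-39348) and this OpenTelemetry entry are the same failure seen from two sides: a credential or a request body reaches a log or trace sink because nothing strips it first. The following is an added example, not code from Spinnaker or OpenTelemetry, of two defensive steps: masking credential-shaped substrings before a line is logged, and reducing a request URL to scheme, host and path before it is recorded as an attribute. The token patterns, the sample log line and the SES-style URL are constructed for the illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// secretPatterns cover common credential shapes; extend for your own formats.
// Patterns with a capture group keep the label and mask only the value.
var secretPatterns = []*regexp.Regexp{
	regexp.MustCompile(`\bgh[pousr]_[A-Za-z0-9]{20,}\b`),      // GitHub token prefixes
	regexp.MustCompile(`\bgithub_pat_[A-Za-z0-9_]{20,}\b`),    // fine-grained GitHub PATs
	regexp.MustCompile(`(?i)(authorization:\s*bearer\s+)\S+`), // bearer header values
	regexp.MustCompile(`(?i)\b((?:token|access_token|api[_-]?key|password)=)[^&\s]+`), // key=value pairs
}

// redactSecrets masks credential-shaped substrings before a line reaches a
// log sink, so a logger accidentally left at full verbosity cannot leak them.
func redactSecrets(line string) string {
	out := line
	for _, re := range secretPatterns {
		out = re.ReplaceAllStringFunc(out, func(m string) string {
			if sub := re.FindStringSubmatch(m); len(sub) > 1 {
				return sub[1] + "[REDACTED]"
			}
			return "[REDACTED]"
		})
	}
	return out
}

// safeURLAttr reduces a request URL to what is safe to record as a span or
// log attribute: scheme, host and path. Userinfo, query and fragment are
// dropped, since request parameters can carry message bodies or credentials.
func safeURLAttr(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	u.User, u.RawQuery, u.Fragment = nil, "", ""
	return u.String(), nil
}

func main() {
	// Constructed samples, not output from either project.
	fmt.Println(redactSecrets("echo: updating GitHub status, Authorization: Bearer ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123"))
	safe, _ := safeURLAttr("https://email.us-east-1.amazonaws.com/?Action=SendEmail&Message.Subject.Data=Quarterly%20numbers")
	fmt.Println(safe) // https://email.us-east-1.amazonaws.com/
}
```

Redaction by pattern is a backstop, not the fix: the fix is to not hand the credential or body to the logger at all, and to rotate any token that has already been written to a log.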
In imgsys, there is a possible system crash due to a missing pointer check
CVE-2023-20800
6.5 - Medium
- August 07, 2023
In imgsys, there is a possible system crash due to a missing pointer check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07420968; Issue ID: ALPS07420955.
In imgsys, there is a possible memory corruption due to improper input validation
CVE-2023-20803
6.5 - Medium
- August 07, 2023
In imgsys, there is a possible memory corruption due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07326455; Issue ID: ALPS07326374.
Memory Corruption
In imgsys, there is a possible out of bounds write due to a missing bounds check
CVE-2023-20804
6.7 - Medium
- August 07, 2023
In imgsys, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07199773; Issue ID: ALPS07326384.
Memory Corruption
In imgsys, there is a possible out of bounds write due to a missing bounds check
CVE-2023-20805
6.7 - Medium
- August 07, 2023
In imgsys, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07199773; Issue ID: ALPS07326411.
Memory Corruption
Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge
CVE-2023-37918
7.5 - High
- July 21, 2023
Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. A vulnerability has been found in Dapr that allows bypassing API token authentication, which is used by the Dapr sidecar to authenticate calls coming from the application, with a well-crafted HTTP request. Users who leverage API token authentication are encouraged to upgrade Dapr to 1.10.9 or to 1.11.2. This vulnerability impacts Dapr users who have configured API token authentication. An attacker could craft a request that is always allowed by the Dapr sidecar over HTTP, even if the `dapr-api-token` in the request is invalid or missing. The issue has been fixed in Dapr 1.10.9 or to 1.11.2. There are no known workarounds for this vulnerability.
Authentication Bypass
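The Dapr entry above (CVE-2023-37918) does not say what the crafted request looked like, so the example below does not try to reproduce it. What it shows, as added example code and not Dapr's own middleware, is the invariant a sidecar token check has to hold: every method and path is rejected when the `dapr-api-token` header is missing or wrong, the comparison is constant-time, and the only exemption (the health probe) is matched on the exact cleaned path. The handler, token value and request paths are constructed for the illustration.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
)

// apiTokenAuth puts every route behind one check: the dapr-api-token header
// must equal the configured token. The only exemption is the health probe,
// matched on the exact cleaned path so that no spelling of another route can
// borrow it.
func apiTokenAuth(token string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodGet && path.Clean(r.URL.Path) == "/v1.0/healthz" {
			next.ServeHTTP(w, r)
			return
		}
		got := r.Header.Get("dapr-api-token")
		// Constant-time compare; a missing or mismatched token is rejected
		// whatever the method, path or other headers say.
		if got == "" || subtle.ConstantTimeCompare([]byte(got), []byte(token)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newProtected wraps a trivial 200 handler with the middleware.
func newProtected(token string) http.Handler {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	return apiTokenAuth(token, ok)
}

// probe sends one in-process request and returns the status code.
func probe(h http.Handler, method, target, token string) int {
	req := httptest.NewRequest(method, target, nil)
	if token != "" {
		req.Header.Set("dapr-api-token", token)
	}
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)
	return rr.Code
}

func main() {
	h := newProtected("s3cr3t")
	fmt.Println(probe(h, "POST", "/v1.0/invoke/app/method/echo", ""))       // 401
	fmt.Println(probe(h, "POST", "/v1.0/invoke/app/method/echo", "wrong"))  // 401
	fmt.Println(probe(h, "POST", "/v1.0/invoke/app/method/echo", "s3cr3t")) // 200
	fmt.Println(probe(h, "GET", "/v1.0/healthz", ""))                        // 200
	fmt.Println(probe(h, "GET", "/v1.0/healthz/../secrets/store/key", ""))   // 401
}
```

The last probe is the kind of case worth keeping in a regression suite for any allowlist: the raw path starts with the exempt prefix, but after cleaning it is a different route and must still require the token.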
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines
CVE-2023-37264
4.3 - Medium
- July 07, 2023
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 0.35.0, pipelines do not validate child UIDs, which means that a user who has access to create TaskRuns can create their own Tasks that the Pipelines controller will accept as the child Task. While the software stores and validates the PipelineRun's (api version, kind, name, uid) in the child Run's OwnerReference, it only stores (api version, kind, name) in the ChildStatusReference. This means that if a client had access to create TaskRuns on a cluster, they could create a child TaskRun for a pipeline with the same name and owner reference, and the Pipeline controller picks it up as if it were the original TaskRun. This is problematic since it can let users modify the config of Pipelines at runtime, which violates SLSA L2 Service Generated / Non-falsifiable requirements. This issue can be used to trick the Pipeline controller into associating unrelated Runs with the Pipeline, feeding their data through the rest of the Pipeline. This requires access to create TaskRuns, so impact may vary depending on one's Tekton setup. If users already have unrestricted access to create any Task/PipelineRun, this does not grant any additional capabilities. As of time of publication, there are no known patches for this issue.
Insufficient Verification of Data Authenticity
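The Tekton entry above turns on one fact about Kubernetes: an object's name and its OwnerReference are chosen by whoever creates it, but its UID is assigned by the API server. The following is an added example, not Tekton's controller code, that models the lookup before and after recording the child's UID. The metadata types are stand-ins for the Kubernetes ones, and the PipelineRun, TaskRun names and UIDs are constructed for the illustration.

```go
package main

import "fmt"

// OwnerRef and ObjectMeta stand in for the Kubernetes metadata involved; the
// real types live in k8s.io/apimachinery. UIDs are assigned by the API server
// and cannot be chosen by the client that creates an object.
type OwnerRef struct{ APIVersion, Kind, Name, UID string }

type ObjectMeta struct {
	Name, UID string
	OwnerRefs []OwnerRef
}

// ChildRef is the shape of the reference a PipelineRun keeps to its child
// TaskRun. The vulnerable form described above recorded only (apiVersion,
// kind, name); the UID field is what a fix has to add and check.
type ChildRef struct{ APIVersion, Kind, Name, UID string }

// ownedBy reports whether child carries an OwnerReference to parent. A client
// can copy a real OwnerReference verbatim, so this alone proves nothing.
func ownedBy(child, parent ObjectMeta) bool {
	for _, o := range child.OwnerRefs {
		if o.Kind == "PipelineRun" && o.Name == parent.Name && o.UID == parent.UID {
			return true
		}
	}
	return false
}

// resolveChildWeak models the lookup before the fix: the recorded reference
// has no UID, so any owned TaskRun with the right name is accepted.
func resolveChildWeak(ref ChildRef, parent ObjectMeta, candidates []ObjectMeta) (ObjectMeta, bool) {
	for _, c := range candidates {
		if c.Name == ref.Name && ownedBy(c, parent) {
			return c, true
		}
	}
	return ObjectMeta{}, false
}

// resolveChildStrict additionally requires the candidate's server-assigned
// UID to equal the one recorded when the controller created the child, so a
// same-named object created by someone else is rejected.
func resolveChildStrict(ref ChildRef, parent ObjectMeta, candidates []ObjectMeta) (ObjectMeta, bool) {
	for _, c := range candidates {
		if c.Name == ref.Name && c.UID == ref.UID && ownedBy(c, parent) {
			return c, true
		}
	}
	return ObjectMeta{}, false
}

// Constructed scenario: the PipelineRun, the child reference it recorded, the
// genuine TaskRun, and a forged TaskRun with the same name and a copied
// OwnerReference but a UID the forger could not choose.
var (
	parentRun  = ObjectMeta{Name: "build", UID: "pr-1111"}
	recorded   = ChildRef{APIVersion: "tekton.dev/v1", Kind: "TaskRun", Name: "build-compile", UID: "tr-2222"}
	genuineRun = ObjectMeta{Name: "build-compile", UID: "tr-2222", OwnerRefs: []OwnerRef{{"tekton.dev/v1", "PipelineRun", "build", "pr-1111"}}}
	forgedRun  = ObjectMeta{Name: "build-compile", UID: "tr-9999", OwnerRefs: []OwnerRef{{"tekton.dev/v1", "PipelineRun", "build", "pr-1111"}}}
)

func main() {
	_, weak := resolveChildWeak(recorded, parentRun, []ObjectMeta{forgedRun})
	_, strict := resolveChildStrict(recorded, parentRun, []ObjectMeta{forgedRun})
	fmt.Println("weak lookup accepts forged child:  ", weak)   // true
	fmt.Println("strict lookup accepts forged child:", strict) // false
}
```

The same rule applies to any controller that records a reference to an object it created: persist the UID alongside the name and compare both, because everything else in the reference can be reproduced by a client with create permission.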
Backstage is an open platform for building developer portals
CVE-2023-35926
9.9 - Critical
- June 22, 2023
Backstage is an open platform for building developer portals. The Backstage scaffolder-backend plugin uses a templating library that requires a sandbox, as it by design allows for code injection. The library used for this sandbox so far has been `vm2`, but in light of several past vulnerabilities and existing vulnerabilities that may not have a fix, the plugin has switched to using a different sandbox library. A malicious actor with write access to a registered scaffolder template could manipulate the template in a way that allows for remote code execution on the scaffolder-backend instance. This was only exploitable in the template YAML definition itself and not by user input data. This vulnerability is fixed in version 1.15.0 of `@backstage/plugin-scaffolder-backend`.
Code Injection
In wlan, there is a possible out of bounds read due to a missing bounds check
CVE-2023-20728
4.4 - Medium
- June 06, 2023
In wlan, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07573603; Issue ID: ALPS07573603.
Out-of-bounds Read
In wlan, there is a possible out of bounds read due to a missing bounds check
CVE-2023-20729
4.4 - Medium
- June 06, 2023
In wlan, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07573552; Issue ID: ALPS07573575.
Out-of-bounds Read
In wlan, there is a possible out of bounds read due to a missing bounds check
CVE-2023-20730
4.4 - Medium
- June 06, 2023
In wlan, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07573552; Issue ID: ALPS07573552.
Out-of-bounds Read
In wlan, there is a possible out of bounds read due to a missing bounds check
CVE-2023-20731
4.4 - Medium
- June 06, 2023
In wlan, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07573495; Issue ID: ALPS07573495.
Out-of-bounds Read
In wlan, there is a possible out of bounds read due to a missing bounds check
CVE-2023-20732
6.7 - Medium
- June 06, 2023
In wlan, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07573480; Issue ID: ALPS07573480.
Memory Corruption
In vcu, there is a possible use after free due to improper locking
CVE-2023-20733
6.7 - Medium
- June 06, 2023
In vcu, there is a possible use after free due to improper locking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07645149; Issue ID: ALPS07645149.
Improper Locking
In vcu, there is a possible out of bounds write due to a missing bounds check
CVE-2023-20734
6.7 - Medium
- June 06, 2023
In vcu, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07645149; Issue ID: ALPS07645184.
Memory Corruption
In vcu, there is a possible out of bounds write due to a missing bounds check
CVE-2023-20735
6.7 - Medium
- June 06, 2023
In vcu, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07645149; Issue ID: ALPS07645178.
Memory Corruption
In vcu, there is a possible out of bounds write due to a race condition
CVE-2023-20736
6.4 - Medium
- June 06, 2023
In vcu, there is a possible out of bounds write due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07645149; Issue ID: ALPS07645189.
Race Condition
In vcu, there is a possible use after free due to improper locking
CVE-2023-20737
6.7 - Medium
- June 06, 2023
In vcu, there is a possible use after free due to improper locking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07645149; Issue ID: ALPS07645167.
Improper Locking
In vcu, there is a possible out of bounds write due to a missing bounds check
CVE-2023-20738
6.7 - Medium
- June 06, 2023
In vcu, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07645149; Issue ID: ALPS07645173.
Memory Corruption
In vcu, there is a possible memory corruption due to a logic error
CVE-2023-20740
6.7 - Medium
- June 06, 2023
In vcu, there is a possible memory corruption due to a logic error. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07559819; Issue ID: ALPS07559840.
Memory Corruption
In vcu, there is a possible out of bounds write due to improper locking
CVE-2023-20743
6.7 - Medium
- June 06, 2023
In vcu, there is a possible out of bounds write due to improper locking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07519142; Issue ID: ALPS07519142.
Improper Locking
In vcu, there is a possible use after free due to a logic error
CVE-2023-20744
6.7 - Medium
- June 06, 2023
In vcu, there is a possible use after free due to a logic error. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07519142; Issue ID: ALPS07519200.
Dangling pointer
In vcu, there is a possible out of bounds write due to improper locking
CVE-2023-20745
6.7 - Medium
- June 06, 2023
In vcu, there is a possible out of bounds write due to improper locking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07519142; Issue ID: ALPS07560694.
Improper Locking
In vcu, there is a possible out of bounds write due to improper locking
CVE-2023-20746
6.7 - Medium
- June 06, 2023
In vcu, there is a possible out of bounds write due to improper locking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07519142; Issue ID: ALPS07519217.
Improper Locking
In vcu, there is a possible memory corruption due to type confusion
CVE-2023-20747
4.4 - Medium
- June 06, 2023
In vcu, there is a possible memory corruption due to type confusion. This could lead to local denial of service with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07519103; Issue ID: ALPS07519121.
Object Type Confusion
In wlan, there is a possible out of bounds read due to a missing bounds check
CVE-2023-20727
4.4 - Medium
- June 06, 2023
In wlan, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07588531; Issue ID: ALPS07588531.
Out-of-bounds Read
Lima launches Linux virtual machines, typically on macOS, for running containerd
CVE-2023-32684
2.5 - Low
- May 30, 2023
Lima launches Linux virtual machines, typically on macOS, for running containerd. Prior to version 0.16.0, a virtual machine instance with a malicious disk image could read a single file on the host filesystem, even when no filesystem is mounted from the host. The official templates of Lima and the well-known third party products (Colima, Rancher Desktop, and Finch) are unlikely to be affected by this issue. To exploit this issue, the attacker has to embed the target file path (an absolute or a relative path from the instance directory) in a malicious disk image, as the qcow2 (or vmdk) backing file path string. As Lima refuses to run as root, it is practically impossible for the attacker to read the entire host disk via `/dev/rdiskN`. Also, practically, the attacker cannot read at least the first 512 bytes (MBR) of the target file. The issue has been patched in Lima in version 0.16.0 by prohibiting using a backing file path in the VM base image.
Files or Directories Accessible to External Parties
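The Lima entry above (CVE-2023-32684) hinges on a field in the disk image header: a qcow2 file can name a backing file, and the hypervisor will open that path on the host. The following is an added example, not Lima's code, of the check the entry describes as the fix: parse only the fixed qcow2 header and refuse any base image that declares a backing file. The field offsets (magic at 0, version at 4, backing_file_offset at 8, backing_file_size at 16, big endian) and the 1023-byte name limit are from the qcow2 specification; the sample header and the `/etc/hostname` target are constructed for the illustration, and vmdk images are not covered.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

var qcow2Magic = []byte{'Q', 'F', 'I', 0xfb}

// qcow2BackingFile reads only the fixed header of a qcow2 image and returns
// the backing file path it declares, or "" when there is none. Offsets follow
// the qcow2 specification: magic at 0, version at 4, backing_file_offset at 8
// and backing_file_size at 16, all big endian.
func qcow2BackingFile(img io.ReaderAt) (string, error) {
	var hdr [20]byte
	if _, err := img.ReadAt(hdr[:], 0); err != nil {
		return "", fmt.Errorf("reading header: %w", err)
	}
	if !bytes.Equal(hdr[:4], qcow2Magic) {
		return "", errors.New("not a qcow2 image")
	}
	off := binary.BigEndian.Uint64(hdr[8:16])
	size := binary.BigEndian.Uint32(hdr[16:20])
	if off == 0 && size == 0 {
		return "", nil
	}
	if size > 1023 { // the spec limits the backing file name to 1023 bytes
		return "", errors.New("backing file name too long")
	}
	name := make([]byte, size)
	if _, err := img.ReadAt(name, int64(off)); err != nil {
		return "", fmt.Errorf("reading backing file name: %w", err)
	}
	return string(name), nil
}

// checkBaseImage applies the policy the entry above describes as the fix:
// an image used as a VM base must not reference a backing file at all, so a
// path embedded by whoever built the image never reaches the host.
func checkBaseImage(img io.ReaderAt) error {
	backing, err := qcow2BackingFile(img)
	if err != nil {
		return err
	}
	if backing != "" {
		return fmt.Errorf("refusing image that declares backing file %q", backing)
	}
	return nil
}

// buildQcow2Header is a constructed sample: a minimal version-3 header with
// the backing file name placed right after the 104-byte fixed fields. It is
// enough to exercise the check above, not a usable disk image.
func buildQcow2Header(backing string) []byte {
	buf := make([]byte, 512)
	copy(buf[0:4], qcow2Magic)
	binary.BigEndian.PutUint32(buf[4:8], 3)
	binary.BigEndian.PutUint32(buf[20:24], 16) // cluster_bits: 64 KiB clusters
	if backing != "" {
		const off = 104
		binary.BigEndian.PutUint64(buf[8:16], off)
		binary.BigEndian.PutUint32(buf[16:20], uint32(len(backing)))
		copy(buf[off:], backing)
	}
	return buf
}

func main() {
	// A malicious image pointing at a host file, beside a clean one.
	fmt.Println(checkBaseImage(bytes.NewReader(buildQcow2Header("/etc/hostname")))) // refusing image that declares backing file "/etc/hostname"
	fmt.Println(checkBaseImage(bytes.NewReader(buildQcow2Header(""))))              // <nil>
}
```

Run the check on the image file before it is handed to the hypervisor; parsing the header yourself keeps the decision independent of whatever tool later opens the image.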
Rekor's goals are to provide an immutable tamper resistant ledger of metadata generated within a software project's supply chain
CVE-2023-33199
5.3 - Medium
- May 26, 2023
Rekor's goals are to provide an immutable tamper resistant ledger of metadata generated within a software project's supply chain. A malformed proposed entry of the `intoto/v0.0.2` type can cause a panic on a thread within the Rekor process. The thread is recovered, so the client receives a 500 error message and the service continues; the availability impact of this is minimal. This has been fixed in v1.2.0 of Rekor. Users are advised to upgrade. There are no known workarounds for this vulnerability.
assertion failure
cups-filters contains backends
CVE-2023-24805
8.8 - High
- May 17, 2023
cups-filters contains backends, filters, and other software required to get the cups printing service working on operating systems other than macOS. If you use the Backend Error Handler (beh) to create an accessible network printer, this security vulnerability can cause remote code execution. `beh.c` contains the line `retval = system(cmdline) >> 8;` which calls the `system` command with the operand `cmdline`. `cmdline` contains multiple user-controlled, unsanitized values. As a result an attacker with network access to the hosted print server can exploit this vulnerability to inject system commands which are executed in the context of the running server. This issue has been addressed in commit `8f2740357` and is expected to be bundled in the next release. Users are advised to upgrade when possible and to restrict access to network printers in the meantime.
Shell injection
Vitess is a database clustering system for horizontal scaling of MySQL through generalized sharding
CVE-2023-29195
4.3 - Medium
- May 11, 2023
Vitess is a database clustering system for horizontal scaling of MySQL through generalized sharding. Prior to version 16.0.2, users can either intentionally or inadvertently create a shard containing `/` characters from VTAdmin such that from that point on, anyone who tries to create a new shard from VTAdmin will receive an error. Attempting to view the keyspace(s) will also no longer work. Creating a shard using `vtctldclient` does not have the same problem because the CLI validates the input correctly. Version 16.0.2, corresponding to version 0.16.2 of the `go` module, contains a patch for this issue. Some workarounds are available. Always use `vtctldclient` to create shards, instead of using VTAdmin; disable creating shards from VTAdmin using RBAC; and/or delete the topology record for the offending shard using the client for your topology server.
Fluid is an open source Kubernetes-native distributed dataset orchestrator and accelerator for data-intensive applications
CVE-2023-30840
7.8 - High
- May 08, 2023
Fluid is an open source Kubernetes-native distributed dataset orchestrator and accelerator for data-intensive applications. Starting in version 0.7.0 and prior to version 0.8.6, if a malicious user gains control of a Kubernetes node running fluid csi pod (controlled by the `csi-nodeplugin-fluid` node-daemonset), they can leverage the fluid-csi service account to modify specs of all the nodes in the cluster. However, since this service account lacks `list node` permissions, the attacker may need to use other techniques to identify vulnerable nodes. Once the attacker identifies and modifies the node specs, they can manipulate system-level-privileged components to access all secrets in the cluster or execute pods on other nodes. This allows them to elevate privileges beyond the compromised node and potentially gain full privileged access to the whole cluster. To exploit this vulnerability, the attacker can make all other nodes unschedulable (for example, patch node with taints) and wait for system-critical components with high privilege to appear on the compromised node. However, this attack requires two prerequisites: a compromised node and identifying all vulnerable nodes through other means. Version 0.8.6 contains a patch for this issue. As a workaround, delete the `csi-nodeplugin-fluid` daemonset in `fluid-system` namespace and avoid using CSI mode to mount FUSE file systems. Alternatively, using sidecar mode to mount FUSE file systems is recommended.
AuthZ
Rekor is an open source software supply chain transparency log
CVE-2023-30551
7.5 - High
- May 08, 2023
Rekor is an open source software supply chain transparency log. Rekor prior to version 1.1.1 may crash due to out of memory (OOM) conditions caused by reading archive metadata files into memory without checking their sizes first. Verification of a JAR file submitted to Rekor can cause an out of memory crash if files within the META-INF directory of the JAR are sufficiently large. Parsing of an APK file submitted to Rekor can cause an out of memory crash if the .SIGN or .PKGINFO files within the APK are sufficiently large. The OOM crash has been patched in Rekor version 1.1.1. There are no known workarounds.
Allocation of Resources Without Limits or Throttling
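This Rekor entry (CVE-2023-30551) and the Argo CD repo-server entry further up (CVE-2023-40584) share one root cause: archive members are read into memory or onto disk without bounding them. The following is an added example, not code from Rekor or Argo CD, of a tar.gz extractor that caps each entry and the running total on both the declared and the delivered size, keeps entry paths under the destination, and pairs it with a cleanup helper that restores directory permissions before deleting, which addresses the second Argo CD issue. The caps, file names and the sample archive are constructed for the illustration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

const (
	maxEntryBytes int64 = 1 << 20 // per extracted file; illustrative
	maxTotalBytes int64 = 4 << 20 // whole archive after decompression; illustrative
)
var errTooLarge = errors.New("archive entry exceeds size limit")

// extractTarGz streams a tar.gz into dst, checking each file against the caps on its
// declared size and again on the bytes actually delivered, so a lying header cannot
// bypass the limit. Directories are created 0700 whatever mode the archive asked for.
func extractTarGz(r io.Reader, dst string) error {
	gz, err := gzip.NewReader(r)
	if err != nil {
		return err
	}
	defer gz.Close()
	tr := tar.NewReader(gz)
	var total int64
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err
		}
		target := filepath.Join(dst, filepath.Clean("/"+hdr.Name)) // "../x" becomes "/x", under dst
		switch hdr.Typeflag {
		case tar.TypeDir:
			if err := os.MkdirAll(target, 0o700); err != nil {
				return err
			}
		case tar.TypeReg:
			if hdr.Size > maxEntryBytes || total+hdr.Size > maxTotalBytes {
				return errTooLarge
			}
			if err := os.MkdirAll(filepath.Dir(target), 0o700); err != nil {
				return err
			}
			f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o600)
			if err != nil {
				return err
			}
			n, err := io.Copy(f, io.LimitReader(tr, maxEntryBytes+1))
			if f.Close(); err != nil {
				return err
			}
			total += n
			if n > maxEntryBytes || total > maxTotalBytes {
				return errTooLarge
			}
		default: // symlinks, devices and the like are not needed for manifest generation
			return fmt.Errorf("entry %q: unsupported type %v", hdr.Name, hdr.Typeflag)
		}
	}
}

// removeAllForce restores owner rwx on every directory before deleting, so a
// directory extracted read-only cannot keep its contents from being removed.
func removeAllForce(root string) error {
	_ = filepath.Walk(root, func(p string, info os.FileInfo, err error) error {
		if info != nil && info.IsDir() {
			_ = os.Chmod(p, 0o700)
		}
		return nil
	})
	return os.RemoveAll(root)
}

// buildTarGz is a constructed sample archive for the demonstration and test.
func buildTarGz(files map[string][]byte) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	for name, data := range files {
		_ = tw.WriteHeader(&tar.Header{Name: name, Mode: 0o644, Size: int64(len(data)), Typeflag: tar.TypeReg})
		_, _ = tw.Write(data)
	}
	_ = tw.Close()
	_ = gz.Close()
	return buf.Bytes()
}

func main() {
	dst, _ := os.MkdirTemp("", "extract")
	fmt.Println(extractTarGz(bytes.NewReader(buildTarGz(map[string][]byte{"Chart.yaml": []byte("name: demo\n")})), dst)) // <nil>
	fmt.Println(extractTarGz(bytes.NewReader(buildTarGz(map[string][]byte{"big.yaml": bytes.Repeat([]byte("x"), int(maxEntryBytes)+1)})), dst)) // archive entry exceeds size limit
	fmt.Println(removeAllForce(dst)) // <nil>
}
```

For a JAR or APK the same two checks apply to each `zip.File`: reject on `UncompressedSize64` before allocating anything, then read the stream from `File.Open` through `io.LimitReader` and reject again if more bytes arrive than were declared. The per-entry cap alone is not enough against a bomb of many small members, which is why the running total is checked too.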
Baremetal Operator (BMO) is a bare metal host provisioning integration for Kubernetes
CVE-2023-30841
5.5 - Medium
- April 26, 2023
Baremetal Operator (BMO) is a bare metal host provisioning integration for Kubernetes. Prior to version 0.3.0, ironic and ironic-inspector deployed within Baremetal Operator using the included `deploy.sh` store their `.htpasswd` files as ConfigMaps instead of Secrets. This causes the plain-text username and hashed password to be readable by anyone having a cluster-wide read-access to the management cluster, or access to the management cluster's Etcd storage. This issue is patched in baremetal-operator PR#1241, and is included in BMO release 0.3.0 onwards. As a workaround, users may modify the kustomizations and redeploy the BMO, or recreate the required ConfigMaps as Secrets per instructions in baremetal-operator PR#1241.
Cleartext Transmission of Sensitive Information
A flaw was found in the Open Cluster Management (OCM) when a user has access to the worker nodes
CVE-2023-2250
6.7 - Medium
- April 24, 2023
A flaw was found in Open Cluster Management (OCM) when a user has access to the worker nodes that host the cluster-manager-registration-controller or cluster-manager deployments. A malicious user can take advantage of this to bind cluster-admin to any service account, or use the service account to list all secrets in all Kubernetes namespaces, leading to cluster-level privilege escalation.
An Improper Privilege Management vulnerability in SUSE kubewarden
CVE-2023-22645
8.8 - High
- April 19, 2023
An Improper Privilege Management vulnerability in SUSE kubewarden allows attackers to read arbitrary secrets if they get access to the ServiceAccount kubewarden-controller. This issue affects: SUSE kubewarden kubewarden-controller versions prior to 1.6.0.
Improper Privilege Management
The OpenFeature Operator allows users to expose feature flags to applications
CVE-2023-29018
8.8 - High
- April 14, 2023
The OpenFeature Operator allows users to expose feature flags to applications. Assuming the pre-existence of a vulnerability that allows for arbitrary code execution, an attacker could leverage the lax permissions configured on `open-feature-operator-controller-manager` to escalate the privileges of any SA in the cluster. The increased privileges could be used to modify cluster state, leading to DoS, or read sensitive data, including secrets. Version 0.2.32 mitigates this issue by restricting the resources the `open-feature-operator-controller-manager` can modify.
Vitess is a database clustering system for horizontal scaling of MySQL
CVE-2023-29194
2.7 - Low
- April 14, 2023
Vitess is a database clustering system for horizontal scaling of MySQL. Users can either intentionally or inadvertently create a keyspace containing `/` characters such that from that point on, anyone who tries to view keyspaces from VTAdmin will receive an error. Trying to list all the keyspaces using `vtctldclient GetKeyspaces` will also return an error. Note that all other keyspaces can still be administered using the CLI (vtctldclient). This issue is fixed in version 16.0.1. As a workaround, delete the offending keyspace using a CLI client (vtctldclient).
CubeFS through 3.2.1 allows Kubernetes cluster-level privilege escalation
CVE-2023-30512
6.5 - Medium
- April 12, 2023
CubeFS through 3.2.1 allows Kubernetes cluster-level privilege escalation. This occurs because DaemonSet has cfs-csi-cluster-role and can thus list all secrets, including the admin secret.
Incorrect Permission Assignment for Critical Resource
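Five entries above describe the same over-privilege: a service account that runs on every node or in a controller can read every Secret in the cluster, so compromising one pod or node is enough to become cluster-admin (Fluid CVE-2023-30840, OCM CVE-2023-2250, kubewarden CVE-2023-22645, OpenFeature Operator CVE-2023-29018, CubeFS CVE-2023-30512). The following is an added example, not code from any of those projects, of the audit a cluster operator can run against RBAC objects to find such accounts before an attacker does. The role, binding and service account names are constructed, not the projects' real manifests.

```go
package main

import "fmt"

// PolicyRule, Role and Binding mirror the RBAC fields that matter for this
// check (rbac.authorization.k8s.io/v1) without importing the Kubernetes types.
type PolicyRule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

type Role struct {
	Name  string
	Rules []PolicyRule
}

// Binding is a ClusterRoleBinding (ClusterWide) or a namespaced RoleBinding.
type Binding struct {
	RoleName       string
	ClusterWide    bool
	ServiceAccount string // "namespace/name"
}

// Finding names a service account that can read every Secret in the cluster,
// the capability that turns one compromised node or pod into cluster-admin
// in several of the entries above.
type Finding struct {
	ServiceAccount, Role, Verb string
}

func matches(list []string, want string) bool {
	for _, v := range list {
		if v == want || v == "*" {
			return true
		}
	}
	return false
}

// auditSecretReaders returns a Finding for each cluster-wide binding to a
// role whose rules grant get, list or watch on secrets in the core API group
// (a "*" in any field counts as a match).
func auditSecretReaders(roles []Role, bindings []Binding) []Finding {
	byName := make(map[string]Role, len(roles))
	for _, r := range roles {
		byName[r.Name] = r
	}
	var out []Finding
	for _, b := range bindings {
		role, ok := byName[b.RoleName]
		if !ok || !b.ClusterWide {
			continue // a RoleBinding limits the grant to its namespace
		}
		for _, rule := range role.Rules {
			if !matches(rule.APIGroups, "") || !matches(rule.Resources, "secrets") {
				continue
			}
			for _, verb := range []string{"get", "list", "watch"} {
				if matches(rule.Verbs, verb) {
					out = append(out, Finding{b.ServiceAccount, role.Name, verb})
				}
			}
		}
	}
	return out
}

// sampleCluster is a constructed inventory, not taken from any project: a
// node-plugin DaemonSet whose ClusterRole can list secrets, and a controller
// bound only within its own namespace.
func sampleCluster() ([]Role, []Binding) {
	roles := []Role{
		{Name: "example-csi-cluster-role", Rules: []PolicyRule{
			{APIGroups: []string{""}, Resources: []string{"secrets", "nodes"}, Verbs: []string{"get", "list"}},
		}},
		{Name: "example-controller-role", Rules: []PolicyRule{
			{APIGroups: []string{""}, Resources: []string{"secrets"}, Verbs: []string{"get"}},
		}},
	}
	bindings := []Binding{
		{RoleName: "example-csi-cluster-role", ClusterWide: true, ServiceAccount: "example-system/csi-node"},
		{RoleName: "example-controller-role", ClusterWide: false, ServiceAccount: "example-system/controller"},
	}
	return roles, bindings
}

func main() {
	for _, f := range auditSecretReaders(sampleCluster()) {
		fmt.Printf("%s can %s secrets cluster-wide via %s\n", f.ServiceAccount, f.Verb, f.Role)
	}
}
```

Feed it the output of `kubectl get clusterroles,clusterrolebindings,rolebindings -A -o json` after mapping the fields; a complete audit also has to follow aggregated ClusterRoles, group and user subjects, and node-level credentials, which this example leaves out. The remediation the entries above converge on is the same in each case: a node-level component gets no secret access, and a controller gets `get` on named secrets in its own namespace rather than `list` on all of them.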
runc is a CLI tool for spawning and running containers according to the OCI specification
CVE-2023-28642
7.8 - High
- March 29, 2023
runc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibiting symlinked `/proc`. See PR #3785 for details. Users are advised to upgrade. Users unable to upgrade should avoid using untrusted container images.
insecure temporary file
runc is a CLI tool for spawning and running containers according to the OCI specification
CVE-2023-25809
6.3 - Medium
- March 29, 2023
runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes `/sys/fs/cgroup` writable in the following conditions: 1. when runc is executed inside the user namespace, and the `config.json` does not specify the cgroup namespace to be unshared (e.g., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl), or 2. when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro` (e.g., `runc spec --rootless`; this condition is very rare). A container may gain write access to the user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host. Other users' cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace (`(docker|podman|nerdctl) run --cgroupns=private`), which is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts, or add `/sys/fs/cgroup` to `maskedPaths`.
Improper Preservation of Permissions
An access control issue in Argo CD v2.4.12 and below
CVE-2022-41354
4.3 - Medium
- March 27, 2023
An access control issue in Argo CD v2.4.12 and below allows unauthenticated attackers to enumerate existing applications.
Side Channel Attack
runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go
CVE-2023-27561
7 - High
- March 03, 2023
runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression.
Use of Incorrectly-Resolved Name or Reference
A vulnerability in the Imperative framework
CVE-2021-4326
7.8 - High
- March 01, 2023
A vulnerability in the Imperative framework allows already-privileged local actors to execute arbitrary shell commands via plugin install/update commands, or maliciously formed environment variables. Impacts Zowe CLI.