CVSS: 7.5EPSS: 81%CPEs: 444EXPL: 7CVE-2023-44487 – HTTP/2 Rapid Reset Attack Vulnerability
https://notcve.org/view.php?id=CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. El protocolo HTTP/2 permite una denegación de servicio (consumo de recursos del servidor) porque la cancelación de solicitudes puede restablecer muchas transmisiones rápidamente, como se explotó en la naturaleza entre agosto y octubre de 2023. A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. • https://github.com/imabee101/CVE-2023-44487 https://github.com/studiogangster/CVE-2023-44487 https://github.com/bcdannyboy/CVE-2023-44487 https://github.com/sigridou/CVE-2023-44487- https://github.com/ByteHackr/CVE-2023-44487 https://github.com/ReToCode/golang-CVE-2023-44487 http://www.openwall.com/lists/oss-security/2023/10/13/4 http://www.openwall.com/lists/oss-security/2023/10/13/9 http://www.openwall.com/lists/oss-security/2023/10/18/4 http://www. • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.7EPSS: 0%CPEs: 2EXPL: 0CVE-2023-3361 – S3 credentials included when exporting elyra notebook
https://notcve.org/view.php?id=CVE-2023-3361
A flaw was found in Red Hat OpenShift Data Science. When exporting a pipeline from the Elyra notebook pipeline editor as Python DSL or YAML, it reads S3 credentials from the cluster (ds pipeline server) and saves them in plain text in the generated output instead of an ID for a Kubernetes secret. Se encontró una falla en Red Hat OpenShift Data Science. Al exportar un pipeline desde Elyra notebook pipeline editor como Python DSL o YAML, lee las credenciales de S3 del clúster (servidor de pipeline ds) y las guarda en texto plano en la salida generada en lugar de un ID para un secreto de Kubernetes. • https://access.redhat.com/security/cve/CVE-2023-3361 https://bugzilla.redhat.com/show_bug.cgi?id=2216588 https://github.com/opendatahub-io/odh-dashboard/issues/1415 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-0923 – Odh-notebook-controller-container: missing authorization allows for file contents disclosure
https://notcve.org/view.php?id=CVE-2023-0923
A flaw was found in the Kubernetes service for notebooks in RHODS, where it does not prevent pods from other namespaces and applications from making requests to the Jupyter API. This flaw can lead to file content exposure and other issues. Se encontró una falla en el servicio Kubernetes para portátiles en RHODS, donde no impide que los pods de otros espacios de nombres y aplicaciones realicen solicitudes a la API de Jupyter. Esta falla puede provocar la exposición del contenido del archivo y otros problemas. • https://access.redhat.com/errata/RHSA-2023:0977 https://access.redhat.com/security/cve/CVE-2023-0923 https://bugzilla.redhat.com/show_bug.cgi?id=2171870 • CWE-862: Missing Authorization •