CVE-2023-39348 – Improper log output when using GitHub Status Notifications in spinnaker
https://notcve.org/view.php?id=CVE-2023-39348
Spinnaker is an open source, multi-cloud continuous delivery platform. Log output when updating GitHub status is improperly set to FULL always. It is recommended to apply the patch and rotate the GitHub token used for GitHub status notifications. Given that this would output GitHub tokens to a log system, the risk is slightly higher than "low", since token exposure could grant elevated access to repositories outside of control. If using READ-restricted tokens, the exposure is such that the token itself could be used to access resources otherwise restricted from reads.
• References: https://github.com/spinnaker/echo/pull/1316 https://github.com/spinnaker/spinnaker/security/advisories/GHSA-rq5c-hvw6-8pr7
• CWE-532: Insertion of Sensitive Information into Log File
CVE-2023-40025 – Argo CD web terminal session doesn't expire
https://notcve.org/view.php?id=CVE-2023-40025
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting from version 2.6.0 have a bug where open web terminal sessions do not expire. This bug allows users to send any WebSocket messages even if the token has already expired. The most straightforward scenario is when a user opens the terminal view and leaves it open for an extended period. This allows the user to view sensitive information even when they should have been logged out already.
• References: https://github.com/argoproj/argo-cd/commit/e047efa8f9518c54d00d2e4493b64bc4dba98478 https://github.com/argoproj/argo-cd/security/advisories/GHSA-c8xw-vjgf-94hr https://access.redhat.com/security/cve/CVE-2023-40025 https://bugzilla.redhat.com/show_bug.cgi?id=2301445
• CWE-613: Insufficient Session Expiration
CVE-2023-39951 – Instrumentation for AWS SDK v2 captures email content when using Amazon Simple Email Service (SES) v1 API, exposing that content to the telemetry backend
https://notcve.org/view.php?id=CVE-2023-39951
OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. OpenTelemetry Java Instrumentation prior to version 1.28.0 contains an issue related to the instrumentation of Java applications using the AWS SDK v2 with the Amazon Simple Email Service (SES) v1 API. When SES POST requests are instrumented, the query parameters of the request are inserted into the trace `url.path` field. This behavior causes the HTTP body, containing the email subject and message, to be present in the trace request URL metadata. Any user using a version before 1.28.0 of OpenTelemetry Java Instrumentation to instrument AWS SDK v2 calls to SES's v1 SendEmail API is affected.
• References: https://github.com/open-telemetry/opentelemetry-java-instrumentation/issues/8956 https://github.com/open-telemetry/opentelemetry-java-instrumentation/pull/8931 https://github.com/open-telemetry/opentelemetry-java-instrumentation/security/advisories/GHSA-hghr-r469-gfq6
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2023-20805
https://notcve.org/view.php?id=CVE-2023-20805
In imgsys, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07199773; Issue ID: ALPS07326411.
• References: https://corp.mediatek.com/product-security-bulletin/August-2023
• CWE-787: Out-of-bounds Write
CVE-2023-20804
https://notcve.org/view.php?id=CVE-2023-20804
In imgsys, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07199773; Issue ID: ALPS07326384.
• References: https://corp.mediatek.com/product-security-bulletin/August-2023
• CWE-787: Out-of-bounds Write