
CVSS: 9.1 | EPSS: 0% | CPEs: 13 | EXPL: 1

containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via a hostPath volume, any privileged regular file on disk for complete read/write access (sans delete). This is achieved by placing the in-container location of the hostPath volume mount at `/etc/hosts`, `/etc/hostname`, or `/etc/resolv.conf`. These locations are relabeled indiscriminately to match the container's process label, which effectively elevates permissions for a container that would not normally be able to access privileged host files. This issue has been resolved in version 1.5.9.
• https://github.com/containerd/containerd/commit/a731039238c62be081eb8c31525b988415745eea
  https://github.com/containerd/containerd/issues/6194
  https://github.com/containerd/containerd/security/advisories/GHSA-mvff-h3cj-wj9c
  https://github.com/dweomer/containerd/commit/f7f08f0e34fb97392b0d382e58916d6865100299
  https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GD5GH7NMK5VJMA2Y5CYB5O5GTPYMWMLX
  https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPDIZMI7ZPERSZE2XO265UCK5IWM7CID
  https:&#
• CWE-281: Improper Preservation of Permissions
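As an added example (not code from containerd or from the advisory), the following Python audit flags the pattern the entry describes in pod specs and checks a node's reported containerd version against the affected range. The pod and node JSON documents are constructed; in practice they would come from `kubectl get pods -A -o json` and `kubectl get nodes -o json`. The check cannot see whether SELinux is enforcing on the node, so a hit is a candidate to investigate, not proof of exploitability.

```python
"""Audit pod specs for hostPath volumes mounted at the three in-container
paths the containerd advisory (CVE-2021-43816) says are relabeled, and check
node containerd versions against the affected range.

Added example, not containerd project code. Sample data below is constructed.
"""
import json
import posixpath

# In-container destinations the advisory names as relabeled to the process label.
RELABELED_PATHS = {"/etc/hosts", "/etc/hostname", "/etc/resolv.conf"}
FIRST_AFFECTED = (1, 5, 0)   # "since v1.5.0-beta.0"
FIXED = (1, 5, 9)            # "resolved in version 1.5.9"


def parse_containerd_version(runtime_version):
    """'containerd://1.5.8' -> (1, 5, 8); None when the runtime is not containerd.

    Pre-release and build suffixes ('1.5.0-beta.0', '1.5.8+unknown') are
    dropped, so 1.5.0-beta.0 compares as 1.5.0 and counts as affected.
    """
    scheme, _, version = runtime_version.partition("://")
    if scheme != "containerd":
        return None
    version = version.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in version.split("."))


def node_affected(node):
    """True when the kubelet reports a containerd in [1.5.0, 1.5.9)."""
    version = parse_containerd_version(
        node["status"]["nodeInfo"]["containerRuntimeVersion"])
    return version is not None and FIRST_AFFECTED <= version < FIXED


def risky_mounts(pod):
    """(container, volume, host path, mount path) for every hostPath volume
    mounted at one of RELABELED_PATHS in a regular or init container.

    Mount paths are normalised so '/etc//hosts' and '/etc/./hosts' are also
    reported; that is a deliberately conservative choice for an audit.
    """
    spec = pod.get("spec", {})
    host_paths = {
        volume["name"]: volume["hostPath"]["path"]
        for volume in spec.get("volumes", [])
        if "hostPath" in volume
    }
    findings = []
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        for mount in container.get("volumeMounts", []):
            name = mount["name"]
            if name in host_paths and posixpath.normpath(mount["mountPath"]) in RELABELED_PATHS:
                findings.append((container["name"], name, host_paths[name], mount["mountPath"]))
    return findings


# Constructed sample objects (not from a real cluster).
SAMPLE_POD = json.loads("""
{"metadata": {"name": "innocuous", "namespace": "dev"},
 "spec": {
   "volumes": [
     {"name": "hosts", "hostPath": {"path": "/etc/shadow", "type": "File"}},
     {"name": "scratch", "emptyDir": {}}
   ],
   "containers": [
     {"name": "app", "image": "busybox",
      "volumeMounts": [
        {"name": "hosts", "mountPath": "/etc/hosts"},
        {"name": "scratch", "mountPath": "/etc/hostname"}
      ]}
   ]}}
""")

SAMPLE_NODE = json.loads("""
{"metadata": {"name": "worker-1"},
 "status": {"nodeInfo": {"containerRuntimeVersion": "containerd://1.5.8",
                         "osImage": "Fedora Linux 35"}}}
""")

if __name__ == "__main__":
    print("node runs an affected containerd:", node_affected(SAMPLE_NODE))
    for finding in risky_mounts(SAMPLE_POD):
        print("hostPath mounted at a relabeled location:", finding)
```

The emptyDir mounted at `/etc/hostname` in the sample is not reported: only a hostPath volume gives the container a handle on a host file, so only those mounts matter for this issue.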

CVSS: 7.5 | EPSS: 0% | CPEs: 4 | EXPL: 0

An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.
• https://docs.djangoproject.com/en/4.0/releases/security
  https://groups.google.com/forum/#%21forum/django-announce
  https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV
  https://security.netapp.com/advisory/ntap-20220121-0005
  https://www.djangoproject.com/weblog/2022/jan/04/security-releases
  https://access.redhat.com/security/cve/CVE-2021-45115
  https://bugzilla.redhat.com/show_bug.cgi?id=2037024
• CWE-400: Uncontrolled Resource Consumption
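Added example, not Django's code: a validator modelled on the idea described above (lower-case the password, compare it with each attribute and each non-word-separated piece of it using difflib's quick_ratio), instrumented to count comparisons, next to a guarded subclass that skips any comparison whose upper bound already falls below the threshold. The bound 2*len(part)/(len(password)+len(part)) follows from difflib's definition of the ratio as 2*M/T with M no larger than the shorter side, so the guard changes the cost, not the verdict. The user record is constructed.

```python
"""Why an oversized password is expensive for an attribute-similarity
validator (CVE-2021-45115), and a guard that skips comparisons that
provably cannot reach the threshold.

Added example modelled on the validator's idea; not Django's code.
"""
import re
from difflib import SequenceMatcher
from types import SimpleNamespace


class SimilarityValidator:
    """Reject a password that resembles any of the user's attributes.

    `comparisons` counts SequenceMatcher runs, so the work done for one
    submission can be observed without timing it.
    """

    def __init__(self, attributes=("username", "first_name", "last_name", "email"),
                 max_similarity=0.7):
        self.attributes = attributes
        self.max_similarity = max_similarity
        self.comparisons = 0

    def comparison_values(self, user):
        """Each attribute lower-cased and split on non-word characters, plus the whole value."""
        for attribute in self.attributes:
            value = getattr(user, attribute, None)
            if not value or not isinstance(value, str):
                continue
            lowered = value.lower()
            for part in re.split(r"\W+", lowered) + [lowered]:
                if part:
                    yield part

    def too_similar(self, password, part):
        # quick_ratio() walks the whole password: the cost grows with the
        # attacker-controlled length, once per comparison value.
        self.comparisons += 1
        return SequenceMatcher(a=password, b=part).quick_ratio() >= self.max_similarity

    def is_acceptable(self, password, user):
        password = password.lower()
        return not any(self.too_similar(password, part)
                       for part in self.comparison_values(user))


class GuardedValidator(SimilarityValidator):
    """Same verdicts, bounded work.

    quick_ratio() is 2*M/T where M (the multiset intersection) is at most
    len(part) and T = len(password) + len(part). When 2*len(part)/T is
    already below max_similarity, no password of that length can reach the
    threshold, so the scan is skipped. The result is exact, not a heuristic.
    """

    def too_similar(self, password, part):
        upper_bound = 2 * len(part) / (len(password) + len(part))
        if upper_bound < self.max_similarity:
            return False
        return super().too_similar(password, part)


# Constructed user record.
ALICE = SimpleNamespace(username="alice.smith", first_name="Alice",
                        last_name="Smith", email="alice@example.org")


def compare(password, user=ALICE):
    """Run both validators on one password.

    Returns (plain verdict, plain comparisons, guarded verdict, guarded comparisons).
    """
    plain, guarded = SimilarityValidator(), GuardedValidator()
    return (plain.is_acceptable(password, user), plain.comparisons,
            guarded.is_acceptable(password, user), guarded.comparisons)


if __name__ == "__main__":
    for candidate in ("alicesmith1", "Tr0ub4dor&3", "z" * 200_000):
        print(len(candidate), compare(candidate))
```

For the 200,000-character password the plain validator runs one full scan per comparison value while the guarded one runs none; for ordinary-length passwords both reach the same verdict.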

CVSS: 7.5 | EPSS: 0% | CPEs: 4 | EXPL: 0

An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key. An information-disclosure flaw was found in Django, where the dictsort filter in Django's Template Language did not correctly validate user input.
• https://docs.djangoproject.com/en/4.0/releases/security
  https://groups.google.com/forum/#%21forum/django-announce
  https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV
  https://security.netapp.com/advisory/ntap-20220121-0005
  https://www.djangoproject.com/weblog/2022/jan/04/security-releases
  https://access.redhat.com/security/cve/CVE-2021-45116
  https://bugzilla.redhat.com/show_bug.cgi?id=2037025
• CWE-20: Improper Input Validation
  CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer
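Added example, not Django's code: `template_style_resolver` imitates how template variable resolution walks a dotted key (item lookup, then attribute, then index) and invokes any callable it lands on, which is what lets a crafted sort key order rows by a private attribute or trigger a method; `safe_resolver` shows the restrictions a sort key should live under. The `Account` class and the rows are constructed.

```python
"""A model of the key resolution behind the dictsort issue (CVE-2021-45116)
next to a hardened resolver. Added example; not Django's code.
"""
from operator import itemgetter


class Account:
    """Constructed stand-in for a model instance: a public field, a private
    attribute, and a method with a side effect a template must never call."""

    def __init__(self, username, token):
        self.username = username
        self._token = token
        self.rotations = 0

    def rotate_token(self):
        self.rotations += 1
        return "rotated"


def template_style_resolver(key):
    """Dotted lookup in the style of template variable resolution: dict key,
    then attribute, then list index, and callables are *called*. A user-supplied
    key such as 'owner._token' or 'owner.rotate_token' is therefore honoured."""
    parts = key.split(".")

    def resolve(obj):
        for part in parts:
            try:
                obj = obj[part]
            except (TypeError, KeyError, IndexError):
                try:
                    obj = getattr(obj, part)
                except AttributeError:
                    obj = obj[int(part)]
            if callable(obj):
                obj = obj()
        return obj

    return resolve


def safe_resolver(key):
    """Hardened sort key: an all-digit key indexes sequences; otherwise the
    dotted path is followed through item and attribute lookups only. Parts
    starting with '_' are refused, and callables are returned rather than
    invoked, so sorting can no longer run a method as a side effect."""
    if key.isdigit():
        return itemgetter(int(key))
    parts = key.split(".")
    if any(part.startswith("_") for part in parts):
        raise AttributeError("access to private attributes is forbidden")

    def resolve(obj):
        for part in parts:
            try:
                obj = obj[part]
            except (TypeError, KeyError, IndexError):
                obj = getattr(obj, part)
        return obj

    return resolve


def dictsort(rows, key, resolver):
    """sorted() over rows by the resolved key; the resolver decides what a key may reach."""
    return sorted(rows, key=resolver(key))


def key_allowed(key):
    """True when safe_resolver accepts the key."""
    try:
        safe_resolver(key)
    except AttributeError:
        return False
    return True


def sample_rows():
    # Constructed data; the secret tokens deliberately sort in a different
    # order from the usernames, so the output order alone leaks them.
    return [
        {"name": "carol", "owner": Account("carol", "tok-c")},
        {"name": "alice", "owner": Account("alice", "tok-z")},
        {"name": "bob", "owner": Account("bob", "tok-a")},
    ]


def names(rows):
    return [row["name"] for row in rows]


if __name__ == "__main__":
    rows = sample_rows()
    print("leaky order:", names(dictsort(rows, "owner._token", template_style_resolver)))
    dictsort(rows, "owner.rotate_token", template_style_resolver)
    print("rotations per account:", [row["owner"].rotations for row in rows])
    print("safe order:", names(dictsort(sample_rows(), "owner.username", safe_resolver)))
    print("private key allowed:", key_allowed("owner._token"))
```

With the safe resolver a key pointing at a method yields the bound method itself; `sorted()` then fails on unorderable values instead of calling it, which is the fail-closed outcome a filter wants.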

CVSS: 7.4 | EPSS: 0% | CPEs: 4 | EXPL: 0

Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it. A directory-traversal flaw was found in Django's Storage.save() method, where a network attacker could possibly traverse restricted paths using suitably crafted file names.
• https://docs.djangoproject.com/en/4.0/releases/security
  https://groups.google.com/forum/#%21forum/django-announce
  https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV
  https://security.netapp.com/advisory/ntap-20220121-0005
  https://www.djangoproject.com/weblog/2022/jan/04/security-releases
  https://access.redhat.com/security/cve/CVE-2021-45452
  https://bugzilla.redhat.com/show_bug.cgi?id=2037028
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
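Added example, not Django's code: the kind of lexical file-name validation a save() path needs when callers can pass crafted names directly, followed by a realpath check that the final location is still under the storage root. The storage root is a temporary directory and the names are constructed.

```python
"""File-name validation of the kind Storage.save() lacked (CVE-2021-45452),
with the resolved path checked against the storage root as a second line of
defence. Added example; not Django's code.
"""
import os
import pathlib
import tempfile


class SuspiciousFileOperation(Exception):
    """Raised for names that could write outside the storage root."""


def validate_file_name(name, allow_relative_path=False):
    """Reject names that are empty, '.'/'..', absolute, or contain a '..' part.

    With allow_relative_path=False the name must be a bare basename; with
    True a relative POSIX path such as 'avatars/u1.png' is accepted as long
    as it cannot climb out of the root. The check is purely lexical.
    """
    if os.path.basename(name) in {"", ".", ".."}:
        raise SuspiciousFileOperation(f"could not derive a file name from {name!r}")
    if allow_relative_path:
        path = pathlib.PurePosixPath(name)
        if path.is_absolute() or ".." in path.parts:
            raise SuspiciousFileOperation(f"path traversal attempt in {name!r}")
    elif name != os.path.basename(name):
        raise SuspiciousFileOperation(f"{name!r} includes path elements")
    return name


def safe_join(root, name):
    """Resolve symlinks and confirm the final path is still under the root
    before anything is written (catches a symlinked subdirectory too)."""
    real_root = os.path.realpath(root)
    final = os.path.realpath(os.path.join(real_root, name))
    if os.path.commonpath([real_root, final]) != real_root:
        raise SuspiciousFileOperation(f"{name!r} resolves outside the storage root")
    return final


def save(root, name, content, allow_relative_path=True):
    """Write `content` under `root` at `name`; return the stored relative name."""
    name = validate_file_name(name, allow_relative_path)
    final = safe_join(root, name)
    os.makedirs(os.path.dirname(final), exist_ok=True)
    with open(final, "wb") as handle:
        handle.write(content)
    return os.path.relpath(final, os.path.realpath(root))


def classify(names, allow_relative_path=True):
    """Map each candidate name to 'ok' or 'rejected' without touching disk."""
    verdicts = {}
    for name in names:
        try:
            validate_file_name(name, allow_relative_path)
            verdicts[name] = "ok"
        except SuspiciousFileOperation:
            verdicts[name] = "rejected"
    return verdicts


def demo():
    """Save one benign file into a fresh temporary root; return the stored name."""
    root = tempfile.mkdtemp(prefix="storage-")
    return save(root, "avatars/u1.png", b"\x89PNG", allow_relative_path=True)


if __name__ == "__main__":
    print(demo())
    print(classify(["avatars/u1.png", "../outside.txt", "avatars/../../x",
                    "/etc/passwd", "", "avatars/.."]))
```

The lexical check and the realpath check are both kept: the first gives a clear error for an obviously hostile name, the second covers anything the string inspection cannot know about, such as a symlink already present under the root.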

CVSS: 7.5 | EPSS: 0% | CPEs: 5 | EXPL: 1

nltk is vulnerable to Inefficient Regular Expression Complexity.
• https://github.com/nltk/nltk/commit/2a50a3edc9d35f57ae42a921c621edc160877f4d
  https://huntr.dev/bounties/761a761e-2be2-430a-8d92-6f74ffe9866a
• CWE-1333: Inefficient Regular Expression Complexity