CVE-2024-39911 – 1Panel SQL injection
https://notcve.org/view.php?id=CVE-2024-39911
1Panel is a web-based Linux server management control panel. 1Panel contains an unspecified SQL injection via User-Agent handling. This issue has been addressed in version 1.10.12-lts. Users are advised to upgrade. There are no known workarounds for this vulnerability.
• References: https://blog.mo60.cn/index.php/archives/1Panel_SQLinjection2Rce.html https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-7m53-pwp6-v3f5
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-39907 – SQL injection in 1Panel
https://notcve.org/view.php?id=CVE-2024-39907
1Panel is a web-based Linux server management control panel. There are many SQL injections in the project, and some of them are not well filtered, leading to arbitrary file writes and ultimately to RCE. These SQL injections have been resolved in version 1.10.12-tls. Users are advised to upgrade. There are no known workarounds for these issues.
• References: https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-5grx-v727-qmq6
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-37065
https://notcve.org/view.php?id=CVE-2024-37065
Deserialization of untrusted data can occur in versions 0.6 or newer of the skops Python library, enabling a maliciously crafted model to run arbitrary code on an end user's system when loaded.
• References: https://hiddenlayer.com/sai-security-advisory/skops-june2024
• CWE-502: Deserialization of Untrusted Data
CVE-2024-36127 – apko Exposure of HTTP basic auth credentials in log output
https://notcve.org/view.php?id=CVE-2024-36127
apko is an apk-based OCI image builder. apko exposes HTTP basic auth credentials from repository and keyring URLs in log output. This vulnerability is fixed in v0.14.5.
• References: https://github.com/chainguard-dev/apko/commit/2c0533e4d52e83031a04f6a83ec63fc2a11eff01 https://github.com/chainguard-dev/apko/security/advisories/GHSA-v6mg-7f7p-qmqp
• CWE-522: Insufficiently Protected Credentials
• CWE-532: Insertion of Sensitive Information into Log File
CVE-2024-35183 – wolfictl leaks GitHub tokens to remote non-GitHub git servers
https://notcve.org/view.php?id=CVE-2024-35183
wolfictl is a command line tool for working with Wolfi. A git authentication issue in versions prior to 0.16.10 allows a local user's GitHub token to be sent to remote servers other than `github.com`. Most git-dependent functionality in wolfictl relies on its own `git` package, which contains centralized logic for implementing interactions with git repositories. Some of this functionality requires authentication in order to access private repositories. A central function `GetGitAuth` looks for a GitHub token in the environment variable `GITHUB_TOKEN` and returns it as an HTTP basic auth object to be used with the `github.com/go-git/go-git/v5` library.
• References: https://github.com/wolfi-dev/wolfictl/blob/488b53823350caa706de3f01ec0eded9350c7da7/pkg/update/update.go#L143 https://github.com/wolfi-dev/wolfictl/blob/4dd6c95abb4bc0f9306350a8601057bd7a92bded/pkg/update/deps/cleanup.go#L49 https://github.com/wolfi-dev/wolfictl/blob/6d99909f7b1aa23f732d84dad054b02a61f530e6/pkg/git/git.go#L22 https://github.com/wolfi-dev/wolfictl/commit/0d06e1578300327c212dda26a5ab31d09352b9d0 https://github.com/wolfi-dev/wolfictl/commit/403e93569f46766b4e26e06cf9cd0cae5ee0c2a2 https://github.com/wolfi-dev/wolfictl/security/advisor
• CWE-552: Files or Directories Accessible to External Parties
• CWE-668: Exposure of Resource to Wrong Sphere