CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2023-38496 – Apptainer's ineffective privileges drop when requesting container network
https://notcve.org/view.php?id=CVE-2023-38496
25 Jul 2023 — Apptainer is an open source container platform. Version 1.2.0-rc.2 introduced an ineffective privilege drop when requesting container network setup, therefore subsequent functions are called with root privileges, the attack surface is rather limited for users but an attacker could possibly craft a starter config to delete any directory on the host filesystems. A security fix has been included in Apptainer 1.2.1. There is no known workaround outside of upgrading to Apptainer 1.2.1. • https://github.com/apptainer/apptainer/pull/1523 • CWE-269: Improper Privilege Management CWE-271: Privilege Dropping / Lowering Errors •
CVSS: 10.0EPSS: 64%CPEs: 2EXPL: 1CVE-2023-3765 – Absolute Path Traversal in mlflow/mlflow
https://notcve.org/view.php?id=CVE-2023-3765
19 Jul 2023 — Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.5.0. • https://github.com/mlflow/mlflow/commit/6dde93758d42455cb90ef324407919ed67668b9b • CWE-36: Absolute Path Traversal •
CVSS: 10.0EPSS: 64%CPEs: 1EXPL: 1CVE-2023-2780 – Path Traversal: '\..\filename' in mlflow/mlflow
https://notcve.org/view.php?id=CVE-2023-2780
17 May 2023 — Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.3.1. • https://github.com/mlflow/mlflow/commit/fae77a525dd908c56d6204a4cef1c1c75b4e9857 • CWE-29: Path Traversal: '\..\filename' •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-30172
https://notcve.org/view.php?id=CVE-2023-30172
11 May 2023 — A directory traversal vulnerability in the /get-artifact API method of the mlflow platform up to v2.0.1 allows attackers to read arbitrary files on the server via the path parameter. • https://github.com/mlflow/mlflow/issues/7166 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 86%CPEs: 1EXPL: 1CVE-2023-2356 – Relative Path Traversal in mlflow/mlflow
https://notcve.org/view.php?id=CVE-2023-2356
28 Apr 2023 — Relative Path Traversal in GitHub repository mlflow/mlflow prior to 2.3.1. • https://github.com/mlflow/mlflow/commit/f73147496e05c09a8b83d95fb4f1bf86696c6342 • CWE-23: Relative Path Traversal •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2023-30549 – Unpatched extfs vulnerabilities are exploitable through suid-mode Apptainer
https://notcve.org/view.php?id=CVE-2023-30549
25 Apr 2023 — Apptainer is an open source container platform for Linux. There is an ext4 use-after-free flaw that is exploitable through versions of Apptainer < 1.1.0 and installations that include apptainer-suid < 1.1.8 on older operating systems where that CVE has not been patched. That includes Red Hat Enterprise Linux 7, Debian 10 buster (unless the linux-5.10 package is installed), Ubuntu 18.04 bionic and Ubuntu 20.04 focal. Use-after-free flaws in the kernel can be used to attack the kernel for denial of service an... • https://access.redhat.com/security/cve/cve-2022-1184 • CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 11EXPL: 0CVE-2022-46397
https://notcve.org/view.php?id=CVE-2022-46397
28 Mar 2023 — FP.io VPP (Vector Packet Processor) 22.10, 22.06, 22.02, 21.10, 21.06, 21.01, 20.09, 20.05, 20.01, 19.08, and 19.04 Generates a Predictable IV with CBC Mode. • https://lists.fd.io/g/security-announce/message/2 • CWE-329: Generation of Predictable IV with CBC Mode •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-1176 – Absolute Path Traversal in mlflow/mlflow
https://notcve.org/view.php?id=CVE-2023-1176
24 Mar 2023 — Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.2.2. • https://github.com/mlflow/mlflow/commit/63ef72aa4334a6473ce7f889573c92fcae0b3c0d • CWE-36: Absolute Path Traversal •
CVSS: 10.0EPSS: 93%CPEs: 1EXPL: 7CVE-2023-1177 – Path Traversal: '\..\filename' in mlflow/mlflow
https://notcve.org/view.php?id=CVE-2023-1177
24 Mar 2023 — Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.2.1. • https://github.com/iumiro/CVE-2023-1177-MLFlow • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-29: Path Traversal: '\..\filename' •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 1CVE-2023-23619 – Improper Control of Generation of Code ('Code Injection') in @asyncapi/modelina
https://notcve.org/view.php?id=CVE-2023-23619
26 Jan 2023 — Modelina is a library for generating data models based on inputs such as AsyncAPI, OpenAPI, or JSON Schema documents. Versions prior to 1.0.0 are vulnerable to Code injection. This issue affects anyone who is using the default presets and/or does not handle the functionality themself. This issue has been partially mitigated in version 1.0.0, with the maintainer's GitHub Security Advisory (GHSA) noting "It is impossible to fully guard against this, because users have access to the original raw information. H... • https://github.com/asyncapi/modelina/security/advisories/GHSA-4jg2-84c2-pj95 • CWE-94: Improper Control of Generation of Code ('Code Injection') •