Page 56 of 3715 results (0.017 seconds)

CVSS: 7.0EPSS: 0%CPEs: 5EXPL: 1

CVE-2023-27561 – runc: volume mount race condition (regression of CVE-2019-19921)

https://notcve.org/view.php?id=CVE-2023-27561

runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression. A flaw was found in runc. An attacker who controls the container image for two containers that share a volume can race volume mounts during container initialization by adding a symlink to the rootfs that points to a directory on the volume. • https://gist.github.com/LiveOverflow/c937820b688922eb127fb760ce06dab9 https://github.com/opencontainers/runc/issues/2197#issuecomment-1437617334 https://github.com/opencontainers/runc/issues/3751 https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ANUGDBJ7NBUMSUFZUSKU3ZMQYZ2Z3STN https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DHGVGGMKGZSJ7YO67TGGPFEHBYMS63VF https://lists.fedoraproject.org • CWE-41: Improper Resolution of Path Equivalence CWE-706: Use of Incorrectly-Resolved Name or Reference •

CVSS: 8.6EPSS: 0%CPEs: 5EXPL: 1

CVE-2022-4904 – c-ares: buffer overflow in config_sortlist() due to missing string length check

https://notcve.org/view.php?id=CVE-2022-4904

A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity. • https://bugzilla.redhat.com/show_bug.cgi?id=2168631 https://github.com/c-ares/c-ares/issues/496 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33LDNS6RPOPP36Z4MPWXALUQZXJCWJS2 https://security.gentoo.org/glsa/202401-02 https://access.redhat.com/security/cve/CVE-2022-4904 • CWE-20: Improper Input Validation CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-1284: Improper Validation of Specified Quantity in Input •

CVSS: 3.7EPSS: 0%CPEs: 9EXPL: 0

CVE-2022-41862 – postgresql: Client memory disclosure when connecting with Kerberos to modified server

https://notcve.org/view.php?id=CVE-2022-41862

In PostgreSQL, a modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. In certain conditions a server can cause a libpq client to over-read and report an error message containing uninitialized bytes. A flaw was found In PostgreSQL. A modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. In certain conditions, a server can cause a libpq client to over-read and report an error message containing uninitialized bytes. • https://bugzilla.redhat.com/show_bug.cgi?id=2165722 https://security.netapp.com/advisory/ntap-20230427-0002 https://www.postgresql.org/support/security/CVE-2022-41862 https://access.redhat.com/security/cve/CVE-2022-41862 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 7.6EPSS: 0%CPEs: 13EXPL: 0

CVE-2022-1274 – keycloak: HTML injection in execute-actions-email Admin REST API

https://notcve.org/view.php?id=CVE-2022-1274

A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users. • https://bugzilla.redhat.com/show_bug.cgi?id=2073157 https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725 https://herolab.usd.de/security-advisories/usd-2021-0033 https://access.redhat.com/security/cve/CVE-2022-1274 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •

CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0

CVE-2023-0923 – Odh-notebook-controller-container: missing authorization allows for file contents disclosure

https://notcve.org/view.php?id=CVE-2023-0923

A flaw was found in the Kubernetes service for notebooks in RHODS, where it does not prevent pods from other namespaces and applications from making requests to the Jupyter API. This flaw can lead to file content exposure and other issues. Se encontró una falla en el servicio Kubernetes para portátiles en RHODS, donde no impide que los pods de otros espacios de nombres y aplicaciones realicen solicitudes a la API de Jupyter. Esta falla puede provocar la exposición del contenido del archivo y otros problemas. • https://access.redhat.com/errata/RHSA-2023:0977 https://access.redhat.com/security/cve/CVE-2023-0923 https://bugzilla.redhat.com/show_bug.cgi?id=2171870 • CWE-862: Missing Authorization •