CVSS: 3.3EPSS: 0%CPEs: 5EXPL: 0CVE-2021-3923 – kernel: stack information leak in infiniband RDMA
https://notcve.org/view.php?id=CVE-2021-3923
A flaw was found in the Linux kernel's implementation of RDMA over infiniband. An attacker with a privileged local account can leak kernel stack information when issuing commands to the /dev/infiniband/rdma_cm device node. While this access is unlikely to leak sensitive user information, it can be further used to defeat existing kernel protection mechanisms. A flaw was found in the Linux kernel's implementation of RDMA over infiniband. An attacker with a privileged local account can leak kernel stack information when issuing commands to the /dev/infiniband/rdma_cm device node. • https://bugzilla.redhat.com/show_bug.cgi?id=2019643 https://lore.kernel.org/all/20220204100036.GA12348%40kili https://access.redhat.com/security/cve/CVE-2021-3923 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 3.7EPSS: 0%CPEs: 3EXPL: 0CVE-2023-28858
https://notcve.org/view.php?id=CVE-2023-28858
redis-py before 4.5.3 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request in an off-by-one manner. NOTE: this CVE Record was initially created in response to reports about ChatGPT, and 4.3.6, 4.4.3, and 4.5.3 were released (changing the behavior for pipeline operations); however, please see CVE-2023-28859 about addressing data leakage across AsyncIO connections in general. • https://github.com/redis/redis-py/compare/v4.3.5...v4.3.6 https://github.com/redis/redis-py/compare/v4.4.2...v4.4.3 https://github.com/redis/redis-py/compare/v4.5.2...v4.5.3 https://github.com/redis/redis-py/issues/2624 https://github.com/redis/redis-py/pull/2641 https://openai.com/blog/march-20-chatgpt-outage • CWE-193: Off-by-one Error •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2023-28859
https://notcve.org/view.php?id=CVE-2023-28859
redis-py before 4.4.4 and 4.5.x before 4.5.4 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request. ... NOTE: the solutions for CVE-2023-28859 address data leakage across AsyncIO connections in general. • https://github.com/redis/redis-py/issues/2665 https://github.com/redis/redis-py/pull/2641 https://github.com/redis/redis-py/pull/2666 https://github.com/redis/redis-py/releases/tag/v4.4.4 https://github.com/redis/redis-py/releases/tag/v4.5.4 • CWE-459: Incomplete Cleanup •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-28444 – angular-server-side-configuration information disclosure vulnerability in monorepo with node.js backend
https://notcve.org/view.php?id=CVE-2023-28444
angular-server-side-configuration helps configure an angular application at runtime on the server or in a docker container via environment variables. angular-server-side-configuration detects used environment variables in TypeScript (.ts) files during build time of an Angular CLI project. The detected environment variables are written to a ngssc.json file in the output directory. During deployment of an Angular based app, the environment variables based on the variables from ngssc.json are inserted into the apps index.html (or defined index file). With version 15.0.0 the environment variable detection was widened to the entire project, relative to the angular.json file from the Angular CLI. In a monorepo setup, this could lead to environment variables intended for a backend/service to be detected and written to the ngssc.json, which would then be populated and exposed via index.html. This has NO IMPACT, in a plain Angular project that has no backend component. • https://github.com/kyubisation/angular-server-side-configuration/commit/d701f51260637a84ede278e248934e0437a7ff86 https://github.com/kyubisation/angular-server-side-configuration/releases/tag/v15.1.0 https://github.com/kyubisation/angular-server-side-configuration/security/advisories/GHSA-gwvm-vrp4-4pp5 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2022-41354 – ArgoCD: Authenticated but unauthorized users may enumerate Application names via the API
https://notcve.org/view.php?id=CVE-2022-41354
An information disclosure flaw was found in Argo CD. • http://argo.com https://github.com/argoproj/argo-cd/security/advisories/GHSA-2q5c-qw9c-fmvq https://github.com/chunklhit/cve/blob/master/argo/argo-cd/application_enumeration.md https://access.redhat.com/security/cve/CVE-2022-41354 https://bugzilla.redhat.com/show_bug.cgi?id=2167820 • CWE-203: Observable Discrepancy •