CVE-2024-39700 – Remote Code Execution (RCE) vulnerability in jupyterlab extension template `update-integration-tests` GitHub Action
https://notcve.org/view.php?id=CVE-2024-39700
JupyterLab extension template is a `copier` template for JupyterLab extensions. Repositories created using this template with `test` option include `update-integration-tests.yml` workflow which has an RCE vulnerability. Extension authors hosting their code on GitHub are urged to upgrade the template to the latest version. Users who made changes to `update-integration-tests.yml`, accept overwriting of this file and re-apply your changes later. Users may wish to temporarily disable GitHub Actions while working on the upgrade. • https://github.com/LOURC0D3/CVE-2024-39700-PoC https://github.com/jupyterlab/extension-template/commit/035e78c1c65bcedee97c95bb683abe59c96bc4e6 https://github.com/jupyterlab/extension-template/security/advisories/GHSA-45gq-v5wm-82wg • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-6655 – Gtk3: gtk2: library injection from cwd
https://notcve.org/view.php?id=CVE-2024-6655
A flaw was found in the GTK library. Under certain conditions, it is possible for a library to be injected into a GTK application from the current working directory. • https://access.redhat.com/errata/RHSA-2024:6963 https://access.redhat.com/security/cve/CVE-2024-6655 https://bugzilla.redhat.com/show_bug.cgi?id=2297098 https://gitlab.gnome.org/GNOME/gtk/-/merge_requests/7361/diffs?commit_id=3bbf0b6176d42836d23c36a6ac410e807ec0a7a7#diff-content-e3fbe6480add9420b69f82374fb26ccac2c015a0 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-4143 – Certain HP PC products using AMI BIOS – Buffer Overflow
https://notcve.org/view.php?id=CVE-2024-4143
A potential security vulnerability has been identified in certain HP PC products using AMI BIOS, which might allow arbitrary code execution. • https://support.hp.com/us-en/document/ish_10914391-10914417-16/hpsbhf03953 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVE-2024-39915 – Authenticated remote code execution in Thruk
https://notcve.org/view.php?id=CVE-2024-39915
Thruk is a multibackend monitoring webinterface for Naemon, Nagios, Icinga and Shinken using the Livestatus API. This authenticated RCE in Thruk allows authorized users with network access to inject arbitrary commands via the URL parameter during PDF report generation. The Thruk web application does not properly process the url parameter when generating a PDF report. An authorized attacker with access to the reporting functionality could inject arbitrary commands that would be executed when the script /script/html2pdf.sh is called. The vulnerability can be exploited by an authorized user with network access. • https://github.com/sni/Thruk/commit/7e7eb251e76718a07639c4781f0d959d817f173b https://github.com/sni/Thruk/security/advisories/GHSA-r7gx-h738-4w6f • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-36456 – Symantec Privileged Access Manager Remote Command Execution vulnerability
https://notcve.org/view.php?id=CVE-2024-36456
This vulnerability allows an unauthenticated attacker to achieve remote command execution on the affected PAM system by uploading a specially crafted PAM upgrade file. Esta vulnerabilidad permite a un atacante no autenticado lograr la ejecución remota de comandos en el sistema PAM afectado cargando un archivo de actualización de PAM especialmente manipulado. • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24678 • CWE-94: Improper Control of Generation of Code ('Code Injection') •