
CVSS: 9.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Netflix ConsoleMe allows Command Injection. This issue affects ConsoleMe: before 1.4.0. • https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2024-002.md • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSS: 9.9 • EPSS: 0% • CPEs: 1 • EXPL: 1

A path traversal issue potentially leading to remote code execution in Genie for all versions prior to 4.3.18. • https://github.com/JoeBeeton/CVE-2024-4701-POC https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2024-001.md • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 9.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

Dispatch is an open source security incident management tool. The server response includes the JWT Secret Key used for signing JWT tokens in the error message when the `Dispatch Plugin - Basic Authentication Provider` plugin encounters an error when attempting to decode a JWT token. Any Dispatch users who own their instance and rely on the `Dispatch Plugin - Basic Authentication Provider` plugin for authentication may be impacted, allowing for any account to be taken over within their own instance. This could be done by using the secret to sign attacker-crafted JWTs. If you think that you may be impacted, we strongly suggest that you rotate the secret stored in the `DISPATCH_JWT_SECRET` envvar in the `.env` file. • https://github.com/Netflix/dispatch/commit/b1942a4319f0de820d86b84a58ebc85398b97c70 https://github.com/Netflix/dispatch/pull/3695 https://github.com/Netflix/dispatch/releases/tag/latest https://github.com/Netflix/dispatch/security/advisories/GHSA-fv3x-67q3-6pg7 • CWE-209: Generation of Error Message Containing Sensitive Information

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

Netflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur. • https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238 https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2023-001.md https://vulncheck.com/advisories/netflix-lemur-weak-rng • CWE-330: Use of Insufficiently Random Values

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

A Python format string issue leading to information disclosure and potentially remote code execution in ConsoleMe for all versions prior to 1.2.2. • https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2022-001.md • CWE-134: Use of Externally-Controlled Format String