Articles
Newsflash
22 May 2024 - Business and Enterprise Solutions - Mautic: AJAX Actions Allow Server-Side Request Forgery

In Mautic, a medium-severity vulnerability, CVE-2024-3448, was detected. It allows users with low privileges to improperly invoke certain AJAX actions, resulting in Server-Side Request Forgery. Attackers can exploit this to analyze the resulting error messages and conduct a port scan from the back-end. At the time of publication of the CVE no patch is available. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-3448/.

21 May 2024 - DevOps - Apache HTTP Server: Medium Severity Response Splitting Vulnerability

In Apache HTTP Server versions through 2.4.58, a medium-severity vulnerability, CVE-2024-24795, was detected. It allows attackers to inject malicious response headers into backend applications, which can lead to an HTTP desynchronization (response splitting) attack. This vulnerability is fixed in Apache HTTP Server 2.4.59. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-24795/.

20 May 2024 - DevOps - Apache HTTP Server: Denial-of-Service Risk via nghttp2 Library

In Apache HTTP Server versions apache2/2.4.56-1~deb11u2, apache2/2.4.58-1 and apache2/2.4.57-2, a high-severity vulnerability, CVE-2024-27316, was detected. When a client sends more data than the server is willing to accept, nghttp2 buffers the excess temporarily so that it can still respond correctly; a client that keeps sending excess data can exhaust nghttp2's memory and bring the server to a halt. The issue is fixed in version 2.4.59. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-27316/.

19 May 2024 - Project and Agile Management - Ansible: Information Disclosure via ANSIBLE_NO_LOG Configuration

In ansible-core version 2.14.13-1, a medium-severity vulnerability, CVE-2024-0690, was detected. The ANSIBLE_NO_LOG setting is not always honored, so tasks such as loops over items can still expose sensitive data, including decrypted secret values, in their output. The issue is fixed in version 2.16.5-1. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-0690/.

18 May 2024 - DevOps - Kubernetes: Potential Security Bypass in Service Account Secrets Policy

In Kubernetes, all versions before 1.20.5 and version 1.20.2-1, a low-severity vulnerability, CVE-2024-3177, was detected. Users may be able to bypass restrictions and access secrets they are not authorized to use when containers, including init and ephemeral containers, reference those secrets through the 'envFrom' field, despite policies intended to prevent this. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-3177/.

17 May 2024 - Communication and Collaboration - Mattermost: Denial of Service Risk due to Unrestricted User Preferences

In Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, and 8.1.x before 8.1.11, a medium-severity vulnerability, CVE-2024-28949, was detected. Failure to limit the number of user preferences allows attackers to send a large volume of them, taking control of a limited resource and exhausting available resources, which can cause a denial of service. Upgrading to version 8.1.11, 9.3.3, 9.4.4, 9.5.2, or 9.6.0 fixes this vulnerability. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-28949/.
