In the HTTP/1.1 client for Node.js (Undici), a low severity vulnerability, CVE-2024-30261, was detected. This vulnerability allows attackers to change a setting so that their forged requests look legitimate, letting them sneak in harmful alterations undetected. However, there is no confidentiality or availability impact. The issue is fixed in versions 5.28.4 and 6.11.1. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-30261/.
In GitLab Enterprise Edition versions before 16.8.6, as well as versions starting from 16.9 before 16.9.4, and from 16.10 before 16.10.2, a medium severity vulnerability, CVE-2023-6678, was detected. It allows attackers to crash the system by placing malicious content in a JUnit test report file. For more information, visit https://avd.aquasec.com/nvd/2023/cve-2023-6678/.
In GitLab CE/EE all versions starting from 16.7 before 16.8.6, from 16.9 before 16.9.4, and from 16.10 before 16.10.2, a high severity vulnerability, CVE-2024-2279, was detected. Through stored XSS (cross-site scripting), attackers could trick the system into executing harmful actions on behalf of other users without their knowledge. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-2279/.
In Vault and Vault Enterprise versions 1.14.0 and newer, a medium severity vulnerability, CVE-2024-2660, was detected. This vulnerability affects how Vault checks certificate status, potentially letting someone with network access use a fake certificate to gain unauthorized access. The issue is resolved in Vault version 1.16.0 and Vault Enterprise versions 1.16.1, 1.15.7, and 1.14.11. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-2660/.
In Ansible versions v3.0.0 to v3.10.6, a critical security vulnerability, CVE-2024-29202, was detected. This vulnerability allows attackers to steal sensitive data. To address this issue, users are advised to upgrade to v3.10.7. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-29202.
In Dolibarr, a critical security vulnerability, CVE-2024-29477, was detected. This vulnerability allows attackers to access your network and execute malicious code during installation. The issue is resolved in Dolibarr version 19.0.1 or newer. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-29477.
In Elasticsearch, a medium severity vulnerability, CVE-2024-23451, was detected. This vulnerability affects the API key-based security model for Remote Cluster Security 2.0. It allows a malicious user with a valid API key to read arbitrary documents from any index on a remote cluster. The issue is resolved in Elasticsearch version 8.13.0. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-23451.
In Apache Airflow package versions 2.8.2 to 2.8.4, a medium severity vulnerability, CVE-2024-29735, was detected. This vulnerability causes permission issues. The issue is resolved in Apache Airflow versions 2.8.4 or newer. As a workaround, avoid running as the root user, upgrade to a newer version, or adjust permissions in the Airflow config file. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-29735.
An information disclosure flaw was discovered in OpenShift Virtualization. The DownwardMetrics feature, enabled by default, exposes host metrics to virtual machine guests. This flaw could disclose limited host metrics to any guest in any namespace without explicit administrator approval.