Developer Tools

In Jenkins versions 2.478 and earlier, and LTS 2.462.2 and earlier a medium severity vulnerability CVE-2024-47803 was detected. This vulnerability allows attackers to access multi-line secret values that are not redacted in error messages generated for form submissions involving the secretTextarea form field. To address this issue, users must upgrade to version 2.462.3 or 2.479. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-47803.

In Portainer versions earlier than 2.20.2 a high severity vulnerability CVE-2024-33662 was detected. This vulnerability allows attackers to exploit an improper use of an encryption algorithm in the AesEncrypt function. To address this issue, users must upgrade to version 2.20.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-33662.

In GitLab versions from 8.0 up to 16.4 a medium severity vulnerability CVE-2023-3441 was detected, allowing attackers to introduce unreviewed or malicious code into sensitive parts of a GitLab repository, which increases the risk of security breaches or data compromise. To fix this issue, users should upgrade to version 16.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2023-3441.

In OpenShift versions using the bind-propagation option in the Dockerfile RUN –mount instruction a medium severity vulnerability CVE-2024-9407 was detected. This vulnerability allows attackers to pass arbitrary parameters to the mount instruction. This issue can be exploited to mount sensitive directories from the host into a container during the build process and, in some cases, modify the contents of those mounted files. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-9407.

In OpenShift versions using FIPS OpenSSL a medium severity vulnerability CVE-2024-9355 was found. It allows attackers to return an uninitialized buffer in FIPS mode, leading to incorrect hash comparisons and the potential for a derived key to be all zeros. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-9355.

In GitLab versions starting from 16.0 prior to 17.2.8, 17.3 prior to 17.3.4, and 17.4 prior to 17.4.1 a medium severity vulnerability CVE-2024-4099 was detected. This vulnerability allows attackers to exploit an AI feature in GitLab to inject malicious content, potentially compromising the integrity of the system. To fix this issue, users should upgrade GitLab to versions 17.2.8, 17.3.4, or 17.4.1. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-4099.

In Maven Archetype Plugin versions from 3.2.1 before 3.3.0 a medium severity vulnerability CVE-2024-47197 was detected. This vulnerability allows attackers to gain access to sensitive information, including user credentials, stored insecurely in the archetype-settings.xml file. To fix this issue, users must upgrade to version 3.3.0. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-47197.

In GitLab Enterprise Edition versions starting from 16.5 and prior to 17.2.8, from 17.3 and prior to 17.3.4, and from 17.4 and prior to 17.4.1 a medium severity vulnerability CVE-2024-4278 was detected. This vulnerability allows a maintainer to obtain a Dependency Proxy password by editing specific settings. To address this issue, it is recommended to update to versions 17.2.8, 17.3.4, or 17.4.1 or higher. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-4278.

In OpenShift environments using QEMU NBD Server versions a high severity vulnerability CVE-2024-7409 was detected. This vulnerability allows attackers to perform a denial of service (DoS) attack by exploiting improper synchronization during socket closure when a client keeps a socket open as the server is taken offline. Currently, there is no fix version for that issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-7409.