Developer Tools

In Openshift Container Storage a high severity vulnerability CVE-2024-1394 was detected. A memory leak in Golang’s RSA encryption code can cause the system to run out of resources when given harmful data. This problem occurs in the `rsa.go` file at line 113 of the `github.com/golang-fips/openssl/openssl` package because the `pkey` and `ctx` variables aren’t properly released when there’s an error. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-1394.

In Zowe in Command Line Interface (CLI) a medium severity vulnerability CVE-2024-6833 was detected. This vulnerability allows local, privileged actors to store previously entered secure credentials in a plaintext file as part of an auto-init operation. To address this issue users should upgrade to version 7.23.5 or higher. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-6833.

In Kubernetes versions 1.27.15 and prior, 1.28.11 and prior, 1.29.6 and prior, 1.30.2 and prior a medium severity vulnerability CVE-2024-5321 was detected. This vulnerability allows attackers to modify contained logs. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-5321/.

In Zowe in Command Line Interface (CLI) a medium severity vulnerability CVE-2024-6916 was detected. This vulnerability allows local, privileged actors to display securely stored properties in cleartext within a terminal using the ‘–show-inputs-only’ flag. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-6916.

In Zowe in the API Mediation Layer (APIML) Spring Cloud Gateway a critical severity vulnerability CVE-2024-6834 was detected. This vulnerability allows a user to exploit Zowe’s client certificate to sign proxied requests, providing unauthorized access to endpoints that normally require internal client certificates. Consequently, an attacker can manage various components and intercept all communication, including user credentials. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-6834.

In Gitlab versions 17.0 to 17.1.2 a low severity vulnerability CVE-2024-5470 was detected. This vulnerability allows attackers to create project-level deploy tokens as guest users. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-5470/.

In GitLab CE/EE versions 17.0 to 17.0.3 and 17.1 to 17.1.1 a medium severity vulnerability CVE-2024-5257 was detected. A developer with the admin_compliance_framework role could change the URL for a group namespace. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-5257.

In GitLab CE/EE, all versions starting from 16.5 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2 a low severity vulnerability CVE-2024-2880 was detected. This vulnerability allows a user with admin_group_member custom role permission to ban group members. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-2880/.

In NetworkManager for Red Hat OpenShift Container Platform 4 a low severity vulnerability CVE-2024-6501 was detected. If a system has DEBUG logs on and an interface called eth1 with LLDP enabled, a hacker could send a bad LLDP packet, causing NetworkManager to crash and resulting in a denial of service. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-6501/.