Developer Tools

In Openshift a medium severity vulnerability CVE-2024-0406 was detected. An issue has been identified where certain files, when unpacked from a tar file, could potentially grant unauthorized access or modify files with the user’s permission, so be cautious when extracting files from unknown sources. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-0406/.

In Kubernetes all versions before 1.20.5 and version 1.20.2-1 a low severity vulnerability CVE-2024-3177 was detected. When using Kubernetes, there is a security issue where users might bypass restrictions and access unauthorized secrets if containers, including init and ephemeral types, use the ‘envFrom’ field, despite policies meant to prevent this. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-3177/.

In Jenkins versions 2.441 and earlier a critical severity vulnerability CVE-2024-23897 was detected. Due to this bug, in LTS versions 2.426.2 and earlier, attackers gain access to any file on the Jenkins controller system by using a feature that interprets file paths preceded by the “@” character without requiring authentication. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-23897/.

In GitLab CE/EE versions 16.7.7 prior to 16.8.6, 16.9 prior to 16.9.4 and 16.10 prior to 16.10.2 a medium severity vulnerability CVE-2023-6489 was detected. Due to a bug in GitLab’s chat integration feature lets attackers overload the system, causing slowdowns and service interruptions. For more information, visit https://avd.aquasec.com/nvd/2023/cve-2023-6489/.

In GitLab CE/EE all versions starting from 16.9 before 16.9.4, and from 16.10 before 16.10.2 a high severity vulnerability CVE-2024-3092 was detected. This issue allows attackers to do things on someone else’s behalf by injecting a harmful code. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-3092/.

In GitLab Enterprise Edition versions before 16.8.6 as well as versions starting from 16.9 before 16.9.4, and from 16.10 before 16.10.2 a medium vulnerability CVE-2023-6678 was detected. It allows attackers to crash a system by putting harmful stuff in a junit test report file. For more information, visit https://avd.aquasec.com/nvd/2023/cve-2023-6678.

In GitLab CE/EE all versions starting from 16.7 to 16.8.6, from 16.9 before 16.9.4, and from 16.10 before 16.10.2 a high severity vulnerability CVE-2024-2279 was detected. Due to this vulnerability, attackers could trick the system into executing harmful actions on behalf of other users without their knowledge through a method called stored XSS (cross-site scripting). For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-2279.

In OpenShift Virtualization a medium security vulnerability CVE-2024-31419 was detected. This vulnerability allows attackers to disclose limited host metrics to any guest without administrator consent. The issue is resolved in version Container-native Virtualization 4.15.1. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-31419.

Argo CD users, a critical security flaw in specific versions demands immediate action to prevent unauthorized access. This vulnerability, tied to authentication mechanisms, could allow attackers to bypass login credentials. It’s found in certain session validation configurations, posing a significant risk of unauthorized changes or data access. Review your Argo CD version against official documentation to ensure you’re not vulnerable. Upgrading to the latest version is advised for enhanced security.