In Keycloak versions <= 24.0.3 a medium severity vulnerability CVE-2024-4629 was detected. This vulnerability allows attackers to guess passwords more quickly than intended by exploiting delays in the system’s login attempts. To fix this problem, users should upgrade Keycloak to version 24.0.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-4629.
In Vault versions 1.16.7 and 1.17.3, a medium severity vulnerability CVE-2024-8365 was detected. This vulnerability allows plaintext client tokens and token accessors, which should have been securely hashed, to be stored directly in the audit logs, exposing sensitive information and potentially compromising security. To fix this issue, users must update Vault to versions 1.16.9 or 1.17.5. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-8365.
In the Keycloak package, Undertow version 2.3.8-2, a high severity vulnerability CVE-2024-7885 was detected. Undertow’s vulnerability lets ProxyProtocolReadListener reuse the same StringBuilder for multiple requests, risking data leakage between them. This can cause errors, connection issues, and potential data exposure. There is no fixed version for Debian:unstable undertow. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-7885.
In Authentik versions >= 2024.6.0-rc1, < 2024.6.4 and < 2024.4.4, a high severity vulnerability CVE-2024-42490 was detected. The vulnerability allows attackers to potentially access sensitive information, like certificates and private keys, by exploiting endpoints without proper authentication or authorization checks. To fix this issue, users must update Authentik to versions 2024.6.4 or 2024.4.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-42490.
In Nextcloud Server versions 25.0.0 to 25.0.6 and 26.0.0 to 26.0.1 a low severity vulnerability CVE-2024-37314 was detected in the Nextcloud Photos app. This vulnerability allows users to remove photos from the albums of registered users. To address this issue, it is recommended to upgrade to Nextcloud Server version 25.0.7 or 26.0.2 and Nextcloud Enterprise Server version 25.0.7 or 26.0.2. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-37314.
In Nextcloud Server versions 27.1.9 and earlier a low severity vulnerability CVE-2024-37887 was detected. This vulnerability allows attackers to read private shared calendar events’ recurrence exceptions. To address this issue, it is recommended to upgrade to Nextcloud Server version 27.1.10, 28.0.6, or 29.0.1, and Nextcloud Enterprise Server to version 27.1.10, 28.0.6, or 29.0.1. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-37887.
In Nextcloud Server versions prior to 26.0.12, 27.1.7 and 28.0.3 a medium severity vulnerability CVE-2024-37884 was detected. This vulnerability allows malicious users to delete old versions of files they only have read permissions for. To address this issue, it is recommended to upgrade Nextcloud Server to version 26.0.12, 27.1.7, or 28.0.3, and Nextcloud Enterprise Server to the same versions. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-37884.
In Nextcloud Server versions prior to 26.0.12, 27.1.7 and 28.0.3 a medium severity vulnerability CVE-2024-37315 was detected. This vulnerability allows attackers with read-only access to restore older versions of a document if the files_versions app is enabled. To address this issue, it is recommended to upgrade Nextcloud Server to version 26.0.12, 27.1.7 or 28.0.3 and Nextcloud Enterprise Server to version 23.0.12.16, 24.0.12.12, 25.0.13.6, 26.0.12, 27.1.7 or 28.0.3. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-37315.
In Nextcloud Server a high severity vulnerability CVE-2024-37882 was detected. A recipient with read and share permissions can grant themselves additional permissions when resharing the item. To fix this issue, it is recommended to upgrade Nextcloud Server to version 26.0.13, 27.1.8, or 28.0.4, and Nextcloud Enterprise Server to the same versions. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-37882.