Security

In Keycloak versions <= 24.0.3 a medium severity vulnerability CVE-2024-4629 was detected. This vulnerability allows attackers to guess passwords more quickly than intended by exploiting delays in the system’s login attempts. To fix this problem, users should upgrade Keycloak to version 24.0.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-4629.

In Vault versions 1.16.7 and 1.17.3, a medium severity vulnerability CVE-2024-8365 was detected. This vulnerability allows plaintext client tokens and token accessors, which should have been securely hashed, to be stored directly in the audit logs, exposing sensitive information and potentially compromising security. To fix this issue, users must update Vault to versions 1.16.9 or 1.17.5. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-8365.

In the Keycloak package, Undertow version 2.3.8-2, a high severity vulnerability CVE-2024-7885 was detected. Undertow’s vulnerability lets ProxyProtocolReadListener reuse the same StringBuilder for multiple requests, risking data leakage between them. This can cause errors, connection issues, and potential data exposure. There is no fixed version for Debian:unstable undertow. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-7885.

In Authentik versions >= 2024.6.0-rc1, < 2024.6.4 < 2024.4.4, a high severity vulnerability CVE-2024-42490 was detected. The vulnerability allows attackers to potentially access sensitive information, like certificates and private keys, by exploiting endpoints without proper authentication or authorization checks. To fix this issue, users must update Authentik to versions 2024.6.4 or 2024.4.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-42490.

In Vault and Vault Enterprise versions prior to 1.17.1 and 1.16.5 a medium severity vulnerability CVE-2024-6468 was detected. This vulnerability allows attackers to avoid security barriers and gain access to protected user information. To fix this problem, users should upgrade Vault and Vault Enterprise to versions 1.17.2, 1.16.6, and 1.15.12. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-6468.

In OpenVPN version 2.6.10 a high severity vulnerability CVE-2024-28882 was detected. This vulnerability allows attackers, who already have access, to mess up the server’s ability to close connections. To fix this problem, users should upgrade OpenVPN to version 2.6.11. For more details, visit here.

In OpenVPN version 2.6.9 a high severity vulnerability CVE-2024-27459 was detected. This vulnerability allows attackers to gain higher system privileges by sending oversized messages, which can cause the service to malfunction and grant unauthorized access. To fix this problem, users should upgrade OpenVPN to version 2.6.10. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-27459.

In OpenVPN version 2.6.9, a high-severity vulnerability CVE-2024-24974 was detected. This vulnerability allows attackers to connect to and interact with this service, potentially gaining unauthorized access to the OpenVPN service. To fix this problem, users should upgrade OpenVPN to version 2.6.10. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-24974.

In OpenVPN versions 2.6.9 and earlier a high severity vulnerability CVE-2024-27903 was detected. The plug-ins on Windows can be loaded from any directory, which allows an attacker to load an arbitrary plug-in, enabling interaction with the privileged OpenVPN interactive service. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-27903.