Our news and updates

In GitLab EE versions starting from 17.3 before 17.3.7, starting from 17.4 before 17.4.4 and starting from 17.5 before 17.5.2 a medium severity vulnerability CVE-2024-10240 was detected. This vulnerability allows unauthenticated users to access details about merge requests (MR) in a private project under specific conditions. To fix this issue, users are advised to upgrade GitLab EE to versions 17.6.1, 17.5.3, or 17.4.5. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-10240.

In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, and 8.3.* before 8.3.14 a medium severity vulnerability CVE-2024-11233 was detected. This vulnerability allows attackers to exploit an error in the convert.quoted-printable-decode filter, leading to a buffer overread by one byte. In certain cases, this can cause crashes or disclose content from other memory areas. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-11233.

In Sentry version 24.11.0 a medium severity vulnerability CVE-2024-53253 was detected. A specific error message could expose a plaintext Client ID and Client Secret in the HTTP response. This issue affects self-hosted users with custom integrations. To address this issue, upgrade to the latest version or downgrade to 24.10.0. For Sentry SaaS users, no action is needed as the issue was resolved. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-53253.

In OpenShift version 4 a medium severity vulnerability CVE-2024-6538 was detected. A Server Side Request Forgery (SSRF) attack can occur if an attacker provides a URL for the server to query. This allows the attacker to perform arbitrary HTTP requests, potentially disclosing information or impacting other services within the cluster. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-6538.

In Ansible Automation Platform version 2 a medium severity vulnerability CVE-2024-11483 was detected. Attackers can escalate privileges by misusing read-scoped OAuth2 (Open Authorization 2.0) tokens to gain write access, affecting API endpoints using ansible_base.oauth2_provider. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-11483.

In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, and 8.3.* before 8.3.14 a medium severity vulnerability CVE-2024-11234 was detected. This vulnerability allows attackers to perform HTTP request smuggling due to improper sanitization of the URI when using streams with a proxy and the “request_fulluri” option. This could allow attackers to send arbitrary requests from the server, potentially accessing restricted resources. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-11234.

In Authentik versions prior to 2024.8.5 a medium severity vulnerability CVE-2024-52307 was detected. This vulnerability allows attackers to brute-force the SECRET_KEY, which secures the /-/metrics/ endpoint, due to a flaw in how comparisons are done. To fix this issue, users need to update to versions 2024.8.5 or 2024.10.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-52307.

In Authentik versions prior to 2024.8.5 a high severity vulnerability CVE-2024-52289 was detected. This vulnerability allows attackers to bypass redirect URI validation and potentially redirect users to malicious websites. To fix this issue, users should upgrade Authentik to versions 2024.8.5 and 2024.10.3. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-52289.

In InfluxDB versions through 2.7.10 a high severity vulnerability CVE-2024-30896 was detected. This vulnerability allows administrators with high-level access to view sensitive authentication tokens, potentially exposing them to misuse. No patched version has been officially released at this time. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-30896.