Our news and updates

In Jenkins versions 2.478 and earlier, and LTS 2.462.2 and earlier a medium severity vulnerability CVE-2024-47803 was detected. This vulnerability allows attackers to access multi-line secret values that are not redacted in error messages generated for form submissions involving the secretTextarea form field. To address this issue, users must upgrade to version 2.462.3 or 2.479. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-47803.

In Portainer versions earlier than 2.20.2 a high severity vulnerability CVE-2024-33662 was detected. This vulnerability allows attackers to exploit an improper use of an encryption algorithm in the AesEncrypt function. To address this issue, users must upgrade to version 2.20.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-33662.

In SQLite version 0.1.1 a critical severity vulnerability CVE-2024-46488 was detected. This vulnerability allows attackers to trigger a heap buffer overflow using a specially crafted file, potentially causing a system Denial of Service (DoS). To fix this issue, users should upgrade SQLite to version 0.1.3. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-46488.

In GitLab versions from 8.0 up to 16.4 a medium severity vulnerability CVE-2023-3441 was detected, allowing attackers to introduce unreviewed or malicious code into sensitive parts of a GitLab repository, which increases the risk of security breaches or data compromise. To fix this issue, users should upgrade to version 16.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2023-3441.

In OpenShift versions using the bind-propagation option in the Dockerfile RUN –mount instruction a medium severity vulnerability CVE-2024-9407 was detected. This vulnerability allows attackers to pass arbitrary parameters to the mount instruction. This issue can be exploited to mount sensitive directories from the host into a container during the build process and, in some cases, modify the contents of those mounted files. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-9407.

In OpenShift versions using FIPS OpenSSL a medium severity vulnerability CVE-2024-9355 was found. It allows attackers to return an uninitialized buffer in FIPS mode, leading to incorrect hash comparisons and the potential for a derived key to be all zeros. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-9355.

In Vault Community Edition versions from 1.7.7 up to 1.17.5 and Vault Enterprise from 1.7.7 up to 1.17.5, 1.16.9, and 1.15.14 a medium severity vulnerability CVE-2024-7594 was detected. This vulnerability allows attackers to authenticate as any user on the host by exploiting an SSH certificate requested by an authorized user, potentially leading to unauthorized access to sensitive resources and data. To fix this issue, users should upgrade Vault Community Edition to version 1.17.6 and Vault Enterprise to versions 1.17.6, 1.16.10, and 1.15.15 For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-7594.

In WordPress MDTF plugin versions up to, and including, 1.3.3.3 a high severity vulnerability CVE-2024-8623 was detected. This vulnerability allows attackers to execute arbitrary shortcodes due to improper validation of input values before running the `do_shortcode` function. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-8623.

In Rocket.Chat versions 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8 and earlier a medium severity vulnerability CVE-2024-46934 was detected. This vulnerability allows attackers to inject XSS payloads by exploiting the UpdateOTRAck method in Rocket.Chat. To fix this problem, users should upgrade to version 6.13.0, 6.12.1, and backported to 6.11.3, 6.10.6, 6.9.7, 6.8.7, and 6.7.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-46934.