In GitLab CE/EE versions from 13.7 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2, a medium severity vulnerability, CVE-2024-8641, was detected. This vulnerability allows attackers holding a victim's CI_JOB_TOKEN to obtain a GitLab session token belonging to that victim. To fix this issue, users should upgrade GitLab CE/EE to version 17.1.7, 17.2.5, or 17.3.2. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-8641.
In GitLab versions from 16.9.7 to before 17.1.7, 17.2 to before 17.2.5, and 17.3 to before 17.3.2, a medium severity vulnerability, CVE-2024-8754, was detected. This vulnerability allows attackers to squat on accounts by linking arbitrary unclaimed provider identities when JWT authentication is configured. To address this issue, update to GitLab version 17.1.7 or later, 17.2.5 or later, or 17.3.2 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-8754.
In GitLab versions from 16.11 to before 17.1.7, from 17.2 to before 17.2.5, and from 17.3 to before 17.3.2, a high severity vulnerability, CVE-2024-8640, was detected. This vulnerability allows attackers to inject commands into a connected Cube server because of incomplete input filtering. To address this issue, update to GitLab version 17.1.7, 17.2.5, or 17.3.2, or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-8640.
In GitLab versions from 16.8 before 17.1.7, from 17.2 before 17.2.5, and from 17.3 before 17.3.2, a high severity vulnerability, CVE-2024-8635, was detected. This vulnerability allows attackers to make unauthorized requests to internal resources using a custom Maven Dependency Proxy URL. To address this issue, upgrade to GitLab version 17.1.7 or later, 17.2.5 or later, or 17.3.2 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-8635.
In GitLab EE versions 16.6 to 17.1.7, 17.2 to 17.2.5, and 17.3 to 17.3.2, a high severity vulnerability, CVE-2024-8631, was detected. This vulnerability allows users holding the Admin Group Member custom role to escalate their privileges to include other custom roles. To address this issue, users should upgrade GitLab EE to version 17.1.7, 17.2.5, or 17.3.2. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-8631.
In PostgreSQL versions before 16.4, 15.8, 14.13, 13.16, and 12.20, a high severity vulnerability, CVE-2024-7348, was detected. This vulnerability allows attackers to execute SQL functions as a superuser by exploiting a race condition, swapping an object with a view or foreign table during the backup process. To fix this problem, users should upgrade to version 16.4.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-7348.
In Discourse Calendar plugin versions prior to 0.5, a medium severity vulnerability, CVE-2024-45303, was detected. This vulnerability allows attackers to perform Cross-Site Scripting (XSS) attacks by exploiting dynamic calendar event names. The issue affects sites whose default Discourse Content Security Policy has been modified or disabled. To address this issue, users should update to version 0.5 of the Discourse Calendar plugin. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-45303.
In Zabbix versions 5.0.0 to 5.0.42, 6.0.0 to 6.0.30, 6.4.0 to 6.4.15, and 7.0.0alpha1 to 7.0.0rc2, a medium severity vulnerability, CVE-2024-22122, was detected. This vulnerability allows attackers to execute arbitrary AT commands on a modem through specially crafted input in the "Number" field during SMS notification configuration in Zabbix, due to the lack of validation on both the web interface and the server side. To fix this problem, users should upgrade Zabbix to versions 5.0.43rc1, 6.0.31rc1, 6.4.16rc1, or 7.0.0rc3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-22122.
In OpenStack Ironic versions before 21.4.3, from 22.0.0 to 23.0.2, from 23.1.0 to 24.1.2, and from 25.0.0 to 26.0.1, a medium severity vulnerability, CVE-2024-44082, was detected. This vulnerability allows attackers to supply crafted images to OpenStack Ironic that trigger undesired behaviors in qemu-img, leading to unauthorized access to potentially sensitive data. To fix this problem, users should upgrade OpenStack Ironic to versions 21.4.3, 23.0.2, 24.1.2, or 26.0.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-44082.