Our news and updates

In OpenShift environments using Aardvark-dns versions 1.12.0 and 1.12.1 a high severity vulnerability CVE-2024-8418 was detected. This vulnerability allows attackers to exploit serial processing of TCP DNS queries, causing a denial of service. Malicious clients can keep a TCP connection open indefinitely, leading to timeouts for other DNS queries and disrupting service for all containers using Aardvark-dns. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-8418.

In Flask-AppBuilder versions prior to 4.5.1 a low severity vulnerability CVE-2024-45314 was detected. This issue allows multiple users or processes to share computer resources, such as CPU, memory, or storage. When resources are shared, it increases the risk of interference and security vulnerabilities. To fix this issue, users must upgrade to version 4.5.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-45314.

In Rocket.Chat Electron desktop application versions through 6.3.4 a low severity vulnerability CVE-2024-45621 was detected. This vulnerability allows attackers to execute stored XSS via links in an uploaded file. The issue arises from the failure to use a separate browser when encountering third-party external actions from PDF documents. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-45621.

In Python versions before 3.13.0rc2 a medium severity vulnerability CVE-2024-6232 was detected. This vulnerability, affecting the CPython implementation, allows attackers to trigger ReDoS (Regular Expression Denial of Service) by using specifically-crafted tar archives. The issue occurs due to excessive backtracking during tarfile.TarFile header parsing. To address this issue, update to Python 3.13.0rc2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-6232.

In Keycloak versions <= 24.0.3 a medium severity vulnerability CVE-2024-4629 was detected. This vulnerability allows attackers to guess passwords more quickly than intended by exploiting delays in the system’s login attempts. To fix this problem, users should upgrade Keycloak to version 24.0.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-4629.

In Java Technology Edition versions 7.1.0.0 through 7.1.5.18 and 8.0.0.0 through 8.0.8.26 a medium severity vulnerability CVE-2024-27267 was detected. This vulnerability allows a remote denial of service, caused by a race condition in the management of ORB listener threads. To fix this issue, users must upgrade to the latest version. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-27267.

In Discourse a medium severity vulnerability CVE-2024-21658 was detected. This vulnerability allows a malicious actor to cause a Discourse instance to use excessive bandwidth and disk space. This issue has been patched in the main branch. To address this issue, users should upgrade to the latest version of Discourse. For more details, visit the https://nvd.nist.gov/vuln/detail/CVE-2024-21658.

In Lightdash version 0.1024.6 a high severity vulnerability CVE-2024-6586 has been detected. This vulnerability allows users with the necessary permissions to create and share dashboards containing HTML elements that can point to a threat actor-controlled source, which may trigger an SSRF request when exported via a POST request to /api/v1/dashboards//export. To fix this issue, users should upgrade to Lightdash version 0.1027.2. For more details, please visit the https://nvd.nist.gov/vuln/detail/CVE-2024-6586.

In Lightdash version 0.1024.6 a high severity vulnerability (CVE-2024-6585) was detected. This vulnerability allows attackers to inject malicious code into a website, potentially stealing user data or performing harmful actions in their browsers. To fix this problem, users should upgrade Lightdash to version 0.1042.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-6585.