Our news and updates

In CPython versions before 3.12.0 a medium severity vulnerability CVE-2024-7592 was detected. This vulnerability allows attackers to send cookies that use backslashes, causing the system to use excessive CPU and slow down. To fix this problem, users should upgrade CPython to version 3.13.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-7592.

In Grafana versions 1.1.37 to 1.5.1 a critical severity vulnerability CVE-2024-5526 was detected. This vulnerability involves unsanitized inputs in the webhook functionality that can be exploited, allowing attackers to perform a Server Side Request Forgery attack. To fix this problem, users should upgrade Grafana OnCall to version 1.5.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-5526.

In Vault versions 1.16.7 and 1.17.3 a medium severity vulnerability CVE-2024-8365 was detected. This vulnerability allows plaintext client tokens and token accessors, which should have been securely hashed, to be stored directly in the audit logs, exposing sensitive information and potentially compromising security. To fix this issue, users should update Vault to versions 1.16.9 or 1.17.5. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-8365.

In OpenShift AI versions before 2.9 a high severity vulnerability CVE-2024-7557 was detected. This allows attackers to bypass authentication and escalate privileges, gaining unauthorized access to other AI models and APIs within the same namespace by exploiting exposed ServiceAccount tokens. To fix this problem, users should upgrade OpenShift AI to version 2.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-7557.

In Magento’s all versions a medium severity vulnerability CVE-2024-4812 was detected. This vulnerability allows storing malicious JavaScript code in the “Description” field of a user account, which can be executed when opening certain pages like Host Collections. To fix this issue, users must upgrade Magento to the latest version. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-4812.

In Magento Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, and 2.4.4-p8 a critical severity vulnerability CVE-2024-34102 was detected. This allows attackers to execute unauthorized code on the server or access sensitive information by sending malicious XML documents, without needing any user interaction. To fix this problem, users should upgrade Magento Adobe Commerce to version 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, and 2.4.4-p9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-34102.

In Apache Airflow Providers FAB versions 1.2.1 (when used with Apache Airflow 2.9.3), FAB 1.2.0 for all Airflow versions a critical severity vulnerability CVE-2024-42447 was detected. This vulnerability allows attackers to maintain access to the application even after the user attempts to log out by exploiting session persistence. To fix this issue, users who run Apache Airflow 2.9.3 are recommended to upgrade to Apache Airflow Providers FAB version 1.2.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-42447.

In WordPress versions up to 2.1.0 a medium severity vulnerability CVE-2024-7848 was detected. This vulnerability allows authenticated users, even with low-level access, to access other users’ private files due to improper validation. To fix this issue, users must upgrade WordPress to the latest version. For more details, visit: https://nvd.nist.gov/vuln/detail/CVE-2024-7848.

In Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 a medium severity vulnerability CVE-2024-40884 was detected. This vulnerability allows attackers with team admin access to disable the invite link for new members, even if they don’t have permission to add team members, which can interfere with team management and control. To fix this problem, users should upgrade Mattermost to versions 9.5.8 and 9.10.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-40884.