[Developer Tools] In OpenShift versions from 2.6.7 through 2.8.13 a high severity vulnerability, CVE-2024-6508, was detected. A flaw in the OpenShift Console's OAuth2 protocol allows Cross-Site Request Forgery (CSRF) attacks because the state parameter is used improperly, which can lead to unauthorized access to accounts. The attack must be initiated from within the local network, and no exploit is available. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-6508.

[Application Development] In the CPython "zipfile" module versions from 3.0 through 3.13.0 a high severity vulnerability, CVE-2024-8088, was detected. The "zipfile.ZipFile" class is not affected; however, calling "zipfile.Path" methods such as "namelist()" or "iterdir()" on a malicious zip file can cause an infinite loop. Only programs that handle user-controlled zip archives are exposed. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-8088.

[Developer Tools] In GitLab versions starting from 12.5 before 17.1.6, from 17.2 before 17.2.4, and from 17.3 before 17.3.1 a medium severity vulnerability, CVE-2024-3127, was detected. Under certain conditions, unauthorized users might be able to bypass IP restrictions for groups via GraphQL and perform some group-level actions. To fix this problem, users should upgrade to version 17.1.6, 17.2.4, 17.3.1, or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-3127.

[Application Development] In Spring Boot versions 2.7.0 to 2.7.21, 3.0.0 to 3.0.16, 3.1.0 to 3.1.12, 3.2.0 to 3.2.8, and 3.3.0 to 3.3.2 a medium severity vulnerability, CVE-2024-38807, was detected. This vulnerability allows signature forgery: content that appears to have been signed by one signer has actually been signed by another. To fix this issue, users must upgrade Spring Boot to 2.7.22, 3.0.17, 3.1.13, 3.2.9, or 3.3.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-38807.

[Communication] In Mattermost Plugin Channel Export versions before 1.0.0 a medium severity vulnerability, CVE-2024-43105, was detected. This vulnerability allows attackers to overload the system by running the export command repeatedly, which can slow down or crash the server. To fix this problem, users should upgrade Mattermost Plugin Channel Export to version 1.0.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-43105.

[Developer Tools] In GitLab versions from 8.2 prior to 17.1.6, from 17.2 prior to 17.2.4, and from 17.3 prior to 17.3.1 a medium severity vulnerability, CVE-2024-6502, was detected. This vulnerability allows attackers to create a branch with the same name as a deleted tag. To fix this problem, users should upgrade GitLab to version 17.1.6, 17.2.4, or 17.3.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-6502.

[CMS] In Joomla versions 3.4.6-3.10.16-elts, 4.0.0-4.4.6, and 5.0.0-5.1.2 a low severity vulnerability, CVE-2024-27184, was detected. Because URLs are not checked carefully enough, it may not be clear whether a link leads to a safe, internal page or to an external, potentially risky site. To fix this problem, users should upgrade to version 3.10.17-elts, 4.4.7, or 5.1.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-27184.

[Data Analytics] In CKAN versions from 2.7.0 before 2.10.5 a high severity vulnerability, CVE-2024-41675, was detected. This vulnerability allows attackers to inject malicious scripts into the data displayed on a web page, which can lead to theft of user data, session hijacking, or redirection to harmful sites. To fix this issue, users must update CKAN to version 2.10.5 or 2.11.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-41675.

[Security] In Authentik versions from 2024.6.0-rc1 before 2024.6.4, and versions before 2024.4.4, a high severity vulnerability, CVE-2024-42490, was detected. The vulnerability allows attackers to access sensitive information, such as certificates and private keys, through endpoints that lack proper authentication or authorization checks. To fix this issue, users should update Authentik to version 2024.6.4 or 2024.4.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-42490.