Our news and updates

In GitLab versions from 13.9 before 17.0.6, from 17.1 before 17.1.4, and 17.2 before 17.2.2 a high severity vulnerability CVE-2024-7554 was detected. This allows attackers to potentially steal sensitive authentication information by exploiting the logging of access tokens during specific API requests. To fix this problem, users should upgrade GitLab to versions 17.0.6, 17.1.4 or 17.2.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-7554.

In GitLab versions from 1.0 before 17.0.6, from 17.1 before 17.1.4, and from 17.2 before 17.2.2 a medium severity vulnerability CVE-2024-5423 was detected. This allows attackers to overload the system and make it unavailable by consuming excessive resources through the Banzai pipeline. To fix this problem, users should upgrade GitLab to versions 17.0.6, 17.1.4 or 17.2.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-5423.

In Zabbix versions 6.0.30, 6.4.15 and 7.0.0 a critical severity vulnerability CVE-2024-36461 was detected. This allows attackers to overload the system and make it unavailable by consuming excessive resources through the Banzai pipeline. To fix this problem, users should upgrade Zabbix to versions 6.0.31rc1, 6.4.16rc1, and 7.0.1rc1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-36461.

In Zabbix versions from 5.0.0 prior to 5.0.42, 6.0.0 prior to 6.0.30, 6.4.0 prior to 6.4.15, and 7.0.0alpha1 prior to 7.0.0 a high severity vulnerability CVE-2024-36460 was detected. This vulnerability allows attackers to view and steal unprotected passwords directly from the audit log, potentially leading to unauthorized access and impersonation. To fix this problem, users should upgrade Zabbix to versions 5.0.43rc1, 6.0.31rc1, 6.4.16rc1 and 7.0.1rc1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-36461.

In Zabbix a critical severity vulnerability CVE-2024-22116 was detected. A restricted-permission admin can exploit the Monitoring Hosts script execution to run arbitrary code via the Ping script, risking infrastructure compromise. To address this issue users should upgrade to versions 6.4.16 RC1 or above, 7.0.0 RC3 or above. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-22116.

In GitLab versions 15.9 before 17.0.6, 17.1 to 17.1.4, 17.2 to 17.2.2 a medium severity vulnerability CVE-2024-7610 was detected. This vulnerability allows an attacker to cause catastrophic backtracking while parsing results from Elasticsearch. To address the issue, users should upgrade GitLab to version 17.2.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-7610.

In Nextcloud Server versions 27.1.9 and earlier a low severity vulnerability CVE-2024-37887 was detected. This vulnerability allows attackers to read private shared calendar events’ recurrence exceptions. To address this issue, it is recommended to upgrade to Nextcloud Server version 27.1.10, 28.0.6, or 29.0.1, and Nextcloud Enterprise Server to version 27.1.10, 28.0.6, or 29.0.1. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-37887.

In Nextcloud Server versions prior to 26.0.12, 27.1.7 and 28.0.3 a medium severity vulnerability CVE-2024-37884 was detected. This vulnerability allows malicious users to delete old versions of files they only have read permissions for. To address this issue, it is recommended to upgrade Nextcloud Server to version 26.0.12, 27.1.7, or 28.0.3, and Nextcloud Enterprise Server to the same versions. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-37884.

In Nextcloud Server versions prior to 26.0.12, 27.1.7 and 28.0.3 a medium severity vulnerability CVE-2024-37315 was detected. This vulnerability allows attackers with read-only access to restore older versions of a document if the files_versions app is enabled. To address this issue, it is recommended to upgrade to Nextcloud Server version to 26.0.12, 27.1.7 or 28.0.3 and the Nextcloud Enterprise Server versions to 23.0.12.16, 24.0.12.12, 25.0.13.6, 26.0.12, 27.1.7 or 28.0.3 For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-37315.