In Apache HTTP Server versions through 2.4.58, a low severity vulnerability, CVE-2023-38709, was detected. Weak input validation in Apache's core can allow malicious or exploitable backend systems or content generators to manipulate and split HTTP responses. For more information, visit https://avd.aquasec.com/nvd/2023/cve-2023-38709/.
In the MySQL Server product of Oracle MySQL, versions 8.0.34 and prior, a medium severity vulnerability, CVE-2024-21053, was detected. It allows a high-privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful exploitation can result in the unauthorized ability to cause a hang or crash of MySQL Server. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-21053/.
In NGINX Plus and NGINX OSS, a medium severity vulnerability, CVE-2024-32760, was detected. It allows attackers to use undisclosed HTTP/3 requests to cause NGINX worker processes to terminate. No fix is available yet. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-32760/.
In the 'bson' module of MongoDB, version 4.6.2, a medium severity vulnerability, CVE-2024-5629, was detected. It allows attackers to access application memory. No fix is available yet. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-5629/.
In Kanboard version 1.2.36, a high severity vulnerability, CVE-2024-36399, was detected. It allows attackers to take over any other project. To address this issue, users need to update to version 1.2.37. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-36399/.
In Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, and 8.1.x <= 8.1.12, a medium severity vulnerability, CVE-2024-36255, was detected. This flaw lets attackers run task commands as other users by creating fake post actions that trigger unexpected commands in any channel, because the web application does not properly validate user input. Currently, there is no fixed version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-36255/.
In NGINX Plus and NGINX OSS, a medium severity vulnerability, CVE-2024-34161, was detected. When HTTP/3 QUIC is in use and the network allows large volumes of data to flow, certain packets can trick NGINX into freeing memory it still needs. Update NGINX Plus or NGINX OSS to a fixed version that resolves the issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-34161.
In Argo CD, a medium severity vulnerability, CVE-2024-37152, was detected. It allows unauthorized access to sensitive settings via the /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern. The vulnerability is fixed in versions 2.11.3, 2.10.12, and 2.9.17. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-37152.
In Argo CD, a medium severity vulnerability, CVE-2024-36106, was detected. It allows authenticated users to enumerate cluster names via error messages. It is also possible to enumerate the names of projects with project-scoped clusters if the cluster names are known. This vulnerability is fixed in versions 2.11.3, 2.10.12, and 2.9.17. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-36106.