Vulnerabilities

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who are using CRDs to store Cilium state (the default configuration) and Wireguard transparent encryption, traffic to/from the Ingress and health endpoints is not encrypted. This issue affects Cilium v1.14 before v1.14.7 and has been patched in Cilium v1.14.7. There is no workaround to this issue.

This High severity Injection vulnerability was introduced in Assets Discovery 1.0 - 6.2.0 (all versions). <br /> <br /> Assets Discovery, which can be downloaded via Atlassian Marketplace, is a network scanning tool that can be used with or without an agent with Jira Service Management Cloud, Data Center or Server. It detects hardware and software that is connected to your local network and extracts detailed information about each asset. This data can then be imported into Assets in Jira Service Management to help you manage all of the devices and configuration items within your local network.<br /> <br /> This Injection vulnerability, with a CVSS Score of 7.2, allows an authenticated attacker to modify the actions taken by a system call which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.<br /> <br /> Atlassian recommends that Assets Discovery customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions<br /> <br /> See the release notes (https://confluence.atlassian.com/assetapps/assets-discovery-3-2-1-cloud-6-2-1-data_center-1333987182.html). You can download the latest version of Assets Discovery from the Atlassian Marketplace (https://marketplace.atlassian.com/apps/1214668/assets-discovery?hosting=datacenter&amp;tab=installation).<br /> <br /> This vulnerability was reported via our Penetration Testing program.

A malformed discovery packet sent by a malicious actor with preexisting access to the network could interrupt the functionality of device management and discovery.<br /> <br /> <br /> Affected Products:<br /> UniFi Access Points<br /> UniFi Switches<br /> UniFi LTE Backup<br /> UniFi Express (Only Mesh Mode, Router mode is not affected)<br /> <br /> <br /> Mitigation:<br /> Update UniFi Access Points to Version 6.6.55 or later.<br /> Update UniFi Switches to Version 6.6.61 or later.<br /> Update UniFi LTE Backup to Version 6.6.57 or later.<br /> Update UniFi Express to Version 3.2.5 or later.

Arbitrary Authentication Relay and Session Hijack vulnerabilities in the deprecated VMware Enhanced Authentication Plug-in (EAP) could allow a malicious actor that could trick a target domain user with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs).

Session Hijack vulnerability in Deprecated VMware Enhanced Authentication Plug-in could allow a malicious actor with unprivileged local access to a windows operating system can hijack a privileged EAP session when initiated by a privileged domain user on the same system.

Decidim is a participatory democracy framework. Starting in version 0.23.0 and prior to versions 0.27.5 and 0.28.0, the CSRF authenticity token check is disabled for the questionnaire templates preview. The issue does not imply a serious security thread as you need to have access also to the session cookie in order to see this resource. This URL does not allow modifying the resource but it may allow attackers to gain access to information which was not meant to be public. The issue is fixed in version 0.27.5 and 0.28.0. As a workaround, disable the templates functionality or remove all available templates.

Decidim is a participatory democracy framework. Starting in version 0.4.rc3 and prior to version 2.0.9 of the `devise_invitable` gem, the invites feature allows users to accept the invitation for an unlimited amount of time through the password reset functionality. This issue creates vulnerable dependencies starting in version 0.0.1.alpha3 and prior to versions 0.26.9, 0.27.5, and 0.28.0 of the `decidim,` `decidim-admin`, and `decidim-system` gems. When using the password reset functionality, the `devise_invitable` gem always accepts the pending invitation if the user has been invited. The only check done is if the user has been invited but the code does not ensure that the pending invitation is still valid as defined by the `invite_for` expiry period. Decidim sets this configuration to `2.weeks` so this configuration should be respected. The bug is in the `devise_invitable` gem and should be fixed there and the dependency should be upgraded in Decidim once the fix becomes available. `devise_invitable` to version `2.0.9` and above fix this issue. Versions 0.26.9, 0.27.5, and 0.28.0 of the `decidim,` `decidim-admin`, and `decidim-system` gems contain this fix. As a workaround, invitations can be cancelled directly from the database.

Decidim is a participatory democracy framework. Starting in version 0.27.0 and prior to versions 0.27.5 and 0.28.0, the dynamic file upload feature is subject to potential cross-site scripting attacks in case the attacker manages to modify the file names of the records being uploaded to the server. This appears in sections where the user controls the file upload dialogs themselves and has the technical knowledge to change the file names through the dynamic upload endpoint. Therefore I believe it would require the attacker to control the whole session of the particular user but in any case, this needs to be fixed. Successful exploit of this vulnerability would require the user to have successfully uploaded a file blob to the server with a malicious file name and then have the possibility to direct the other user to the edit page of the record where the attachment is attached. The users are able to craft the direct upload requests themselves controlling the file name that gets stored to the database. The attacker is able to change the filename e.g. to `` if they know how to craft these requests themselves. And then enter the returned blob ID to the form inputs manually by modifying the edit page source. Versions 0.27.5 and 0.28.0 contain a patch for this issue. As a workaround, disable dynamic uploads for the instance, e.g. from proposals.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> smb: client: fix potential OOBs in smb2_parse_contexts()<br /> <br /> Validate offsets and lengths before dereferencing create contexts in<br /> smb2_parse_contexts().<br /> <br /> This fixes following oops when accessing invalid create contexts from<br /> server:<br /> <br /> BUG: unable to handle page fault for address: ffff8881178d8cc3<br /> #PF: supervisor read access in kernel mode<br /> #PF: error_code(0x0000) - not-present page<br /> PGD 4a01067 P4D 4a01067 PUD 0<br /> Oops: 0000 [#1] PREEMPT SMP NOPTI<br /> CPU: 3 PID: 1736 Comm: mount.cifs Not tainted 6.7.0-rc4 #1<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS<br /> rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014<br /> RIP: 0010:smb2_parse_contexts+0xa0/0x3a0 [cifs]<br /> Code: f8 10 75 13 48 b8 93 ad 25 50 9c b4 11 e7 49 39 06 0f 84 d2 00<br /> 00 00 8b 45 00 85 c0 74 61 41 29 c5 48 01 c5 41 83 fd 0f 76 55 b7<br /> 7d 04 0f b7 45 06 4c 8d 74 3d 00 66 83 f8 04 75 bc ba 04 00<br /> RSP: 0018:ffffc900007939e0 EFLAGS: 00010216<br /> RAX: ffffc90000793c78 RBX: ffff8880180cc000 RCX: ffffc90000793c90<br /> RDX: ffffc90000793cc0 RSI: ffff8880178d8cc0 RDI: ffff8880180cc000<br /> RBP: ffff8881178d8cbf R08: ffffc90000793c22 R09: 0000000000000000<br /> R10: ffff8880180cc000 R11: 0000000000000024 R12: 0000000000000000<br /> R13: 0000000000000020 R14: 0000000000000000 R15: ffffc90000793c22<br /> FS: 00007f873753cbc0(0000) GS:ffff88806bc00000(0000)<br /> knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: ffff8881178d8cc3 CR3: 00000000181ca000 CR4: 0000000000750ef0<br /> PKRU: 55555554<br /> Call Trace:<br /> <br /> ? __die+0x23/0x70<br /> ? page_fault_oops+0x181/0x480<br /> ? search_module_extables+0x19/0x60<br /> ? srso_alias_return_thunk+0x5/0xfbef5<br /> ? exc_page_fault+0x1b6/0x1c0<br /> ? asm_exc_page_fault+0x26/0x30<br /> ? smb2_parse_contexts+0xa0/0x3a0 [cifs]<br /> SMB2_open+0x38d/0x5f0 [cifs]<br /> ? smb2_is_path_accessible+0x138/0x260 [cifs]<br /> smb2_is_path_accessible+0x138/0x260 [cifs]<br /> cifs_is_path_remote+0x8d/0x230 [cifs]<br /> cifs_mount+0x7e/0x350 [cifs]<br /> cifs_smb3_do_mount+0x128/0x780 [cifs]<br /> smb3_get_tree+0xd9/0x290 [cifs]<br /> vfs_get_tree+0x2c/0x100<br /> ? capable+0x37/0x70<br /> path_mount+0x2d7/0xb80<br /> ? srso_alias_return_thunk+0x5/0xfbef5<br /> ? _raw_spin_unlock_irqrestore+0x44/0x60<br /> __x64_sys_mount+0x11a/0x150<br /> do_syscall_64+0x47/0xf0<br /> entry_SYSCALL_64_after_hwframe+0x6f/0x77<br /> RIP: 0033:0x7f8737657b1e

Certain HP LaserJet Pro, HP Enterprise LaserJet, and HP LaserJet Managed Printers are potentially vulnerable to Remote Code Execution due to buffer overflow when rendering fonts embedded in a PDF file.

This High severity Stored XSS vulnerability was introduced in version 2.7.0 of Confluence Data Center.<br /> <br /> This Stored XSS vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary HTML or JavaScript code on a victims browser which has high impact to confidentiality, low impact to integrity, no impact to availability, and requires no user interaction.<br /> Data Center<br /> <br /> Atlassian recommends that Confluence Data Center customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions:<br /> ||Affected versions||Fixed versions||<br /> |from 8.7.0 to 8.7.1|8.8.0 recommended or 8.7.2|<br /> |from 8.6.0 to 8.6.1|8.8.0 recommended|<br /> |from 8.5.0 to 8.5.4 LTS|8.8.0 recommended or 8.5.5 LTS or 8.5.6 LTS|<br /> |from 8.4.0 to 8.4.5|8.8.0 recommended or 8.5.6 LTS|<br /> |from 8.3.0 to 8.3.4|8.8.0 recommended or 8.5.6 LTS|<br /> |from 8.2.0 to 8.2.3|8.8.0 recommended or 8.5.6 LTS|<br /> |from 8.1.0 to 8.1.4|8.8.0 recommended or 8.5.6 LTS|<br /> |from 8.0.0 to 8.0.4|8.8.0 recommended or 8.5.6 LTS|<br /> |from 7.20.0 to 7.20.3|8.8.0 recommended or 8.5.6 LTS|<br /> |from 7.19.0 to 7.19.17 LTS|8.8.0 recommended or 8.5.6 LTS or 7.19.18 LTS or 7.19.19 LTS|<br /> |from 7.18.0 to 7.18.3|8.8.0 recommended or 8.5.6 LTS or 7.19.19 LTS|<br /> |from 7.17.0 to 7.17.5|8.8.0 recommended or 8.5.6 LTS or 7.19.19 LTS|<br /> |Any earlier versions|8.8.0 recommended or 8.5.6 LTS or 7.19.19 LTS|<br /> Server<br /> <br /> Atlassian recommends that Confluence Server customers upgrade to the latest 8.5.x LTS version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions:<br /> <br />  <br /> ||Affected versions||Fixed versions||<br /> |from 8.5.0 to 8.5.4 LTS|8.5.5 LTS or 8.5.6 LTS recommended |<br /> |from 8.4.0 to 8.4.5|8.5.6 LTS recommended|<br /> |from 8.3.0 to 8.3.4|8.5.6 LTS recommended|<br /> |from 8.2.0 to 8.2.3|8.5.6 LTS recommended|<br /> |from 8.1.0 to 8.1.4|8.5.6 LTS recommended|<br /> |from 8.0.0 to 8.0.4|8.5.6 LTS recommended|<br /> |from 7.20.0 to 7.20.3|8.5.6 LTS recommended|<br /> |from 7.19.0 to 7.19.17 LTS|8.5.6 LTS recommended or 7.19.18 LTS or 7.19.19 LTS|<br /> |from 7.18.0 to 7.18.3|8.5.6 LTS recommended or 7.19.19 LTS|<br /> |from 7.17.0 to 7.17.5|8.5.6 LTS recommended or 7.19.19 LTS|<br /> |Any earlier versions|8.5.6 LTS recommended or 7.19.19 LTS|<br /> <br /> See the release notes ([https://confluence.atlassian.com/doc/confluence-release-notes-327.html]). You can download the latest version of Confluence Data Center from the download center ([https://www.atlassian.com/software/confluence/download-archives]).<br /> <br /> This vulnerability was reported via our Bug Bounty program.

An arbitrary file upload vulnerability in the component /sysFile/upload of Novel-Plus v4.3.0-RC1 allows attackers to execute arbitrary code via uploading a crafted file.