A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use a newline character to bypass the sanitization of the `spec.rules[].http.paths[].path` field of an Ingress object (in the `networking.k8s.io` or `extensions` API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.
Category Archives: Advisories
CVE-2021-25749
Windows workloads can run as ContainerAdministrator even when those workloads set the runAsNonRoot option to true.
USN-6106-1: calamares-settings-ubuntu vulnerability
It was discovered that calamares-settings-ubuntu allowed creating the first
user with a blank password, contrary to expectations.
USN-6105-1: ca-certificates update
The ca-certificates package contained outdated CA certificates. This update
refreshes the included certificates to those contained in the 2.60 version
of the Mozilla certificate authority bundle.
USN-6104-1: PostgreSQL vulnerabilities
Alexander Lakhin discovered that PostgreSQL incorrectly handled certain
CREATE privileges. An authenticated user could possibly use this issue to
execute arbitrary code as the bootstrap supervisor. (CVE-2023-2454)
Wolfgang Walther discovered that PostgreSQL incorrectly handled certain row
security policies. An authenticated user could possibly use this issue to
complete otherwise forbidden reads and modifications. (CVE-2023-2455)
c-ares-1.19.1-1.fc38
FEDORA-2023-520848815b
Packages in this update:
c-ares-1.19.1-1.fc38
Update description:
Update to 1.19.1. Fixes CVE-2023-32067, CVE-2023-31130, CVE-2023-31147, CVE-2023-31124
c-ares-1.19.1-1.fc37
FEDORA-2023-ae97529c00
Packages in this update:
c-ares-1.19.1-1.fc37
Update description:
Update to 1.19.1. Fixes CVE-2023-32067, CVE-2023-31130, CVE-2023-31147, CVE-2023-31124
USN-6103-1: JSON Schema vulnerability
It was discovered that JSON Schema incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to exploit
JavaScript runtimes and cause a denial of service or execute arbitrary code.
USN-6102-1: xmldom vulnerabilities
It was discovered that xmldom incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to cause
unexpected syntactic changes during XML processing. This issue only affected
Ubuntu 20.04 LTS. (CVE-2021-21366)
It was discovered that xmldom incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to cause a
denial of service. (CVE-2022-37616, CVE-2022-39353)
USN-6074-3: Firefox regressions
USN-6074-1 fixed vulnerabilities and USN-6074-2 fixed minor regressions in
Firefox. The update introduced several minor regressions. This update fixes
the problem.
We apologize for the inconvenience.
Original advisory details:
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2023-32205,
CVE-2023-32207, CVE-2023-32210, CVE-2023-32211, CVE-2023-32212,
CVE-2023-32213, CVE-2023-32215, CVE-2023-32216)
Irvan Kurniawan discovered that Firefox did not properly manage memory
when using RLBox Expat driver. An attacker could potentially exploits this
issue to cause a denial of service. (CVE-2023-32206)
Anne van Kesteren discovered that Firefox did not properly validate the
import() call in service workers. An attacker could potentially exploits
this to obtain sensitive information. (CVE-2023-32208)
Sam Ezeh discovered that Firefox did not properly handle certain favicon
image files. If a user were tricked into opening a malicicous favicon file,
an attacker could cause a denial of service. (CVE-2023-32209)