#git

This is the same vulnerability as https://github.com/edgelesssys/contrast/security/advisories/GHSA-h5f8-crrq-4pw8. The original vulnerability had been fixed for release `v1.8.1`, but the fix was not ported to the main branch and thus not present in releases `v1.9.0` ff. Below is a brief repetition of the relevant sections from the first GHSA, where you can find the full details. ### Impact * [Workload secrets](https://docs.edgeless.systems/contrast/1.11/architecture/secrets#workload-secrets) are visible to Kubernetes users with `get` or `list` permission on `pods/logs`, and thus need to be considered compromised. * Since workload secrets are used for [encrypted storage](https://docs.edgeless.systems/contrast/1.11/howto/encrypted-storage) and [Vault integration](https://docs.edgeless.systems/contrast/1.11/howto/vault), those need to be considered compromised, too. ### Patches Patches: * https://github.com/edgelesssys/contrast/commit/5a5512c4af63c17bb66331e7bd2768a863b2f225 * https...

### Impact When visiting a specific URL, an anonymous user could cause the NodeJS server part of Volto to quit with an error. ### Patches The problem has been patched and the patch has been backported to Volto major versions down until 16. It is advised to upgrade to the latest patch release of your respective current major version: - Volto 16: [16.34.0](https://github.com/plone/volto/releases/tag/16.34.0) - Volto 17: [17.22.1](https://github.com/plone/volto/releases/tag/17.22.1) - Volto 18: [18.24.0](https://github.com/plone/volto/releases/tag/18.24.0) - Volto 19: [19.0.0-alpha4](https://github.com/plone/volto/releases/tag/19.0.0-alpha.4) ### Workarounds Make sure your setup automatically restarts processes that quit with an error. This won't prevent a crash, but it minimises downtime. ### Report The problem was discovered by FHNW, a client of Plone provider kitconcept, who shared it with the Plone Zope Security Team (security@plone.org).

A supply chain attack called “s1ngularity” on Nx versions 20.9.0-21.8.0 stole thousands of developer credentials. The attack targeted…

### Impact Under certain conditions, back end users may be able to edit fields of pages and articles without having the necessary permissions. ### Patches Update to Contao 5.3.38 or 5.6.1. ### Workarounds None. ### For more information If you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose).

### Impact If a news feed contains protected news archives, their news items are not filtered and become publicly available in the RSS feed. ### Patches Update to Contao 5.3.38 or 5.6.1. ### Workarounds Do not add protected news archives to the news feed page. ### For more information If you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose).

### Impact Protected content elements that are rendered as fragments are indexed and become publicly available in the front end search. ### Patches Update to Contao 4.13.56, 5.3.38 or 5.6.1. ### Workarounds Disable the front end search. ### For more information If you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose).

### Impact The table access voter in the back end doesn't check if a user is allowed to access the corresponding module. ### Patches Update to Contao 5.3.38 or 5.6.1. ### Workarounds Do not rely solely on the voter and additionally check `USER_CAN_ACCESS_MODULE`. ### For more information If you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose).

### Summary There is a potential attack of arbitrary code injection vulnerability in `lychee-setup` of the composite action at *action.yml*. ### Details The GitHub Action variable `inputs.lycheeVersion` can be used to execute arbitrary code in the context of the action. ### PoC ```yaml - uses: lycheeverse/lychee@v2 with: lycheeVersion: $(printenv >> $GITHUB_STEP_SUMMARY && echo "v0.16.1") ``` The previous example will just print all the environment variables to the summary of the workflow, but an attacker could potentially use this vector to compromise the security of the target repository, even passing unnotice because the action will run normally. ### Impact Low

Microsoft is rolling out a feature that defaults to saving your documents to the cloud. Consumers are divided.

### Impact A vulnerability exists in NeuVector versions up to and including **5.4.5**, where a fixed string is used as the default password for the built-in `admin` account. If this password is not changed immediately after deployment, any workload with network access within the cluster could use the default credentials to obtain an authentication token. This token can then be used to perform any operation via NeuVector APIs. In earlier versions, NeuVector supports setting the default (bootstrap) password for the `admin` account using a Kubernetes Secret named `neuvector-bootstrap-secret`. This Secret must contain a key named `bootstrapPassword`. However, if NeuVector fails to retrieve this value, it falls back to the fixed default password. ### Patches This issue is resolved in NeuVector version **5.4.6** and later. For rolling upgrades, it's strongly recommended to change the default `admin` password to a secure one. Starting from version **5.4.6**, NeuVector introduces addition...