#git

Red Hat Security Advisory 2024-3369-03 - An update is now available for Red Hat OpenShift GitOps v1.10.6 to address the CVE-2024-31989, Unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section.

Red Hat Security Advisory 2024-3368-03 - An update is now available for Red Hat OpenShift GitOps v1.12.3 to address the CVE-2024-31989, Unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section.

### Impact Attackers can exploit the vulnerability to read and delete files and folders from an arbitrary, writable directory as anyone can set the output folder when submitting the request via the `outputFolder` option. ### Patches The issue was fixed via https://github.com/OpenAPITools/openapi-generator/pull/18652 (included in v7.6.0 release) by removing the usage of the `outputFolder` option. ### Workarounds No workaround available. ### References No other reference available.

A moderate severity security vulnerability has been identified in the Kaminari pagination library for Ruby on Rails, concerning insecure file permissions. This advisory outlines the vulnerability, affected versions, and provides guidance for mitigation. ### Impact This vulnerability is of moderate severity due to the potential for unauthorized write access to particular Ruby files managed by the library. Such access could lead to the alteration of application behavior or data integrity issues. ### Resolution Those who use the `gem install` command, such as `gem install kaminari -v 0.16.1`, `gem unpack kaminari -v 0.16.1`, or `bundle install` to download the package would **_not_** be affected and no action is required. Those who manually download and decompressing the affected versions are advised to update to 0.16.2 or later version of Kaminari where file permissions have been adjusted to enhance security. ### Workarounds If upgrading is not feasible immediately, manually adju...

By Cyber Newswire Cary, United States, 28th May 2024, CyberNewsWire This is a post from HackRead.com Read the original post: INE Security Enables CISOs to Secure Board Support for Cybersecurity Training

By Cyber Newswire Cary, United States, 28th May 2024, CyberNewsWire This is a post from HackRead.com Read the original post: INE Security Enables CISOs to Secure Board Support for Cybersecurity Training

The GraphQL controller lacked any CSRF protection, meaning authenticated users could be forced or tricked into visiting a URL that would send a GET request to the affected web server that could mutate or destroy data without the user knowing.

A potential SQL injection vulnerability was identified by using the silverstripe/postgresql database adapter. While unlikely to be exploitable, we have patched silverstripe/framework to ensure that table names are safely escaped before being passed to database adapters or user code.

A possible denial of service attack vector has been identified in the dev/build system controller. dev/build now has its own URL token, similar to flushtoken, to ensure users are authenticated when running dev/build outside of dev environments.

When running SilverStripe 3.7 or 4.x in dev mode with the mysqli database driver, there is a potential to disclose the connection details. We have blacklisted the sensitive parts of the connection information from being included in dev mode stack traces when database errors occur.