Security
Headlines
HeadlinesLatestCVEs

Tag

#mac

GHSA-f4p5-x4vc-mh4v: Improper use of metav1.Duration allows for Denial of Service

Flux controllers within the affected versions range are vulnerable to a denial of service attack. Users that have permissions to change Flux’s objects, either through a Flux source or directly within a cluster, can provide invalid data to fields `.spec.interval` or `.spec.timeout` (and structured variations of these fields), causing the entire object type to stop being processed. The issue has two root causes: a) the Kubernetes type `metav1.Duration` not being fully compatible with the Go type `time.Duration` as explained on [upstream report](https://github.com/kubernetes/apimachinery/issues/131); b) lack of validation within Flux to restrict allowed values. ### Workarounds Admission controllers can be employed to restrict the values that can be used for fields `.spec.interval` and `.spec.timeout`, however upgrading to the latest versions is still the recommended mitigation. ### Credits This issue was reported by Alexander Block (@codablock) through the Flux security mailing list ...

ghsa
Open in Source
#vulnerability#mac#dos#git#kubernetes
CVE-2022-43022: opencats_zero-days/SQLI_tag_deletion.md at main · hansmach1ne/opencats_zero-days

OpenCATS v0.9.6 was discovered to contain a SQL injection vulnerability via the tag_id variable in the Tag deletion function.

CVE-2022-43021: opencats_zero-days/SQLI_JobOrders.md at main · hansmach1ne/opencats_zero-days

OpenCATS v0.9.6 was discovered to contain a SQL injection vulnerability via the entriesPerPage variable.

CVE-2022-43020: opencats_zero-days/SQLI_in_Tag_Updates.md at main · hansmach1ne/opencats_zero-days

OpenCATS v0.9.6 was discovered to contain a SQL injection vulnerability via the tag_id variable in the Tag update function.

CVE-2022-43019: opencats_zero-days/RCE_via_deserialisation.md at main · hansmach1ne/opencats_zero-days

OpenCATS v0.9.6 was discovered to contain a remote code execution (RCE) vulnerability via the getDataGridPager's ajax functionality.

CVE-2022-43023: opencats_zero-days/SQLI_imports_errors.md at main · hansmach1ne/opencats_zero-days

OpenCATS v0.9.6 was discovered to contain a SQL injection vulnerability via the importID parameter in the Import viewerrors function.

CVE-2022-43017: opencats_zero-days/XSS_in_indexFile.md at main · hansmach1ne/opencats_zero-days

OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the indexFile component.

CVE-2022-43014: opencats_zero-days/XSS_in_joborderID.md at main · hansmach1ne/opencats_zero-days

OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the joborderID parameter.

CVE-2022-43015: opencats_zero-days/XSS_in_entriesPerPage.md at main · hansmach1ne/opencats_zero-days

OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the entriesPerPage parameter.

CVE-2022-43018: opencats_zero-days/XSS_in_checkEmail.md at main · hansmach1ne/opencats_zero-days

OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the email parameter in the Check Email function.