Security
Headlines
HeadlinesLatestCVEs

Tag

#nginx

CVE-2023-5043: CVE-2023-5043: Ingress nginx annotation injection causes arbitrary command execution · Issue #10571 · kubernetes/ingress-nginx

Ingress nginx annotation injection causes arbitrary command execution.

CVE
Open in Source
#vulnerability#kubernetes#nginx
CVE-2023-45990: WenwenAiCms Vulnerability Testing · Issue #2 · PwnCYN/Wenwenai

Insecure Permissions vulnerability in WenwenaiCMS v.1.0 allows a remote attacker to escalate privileges.

Red Hat Security Advisory 2023-5715-01

Red Hat Security Advisory 2023-5715-01 - An update for the nginx:1.20 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5712-01

Red Hat Security Advisory 2023-5712-01 - An update for the nginx:1.20 module is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

GHSA-9wmc-rg4h-28wv: github.com/kumahq/kuma affected by CVE-2023-44487

### Impact Envoy and Go HTTP/2 protocol stack is vulnerable to the "Rapid Reset" class of exploits, which send a sequence of HEADERS frames optionally followed by RST_STREAM frames. This can be exercised if you use the builtin gateway and receive untrusted http2 traffic. ### Patches https://github.com/kumahq/kuma/pull/8023 https://github.com/kumahq/kuma/pull/8001 https://github.com/kumahq/kuma/pull/8034 ### Workarounds Disable http2 on the gateway listener with a MeshProxyPatch or ProxyTemplate. ### References https://github.com/advisories/GHSA-qppj-fm5r-hxr3 https://github.com/golang/go/issues/63417 https://github.com/envoyproxy/envoy/security/advisories/GHSA-jhv4-f7mr-xx76 https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/?sf269548684=1 https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge

Warning: Unpatched Cisco Zero-Day Vulnerability Actively Targeted in the Wild

Cisco has warned of a critical, unpatched security flaw impacting IOS XE software that’s under active exploitation in the wild. Rooted in the web UI feature, the zero-day vulnerability is assigned as CVE-2023-20198 and has been assigned the maximum severity rating of 10.0 on the CVSS scoring system. It’s worth pointing out that the shortcoming only affects enterprise networking gear that have

CVE-2023-44388: Malicious requests can fill up the log files resulting in a DoS on the server

Discourse is an open source platform for community discussion. A malicious request can cause production log files to quickly fill up and thus result in the server running out of disk space. This problem has been patched in the 3.1.1 stable and 3.2.0.beta2 versions of Discourse. It is possible to temporarily work around this problem by reducing the `client_max_body_size nginx directive`. `client_max_body_size` will limit the size of uploads that can be uploaded directly to the server.

Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerability

Cisco has identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198) when exposed to the internet or untrusted networks.