#vulnerability

### Impact A race condition in the Cilium agent can cause the agent to ignore labels that should be applied to a node. This could in turn cause CiliumClusterwideNetworkPolicies intended for nodes with the ignored label to not apply, leading to policy bypass. ### Patches This issue was fixed in https://github.com/cilium/cilium/pull/33511. This issue affects: - All versions of Cilium before v1.14.14 - Cilium v1.15 between v1.15.0 and v1.15.7 inclusive This issue has been patched in: - Cilium v1.14.14 - Cilium v1.15.8 ### Workarounds As the underlying issue depends on a race condition, users unable to upgrade can restart the Cilium agent on affected nodes until the affected policies are confirmed to be working as expected. ### Acknowledgements The Cilium community has worked together with members of Google and Isovalent to prepare these mitigations. Special thanks to @skmatti for raising and resolving this issue. ### For more information If you have any questions or comments ...

Stash up to v0.25.1 was discovered to contain a SQL injection vulnerability via the sort parameter.

Insecure Permissions vulnerability in xxl-job v.2.4.1 allows a remote attacker to execute arbitrary code via the Sub-Task ID component.

### Impact Possible vulnerability to XSS injection if .po dictionary definition files is corrupted ### Patches Update gettext.js to 2.0.3 ### Workarounds Make sure you control the origin of the definition catalog to prevent the use of this flaw in the definition of plural forms.

Voting Village co-founder Harri Hursti told Politico the list of vulnerabilities ran “multiple pages.”

Debian Linux Security Advisory 5749-1 - Chris Williams discovered a flaw in the handling of mounts for persistent directories in Flatpak, an application deployment framework for desktop apps. A malicious or compromised Flatpak app using persistent directories could take advantage of this flaw to access files outside of the sandbox.

LG Simple Editor versions 3.21.0 and below suffer from an unauthenticated command injection vulnerability. The vulnerability can be exploited by a remote attacker to inject arbitrary operating system commands which will get executed in the context of NT AUTHORITY\SYSTEM.

This Metasploit module exploits OpenMetadata versions 1.2.3 and below by chaining an API authentication bypass using JWT tokens along with a SpEL injection vulnerability to achieve arbitrary command execution.

This Metasploit module exploits CVE-2024-27348, a remote code execution vulnerability that exists in Apache HugeGraph Server in versions before 1.3.0. An attacker can bypass the sandbox restrictions and achieve remote code execution through Gremlin, resulting in complete control over the server.

Ubuntu Security Notice 6961-1 - It was discovered that BusyBox did not properly validate user input when performing certain arithmetic operations. If a user or automated system were tricked into processing a specially crafted file, an attacker could possibly use this issue to cause a denial of service, or execute arbitrary code. It was discovered that BusyBox incorrectly managed memory when evaluating certain awk expressions. An attacker could possibly use this issue to cause a denial of service, or execute arbitrary code. This issue only affected Ubuntu 24.04 LTS.