From 5a8f8065747f950234c6f8f4807df0bb61a7a82d Mon Sep 17 00:00:00 2001
From: frederickjoi <153292280+frederickjoi@users.noreply.github.com>
Date: Tue, 17 Sep 2024 07:37:45 -0700
Subject: [PATCH] docs: 9-15-24 palette cve updates (#3930)

* 9-15-24 palette cve updates

* ci: auto-formatting prettier issues

* chore: fixed symbol issues

* chore: fix redirect

* chore: vale fixes

---------

Co-authored-by: frederickjoi
Co-authored-by: Karl Cardenas
(cherry picked from commit 8fe8d40d7a54c4180b4ac4d014807a5a6f8f168f)
---
 .../adding-add-on-packs.md | 2 +-
 .../reports/cve-2019-9936.md | 2 +-
 .../reports/cve-2022-28357.md | 46 +++++++++++++++
 .../reports/cve-2022-28948.md | 43 ++++++++++++++
 .../reports/cve-2022-41724.md | 45 ++++++++++++++
 .../reports/cve-2022-41725.md | 59 +++++++++++++++++++
 .../reports/cve-2022-45061.md | 7 ++-
 .../reports/cve-2022-48560.md | 7 ++-
 .../reports/cve-2022-48565.md | 8 ++-
 .../reports/cve-2023-24329.md | 5 +-
 .../reports/cve-2023-24534.md | 47 +++++++++++++++
 .../reports/cve-2023-24536.md | 56 ++++++++++++++++++
 .../reports/cve-2023-24537.md | 43 ++++++++++++++
 .../reports/cve-2023-24538.md | 51 ++++++++++++++++
 .../reports/cve-2023-24539.md | 44 ++++++++++++++
 .../reports/cve-2023-24540.md | 49 +++++++++++++++
 .../reports/cve-2023-29400.md | 49 +++++++++++++++
 .../reports/cve-2023-29403.md | 46 +++++++++++++++
 .../reports/cve-2023-45287.md | 46 +++++++++++++++
 .../reports/cve-2023-52356.md | 44 ++++++++++++++
 .../reports/cve-2024-0743.md | 46 +++++++++++++++
 .../reports/cve-2024-21626.md | 2 +-
 .../reports/cve-2024-32002.md | 52 ++++++++++++++++
 .../reports/cve-2024-3651.md | 8 ++-
 .../reports/cve-2024-6232.md | 8 ++-
 .../security-bulletins/reports/reports.md | 16 +++++
 redirects.js | 1 -
 27 files changed, 819 insertions(+), 13 deletions(-)
 create mode 100644 docs/docs-content/security-bulletins/reports/cve-2022-28357.md
 create mode 100644 docs/docs-content/security-bulletins/reports/cve-2022-28948.md
 create mode 100644 docs/docs-content/security-bulletins/reports/cve-2022-41724.md
 create mode 100644
docs/docs-content/security-bulletins/reports/cve-2022-41725.md create mode 100644 docs/docs-content/security-bulletins/reports/cve-2023-24534.md create mode 100644 docs/docs-content/security-bulletins/reports/cve-2023-24536.md create mode 100644 docs/docs-content/security-bulletins/reports/cve-2023-24537.md create mode 100644 docs/docs-content/security-bulletins/reports/cve-2023-24538.md create mode 100644 docs/docs-content/security-bulletins/reports/cve-2023-24539.md create mode 100644 docs/docs-content/security-bulletins/reports/cve-2023-24540.md create mode 100644 docs/docs-content/security-bulletins/reports/cve-2023-29400.md create mode 100644 docs/docs-content/security-bulletins/reports/cve-2023-29403.md create mode 100644 docs/docs-content/security-bulletins/reports/cve-2023-45287.md create mode 100644 docs/docs-content/security-bulletins/reports/cve-2023-52356.md create mode 100644 docs/docs-content/security-bulletins/reports/cve-2024-0743.md create mode 100644 docs/docs-content/security-bulletins/reports/cve-2024-32002.md diff --git a/docs/docs-content/registries-and-packs/adding-add-on-packs.md b/docs/docs-content/registries-and-packs/adding-add-on-packs.md index ecd3381e23..7200bf2b91 100644 --- a/docs/docs-content/registries-and-packs/adding-add-on-packs.md +++ b/docs/docs-content/registries-and-packs/adding-add-on-packs.md @@ -7,7 +7,7 @@ hide_table_of_contents: false sidebar_position: 30 --- -An Add-on Pack defines deployment specifics of a Kubernetes application to be installed on a running Kubernetes cluster. +An Add-on Pack defines deployment specifics of a Kubernetes application to be installed on an active Kubernetes cluster. Palette provides several Add-on packs out of the box for various layers of the Kubernetes stack. For example: - **Logging** - elastic search, fluentd diff --git a/docs/docs-content/security-bulletins/reports/cve-2019-9936.md b/docs/docs-content/security-bulletins/reports/cve-2019-9936.md index 86a20eaafa..00047eeae6 100644 
--- a/docs/docs-content/security-bulletins/reports/cve-2019-9936.md +++ b/docs/docs-content/security-bulletins/reports/cve-2019-9936.md @@ -18,7 +18,7 @@ tags: ["security", "cve"] ## NIST CVE Summary -In SQLite 3.27.2, running fts5 prefix queries inside a transaction could trigger a heap-based buffer over-read in +In SQLite 3.27.2, using fts5 prefix queries inside a transaction could trigger a heap-based buffer over-read in fts5HashEntrySort in sqlite3.c, which may lead to an information leak. This is related to ext/fts5/fts5_hash.c. ## Our Official Summary diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-28357.md b/docs/docs-content/security-bulletins/reports/cve-2022-28357.md new file mode 100644 index 0000000000..fb392eda8c --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2022-28357.md 
@@ -0,0 +1,46 @@ +--- +sidebar_label: "CVE-2022-28357" +title: "CVE-2022-28357" +description: "Lifecycle of CVE-2022-28357" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +## CVE Details + +[CVE-2022-28357](https://nvd.nist.gov/vuln/detail/CVE-2022-28357) + +## Last Update + +09/15/2024 + +## NIST CVE Summary + +NATS `nats-server` 2.2.0 through 2.7.4 allows directory traversal because of an unintended path to a management action +from a management account. + +## Our Official Summary + +A vulnerability was found in NATS nats-server up to 2.7.4. The product uses external input to construct a pathname that +is intended to identify a file or directory that is located underneath a restricted parent directory, but the product +does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location +that is outside of the restricted directory. Upgrade of the nats server is needed to fix this vulnerability. + +## CVE Severity + +[9.8](https://nvd.nist.gov/vuln/detail/CVE-2022-28357) + +## Status + +Ongoing + +## Affected Products & Versions + +- Palette VerteX 4.4.18 + +## Revision History + +- 1.0 09/15/2024 Initial Publication +- 2.0 09/15/2024 Added palette VerteX 4.4.18 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-28948.md b/docs/docs-content/security-bulletins/reports/cve-2022-28948.md new file mode 100644 index 0000000000..35ec303fa1 --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2022-28948.md 
@@ -0,0 +1,43 @@ +--- +sidebar_label: "CVE-2022-28948" +title: "CVE-2022-28948" +description: "Lifecycle of CVE-2022-28948" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +## CVE Details + +[CVE-2022-28948](https://nvd.nist.gov/vuln/detail/CVE-2022-28948) + +## Last Update + +09/15/2024 + +## NIST CVE Summary + +An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid +input. + +## Our Official Summary + +Investigation is ongoing to determine how this vulnerability affects our products. + +## CVE Severity + +[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-28948) + +## Status + +Ongoing + +## Affected Products & Versions + +- Palette VerteX 4.4.18 + +## Revision History + +- 1.0 09/15/2024 Initial Publication +- 2.0 09/15/2024 Added palette VerteX 4.4.18 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-41724.md b/docs/docs-content/security-bulletins/reports/cve-2022-41724.md new file mode 100644 index 0000000000..a35e2d1643 --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2022-41724.md 
@@ -0,0 +1,45 @@ +--- +sidebar_label: "CVE-2022-41724" +title: "CVE-2022-41724" +description: "Lifecycle of CVE-2022-41724" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +## CVE Details + +[CVE-2022-41724](https://nvd.nist.gov/vuln/detail/CVE-2022-41724) + +## Last Update + +09/15/2024 + +## NIST CVE Summary + +Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records +which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 +clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil +value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert). + +## Our Official Summary + +Investigation is ongoing to determine how this vulnerability affects our products. + +## CVE Severity + +[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41724) + +## Status + +Ongoing + +## Affected Products & Versions + +- Palette VerteX 4.4.18 + +## Revision History + +- 1.0 09/15/2024 Initial Publication +- 2.0 09/15/2024 Added palette VerteX 4.4.18 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-41725.md b/docs/docs-content/security-bulletins/reports/cve-2022-41725.md new file mode 100644 index 0000000000..c0c05fdae5 --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2022-41725.md 
@@ -0,0 +1,59 @@ +--- +sidebar_label: "CVE-2022-41725" +title: "CVE-2022-41725" +description: "Lifecycle of CVE-2022-41725" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +## CVE Details + +[CVE-2022-41725](https://nvd.nist.gov/vuln/detail/CVE-2022-41725) + +## Last Update + +09/15/2024 + +## NIST CVE Summary + +A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form +parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also +affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and +PostFormValue. ReadForm takes a maxMemory parameter, and is documented as storing "up to maxMemory bytes +10MB (reserved +for non-file parts) in memory". File parts which cannot be stored in memory are stored on disk in temporary files. The +unconfigurable 10MB reserved for non-file parts is excessively large and can potentially open a denial of service vector +on its own. However, ReadForm did not properly account for all memory consumed by a parsed form, such as map entry +overhead, part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In addition, +ReadForm contained no limit on the number of disk files created, permitting a relatively small request body to create a +large number of disk temporary files. With fix, ReadForm now properly accounts for various forms of memory overhead, and +should now stay within its documented limit of 10MB + maxMemory bytes of memory consumption. Users should still be aware +that this limit is high and may still be hazardous. In addition, ReadForm now creates at most one on-disk temporary +file, combining multiple form parts into a single temporary file. 
The mime/multipart.File interface type's documentation +states, "If stored on disk, the File's underlying concrete type will be an \*os.File.". This is no longer the case when +a form contains more than one file part, due to this coalescing of parts into a single file. The previous behavior of +using distinct files for each form part may be reenabled with the environment variable GODEBUG=multipartfiles=distinct. +Users should be aware that multipart.ReadForm and the http.Request methods that call it do not limit the amount of disk +consumed by temporary files. Callers can limit the size of form data with http.MaxBytesReader. + +## Our Official Summary + +Investigation is ongoing to determine how this vulnerability affects our products. + +## CVE Severity + +[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41725) + +## Status + +Ongoing + +## Affected Products & Versions + +- Palette VerteX 4.4.18 + +## Revision History + +- 1.0 09/15/2024 Initial Publication +- 2.0 09/15/2024 Added palette VerteX 4.4.18 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-45061.md b/docs/docs-content/security-bulletins/reports/cve-2022-45061.md index 35f546c53d..842e2a23ba 100644 --- a/docs/docs-content/security-bulletins/reports/cve-2022-45061.md +++ b/docs/docs-content/security-bulletins/reports/cve-2022-45061.md 
@@ -27,7 +27,12 @@ HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, ## Our Official Summary -Investigation is ongoing to determine how this vulnerability affects our products. +This CVE is a vulnerability affecting certain versions of Python, specifically those before version 3.11.1. The issue +lies in an unnecessary quadratic algorithm in one path when processing some inputs to the IDNA (RFC 3490) decoder. This +can lead to slow execution times and potential denial of service attacks on systems using affected Python versions. +Systems that utilize Python's idna module for decoding large strings, such as web servers or applications handling +user-provided hostnames, may be impacted by this vulnerability. There is no known workaround for this vulnerability. +Python version needs to be upgraded in the images reported. ## CVE Severity diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-48560.md b/docs/docs-content/security-bulletins/reports/cve-2022-48560.md index 4bd6f68ecf..b44e99ac4d 100644 --- a/docs/docs-content/security-bulletins/reports/cve-2022-48560.md +++ b/docs/docs-content/security-bulletins/reports/cve-2022-48560.md @@ -14,7 +14,7 @@ tags: ["security", "cve"] ## Last Update -9/13/24 +9/15/24 ## NIST CVE Summary @@ -22,7 +22,10 @@ A use-after-free exists in Python through 3.9 via heappushpop in heapq. ## Our Official Summary -Investigation is ongoing to determine how this vulnerability affects our products. +This CVE affects python versions upto 3.9. The use-after-free vulnerability in Python's heapq module allows an attacker +to manipulate memory after it has been freed, potentially leading to arbitrary code execution or a denial of service. +This vulnerability can be exploited by carefully crafting a malicious input that triggers the use-after-free condition. +There is no known workaround for this vulnerability. Python version needs to be upgraded in the images reported. ## CVE Severity 
diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-48565.md b/docs/docs-content/security-bulletins/reports/cve-2022-48565.md index f94a35f3c1..e5ad1b2061 100644 --- a/docs/docs-content/security-bulletins/reports/cve-2022-48565.md +++ b/docs/docs-content/security-bulletins/reports/cve-2022-48565.md @@ -14,7 +14,7 @@ tags: ["security", "cve"] ## Last Update -9/13/24 +9/15/24 ## NIST CVE Summary @@ -23,7 +23,11 @@ declarations in XML plist files to avoid XML vulnerabilities. ## Our Official Summary -Investigation is ongoing to determine how this vulnerability affects our products. +This CVE affects users of Python versions up to 3.9.1. This issue lies in the plistlib module, which used to accept +entity declarations in XML plist files, making it susceptible to XXE attacks. This vulnerability is not listed in CISA's +Known Exploited Vulnerabilities Catalog. The possibility of this vulnerability getting exploited in Spectro Cloud +products is low. Need an update from the 3rd party vendor to fix the vulnerability. Investigating possibility of +updating python version to fix this vulnerability. ## CVE Severity diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-24329.md b/docs/docs-content/security-bulletins/reports/cve-2023-24329.md index 0faa8744f6..73ad443e3a 100644 --- a/docs/docs-content/security-bulletins/reports/cve-2023-24329.md +++ b/docs/docs-content/security-bulletins/reports/cve-2023-24329.md 
@@ -23,7 +23,10 @@ supplying a URL that starts with blank characters. ## Our Official Summary -Investigation is ongoing to determine how this vulnerability affects our products. +An issue in the urllib.parse component of Python before v3.11 allows attackers to bypass blocklisting methods by +supplying a URL that starts with blank characters. urlparse has a parsing problem when the entire URL starts with blank +characters. This problem affects both the parsing of hostname and scheme, and eventually causes any blocklisting methods +to fail. Python version needs to be upgraded in the images reported. ## CVE Severity diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-24534.md b/docs/docs-content/security-bulletins/reports/cve-2023-24534.md new file mode 100644 index 0000000000..6a12c59573 --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2023-24534.md 
@@ -0,0 +1,47 @@ +--- +sidebar_label: "CVE-2023-24534" +title: "CVE-2023-24534" +description: "Lifecycle of CVE-2023-24534" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +## CVE Details + +[CVE-2023-24534](https://nvd.nist.gov/vuln/detail/CVE-2023-24534) + +## Last Update + +09/15/2024 + +## NIST CVE Summary + +HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading +to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME +headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this +behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory +exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold +parsed headers. + +## Our Official Summary + +Investigation is ongoing to determine how this vulnerability affects our products. + +## CVE Severity + +[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-24534) + +## Status + +Ongoing + +## Affected Products & Versions + +- Palette VerteX 4.4.18 + +## Revision History + +- 1.0 09/15/2024 Initial Publication +- 2.0 09/15/2024 Added palette VerteX 4.4.18 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-24536.md b/docs/docs-content/security-bulletins/reports/cve-2023-24536.md new file mode 100644 index 0000000000..cb6d0a07a5 --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2023-24536.md 
@@ -0,0 +1,56 @@ +--- +sidebar_label: "CVE-2023-24536" +title: "CVE-2023-24536" +description: "Lifecycle of CVE-2023-24536" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +## CVE Details + +[CVE-2023-24536](https://nvd.nist.gov/vuln/detail/CVE-2023-24536) + +## Last Update + +09/15/2024 + +## NIST CVE Summary + +Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large +numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed +multipart form can consume. ReadForm can undercount the amount of memory consumed, leading it to accept larger inputs +than intended. 2. Limiting total memory does not account for increased pressure on the garbage collector from large +numbers of small allocations in forms with many parts. 3. ReadForm can allocate a large number of short-lived buffers, +further increasing pressure on the garbage collector. The combination of these factors can permit an attacker to cause +an program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of +service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package +with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. With fix, ReadForm now does a +better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations. In +addition, the fixed mime/multipart.Reader imposes the following limits on the size of parsed forms: 1. Forms parsed with +ReadForm may contain no more than 1000 parts. This limit may be adjusted with the environment variable +GODEBUG=multipartmaxparts=. 2. Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header +fields. 
In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This +limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=. + +## Our Official Summary + +Investigation is ongoing to determine how this vulnerability affects our products. + +## CVE Severity + +[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-24536) + +## Status + +Ongoing + +## Affected Products & Versions + +- Palette VerteX 4.4.18 + +## Revision History + +- 1.0 09/15/2024 Initial Publication +- 2.0 09/15/2024 Added palette VerteX 4.4.18 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-24537.md b/docs/docs-content/security-bulletins/reports/cve-2023-24537.md new file mode 100644 index 0000000000..b19308b8ee --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2023-24537.md @@ -0,0 +1,43 @@ +--- +sidebar_label: "CVE-2023-24537" +title: "CVE-2023-24537" +description: "Lifecycle of CVE-2023-24537" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +## CVE Details + +[CVE-2023-24537](https://nvd.nist.gov/vuln/detail/CVE-2023-24537) + +## Last Update + +09/15/2024 + +## NIST CVE Summary + +Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can +cause an infinite loop due to integer overflow. + +## Our Official Summary + +Investigation is ongoing to determine how this vulnerability affects our products. + +## CVE Severity + +[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-24537) + +## Status + +Ongoing + +## Affected Products & Versions + +- Palette VerteX 4.4.18 + +## Revision History + +- 1.0 09/15/2024 Initial Publication +- 2.0 09/15/2024 Added palette VerteX 4.4.18 to Affected Products 
diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-24538.md b/docs/docs-content/security-bulletins/reports/cve-2023-24538.md new file mode 100644 index 0000000000..9db30ba8b4 --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2023-24538.md 
@@ -0,0 +1,51 @@ +--- +sidebar_label: "CVE-2023-24538" +title: "CVE-2023-24538" +description: "Lifecycle of CVE-2023-24538" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +## CVE Details + +[CVE-2023-24538](https://nvd.nist.gov/vuln/detail/CVE-2023-24538) + +## Last Update + +09/15/2024 + +## NIST CVE Summary + +Templates do not properly consider backticks `` ` `` as Javascript string delimiters, and do not escape them as +expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a +Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary +Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string +interpolation, the decision was made to simply disallow Go template actions from being used inside of them +e.g.`"var a = {{.}}"`, since there is no safe way to allow this behavior. This takes the same approach as +github.com/google/safehtml. With fix, Template.Parse returns an Error when it encounters templates like this, with an +ErrorCode of value 12. This ErrorCode is currently unexported, but will be exported in the release of Go 1.21. Users who +rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the caveat that backticks +will now be escaped. This should be used with caution. + +## Our Official Summary + +Investigation is ongoing to determine how this vulnerability affects our products. + +## CVE Severity + +[9.8](https://nvd.nist.gov/vuln/detail/CVE-2023-24538) + +## Status + +Ongoing + +## Affected Products & Versions + +- Palette VerteX 4.4.18 + +## Revision History + +- 1.0 09/15/2024 Initial Publication +- 2.0 09/15/2024 Added palette VerteX 4.4.18 to Affected Products 
diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-24539.md b/docs/docs-content/security-bulletins/reports/cve-2023-24539.md new file mode 100644 index 0000000000..cd468f1d76 --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2023-24539.md @@ -0,0 +1,44 @@ +--- +sidebar_label: "CVE-2023-24539" +title: "CVE-2023-24539" +description: "Lifecycle of CVE-2023-24539" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +## CVE Details + +[CVE-2023-24539](https://nvd.nist.gov/vuln/detail/CVE-2023-24539) + +## Last Update + +09/15/2024 + +## NIST CVE Summary + +Angle brackets `<>` are not considered dangerous characters when inserted into CSS contexts. Templates containing +multiple actions separated by a `/` character can result in unexpectedly closing the CSS context and allowing for +injection of unexpected HTML, if executed with untrusted input. + +## Our Official Summary + +Investigation is ongoing to determine how this vulnerability affects our products. + +## CVE Severity + +[7.3](https://nvd.nist.gov/vuln/detail/CVE-2023-24539) + +## Status + +Ongoing + +## Affected Products & Versions + +- Palette VerteX 4.4.18 + +## Revision History + +- 1.0 09/15/2024 Initial Publication +- 2.0 09/15/2024 Added palette VerteX 4.4.18 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-24540.md b/docs/docs-content/security-bulletins/reports/cve-2023-24540.md new file mode 100644 index 0000000000..8b31659cc0 --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2023-24540.md 
@@ -0,0 +1,49 @@ +--- +sidebar_label: "CVE-2023-24540" +title: "CVE-2023-24540" +description: "Lifecycle of CVE-2023-24540" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +## CVE Details + +[CVE-2023-24540](https://nvd.nist.gov/vuln/detail/CVE-2023-24540) + +## Last Update + +09/15/2024 + +## NIST CVE Summary + +Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace +characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions +may not be properly sanitized during execution. + +## Our Official Summary + +This is a vulnerability affecting the Golang Go software, specifically the html/template package. This issue arises from +improper handling of JavaScript whitespace characters in certain contexts, leading to potential security risks. Systems +using Golang Go versions up to 1.19.9 and from 1.20.0 to 1.20.4 are affected, particularly those using the html/template +package with JavaScript contexts containing actions and specific whitespace characters. The images in which +vulnerabilities are report do not use the html package. So possibility of this vulnerability getting exploited in +Spectro Cloud products is low. There is a upstream fix available, we will upgrade to that version. + +## CVE Severity + +[9.8](https://nvd.nist.gov/vuln/detail/CVE-2023-24540) + +## Status + +Ongoing + +## Affected Products & Versions + +- Palette VerteX 4.4.18 + +## Revision History + +- 1.0 09/15/2024 Initial Publication +- 2.0 09/15/2024 Added palette VerteX 4.4.18 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-29400.md b/docs/docs-content/security-bulletins/reports/cve-2023-29400.md new file mode 100644 index 0000000000..41c1cb5e9b --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2023-29400.md 
@@ -0,0 +1,49 @@ +--- +sidebar_label: "CVE-2023-29400" +title: "CVE-2023-29400" +description: "Lifecycle of CVE-2023-29400" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +## CVE Details + +[CVE-2023-29400](https://nvd.nist.gov/vuln/detail/CVE-2023-29400) + +## Last Update + +09/15/2024 + +## NIST CVE Summary + +Templates containing actions in unquoted HTML attributes e.g. `"attr={{.}}"` executed with empty input can result in +output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary +attributes into tags. + +## Our Official Summary + +The vulnerability in golang arises from the use of unquoted HTML attributes in templates. When these templates are +executed with empty input, the resulting output may be parsed incorrectly due to HTML normalization rules. This can +enable an attacker to inject arbitrary attributes into HTML tags, potentially leading to cross-site scripting (XSS) +attacks or other security vulnerabilities. All the images in which this CVE is reported are 3rd party images, which do +not process HTML data. So possibility of this vulnerability getting exploited in Spectro Cloud products is low. Waiting +on upsteam fixes. + +## CVE Severity + +[7.3](https://nvd.nist.gov/vuln/detail/CVE-2023-29400) + +## Status + +Ongoing + +## Affected Products & Versions + +- Palette VerteX 4.4.18 + +## Revision History + +- 1.0 09/15/2024 Initial Publication +- 2.0 09/15/2024 Added palette VerteX 4.4.18 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-29403.md b/docs/docs-content/security-bulletins/reports/cve-2023-29403.md new file mode 100644 index 0000000000..8e76af18d3 --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2023-29403.md 
@@ -0,0 +1,46 @@ +--- +sidebar_label: "CVE-2023-29403" +title: "CVE-2023-29403" +description: "Lifecycle of CVE-2023-29403" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +## CVE Details + +[CVE-2023-29403](https://nvd.nist.gov/vuln/detail/CVE-2023-29403) + +## Last Update + +09/15/2024 + +## NIST CVE Summary + +On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can +be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file +descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can +result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is +terminated, either via panic or signal, it may leak the contents of its registers. + +## Our Official Summary + +Investigation is ongoing to determine how this vulnerability affects our products. + +## CVE Severity + +[7.8](https://nvd.nist.gov/vuln/detail/CVE-2023-29403) + +## Status + +Ongoing + +## Affected Products & Versions + +- Palette VerteX 4.4.18 + +## Revision History + +- 1.0 09/15/2024 Initial Publication +- 2.0 09/15/2024 Added palette VerteX 4.4.18 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-45287.md b/docs/docs-content/security-bulletins/reports/cve-2023-45287.md new file mode 100644 index 0000000000..0846b971c2 --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2023-45287.md 
@@ -0,0 +1,46 @@ +--- +sidebar_label: "CVE-2023-45287" +title: "CVE-2023-45287" +description: "Lifecycle of CVE-2023-45287" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +## CVE Details + +[CVE-2023-45287](https://nvd.nist.gov/vuln/detail/CVE-2023-45287) + +## Last Update + +09/15/2024 + +## NIST CVE Summary + +Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was +applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears +as if the removal of PKCS#1 padding may leak timing information, which in turn could be used to recover session key +bits. In Go 1.20, the crypto/tls library switched to a fully constant time RSA implementation, which we do not believe +exhibits any timing side channels. + +## Our Official Summary + +Investigation is ongoing to determine how this vulnerability affects our products. + +## CVE Severity + +[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-45287) + +## Status + +Ongoing + +## Affected Products & Versions + +- Palette VerteX 4.4.18 + +## Revision History + +- 1.0 09/15/2024 Initial Publication +- 2.0 09/15/2024 Added palette VerteX 4.4.18 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-52356.md b/docs/docs-content/security-bulletins/reports/cve-2023-52356.md new file mode 100644 index 0000000000..4bddf91140 --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2023-52356.md 
@@ -0,0 +1,44 @@ +--- +sidebar_label: "CVE-2023-52356" +title: "CVE-2023-52356" +description: "Lifecycle of CVE-2023-52356" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +## CVE Details + +[CVE-2023-52356](https://nvd.nist.gov/vuln/detail/CVE-2023-52356) + +## Last Update + +09/15/2024 + +## NIST CVE Summary + +A segment fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted tiff file to the +TIFFReadRGBATileExt() API. This flaw allows a remote attacker to cause a heap-buffer overflow, leading to a denial of +service. + +## Our Official Summary + +Investigation is ongoing to determine how this vulnerability affects our products. + +## CVE Severity + +[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-52356) + +## Status + +Ongoing + +## Affected Products & Versions + +- Palette VerteX 4.4.18 + +## Revision History + +- 1.0 09/15/2024 Initial Publication +- 2.0 09/15/2024 Added palette VerteX 4.4.18 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-0743.md b/docs/docs-content/security-bulletins/reports/cve-2024-0743.md new file mode 100644 index 0000000000..3232b0a5e3 --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2024-0743.md 
@@ -0,0 +1,46 @@ +--- +sidebar_label: "CVE-2023-0743" +title: "CVE-2023-0743" +description: "Lifecycle of CVE-2023-0743" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +## CVE Details + +[CVE-2023-0743](https://nvd.nist.gov/vuln/detail/CVE-2023-0743) + +## Last Update + +09/15/2024 + +## NIST CVE Summary + +An unchecked return value in TLS handshake code could have caused a potentially exploitable crash. This vulnerability +affects Firefox < 122, Firefox ESR < 115.9, and Thunderbird < 115.9. + +## Our Official Summary + +An unchecked return value in TLS handshake code could cause a potentially exploitable crash in certain versions of +Firefox. This CVE is reported on container images where there are no reported instances of TLS handshake code causing +crashes. Risk of this vulnerability getting exploited in Spectro Cloud products is low. Need an update from the 3rd +party vendor to fix the vulnerability. + +## CVE Severity + +[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-0743) + +## Status + +Ongoing + +## Affected Products & Versions + +- Palette VerteX 4.4.18 + +## Revision History + +- 1.0 09/15/2024 Initial Publication +- 2.0 09/15/2024 Added palette VerteX 4.4.18 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-21626.md b/docs/docs-content/security-bulletins/reports/cve-2024-21626.md index 91fcd5e316..88c57b8aff 100644 --- a/docs/docs-content/security-bulletins/reports/cve-2024-21626.md +++ b/docs/docs-content/security-bulletins/reports/cve-2024-21626.md 
@@ -18,7 +18,7 @@ tags: ["security", "cve"] ## NIST CVE Summary -runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and +runc is a CLI tool for spawning and using containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-32002.md b/docs/docs-content/security-bulletins/reports/cve-2024-32002.md new file mode 100644 index 0000000000..cd00625d21 --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2024-32002.md 
@@ -0,0 +1,52 @@ +--- +sidebar_label: "CVE-2024-32002" +title: "CVE-2024-32002" +description: "Lifecycle of CVE-2024-32002" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +## CVE Details + +[CVE-2024-32002](https://nvd.nist.gov/vuln/detail/CVE-2024-32002) + +## Last Update + +09/15/2024 + +## NIST CVE Summary + +Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, +repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing +files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed +while the clone operation is still active, giving the user no opportunity to inspect the code that is being executed. +The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link +support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As +always, it is best to avoid cloning repositories from untrusted sources. + +## Our Official Summary + +A critical vulnerability in Git has recently been published that could lead to remote command injection. The +exploitation occurs when the victim clones a malicious repository recursively, which would execute hooks contained in +the submodules. The vulnerability lies in the way Git handles symbolic links in repository submodules. There are +currently several PoCs with public exploits that expose the vulnerability. This risk of this vulnerability exploited in +spectrocloud products is very low. 
+ +## CVE Severity + +[9.0](https://nvd.nist.gov/vuln/detail/CVE-2024-32002) + +## Status + +Ongoing + +## Affected Products & Versions + +- Palette VerteX 4.4.18 + +## Revision History + +- 1.0 09/15/2024 Initial Publication +- 2.0 09/15/2024 Added palette VerteX 4.4.18 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-3651.md b/docs/docs-content/security-bulletins/reports/cve-2024-3651.md index 8700be3255..25173823f8 100644 --- a/docs/docs-content/security-bulletins/reports/cve-2024-3651.md +++ b/docs/docs-content/security-bulletins/reports/cve-2024-3651.md @@ -14,7 +14,7 @@ tags: ["security", "cve"] ## Last Update -9/13/24 +9/15/24 ## NIST CVE Summary @@ -26,7 +26,11 @@ the processing time in a quadratic manner relative to the input size. ## Our Official Summary -Investigation is ongoing to determine how this vulnerability affects our products. +The idna package is a Python library that provides support for Internationalized Domain Names in Applications (IDNA). It +allows encoding and decoding of domain names containing non-ASCII characters. This vulnerability affects versions prior +to 3.7 of the idna package. Domain names cannot exceed 253 characters in length, so enforcing this limit can prevent the +resource consumption issue. However, this workaround may not be foolproof as it relies on the higher-level application +performing input validation. Upgrade the package to > 3.7 version to fix the vulnerability. ## CVE Severity diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-6232.md b/docs/docs-content/security-bulletins/reports/cve-2024-6232.md index bd9f0abf20..c2068a70bd 100644 --- a/docs/docs-content/security-bulletins/reports/cve-2024-6232.md +++ b/docs/docs-content/security-bulletins/reports/cve-2024-6232.md 
@@ -23,7 +23,13 @@ during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-c ## Our Official Summary -Investigation is ongoing to determine how this vulnerability affects any of our products. +This CVE affects all images using the Python's tarfile module. A specificlly crafted tar file which causes excessive +backtracking while tarfile parses headers is needed to exploit this vulnerability. If the vulnerability is exploited, it +can cause a denial of service attack. But from our product point of view, this risk of this vulnerability getting +exploited is very low. This is because it does not enable remote code execution. A user has to compromise of the images +using this library within python module and feed a specially crafted tar file and relies on the underlying system +processing that file, which limits the attack vector. A fix is not available at this time. We will upgrade the library +once the fix becomes available. ## CVE Severity diff --git a/docs/docs-content/security-bulletins/reports/reports.md b/docs/docs-content/security-bulletins/reports/reports.md index 4f2a0a7a11..3c9226fd1c 100644 --- a/docs/docs-content/security-bulletins/reports/reports.md +++ b/docs/docs-content/security-bulletins/reports/reports.md 
@@ -146,6 +146,22 @@ Click on the CVE ID to view the full details of the vulnerability. | [CVE-2024-0760](./cve-2024-0760.md) | 9/5/24 | 9/5/24 | 4.4.14 & 4.4.18 | Third-party component: ISC | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-0760) | :mag: Ongoing | | [CVE-2024-1737](./cve-2024-1737.md) | 9/5/24 | 9/5/24 | 4.4.14 & 4.4.18 | Third-party component: ISC | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-1737) | :mag: Ongoing | | [CVE-2024-1975](./cve-2024-1975.md) | 9/5/24 | 9/5/24 | 4.4.14 & 4.4.18 | Third-party component: ISC | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-1975) | :mag: Ongoing | +| [CVE-2022-28357](./cve-2022-28357.md) | 9/15/24 | 9/15/24 | 4.4.18 | Third-party component: NATS | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2022-28357) | :mag: Ongoing | +| [CVE-2022-28948](./cve-2022-28948.md) | 9/15/24 | 9/15/24 | 4.4.18 | Third-party component: Go-Yaml | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-28948) | :mag: Ongoing | +| [CVE-2022-41724](./cve-2022-41724.md) | 9/15/24 | 9/15/24 | 4.4.18 | Third-party component: Go Project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41724) | :mag: Ongoing | +| [CVE-2022-41725](./cve-2022-41725.md) | 9/15/24 | 9/15/24 | 4.4.18 | Third-party component: Go Project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41725) | :mag: Ongoing | +| [CVE-2023-24534](./cve-2023-24534.md) | 9/15/24 | 9/15/24 | 4.4.18 | Third-party component: Go Project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-24534) | :mag: Ongoing | +| [CVE-2023-24536](./cve-2023-24536.md) | 9/15/24 | 9/15/24 | 4.4.18 | Third-party component: Go Project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-24536) | :mag: Ongoing | +| [CVE-2023-24537](./cve-2023-24537.md) | 9/15/24 | 9/15/24 | 4.4.18 | Third-party component: Go Project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-24537) | :mag: Ongoing | +| [CVE-2023-24538](./cve-2023-24538.md) | 9/15/24 | 9/15/24 | 4.4.18 | Third-party component: Go Project | 
[9.8](https://nvd.nist.gov/vuln/detail/CVE-2023-24538) | :mag: Ongoing | +| [CVE-2023-24539](./cve-2023-24539.md) | 9/15/24 | 9/15/24 | 4.4.18 | Third-party component: Go Project | [7.3](https://nvd.nist.gov/vuln/detail/CVE-2023-24539) | :mag: Ongoing | +| [CVE-2023-24540](./cve-2023-24540.md) | 9/15/24 | 9/15/24 | 4.4.18 | Third-party component: Go Project | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2023-24540) | :mag: Ongoing | +| [CVE-2023-29400](./cve-2023-29400.md) | 9/15/24 | 9/15/24 | 4.4.18 | Third-party component: Go Project | [7.3](https://nvd.nist.gov/vuln/detail/CVE-2023-29400) | :mag: Ongoing | +| [CVE-2023-29403](./cve-2023-29403.md) | 9/15/24 | 9/15/24 | 4.4.18 | Third-party component: Go Project | [7.8](https://nvd.nist.gov/vuln/detail/CVE-2023-29403) | :mag: Ongoing | +| [CVE-2023-45287](./cve-2023-45287.md) | 9/15/24 | 9/15/24 | 4.4.18 | Third-party component: Go Project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-45287) | :mag: Ongoing | +| [CVE-2023-52356](./cve-2023-52356.md) | 9/15/24 | 9/15/24 | 4.4.18 | Third-party component: Libtiff | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-52356) | :mag: Ongoing | +| [CVE-2024-0743](./cve-2024-0743.md) | 9/15/24 | 9/15/24 | 4.4.18 | Third-party component: Mozilla | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-0743) | :mag: Ongoing | +| [CVE-2024-32002](./cve-2024-32002.md) | 9/15/24 | 9/15/24 | 4.4.18 | Third-party component: Github | [9.0](https://nvd.nist.gov/vuln/detail/CVE-2024-32002) | :mag: Ongoing | diff --git a/redirects.js b/redirects.js index dcc6d8e1df..902ebd4511 100644 --- a/redirects.js +++ b/redirects.js @@ -599,7 +599,6 @@ const redirects = [ "/security-bulletins/reports/cve-2023-0286", "/security-bulletins/reports/cve-2023-52425", "/security-bulletins/reports/cve-2023-5528", - "/security-bulletins/reports/cve-2024-0743", "/security-bulletins/reports/prisma-2022-0227", ], to: "/security-bulletins/reports/",
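Review bot: In the Revision History of the new cve-2023-29403.md, the entry "2.0 09/15/2024 Added palette VerteX 4.4.18 to Affected Products" spells the product name in lower case while the Affected Products list two lines above says "Palette VerteX 4.4.18"; use "Palette VerteX" consistently. The same lower-case "palette" appears in the identical Revision History lines of the other new bulletins in this patch (cve-2023-45287.md, cve-2023-52356.md, cve-2024-0743.md and cve-2024-32002.md), so fix it in all of them together.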
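Review bot: The new file docs/docs-content/security-bulletins/reports/cve-2024-0743.md identifies the wrong CVE throughout: its frontmatter reads `sidebar_label: "CVE-2023-0743"`, `title: "CVE-2023-0743"` and `description: "Lifecycle of CVE-2023-0743"`, and both NVD links in the body point at https://nvd.nist.gov/vuln/detail/CVE-2023-0743, while the file name, the reports.md row and that row's NVD link all refer to CVE-2024-0743. Replace every "CVE-2023-0743" with "CVE-2024-0743" so the page title and links match the Firefox/Thunderbird advisory the NIST summary describes rather than an unrelated NVD record. Separately, "Need an update from the 3rd party vendor to fix the vulnerability." in the Our Official Summary is a sentence fragment; suggest "A fix requires an update from the third-party vendor."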
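Review bot: The one-line edit to the NIST CVE Summary of cve-2024-21626.md changes "spawning and running containers" to "spawning and using containers", which alters text that the section presents as the NIST/NVD summary and is also less accurate, since runc's job is to run containers. Keep the quoted summary verbatim; if a style linter flagged "running", add a linter exception for quoted vendor text instead of rewording it.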
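Review bot: The closing sentence of the Our Official Summary in the new cve-2024-32002.md is ungrammatical and misspells the company name: "This risk of this vulnerability exploited in spectrocloud products is very low." Suggest "The risk of this vulnerability being exploited in Spectro Cloud products is very low." ("Spectro Cloud" is the spelling used in the cve-2024-0743.md summary elsewhere in this patch). It would also help readers if this summary stated why the risk is low (for example, which images carry Git and whether they clone untrusted repositories), as the other updated summaries in this patch do.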
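Review bot: The remediation advice in the new Our Official Summary of cve-2024-3651.md contradicts the affected range given two sentences earlier: "This vulnerability affects versions prior to 3.7 of the idna package" means 3.7 itself is fixed, yet the text says "Upgrade the package to > 3.7 version to fix the vulnerability." Suggest "Upgrade the idna package to version 3.7 or later to fix the vulnerability." The caveat that the 253-character limit only helps when the calling application validates input is a useful addition and should stay.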
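Review bot: The new Our Official Summary in cve-2024-6232.md has several wording errors that should be fixed before publication: "specificlly" should be "specifically"; "all images using the Python's tarfile module" should read "all images using Python's tarfile module"; "this risk of this vulnerability getting exploited" should be "the risk of this vulnerability being exploited"; and "A user has to compromise of the images using this library within python module and feed a specially crafted tar file and relies on the underlying system processing that file" is not a sentence. Suggest "An attacker would first need to compromise an image that uses this module, supply a specially crafted tar file, and rely on the underlying system processing that file, which limits the attack vector." Since upstream status changes quickly, also re-check the claim "A fix is not available at this time." against the CPython advisory before merging.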
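Review bot: The new CVE-2024-32002 row in reports.md lists the component as "Third-party component: Github", but the bulletin it links to describes a flaw in Git itself (its NIST summary opens with "Git is a revision control system"), not in GitHub; change it to "Third-party component: Git". Note also that the CVE-2024-0743 row links to ./cve-2024-0743.md, whose title and NVD links currently say CVE-2023-0743, so that page must be corrected for the row to point at the right advisory.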