security advisories for false positive critical CVEs on spectro-drive… (

#2964) (#3009) * security advisories for false positive critical CVEs on spectro-drive image * chore: Proofread the CVE reports * chore: Update the CVE report index * chore: Fix the CVE reports based on SME review --------- Co-authored-by: Karl Cardenas <[email protected]> Co-authored-by: yuliiiah <[email protected]> (cherry picked from commit 06f0787) Co-authored-by: Fayas Ahamed <[email protected]>
spectrocloud · Jun 4, 2024 · 77bfd34 · 77bfd34
1 parent b081c7d
commit 77bfd34
Show file tree

Hide file tree

Showing 2 changed files with 93 additions and 0 deletions.
diff --git a/docs/docs-content/security-bulletins/cve-index.md b/docs/docs-content/security-bulletins/cve-index.md
@@ -13,6 +13,24 @@ The following is an index of all Palette-related CVEs and their disclosure year.
 
 ## 2024
 
+- [June 3, 2024 - CVE-2024-23652 BuildKit Vulnerable to Possible Host System Access from Mount Stub Cleaner - 9.1 CVSS](./cve-reports.md#june-3-2024---cve-2024-23652-buildkit-vulnerable-to-possible-host-system-access-from-mount-stub-cleaner---91-cvss)
+
+- [June 3, 2024 - CVE-2024-23653 BuildKit Interactive Container API Does Not Validate Privileges - 9.8 CVSS](./cve-reports.md#june-3-2024---cve-2024-23653-buildkit-interactive-container-api-does-not-validate-privileges---98-cvss)
+
+- [June 3, 2024 - CVE-2023-49569 Path Traversal and RCE Vulnerability in Go-Git Versions Before v5.11 - 9.8 CVSS](./cve-reports.md#june-3-2024---cve-2023-49569-path-traversal-and-rce-vulnerability-in-go-git-versions-before-v511---98-cvss)
+
+- [April 14, 2024 - CVE-2023-24534 HTTP and MIME Header Parsing Can Allocate Large Amounts of Memory - 7.5 CVSS](./cve-reports.md#april-14-2024---cve-2023-24534-http-and-mime-header-parsing-can-allocate-large-amounts-of-memory---75-cvss)
+
+- [April 14, 2024 - CVE-2023-24536 MIME/Multipart Form Parsing Can Consume Large Amounts of CPU and Memory - 7.5 CVSS](./cve-reports.md#april-14-2024---cve-2023-24536-mimemultipart-form-parsing-can-consume-large-amounts-of-cpu-and-memory---75-cvss)
+
+- [April 14, 2024 - CVE-2023-26159 Improper Input Validation Due to Improper Handling of URLs - 6.1 CVSS](./cve-reports.md#april-14-2024---cve-2023-26159-improper-input-validation-due-to-improper-handling-of-urls---61-cvss)
+
+- [April 14, 2024 - CVE-2023-5764 Ansible Template Injection Vulnerability - 7.8 CVSS](./cve-reports.md#april-14-2024---cve-2023-5764-ansible-template-injection-vulnerability---78-cvss)
+
+- [April 14, 2024 - CVE-2023-42282 SSRF Vulnerability in Node.js - 9.8 CVSS](./cve-reports.md#april-14-2024---cve-2023-42282-ssrf-vulnerability-in-nodejs---98-cvss)
+
+- [April 2, 2024 - CVE-2024-3094 Malicious Code in XZ Utility - 10 CVSS](./cve-reports.md#april-2-2024---cve-2024-3094-malicious-code-in-xz-utility---10-cvss)
+
 - [January 10, 2024- CVE-2023-39323 Bypass CGO Restrictions - 8.1 CVSS](./cve-reports.md#january-10-2024---cve-2023-39323-bypass-cgo-restrictions---81-cvss)
 
 - [January 10, 2024 - CVE-2023-45283 Filepath Package and Special Prefixes - 7.5 CVSS](./cve-reports.md#january-10-2024---cve-2023-45283-filepath-package-and-special-prefixes---75-cvss)

diff --git a/docs/docs-content/security-bulletins/cve-reports.md b/docs/docs-content/security-bulletins/cve-reports.md
@@ -32,6 +32,81 @@ _Are there any links users can visit to find out more?_
 
 -->
 
+## June 3, 2024 - CVE-2024-23652 BuildKit Vulnerable to Possible Host System Access from Mount Stub Cleaner - 9.1 CVSS
+
+A vulnerability found in BuildKit can potentially allow malicious BuildKit frontends and Dockerfiles to remove files
+from the host system outside the container by using the `RUN --mount` command.
+
+### Impact
+
+No impact. Palette and VerteX do not use the impacted symbol.
+
+### Patches
+
+Not applicable.
+
+### Workarounds
+
+Not applicable.
+
+### References
+
+- [CVE-2024-23652](https://nvd.nist.gov/vuln/detail/CVE-2024-23652)
+- [GO-2024-2494](https://pkg.go.dev/vuln/GO-2024-2494)
+
+<br />
+
+## June 3, 2024 - CVE-2024-23653 BuildKit Interactive Container API Does Not Validate Privileges - 9.8 CVSS
+
+A vulnerability was found in the BuildKit API for running interactive containers. In addition to running containers as
+build steps, the API allowed running containers with elevated privileges.
+
+### Impact
+
+No impact. Palette and VerteX do not use the impacted symbol.
+
+### Patches
+
+Not applicable.
+
+### Workarounds
+
+Not applicable.
+
+### References
+
+- [CVE-2024-23653](https://nvd.nist.gov/vuln/detail/CVE-2024-23653)
+- [GO-2024-2497](https://pkg.go.dev/vuln/GO-2024-2497)
+
+<br />
+
+## June 3, 2024 - CVE-2023-49569 Path Traversal and RCE Vulnerability in Go-Git Versions Before v5.11 - 9.8 CVSS
+
+A path traversal vulnerability discovered in Go-Git can allow attackers to create and amend files across the file system
+and, potentially, remotely execute malicious code. Only those applications that use
+[ChrootOS](https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS) are affected.
+
+This is a Go-Git implementation vulnerability, and it does not affect the upstream git CLI.
+
+### Impact
+
+No impact. Palette and VerteX do not use the impacted symbols.
+
+### Patches
+
+Not applicable.
+
+### Workarounds
+
+Not applicable.
+
+### References
+
+- [CVE-2023-49569](https://nvd.nist.gov/vuln/detail/CVE-2023-49569)
+- [GO-2024-2456](https://pkg.go.dev/vuln/GO-2024-2456)
+
+<br />
+
 ## April 14, 2024 - CVE-2023-24534 HTTP and MIME Header Parsing Can Allocate Large Amounts of Memory - 7.5 CVSS
 
 HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading