docs: 10-29-24 cve updates (#4499)
* 10-29-24 cve updates

* ci: auto-formatting prettier issues

---------

Co-authored-by: frederickjoi <[email protected]>
Co-authored-by: Karl Cardenas <[email protected]>
3 people authored Oct 29, 2024
1 parent 554ea8c commit 8708b4f
Showing 11 changed files with 84 additions and 54 deletions.
Expand Up @@ -14,7 +14,7 @@ tags: ["security", "cve"]

## Last Update

10/10/2024
10/29/2024

## NIST CVE Summary

Expand All @@ -24,7 +24,12 @@ to bypass stack guard. NOTE: Upstream comments indicate "this is being treated a

## Our Official Summary

Waiting on a fix from third party mongodb vendor.
The issue relates to a mitigation bypass in the GNU Libc library's NPTL component, allowing attackers to circumvent
stack guard protection via a stack buffer overflow. This is considered a post-attack mitigation rather than a direct
vulnerability by many upstream maintainers. In our products, exploiting this vulnerability on the 3rd party images is
very low since this issue does not directly lead to code execution. Instead, it weakens an additional layer of
protection after an attack has already occurred, thus classifying it as a post-attack hardening issue. We are waiting on
an upstream fix from the 3rd party vendors and will upgrade the images once the upstream fix becomes available.

## CVE Severity

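Review bot: the sentence "In our products, exploiting this vulnerability on the 3rd party images is very low" has no subject for "very low"; it should read "the likelihood of exploiting this vulnerability on the 3rd party images is very low". The rewrite also drops the only scoping information the replaced line carried (the mongodb vendor image): keep naming which 3rd party images ship the affected glibc so readers can tell whether their deployment includes them. Since the rationale for the low rating is that the bypass needs a separate stack buffer overflow in the same process, say that in one sentence rather than only calling it "post-attack hardening".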
Expand Up @@ -14,15 +14,19 @@ tags: ["security", "cve"]

## Last Update

10/10/2024
10/29/2024

## NIST CVE Summary

An issue was discovered in ncurses through v6.2-1. \_nc_captoinfo in captoinfo.c has a heap-based buffer overflow.

## Our Official Summary

Waiting on a fix from third party mongodb & calico vendors.
This vulnerability is reported on some 3rd party images used by our products. This flaw results from a lack of proper
bounds checking during input processing. By exploiting this boundary error, an attacker can create a malicious file,
deceive the victim into opening it using the affected software, and initiate an out-of-bounds write, potentially
impacting system availability. We are waiting on an upstream fix from the 3rd party vendor. We will upgrade the images
once the upstream fix becomes available.

## CVE Severity

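Review bot: the new summary explains the attack path (a crafted file opened by the affected software) but, unlike the replaced line, no longer says which 3rd party images carry ncurses (mongodb and calico were named), and unlike the other bulletins in this commit it gives no exploitation-likelihood statement for those images. Suggest keeping the vendor names and stating whether the affected code (\_nc_captoinfo, per the NIST summary) is reachable at all in those images, since that decides whether the file-based vector applies. Also "the 3rd party vendor" should be plural to match "vendors" in the other bulletins.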
Expand Up @@ -14,7 +14,7 @@ tags: ["security", "cve"]

## Last Update

10/10/24
10/29/24

## NIST CVE Summary

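Review bot: the Last Update value here uses a two-digit year ("10/29/24") while the other bulletins in this commit use "10/29/2024"; cve-2024-1485.md has the same two-digit form. Normalize all Last Update fields to one format.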
Expand All @@ -24,7 +24,9 @@ GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affe

This is a vulnerability reported in GNU Libtasn1 before version 4.19.0, a library used to manage the ASN.1 data
structure. This vulnerability is caused by an off-by-one array size check issue, leading to an out-of-bounds read.
Impacting systems using GNU Libtasn1 before 4.19.0. Waiting on an upstream fix.
Impacting systems using GNU Libtasn1 before 4.19.0. This flaw enables access to one additional memory byte,
significantly constraining the potential damage an attacker could inflict. We are waiting on an upstream fix from the
3rd party vendors and will upgrade the images once the upstream fix becomes available.

## CVE Severity

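Review bot: "We are waiting on an upstream fix from the 3rd party vendors" is misleading for this CVE, because the NIST summary on this page already gives the library fix: versions before 4.19.0 are affected, so Libtasn1 4.19.0 is the fix and what is outstanding is the 3rd party images rebasing onto it. Say that explicitly. Two wording points in the added lines: "Impacting systems using GNU Libtasn1 before 4.19.0." is a sentence fragment and should be joined to the preceding sentence, and "enables access to one additional memory byte" should read "reads one byte past the end of the array", which is what the off-by-one out-of-bounds read described above is.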
Expand Up @@ -14,7 +14,7 @@ tags: ["security", "cve"]

## Last Update

10/10/2024
10/29/2024

## NIST CVE Summary

Expand All @@ -28,8 +28,9 @@ This is a vulnerability affecting the Golang Go software, specifically the html/
improper handling of JavaScript whitespace characters in certain contexts, leading to potential security risks. Systems
using Golang Go versions up to 1.19.9 and from 1.20.0 to 1.20.4 are affected, particularly those using the html/template
package with JavaScript contexts containing actions and specific whitespace characters. The images in which
vulnerabilities are report do not use the html package. So possibility of this vulnerability getting exploited in
Spectro Cloud products is low. There is a upstream fix available, we will upgrade to that version.
vulnerabilities are reported are not directly exposed. This restricts access to the vulnerable golang html/templates to
authenticated users only, reducing the impact. We are waiting on an upstream fix from the 3rd party vendors. We will
upgrade the images once the upstream fix becomes available.

## CVE Severity

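Review bot: this rewrite contradicts the assessment it replaces without explanation. The removed text said the affected images do not use the html package; the added text says the vulnerable html/template code is reachable by authenticated users. Only one can be true, and the bulletin should state which images actually use html/template with JavaScript contexts. The change from "There is a upstream fix available" to "We are waiting on an upstream fix" is also backwards: the affected ranges on this page (up to 1.19.9 and 1.20.0 to 1.20.4) mean later Go releases are fixed, so the wait is on the image vendors to rebuild with a fixed Go, not on Go itself. Minor: "golang html/templates" should be "html/template".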
Expand Up @@ -14,7 +14,7 @@ tags: ["security", "cve"]

## Last Update

10/10/2024
10/29/2024

## NIST CVE Summary

Expand All @@ -25,7 +25,12 @@ Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.

## Our Official Summary

Waiting on a fix from third party mongodb & calico vendors.
This vulnerability was found in the python-certifi package. eTurgra certificates are marked as untrusted by Mozilla and
were removed from Mozilla's root store in July 2023. This issue occurs when the e-Tugra root certificate in Certifi is
removed, resulting in an unspecified error that has an unknown impact and attack vector. This issue is mostly impacted
during the use of web browsers. The vulnerability exploitation likelihood in the calico cni images is low. We are
waiting on an upstream fix from the 3rd party vendors. We will upgrade the images once the upstream fix becomes
available.

## CVE Severity

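Review bot: the second and third added sentences invert the problem. The NIST summary on this page says certifi 2023.07.22 removes the e-Tugra roots; the vulnerability is that older certifi versions still trust a CA Mozilla distrusted, not that the removal "results in an unspecified error". Suggest: "Versions of certifi before 2023.07.22 still trust the e-Tugra root certificates, which Mozilla distrusted and removed from its root store in July 2023, so a client using such a bundle would accept certificates chaining to those roots." Also "eTurgra" is a misspelling of "e-Tugra" (as spelled in the NIST summary), and "This issue is mostly impacted during the use of web browsers" is unclear: python-certifi is the CA bundle for Python clients, so the relevant consumer in the calico cni images is Python code, not a browser.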
8 changes: 6 additions & 2 deletions docs/docs-content/security-bulletins/reports/cve-2024-1485.md
Expand Up @@ -14,7 +14,7 @@ tags: ["security", "cve"]

## Last Update

10/24/24
10/29/24

## NIST CVE Summary

Expand All @@ -25,7 +25,11 @@ allowed.

## Our Official Summary

Investigation is ongoing to determine how this vulnerability affects our products.
This vulnerability can be exploited by an unauthenticated remote attacker who tricks a user into parsing a devfile with
parent or plugin keywords. This malicious interaction could result in the download of a harmful archive, leading the
cleanup process to overwrite or delete files outside the intended archive scope. There is no evidence that a public
proof-of-concept exists. We are waiting on an upstream fix from the 3rd party vendors and will upgrade the images once
the upstream fix becomes available.

## CVE Severity

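Review bot: the added summary describes the vulnerability but, unlike the other bulletins in this commit, never says which product images or components carry the affected devfile library and gives no exploitation-likelihood statement, which is what the replaced line ("Investigation is ongoing ...") promised. Suggest naming the affected images and stating whether any of them parse user-supplied devfiles, since the attack as described requires tricking a user into parsing one. "the 3rd party vendors" should also say which vendors.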
10 changes: 7 additions & 3 deletions docs/docs-content/security-bulletins/reports/cve-2024-21626.md
Expand Up @@ -14,7 +14,7 @@ tags: ["security", "cve"]

## Last Update

10/10/2024
10/29/2024

## NIST CVE Summary

Expand All @@ -28,8 +28,12 @@ overwrite semi-arbitrary host binaries, allowing for complete container escapes

## Our Official Summary

CVE exists in kube-proxy 1.28.11. Affects only k8s version 1.28.11 For customer workload clusters, workaround is to use
k8s version 1.29+. For Palette Self Hosted cluster, a future release will upgrade to 1.29+.
A file descriptor leak issue was found in the runc package. These vulnerabilities not only enable malicious actors to
escape containerized environments but also allow for full control over the underlying host system. The presence of these
dependencies in the container does not imply a security risk to the containerized application itself, as it is based on
low-level packages included, and the impact to the container's core functionality is minimal. Upstream fix from the 3rd
party vendors is awaited. We are waiting on an upstream fix from the 3rd party vendors and will upgrade the images once
the upstream fix becomes available.

## CVE Severity

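Review bot: "Upstream fix from the 3rd party vendors is awaited." and the following "We are waiting on an upstream fix from the 3rd party vendors ..." say the same thing; drop the first. "These vulnerabilities" should be singular, since the bulletin covers one CVE. The sentence "The presence of these dependencies in the container does not imply a security risk to the containerized application itself, as it is based on low-level packages included, and the impact to the container's core functionality is minimal" is unclear; the point that matters is whether runc is executed as a container runtime in these images or merely shipped as a file, because the container escape in the NIST summary applies only where the vulnerable runc starts containers. State that directly. Separately, the replaced text was about kube-proxy 1.28.11 and unrelated to runc; worth confirming it was pasted into the wrong bulletin rather than describing a second affected component that is now lost.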
Expand Up @@ -14,7 +14,7 @@ tags: ["security", "cve"]

## Last Update

10/25/2024
10/29/2024

## NIST CVE Summary

Expand All @@ -23,8 +23,8 @@ false for addresses which would return true in their traditional IPv4 forms.

## Our Official Summary

This vulnerability is reported on several 3rd party images used by the product. We are waiting on an upstream fix from
the vendor. If the vulnerability is exploited, impact is low for the products using these images.
This vulnerability is reported on some of the 3rd party csi images and coredns images from Kubernetes. This CVE requires
a network-based attack vector. We will upgrade the images when the fixes are available from the vendor.

## CVE Severity

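Review bot: the rewrite drops the impact assessment the replaced text had ("If the vulnerability is exploited, impact is low") and substitutes "This CVE requires a network-based attack vector", which says how the flaw is reached but not what an attacker gains; keep an impact statement next to the attack vector. "some of the 3rd party csi images and coredns images from Kubernetes" should name the images so readers can check their deployments.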
11 changes: 8 additions & 3 deletions docs/docs-content/security-bulletins/reports/cve-2024-37371.md
Expand Up @@ -14,7 +14,7 @@ tags: ["security", "cve"]

## Last Update

10/10/2024
10/29/2024

## NIST CVE Summary

Expand All @@ -25,8 +25,13 @@ by sending message tokens with invalid length fields.

This CVE is a memory corruption vulnerability reported on kerboros libraries. Attackers could potentially exploit a flaw
within Kerberos' handling of GSS (Generic Security Service) message tokens to cause invalid memory reads, potentially
leading to system crashes. Risk of this specific vulnerability for spectro cloud components is low. Working on
removing/upgrading libraries to fix the issue.
leading to system crashes. This issue is classified as a moderate severity vulnerability because, while it allows an
attacker to modify the plaintext "Extra Count" field of a GSS krb5 wrap token, the impact is primarily limited to token
truncation at the application layer. This truncation can disrupt services but does not directly lead to a full
compromise of confidentiality or integrity. The attack requires that the attacker already has access to a valid token
transmission to modify, meaning it cannot be exploited remotely without first obtaining or intercepting a valid token.
We are waiting on an upstream fix from the 3rd party vendor and will upgrade the images once the upstream fix becomes
available.

## CVE Severity

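Review bot: the added severity rationale does not match the CVE this file is about. The NIST summary says CVE-2024-37371 concerns invalid memory reads caused by message tokens with invalid length fields, but the new sentences describe modifying the plaintext "Extra Count" field of a wrap token and application-layer truncation, which is the description of the companion krb5 issue (CVE-2024-37370). The "moderate severity because ... limited to token truncation" argument therefore does not justify a rating for this CVE; rewrite the rationale around invalid reads and crashes (denial of service), which is what the first two sentences of the paragraph already say. Also "kerboros" in the unchanged context line should be "Kerberos".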
Expand Up @@ -26,7 +26,7 @@ An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have
This CVE identifies an integer overflow vulnerability found in libexpat versions prior to 2.6.3, specifically in the
dtdCopy function of xmlparse.c on 32-bit platforms. This vulnerability can be exploited over a network without user
interaction and has very low attack complexity. Not all of the images affected use the specific function affected.
Exploiting this vulnerable library will require a user to compromise the containers and gain privileged access. Fix
Exploiting this vulnerable library will require a user to compromise the containers and gain privileged access. Fix is
available in libexpat versions > 2.6.3. Investigating upgrading this library within the affected images.

## CVE Severity
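Review bot: "Fix is available in libexpat versions > 2.6.3" is off by one against the NIST summary on this page ("before 2.6.3" is affected), so the fix is in 2.6.3 itself and the line should read ">= 2.6.3" or "in libexpat 2.6.3 and later". The paragraph also says the flaw "can be exploited over a network without user interaction" and then that exploiting it "will require a user to compromise the containers and gain privileged access"; those two statements need reconciling, for example by explaining why the generic network vector does not apply to these images, if that is the case.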