docs: 9-15-24 palette cve updates (#3930) (#3943)

* 9-15-24 palette cve updates

* ci: auto-formatting prettier issues

* chore: fixed symbol issues

* chore: fix redirect

* chore: vale fixes

---------

Co-authored-by: frederickjoi <[email protected]>
Co-authored-by: Karl Cardenas <[email protected]>
(cherry picked from commit 8fe8d40)

Co-authored-by: frederickjoi <[email protected]>

docs/docs-content/registries-and-packs/adding-add-on-packs.md

@@ -7,7 +7,7 @@ hide_table_of_contents: false
 sidebar_position: 30
 ---
 
-An Add-on Pack defines deployment specifics of a Kubernetes application to be installed on a running Kubernetes cluster.
+An Add-on Pack defines deployment specifics of a Kubernetes application to be installed on an active Kubernetes cluster.
 Palette provides several Add-on packs out of the box for various layers of the Kubernetes stack. For example:
 
 - **Logging** - elastic search, fluentd

docs/docs-content/security-bulletins/reports/cve-2019-9936.md

@@ -18,7 +18,7 @@ tags: ["security", "cve"]
 
 ## NIST CVE Summary
 
-In SQLite 3.27.2, running fts5 prefix queries inside a transaction could trigger a heap-based buffer over-read in
+In SQLite 3.27.2, using fts5 prefix queries inside a transaction could trigger a heap-based buffer over-read in
 fts5HashEntrySort in sqlite3.c, which may lead to an information leak. This is related to ext/fts5/fts5_hash.c.
 
 ## Our Official Summary

docs/docs-content/security-bulletins/reports/cve-2022-28357.md

@@ -0,0 +1,46 @@
+---
+sidebar_label: "CVE-2022-28357"
+title: "CVE-2022-28357"
+description: "Lifecycle of CVE-2022-28357"
+hide_table_of_contents: true
+sidebar_class_name: "hide-from-sidebar"
+toc_max_heading_level: 2
+tags: ["security", "cve"]
+---
+
+## CVE Details
+
+[CVE-2022-28357](https://nvd.nist.gov/vuln/detail/CVE-2022-28357)
+
+## Last Update
+
+09/15/2024
+
+## NIST CVE Summary
+
+NATS `nats-server` 2.2.0 through 2.7.4 allows directory traversal because of an unintended path to a management action
+from a management account.
+
+## Our Official Summary
+
+A vulnerability was found in NATS nats-server up to 2.7.4. The product uses external input to construct a pathname that
+is intended to identify a file or directory that is located underneath a restricted parent directory, but the product
+does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location
+that is outside of the restricted directory. Upgrade of the nats server is needed to fix this vulnerability.
+
+## CVE Severity
+
+[9.8](https://nvd.nist.gov/vuln/detail/CVE-2022-28357)
+
+## Status
+
+Ongoing
+
+## Affected Products & Versions
+
+- Palette VerteX 4.4.18
+
+## Revision History
+
+- 1.0 09/15/2024 Initial Publication
+- 2.0 09/15/2024 Added palette VerteX 4.4.18 to Affected Products

docs/docs-content/security-bulletins/reports/cve-2022-28948.md

@@ -0,0 +1,43 @@
+---
+sidebar_label: "CVE-2022-28948"
+title: "CVE-2022-28948"
+description: "Lifecycle of CVE-2022-28948"
+hide_table_of_contents: true
+sidebar_class_name: "hide-from-sidebar"
+toc_max_heading_level: 2
+tags: ["security", "cve"]
+---
+
+## CVE Details
+
+[CVE-2022-28948](https://nvd.nist.gov/vuln/detail/CVE-2022-28948)
+
+## Last Update
+
+09/15/2024
+
+## NIST CVE Summary
+
+An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid
+input.
+
+## Our Official Summary
+
+Investigation is ongoing to determine how this vulnerability affects our products.
+
+## CVE Severity
+
+[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-28948)
+
+## Status
+
+Ongoing
+
+## Affected Products & Versions
+
+- Palette VerteX 4.4.18
+
+## Revision History
+
+- 1.0 09/15/2024 Initial Publication
+- 2.0 09/15/2024 Added palette VerteX 4.4.18 to Affected Products

docs/docs-content/security-bulletins/reports/cve-2022-41724.md

@@ -0,0 +1,45 @@
+---
+sidebar_label: "CVE-2022-41724"
+title: "CVE-2022-41724"
+description: "Lifecycle of CVE-2022-41724"
+hide_table_of_contents: true
+sidebar_class_name: "hide-from-sidebar"
+toc_max_heading_level: 2
+tags: ["security", "cve"]
+---
+
+## CVE Details
+
+[CVE-2022-41724](https://nvd.nist.gov/vuln/detail/CVE-2022-41724)
+
+## Last Update
+
+09/15/2024
+
+## NIST CVE Summary
+
+Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records
+which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3
+clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil
+value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).
+
+## Our Official Summary
+
+Investigation is ongoing to determine how this vulnerability affects our products.
+
+## CVE Severity
+
+[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41724)
+
+## Status
+
+Ongoing
+
+## Affected Products & Versions
+
+- Palette VerteX 4.4.18
+
+## Revision History
+
+- 1.0 09/15/2024 Initial Publication
+- 2.0 09/15/2024 Added palette VerteX 4.4.18 to Affected Products

docs/docs-content/security-bulletins/reports/cve-2022-41725.md

@@ -0,0 +1,59 @@
+---
+sidebar_label: "CVE-2022-41725"
+title: "CVE-2022-41725"
+description: "Lifecycle of CVE-2022-41725"
+hide_table_of_contents: true
+sidebar_class_name: "hide-from-sidebar"
+toc_max_heading_level: 2
+tags: ["security", "cve"]
+---
+
+## CVE Details
+
+[CVE-2022-41725](https://nvd.nist.gov/vuln/detail/CVE-2022-41725)
+
+## Last Update
+
+09/15/2024
+
+## NIST CVE Summary
+
+A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form
+parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also
+affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and
+PostFormValue. ReadForm takes a maxMemory parameter, and is documented as storing "up to maxMemory bytes +10MB (reserved
+for non-file parts) in memory". File parts which cannot be stored in memory are stored on disk in temporary files. The
+unconfigurable 10MB reserved for non-file parts is excessively large and can potentially open a denial of service vector
+on its own. However, ReadForm did not properly account for all memory consumed by a parsed form, such as map entry
+overhead, part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In addition,
+ReadForm contained no limit on the number of disk files created, permitting a relatively small request body to create a
+large number of disk temporary files. With fix, ReadForm now properly accounts for various forms of memory overhead, and
+should now stay within its documented limit of 10MB + maxMemory bytes of memory consumption. Users should still be aware
+that this limit is high and may still be hazardous. In addition, ReadForm now creates at most one on-disk temporary
+file, combining multiple form parts into a single temporary file. The mime/multipart.File interface type's documentation
+states, "If stored on disk, the File's underlying concrete type will be an \*os.File.". This is no longer the case when
+a form contains more than one file part, due to this coalescing of parts into a single file. The previous behavior of
+using distinct files for each form part may be reenabled with the environment variable GODEBUG=multipartfiles=distinct.
+Users should be aware that multipart.ReadForm and the http.Request methods that call it do not limit the amount of disk
+consumed by temporary files. Callers can limit the size of form data with http.MaxBytesReader.
+
+## Our Official Summary
+
+Investigation is ongoing to determine how this vulnerability affects our products.
+
+## CVE Severity
+
+[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41725)
+
+## Status
+
+Ongoing
+
+## Affected Products & Versions
+
+- Palette VerteX 4.4.18
+
+## Revision History
+
+- 1.0 09/15/2024 Initial Publication
+- 2.0 09/15/2024 Added palette VerteX 4.4.18 to Affected Products

docs/docs-content/security-bulletins/reports/cve-2022-45061.md

@@ -27,7 +27,12 @@ HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16,
 
 ## Our Official Summary
 
-Investigation is ongoing to determine how this vulnerability affects our products.
+This CVE is a vulnerability affecting certain versions of Python, specifically those before version 3.11.1. The issue
+lies in an unnecessary quadratic algorithm in one path when processing some inputs to the IDNA (RFC 3490) decoder. This
+can lead to slow execution times and potential denial of service attacks on systems using affected Python versions.
+Systems that utilize Python's idna module for decoding large strings, such as web servers or applications handling
+user-provided hostnames, may be impacted by this vulnerability. There is no known workaround for this vulnerability.
+Python version needs to be upgraded in the images reported.
 
 ## CVE Severity
 

docs/docs-content/security-bulletins/reports/cve-2022-48560.md

@@ -14,15 +14,18 @@ tags: ["security", "cve"]
 
 ## Last Update
 
-9/13/24
+9/15/24
 
 ## NIST CVE Summary
 
 A use-after-free exists in Python through 3.9 via heappushpop in heapq.
 
 ## Our Official Summary
 
-Investigation is ongoing to determine how this vulnerability affects our products.
+This CVE affects python versions upto 3.9. The use-after-free vulnerability in Python's heapq module allows an attacker
+to manipulate memory after it has been freed, potentially leading to arbitrary code execution or a denial of service.
+This vulnerability can be exploited by carefully crafting a malicious input that triggers the use-after-free condition.
+There is no known workaround for this vulnerability. Python version needs to be upgraded in the images reported.
 
 ## CVE Severity
 

docs/docs-content/security-bulletins/reports/cve-2022-48565.md

@@ -14,7 +14,7 @@ tags: ["security", "cve"]
 
 ## Last Update
 
-9/13/24
+9/15/24
 
 ## NIST CVE Summary
 
@@ -23,7 +23,11 @@ declarations in XML plist files to avoid XML vulnerabilities.
 
 ## Our Official Summary
 
-Investigation is ongoing to determine how this vulnerability affects our products.
+This CVE affects users of Python versions up to 3.9.1. This issue lies in the plistlib module, which used to accept
+entity declarations in XML plist files, making it susceptible to XXE attacks. This vulnerability is not listed in CISA's
+Known Exploited Vulnerabilities Catalog. The possibility of this vulnerability getting exploited in Spectro Cloud
+products is low. Need an update from the 3rd party vendor to fix the vulnerability. Investigating possibility of
+updating python version to fix this vulnerability.
 
 ## CVE Severity
 

docs/docs-content/security-bulletins/reports/cve-2023-24329.md

@@ -23,7 +23,10 @@ supplying a URL that starts with blank characters.
 
 ## Our Official Summary
 
-Investigation is ongoing to determine how this vulnerability affects our products.
+An issue in the urllib.parse component of Python before v3.11 allows attackers to bypass blocklisting methods by
+supplying a URL that starts with blank characters. urlparse has a parsing problem when the entire URL starts with blank
+characters. This problem affects both the parsing of hostname and scheme, and eventually causes any blocklisting methods
+to fail. Python version needs to be upgraded in the images reported.
 
 ## CVE Severity
 

docs/docs-content/security-bulletins/reports/cve-2023-24534.md

@@ -0,0 +1,47 @@
+---
+sidebar_label: "CVE-2023-24534"
+title: "CVE-2023-24534"
+description: "Lifecycle of CVE-2023-24534"
+hide_table_of_contents: true
+sidebar_class_name: "hide-from-sidebar"
+toc_max_heading_level: 2
+tags: ["security", "cve"]
+---
+
+## CVE Details
+
+[CVE-2023-24534](https://nvd.nist.gov/vuln/detail/CVE-2023-24534)
+
+## Last Update
+
+09/15/2024
+
+## NIST CVE Summary
+
+HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading
+to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME
+headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this
+behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory
+exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold
+parsed headers.
+
+## Our Official Summary
+
+Investigation is ongoing to determine how this vulnerability affects our products.
+
+## CVE Severity
+
+[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-24534)
+
+## Status
+
+Ongoing
+
+## Affected Products & Versions
+
+- Palette VerteX 4.4.18
+
+## Revision History
+
+- 1.0 09/15/2024 Initial Publication
+- 2.0 09/15/2024 Added palette VerteX 4.4.18 to Affected Products

docs/docs-content/security-bulletins/reports/cve-2023-24536.md

@@ -0,0 +1,56 @@
+---
+sidebar_label: "CVE-2023-24536"
+title: "CVE-2023-24536"
+description: "Lifecycle of CVE-2023-24536"
+hide_table_of_contents: true
+sidebar_class_name: "hide-from-sidebar"
+toc_max_heading_level: 2
+tags: ["security", "cve"]
+---
+
+## CVE Details
+
+[CVE-2023-24536](https://nvd.nist.gov/vuln/detail/CVE-2023-24536)
+
+## Last Update
+
+09/15/2024
+
+## NIST CVE Summary
+
+Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large
+numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed
+multipart form can consume. ReadForm can undercount the amount of memory consumed, leading it to accept larger inputs
+than intended. 2. Limiting total memory does not account for increased pressure on the garbage collector from large
+numbers of small allocations in forms with many parts. 3. ReadForm can allocate a large number of short-lived buffers,
+further increasing pressure on the garbage collector. The combination of these factors can permit an attacker to cause
+an program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of
+service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package
+with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. With fix, ReadForm now does a
+better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations. In
+addition, the fixed mime/multipart.Reader imposes the following limits on the size of parsed forms: 1. Forms parsed with
+ReadForm may contain no more than 1000 parts. This limit may be adjusted with the environment variable
+GODEBUG=multipartmaxparts=. 2. Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header
+fields. In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This
+limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=.
+
+## Our Official Summary
+
+Investigation is ongoing to determine how this vulnerability affects our products.
+
+## CVE Severity
+
+[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-24536)
+
+## Status
+
+Ongoing
+
+## Affected Products & Versions
+
+- Palette VerteX 4.4.18
+
+## Revision History
+
+- 1.0 09/15/2024 Initial Publication
+- 2.0 09/15/2024 Added palette VerteX 4.4.18 to Affected Products