From 6e6f49cecad14cccc382101bedd5d431dec32ded Mon Sep 17 00:00:00 2001 From: frederickjoi <153292280+frederickjoi@users.noreply.github.com> Date: Thu, 19 Sep 2024 06:22:10 -0700 Subject: [PATCH 1/3] 9-19-24 cve updates --- .../security-bulletins/reports/cve-2022-41725.md | 5 +++-- .../security-bulletins/reports/cve-2023-24539.md | 4 ++-- .../security-bulletins/reports/cve-2023-45287.md | 5 +++-- .../security-bulletins/reports/cve-2023-49569.md | 6 ++++-- docs/docs-content/security-bulletins/reports/reports.md | 7 ++++--- 5 files changed, 16 insertions(+), 11 deletions(-) diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-41725.md b/docs/docs-content/security-bulletins/reports/cve-2022-41725.md index c0c05fdae5..df370cb3b9 100644 --- a/docs/docs-content/security-bulletins/reports/cve-2022-41725.md +++ b/docs/docs-content/security-bulletins/reports/cve-2022-41725.md @@ -14,7 +14,7 @@ tags: ["security", "cve"] ## Last Update -09/15/2024 +09/19/2024 ## NIST CVE Summary @@ -39,7 +39,8 @@ consumed by temporary files. Callers can limit the size of form data with http.M ## Our Official Summary -Investigation is ongoing to determine how this vulnerability affects our products. +A denial-of-service vulnerability has been identified in the Go standard library affecting the mime/multipart package. This vulnerability could allow an attacker to conduct a +denial-of-service attack through excessive resource consumption in net/http and mime/multipart. This vulnerability affects multiple 3rd party images. Images will be upgraded to newer versions available. ## CVE Severity diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-24539.md b/docs/docs-content/security-bulletins/reports/cve-2023-24539.md index cd468f1d76..bedb82e247 100644 --- a/docs/docs-content/security-bulletins/reports/cve-2023-24539.md +++ b/docs/docs-content/security-bulletins/reports/cve-2023-24539.md 
@@ -14,7 +14,7 @@ tags: ["security", "cve"] ## Last Update -09/15/2024 +09/19/2024 ## NIST CVE Summary @@ -24,7 +24,7 @@ injection of unexpected HTML, if executed with untrusted input. ## Our Official Summary -Investigation is ongoing to determine how this vulnerability affects our products. +A vulnerability was found in html-template up to 1.19.8/1.20.3 on Go. The affected component is the CSS Handler. Manipulation with an unknown input could lead to a cross-site scripting vulnerability. If the input contains special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. A fix for the images affected will be investigated. ## CVE Severity diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-45287.md b/docs/docs-content/security-bulletins/reports/cve-2023-45287.md index 0846b971c2..ac468ecfc0 100644 --- a/docs/docs-content/security-bulletins/reports/cve-2023-45287.md +++ b/docs/docs-content/security-bulletins/reports/cve-2023-45287.md @@ -14,7 +14,7 @@ tags: ["security", "cve"] ## Last Update -09/15/2024 +09/19/2024 ## NIST CVE Summary @@ -26,7 +26,8 @@ exhibits any timing side channels. ## Our Official Summary -Investigation is ongoing to determine how this vulnerability affects our products. +This vulnerability exists in older versions of Golang for RSA based TLS exchanges. All the images in which this is detected are using older versions of Golang with updates +available with a fix. In order to exploit the vulnerability, attackers need to obtain privileged access to the cluster and handcraft specific calls to these containers. Images will be upgraded to newer versions. ## CVE Severity diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-49569.md b/docs/docs-content/security-bulletins/reports/cve-2023-49569.md index 896d3feba1..db2147fac1 100644 --- a/docs/docs-content/security-bulletins/reports/cve-2023-49569.md 
+++ b/docs/docs-content/security-bulletins/reports/cve-2023-49569.md @@ -14,7 +14,7 @@ tags: ["security", "cve"] ## Last Update -9/6/24 +9/19/24 ## NIST CVE Summary @@ -43,8 +43,10 @@ Ongoing ## Affected Products & Versions -- Palette Enterprise 4.4.15 +- Palette Enterprise 4.4.14 ## Revision History - 1.0 9/6/24 Initial Publication +- 2.0 9/19/24 Added Palette Enterprise 4.4.14 to Affected Products + diff --git a/docs/docs-content/security-bulletins/reports/reports.md b/docs/docs-content/security-bulletins/reports/reports.md index bde77eb892..e4a1d2437a 100644 --- a/docs/docs-content/security-bulletins/reports/reports.md +++ b/docs/docs-content/security-bulletins/reports/reports.md 
@@ -149,19 +149,20 @@ Click on the CVE ID to view the full details of the vulnerability. | [CVE-2022-28357](./cve-2022-28357.md) | 9/15/24 | 9/15/24 | 4.4.18 | Third-party component: NATS | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2022-28357) | :mag: Ongoing | | [CVE-2022-28948](./cve-2022-28948.md) | 9/15/24 | 9/15/24 | 4.4.18 | Third-party component: Go-Yaml | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-28948) | :mag: Ongoing | | [CVE-2022-41724](./cve-2022-41724.md) | 9/15/24 | 9/15/24 | 4.4.18 | Third-party component: Go Project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41724) | :mag: Ongoing | -| [CVE-2022-41725](./cve-2022-41725.md) | 9/15/24 | 9/15/24 | 4.4.18 | Third-party component: Go Project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41725) | :mag: Ongoing | +| [CVE-2022-41725](./cve-2022-41725.md) | 9/15/24 | 9/19/24 | 4.4.18 | Third-party component: Go Project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41725) | :mag: Ongoing | | [CVE-2023-24534](./cve-2023-24534.md) | 9/15/24 | 9/15/24 | 4.4.18 | Third-party component: Go Project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-24534) | :mag: Ongoing | | [CVE-2023-24536](./cve-2023-24536.md) | 9/15/24 | 9/15/24 | 4.4.18 | Third-party component: Go Project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-24536) | :mag: Ongoing | | [CVE-2023-24537](./cve-2023-24537.md) | 9/15/24 | 9/15/24 | 4.4.18 | Third-party component: Go Project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-24537) | :mag: Ongoing | | [CVE-2023-24538](./cve-2023-24538.md) | 9/15/24 | 9/15/24 | 4.4.18 | Third-party component: Go Project | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2023-24538) | :mag: Ongoing | -| [CVE-2023-24539](./cve-2023-24539.md) | 9/15/24 | 9/15/24 | 4.4.18 | Third-party component: Go Project | [7.3](https://nvd.nist.gov/vuln/detail/CVE-2023-24539) | :mag: Ongoing | +| [CVE-2023-24539](./cve-2023-24539.md) | 9/15/24 | 9/19/24 | 4.4.18 | Third-party component: Go Project | 
[7.3](https://nvd.nist.gov/vuln/detail/CVE-2023-24539) | :mag: Ongoing | | [CVE-2023-24540](./cve-2023-24540.md) | 9/15/24 | 9/15/24 | 4.4.18 | Third-party component: Go Project | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2023-24540) | :mag: Ongoing | | [CVE-2023-29400](./cve-2023-29400.md) | 9/15/24 | 9/15/24 | 4.4.18 | Third-party component: Go Project | [7.3](https://nvd.nist.gov/vuln/detail/CVE-2023-29400) | :mag: Ongoing | | [CVE-2023-29403](./cve-2023-29403.md) | 9/15/24 | 9/15/24 | 4.4.18 | Third-party component: Go Project | [7.8](https://nvd.nist.gov/vuln/detail/CVE-2023-29403) | :mag: Ongoing | -| [CVE-2023-45287](./cve-2023-45287.md) | 9/15/24 | 9/15/24 | 4.4.18 | Third-party component: Go Project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-45287) | :mag: Ongoing | +| [CVE-2023-45287](./cve-2023-45287.md) | 9/15/24 | 9/19/24 | 4.4.18 | Third-party component: Go Project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-45287) | :mag: Ongoing | | [CVE-2023-52356](./cve-2023-52356.md) | 9/15/24 | 9/15/24 | 4.4.18 | Third-party component: Libtiff | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-52356) | :mag: Ongoing | | [CVE-2024-0743](./cve-2024-0743.md) | 9/15/24 | 9/15/24 | 4.4.18 | Third-party component: Mozilla | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-0743) | :mag: Ongoing | | [CVE-2024-32002](./cve-2024-32002.md) | 9/15/24 | 9/15/24 | 4.4.18 | Third-party component: Github | [9.0](https://nvd.nist.gov/vuln/detail/CVE-2024-32002) | :mag: Ongoing | +| [CVE-2023-49569](./cve-2023-49569.md) | 9/15/24 | 9/19/24 | 4.4.14 | Third-party component: Bitdefender | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2023-49569) | :mag: Ongoing | From 8ff0cf6cf68866e72c9bd2c951dd8d9d492d7547 Mon Sep 17 00:00:00 2001 
From: frederickjoi Date: Thu, 19 Sep 2024 13:25:47 +0000 Subject: [PATCH 2/3] ci: auto-formatting prettier issues --- .../security-bulletins/reports/cve-2022-41725.md | 6 ++++-- .../security-bulletins/reports/cve-2023-24539.md | 5 ++++- .../security-bulletins/reports/cve-2023-45287.md | 6 ++++-- .../security-bulletins/reports/cve-2023-49569.md | 1 - 4 files changed, 12 insertions(+), 6 deletions(-) diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-41725.md b/docs/docs-content/security-bulletins/reports/cve-2022-41725.md index df370cb3b9..90fe263cf4 100644 --- a/docs/docs-content/security-bulletins/reports/cve-2022-41725.md +++ b/docs/docs-content/security-bulletins/reports/cve-2022-41725.md @@ -39,8 +39,10 @@ consumed by temporary files. Callers can limit the size of form data with http.M ## Our Official Summary -A denial-of-service vulnerability has been identified in the Go standard library affecting the mime/multipart package. This vulnerability could allow an attacker to conduct a -denial-of-service attack through excessive resource consumption in net/http and mime/multipart. This vulnerability affects multiple 3rd party images. Images will be upgraded to newer versions available. +A denial-of-service vulnerability has been identified in the Go standard library affecting the mime/multipart package. +This vulnerability could allow an attacker to conduct a denial-of-service attack through excessive resource consumption +in net/http and mime/multipart. This vulnerability affects multiple 3rd party images. Images will be upgraded to newer +versions available. ## CVE Severity diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-24539.md b/docs/docs-content/security-bulletins/reports/cve-2023-24539.md index bedb82e247..2d8e83606e 100644 --- a/docs/docs-content/security-bulletins/reports/cve-2023-24539.md +++ b/docs/docs-content/security-bulletins/reports/cve-2023-24539.md 
@@ -24,7 +24,10 @@ injection of unexpected HTML, if executed with untrusted input. ## Our Official Summary -A vulnerability was found in html-template up to 1.19.8/1.20.3 on Go. The affected component is the CSS Handler. Manipulation with an unknown input could lead to a cross-site scripting vulnerability. If the input contains special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. A fix for the images affected will be investigated. +A vulnerability was found in html-template up to 1.19.8/1.20.3 on Go. The affected component is the CSS Handler. +Manipulation with an unknown input could lead to a cross-site scripting vulnerability. If the input contains special +characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a +downstream component that processes web pages. A fix for the images affected will be investigated. ## CVE Severity diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-45287.md b/docs/docs-content/security-bulletins/reports/cve-2023-45287.md index ac468ecfc0..6b62dbaf0e 100644 --- a/docs/docs-content/security-bulletins/reports/cve-2023-45287.md +++ b/docs/docs-content/security-bulletins/reports/cve-2023-45287.md 
@@ -26,8 +26,10 @@ exhibits any timing side channels. ## Our Official Summary -This vulnerability exists in older versions of Golang for RSA based TLS exchanges. All the images in which this is detected are using older versions of Golang with updates -available with a fix. In order to exploit the vulnerability, attackers need to obtain privileged access to the cluster and handcraft specific calls to these containers. Images will be upgraded to newer versions. +This vulnerability exists in older versions of Golang for RSA based TLS exchanges. All the images in which this is +detected are using older versions of Golang with updates available with a fix. In order to exploit the vulnerability, +attackers need to obtain privileged access to the cluster and handcraft specific calls to these containers. Images will +be upgraded to newer versions. ## CVE Severity diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-49569.md b/docs/docs-content/security-bulletins/reports/cve-2023-49569.md index db2147fac1..3dd4664a33 100644 --- a/docs/docs-content/security-bulletins/reports/cve-2023-49569.md +++ b/docs/docs-content/security-bulletins/reports/cve-2023-49569.md @@ -49,4 +49,3 @@ Ongoing - 1.0 9/6/24 Initial Publication - 2.0 9/19/24 Added Palette Enterprise 4.4.14 to Affected Products - From 5378f29747bebeaba7384a4025678ba3b1e58b66 Mon Sep 17 00:00:00 2001 From: Karl Cardenas Date: Thu, 19 Sep 2024 08:16:27 -0700 Subject: [PATCH 3/3] docs: chore fixed invalid symbols --- docs/docs-content/security-bulletins/reports/cve-2023-24539.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-24539.md b/docs/docs-content/security-bulletins/reports/cve-2023-24539.md index 2d8e83606e..c7db92bc2d 100644 --- a/docs/docs-content/security-bulletins/reports/cve-2023-24539.md +++ b/docs/docs-content/security-bulletins/reports/cve-2023-24539.md 
@@ -26,7 +26,7 @@ injection of unexpected HTML, if executed with untrusted input. A vulnerability was found in html-template up to 1.19.8/1.20.3 on Go. The affected component is the CSS Handler. Manipulation with an unknown input could lead to a cross-site scripting vulnerability. If the input contains special -characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a +characters such as `"<", ">"`, and `"&"` that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. A fix for the images affected will be investigated. ## CVE Severity
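Review bot: the new Our Official Summary in cve-2022-41725.md (PATCH 1/3) names the affected packages, mime/multipart and net/http, but not the Go release that carries the fix, so "Images will be upgraded to newer versions available" gives a reader no way to check that an upgraded image is actually patched; state the minimum fixed Go version, or link the upstream Go advisory, next to the upgrade statement. Minor: "3rd party images" should match the "Third-party component" wording used in reports.md.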
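Review bot: in the cve-2023-24539.md summary (PATCH 1/3) the sentence beginning "If the input contains special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages." has no main clause; fold it into the preceding sentence, e.g. "Manipulation with untrusted input containing characters such as <, >, and & that a downstream component interprets as markup could lead to a cross-site scripting vulnerability." The package is also written "html-template", which is not the Go import path; spell it html/template. "A fix for the images affected will be investigated" conflicts in tone with the other three summaries, which commit to upgrading images; say which it is.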
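Review bot: the cve-2023-45287.md summary (PATCH 1/3) states that exploitation requires "privileged access to the cluster" plus handcrafted calls to the containers, yet the reports.md row for this CVE keeps NVD's 7.5 with no environmental adjustment; either explain in the bulletin why that precondition does not lower the score for Palette, or record the adjusted score, so the two pages do not contradict each other. Also "older versions of Golang with updates available with a fix" reads awkwardly; "older Go versions for which fixed releases are available" (naming the fixed version) is clearer, and the project is called Go, as the "Go Project" column in reports.md already has it.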
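Review bot: the Affected Products hunk in cve-2023-49569.md (PATCH 1/3) replaces "- Palette Enterprise 4.4.15" with "- Palette Enterprise 4.4.14", but the new revision entry "- 2.0 9/19/24 Added Palette Enterprise 4.4.14 to Affected Products" describes an addition, not a substitution; if 4.4.15 is still affected, keep it and add 4.4.14 as a second bullet, and if 4.4.15 was listed in error, the revision note should say it was removed. The Last Update value "9/19/24" also differs from the "09/19/2024" format the other three bulletins in this patch use; pick one date format. The blank line added after the revision history is deleted again in PATCH 2/3, so drop it here.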
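Review bot: the new CVE-2023-49569 row in reports.md (PATCH 1/3) shows an initial publication date of 9/15/24, but cve-2023-49569.md records "- 1.0 9/6/24 Initial Publication"; one of the two is wrong. The row is also appended after CVE-2024-32002 instead of in the ascending CVE-ID position between CVE-2023-45287 and CVE-2023-52356 that the rest of the table follows, and its affected version 4.4.14 should be rechecked against the bulletin once the 4.4.14/4.4.15 question above is settled, since every other row in the visible table carries 4.4.18.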
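Review bot: in the PATCH 3/3 hunk the backticks are grouped unevenly: `"<", ">"` wraps two characters and the comma in one code span while `"&"` stands alone, and the quotation marks inside code spans are redundant; write them as `<`, `>`, and `&`. Since PATCH 1/3 introduces this paragraph, PATCH 2/3 only reflows it for prettier and PATCH 3/3 fixes its symbols, consider squashing the three commits so the bulletin text lands as one reviewable change.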