diff --git a/.github/workflows/api_format.yaml b/.github/workflows/api_format.yaml
index 371526c2ca..df9c1b81e9 100644
--- a/.github/workflows/api_format.yaml
+++ b/.github/workflows/api_format.yaml
@@ -19,6 +19,8 @@ env:
   ALGOLIA_INDEX_NAME: ${{ secrets.ALGOLIA_INDEX_NAME }}
   PALETTE_API_KEY: ${{ secrets.PALETTE_API_KEY }}
   DISABLE_PACKS_INTEGRATIONS: ${{ secrets.DISABLE_PACKS_INTEGRATIONS }}
+  DISABLE_SECURITY_INTEGRATIONS: ${{ secrets.DISABLE_SECURITY_INTEGRATIONS }}
+  DSO_AUTH_TOKEN: ${{ secrets.DSO_AUTH_TOKEN }}
 jobs:
   backport:
diff --git a/.github/workflows/dependabot.yaml b/.github/workflows/dependabot.yaml
index 821cf1a663..52e7f2c45d 100644
--- a/.github/workflows/dependabot.yaml
+++ b/.github/workflows/dependabot.yaml
@@ -23,6 +23,8 @@ env:
   ALGOLIA_INDEX_NAME: ${{ secrets.ALGOLIA_INDEX_NAME }}
   PALETTE_API_KEY: ${{ secrets.PALETTE_API_KEY }}
   DISABLE_PACKS_INTEGRATIONS: ${{ secrets.DISABLE_PACKS_INTEGRATIONS }}
+  DISABLE_SECURITY_INTEGRATIONS: ${{ secrets.DISABLE_SECURITY_INTEGRATIONS }}
+  DSO_AUTH_TOKEN: ${{ secrets.DSO_AUTH_TOKEN }}
 jobs:
   dependabot_build:
diff --git a/.github/workflows/nightly-docker-build.yaml b/.github/workflows/nightly-docker-build.yaml
index b76e0e7c76..1eb4f26c7f 100644
--- a/.github/workflows/nightly-docker-build.yaml
+++ b/.github/workflows/nightly-docker-build.yaml
@@ -15,6 +15,8 @@ env:
   ALGOLIA_INDEX_NAME: "madeup-index"
   PALETTE_API_KEY: ${{ secrets.PALETTE_API_KEY }}
   DISABLE_PACKS_INTEGRATIONS: ${{ secrets.DISABLE_PACKS_INTEGRATIONS }}
+  DISABLE_SECURITY_INTEGRATIONS: ${{ secrets.DISABLE_SECURITY_INTEGRATIONS }}
+  DSO_AUTH_TOKEN: ${{ secrets.DSO_AUTH_TOKEN }}
 jobs:
   build:
diff --git a/.github/workflows/post_release.yaml b/.github/workflows/post_release.yaml
index 55662514d8..2e3be37168 100644
--- a/.github/workflows/post_release.yaml
+++ b/.github/workflows/post_release.yaml
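Review bot: `DSO_AUTH_TOKEN` is added to the workflow-level `env:` block, which places the credential in the environment of every step of every job, including third-party actions that never perform the bulletin fetch; the same pattern is repeated in the dependabot, nightly-docker-build, post_release, pull_request, release-branch-pr, release-preview, release, screenshot_capture, versions_robot and visual-comparison hunks. It matches how `PALETTE_API_KEY` is already handled, but an authentication token is better declared in the `env:` of the single step that runs the bulletin script (the Makefile hunk shows it as `npm run cves`), so a compromised or overly curious action elsewhere in the job cannot read it. For dependabot.yaml in particular, runs triggered by Dependabot receive Dependabot secrets rather than repository secrets, so `secrets.DSO_AUTH_TOKEN` will presumably expand to an empty string there unless it is also defined in that secret store. `DISABLE_SECURITY_INTEGRATIONS` is a boolean switch, not a credential; storing it as a secret masks its value in logs and makes misconfiguration harder to diagnose, so a repository variable (`${{ vars.DISABLE_SECURITY_INTEGRATIONS }}`) would fit better, though that would diverge from the existing `DISABLE_PACKS_INTEGRATIONS` convention.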
@@ -18,6 +18,8 @@ env:
   ALGOLIA_INDEX_NAME: ${{ secrets.ALGOLIA_INDEX_NAME }}
   PALETTE_API_KEY: ${{ secrets.PALETTE_API_KEY }}
   DISABLE_PACKS_INTEGRATIONS: ${{ secrets.DISABLE_PACKS_INTEGRATIONS }}
+  DISABLE_SECURITY_INTEGRATIONS: ${{ secrets.DISABLE_SECURITY_INTEGRATIONS }}
+  DSO_AUTH_TOKEN: ${{ secrets.DSO_AUTH_TOKEN }}
 jobs:
diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml
index 5b00129d6e..df50bfe523 100644
--- a/.github/workflows/pull_request.yaml
+++ b/.github/workflows/pull_request.yaml
@@ -22,6 +22,8 @@ env:
   ALGOLIA_INDEX_NAME: ${{ secrets.ALGOLIA_INDEX_NAME }}
   PALETTE_API_KEY: ${{ secrets.PALETTE_API_KEY }}
   DISABLE_PACKS_INTEGRATIONS: ${{ secrets.DISABLE_PACKS_INTEGRATIONS }}
+  DISABLE_SECURITY_INTEGRATIONS: ${{ secrets.DISABLE_SECURITY_INTEGRATIONS }}
+  DSO_AUTH_TOKEN: ${{ secrets.DSO_AUTH_TOKEN }}
 jobs:
   run-ci:
diff --git a/.github/workflows/release-branch-pr.yaml b/.github/workflows/release-branch-pr.yaml
index bbef39f7a0..f429dbf51a 100644
--- a/.github/workflows/release-branch-pr.yaml
+++ b/.github/workflows/release-branch-pr.yaml
@@ -19,6 +19,8 @@ env:
   GITHUB_BRANCH: ${{ github.ref_name }}
   PALETTE_API_KEY: ${{ secrets.PALETTE_API_KEY }}
   DISABLE_PACKS_INTEGRATIONS: ${{ secrets.DISABLE_PACKS_INTEGRATIONS }}
+  DISABLE_SECURITY_INTEGRATIONS: ${{ secrets.DISABLE_SECURITY_INTEGRATIONS }}
+  DSO_AUTH_TOKEN: ${{ secrets.DSO_AUTH_TOKEN }}
 concurrency:
diff --git a/.github/workflows/release-preview.yaml b/.github/workflows/release-preview.yaml
index c18e2985d2..65ef0b126d 100644
--- a/.github/workflows/release-preview.yaml
+++ b/.github/workflows/release-preview.yaml
@@ -18,6 +18,8 @@ env:
   ALGOLIA_INDEX_NAME: ${{ secrets.ALGOLIA_INDEX_NAME }}
   PALETTE_API_KEY: ${{ secrets.PALETTE_API_KEY }}
   DISABLE_PACKS_INTEGRATIONS: ${{ secrets.DISABLE_PACKS_INTEGRATIONS }}
+  DISABLE_SECURITY_INTEGRATIONS: ${{ secrets.DISABLE_SECURITY_INTEGRATIONS }}
+  DSO_AUTH_TOKEN: ${{ secrets.DSO_AUTH_TOKEN }}
 concurrency:
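Review bot: In pull_request.yaml the new `DSO_AUTH_TOKEN: ${{ secrets.DSO_AUTH_TOKEN }}` will expand to an empty string for pull requests opened from forks, since GitHub withholds repository secrets from `pull_request` runs originating outside the repository; the trigger block is outside this hunk, so this assumes the workflow runs on that event as its name suggests. The bulletin script (not visible here) therefore needs to treat a missing token as "integration unavailable" rather than failing the PR build, or the workflow should export `DISABLE_SECURITY_INTEGRATIONS` when the token is empty. A one-line comment above the new entry, `# Empty on fork PRs — the cves script must tolerate a missing token`, records that expectation where the next maintainer will see it. The same consideration may apply to release-branch-pr.yaml if it is also PR-triggered.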
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 668109c70c..3b6a6a32f3 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -7,12 +7,14 @@ on:
   schedule:
     - cron: '0 20 * * 1-5' # At 12:00 PM PST (8 PM UTC), Monday through Friday
     - cron: '0 5 * * 2-6' # At 9:00 PM PST (5 AM UTC next day), Monday through Friday
+    - cron: '0 20 * * 6' # At 12:00 PM PST (8 PM UTC next day), Saturday - Due to Security Buletin Publication
+    - cron: '0 20 * * 0' # At 12:00 PM PST (8 PM UTC next day), Sunday - Due to Security Buletin Publication
   workflow_dispatch:
     inputs:
       useGitHubHostedLargeRunner:
         description: 'Use the GitHub-hosted large runner. Allowed values are true or false. Caution - this results in additional charges to the organization.'
         required: false
-        default: false
+        default: 'false'
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -27,6 +29,8 @@ env:
   ALGOLIA_INDEX_NAME: ${{ secrets.ALGOLIA_INDEX_NAME }}
   PALETTE_API_KEY: ${{ secrets.PALETTE_API_KEY }}
   DISABLE_PACKS_INTEGRATIONS: ${{ secrets.DISABLE_PACKS_INTEGRATIONS }}
+  DISABLE_SECURITY_INTEGRATIONS: ${{ secrets.DISABLE_SECURITY_INTEGRATIONS }}
+  DSO_AUTH_TOKEN: ${{ secrets.DSO_AUTH_TOKEN }}
 concurrency:
diff --git a/.github/workflows/screenshot_capture.yaml b/.github/workflows/screenshot_capture.yaml
index 6e599cefbd..23d94271d8 100644
--- a/.github/workflows/screenshot_capture.yaml
+++ b/.github/workflows/screenshot_capture.yaml
@@ -21,6 +21,8 @@ env:
   ALGOLIA_INDEX_NAME: ${{ secrets.ALGOLIA_INDEX_NAME }}
   PALETTE_API_KEY: ${{ secrets.PALETTE_API_KEY }}
   DISABLE_PACKS_INTEGRATIONS: ${{ secrets.DISABLE_PACKS_INTEGRATIONS }}
+  DISABLE_SECURITY_INTEGRATIONS: ${{ secrets.DISABLE_SECURITY_INTEGRATIONS }}
+  DSO_AUTH_TOKEN: ${{ secrets.DSO_AUTH_TOKEN }}
 jobs:
diff --git a/.github/workflows/versions_robot.yaml b/.github/workflows/versions_robot.yaml
index 7db30a1b81..9a5ca6db04 100644
--- a/.github/workflows/versions_robot.yaml
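Review bot: The comments on the two added cron entries in release.yaml say `(8 PM UTC next day)`, but `0 20 * * 6` and `0 20 * * 0` fire at 20:00 UTC on Saturday and Sunday themselves; 12 PM PST and 8 PM UTC fall on the same calendar day, exactly as the existing Monday–Friday line above states, so "next day" was carried over from the 5 AM UTC entry and misdescribes when the job runs. Suggest `- cron: '0 20 * * 6' # At 12:00 PM PST (8 PM UTC), Saturday - Due to Security Bulletin Publication` and the matching Sunday line, which also corrects the "Buletin" spelling. Quoting `default: 'false'` is the right fix: a `workflow_dispatch` input with no declared `type` is a string, so the bare boolean default did not match the input's type.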
+++ b/.github/workflows/versions_robot.yaml
@@ -22,7 +22,10 @@ env:
   ALGOLIA_SEARCH_KEY: ${{ secrets.ALGOLIA_SEARCH_KEY }}
   ALGOLIA_INDEX_NAME: ${{ secrets.ALGOLIA_INDEX_NAME }}
   PALETTE_API_KEY: ${{ secrets.PALETTE_API_KEY }}
-  GITHUB_BRANCH: ${{ github.ref_name }}
+  GITHUB_BRANCH: ${{ github.ref_name }}
+  DISABLE_PACKS_INTEGRATIONS: ${{ secrets.DISABLE_PACKS_INTEGRATIONS }}
+  DISABLE_SECURITY_INTEGRATIONS: ${{ secrets.DISABLE_SECURITY_INTEGRATIONS }}
+  DSO_AUTH_TOKEN: ${{ secrets.DSO_AUTH_TOKEN }}
 jobs:
   run-ci:
diff --git a/.github/workflows/visual-comparison.yaml b/.github/workflows/visual-comparison.yaml
index 9576b49dcf..71768d609b 100644
--- a/.github/workflows/visual-comparison.yaml
+++ b/.github/workflows/visual-comparison.yaml
@@ -17,6 +17,8 @@ env:
   ALGOLIA_INDEX_NAME: ${{ secrets.ALGOLIA_INDEX_NAME }}
   HTML_REPORT_URL_PATH: reports/${{ github.head_ref }}/${{ github.run_id }}/${{ github.run_attempt }}
   DISABLE_PACKS_INTEGRATIONS: ${{ secrets.DISABLE_PACKS_INTEGRATIONS }}
+  DISABLE_SECURITY_INTEGRATIONS: ${{ secrets.DISABLE_SECURITY_INTEGRATIONS }}
+  DSO_AUTH_TOKEN: ${{ secrets.DSO_AUTH_TOKEN }}
 concurrency:
diff --git a/.gitignore b/.gitignore
index 327c773f9e..e277103b03 100644
--- a/.gitignore
+++ b/.gitignore
@@ -40,6 +40,10 @@ docs/api-content/api-docs/v1/sidebar.*
 docs/api-content/api-docs/edge-v1/*.mdx
 docs/api-content/api-docs/edge-v1/sidebar.*
+# Security Bulletins (Autogenerated)
+
+docs/docs-content/security-bulletins/reports/*.md
+
 # Versions Content
 versions.json
 versioned_docs/
@@ -72,6 +76,7 @@ _partials/index.ts
 # Ignore statoc/img/packs
 static/img/packs
+static/data/security-bulletins/*
 .vale-config/
 vale/styles/spectrocloud/
diff --git a/.prettierignore b/.prettierignore
index 7e33410237..462ae7b456 100644
--- a/.prettierignore
+++ b/.prettierignore
@@ -13,6 +13,7 @@ docs/api-content/**/*.json
 tsconfig.json
 src/components/IconMapper/dynamicFontAwesomeImports.*
 docs/docs-content/security-bulletins/cve-reports.md
+docs/docs-content/security-bulletins/reports/*.md
 # Ignore partials
 _partials/
diff --git a/Makefile b/Makefile
index 8c13514301..3081b4c6ce 100644
--- a/Makefile
+++ b/Makefile
@@ -32,7 +32,7 @@ initialize: ## Initialize the repository dependencies
 	npx husky-init
 	vale sync
-clean: ## Clean common artifacts
+clean: clean-security ## Clean common artifacts
 	npm run clear && npm run clean-api-docs
 	rm -rfv build
@@ -56,6 +56,10 @@ clean-packs: ## Clean supplemental packs and pack images
 	rm -rf .docusaurus/packs-integrations/api_pack_response.json
 	rm -rf .docusaurus/packs-integrations/api_repositories_response.json
+clean-security: ## Clean security bulletins
+	rm -rf .docusaurus/security-bulletins/default/*.json
+	rm -rfv docs/docs-content/security-bulletins/reports/*.md
+
 clean-api: ## Clean API docs
 	@echo "cleaning api docs"
 	npm run clean-api-docs
@@ -80,6 +84,7 @@ init: ## Initialize npm dependencies
 start: ## Start a local development server
 	make generate-partials
+	npm run cves
 	npm run start
 start-cached-packs: ## Start a local development server with cached packs retry.
diff --git a/README.md b/README.md
index bc4e8e99bc..af4dbd32f3 100644
--- a/README.md
+++ b/README.md
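Review bot: `clean-security` runs `rm -rfv docs/docs-content/security-bulletins/reports/*.md` and `clean` now depends on it, so a plain `make clean` deletes every Markdown file in that directory, not only generated output; combined with the `.gitignore` rule added in the previous hunk (`reports/*.md`), any hand-authored `.md` placed there would be both untracked and removed on clean without warning. The bulk deletion of `cve-*.md` elsewhere in this commit and the switch to `reports.mdx` in release-notes.md suggest the directory is now generated-only, but that contract is stated nowhere; put it in the recipe comment, e.g. `clean-security: ## Clean generated security bulletins (reports/*.md is generated output; hand-written pages must use .mdx)`. Separately, `start` runs `npm run cves` before `npm run start` with no guard, so a failed fetch (no network, empty `DSO_AUTH_TOKEN`) aborts local startup unless the script itself exits zero in that case or honours `DISABLE_SECURITY_INTEGRATIONS`, which cannot be confirmed from this hunk; a comment on the new line pointing at that switch would save the next contributor a debugging session.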
@@ -775,6 +775,28 @@ Below is an example of how to use the component when the URLs are different:
 /> page to learn more about system administrator roles.
 ```
+## Security Bulletins
+
+The security bulletins are auto-generated upon server start or the build process. The bulletins are generated by
+querying an internal Spectro Cloud API. The bulletins are displayed in the security bulletins page
+`https://docs.spectrocloud.com/security-bulletins/reports/`.
+
+The logic for generated the security bulletins is located in the [cves folder](./utils/cves/index.js). The script is
+invoked before a build or a local development server start. The script will fetch the security bulletins and store the
+data in the `.docusaurus/security-bulletins/default/` folder. The data is stored in the `data.json` file.
+
+The script will also generate each markdown file for each security bulletin. The markdown files are stored in the
+`/security-bulletins/reports/` folder.
+
+### Disable Security Bulletins
+
+To disable the security bulletins, you can set the environment variable `DISABLE_SECURITY_INTEGRATIONS` to `true`. This
+will stop the pre-build script from fetching the security bulletins.
+
+```shell
+export DISABLE_SECURITY_INTEGRATIONS=true
+```
+
 ## Packs Component
 The packs component is a custom component that displays all packs available in Palette SaaS by querying the Palette API
diff --git a/babel.config.js b/babel.config.js
deleted file mode 100644
index 1b97d0a067..0000000000
--- a/babel.config.js
+++ /dev/null
@@ -1,4 +0,0 @@
-module.exports = {
-  plugins: ["macros"],
-  presets: [require.resolve("@docusaurus/core/lib/babel/preset"), ["@babel/preset-env"], "@babel/preset-typescript"],
-};
diff --git a/docs/docs-content/release-notes/release-notes.md b/docs/docs-content/release-notes/release-notes.md
index 0c90165415..ad8374e1ca 100644
--- a/docs/docs-content/release-notes/release-notes.md
+++ b/docs/docs-content/release-notes/release-notes.md
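Review bot: The new "Security Bulletins" section documents `DISABLE_SECURITY_INTEGRATIONS` but never mentions `DSO_AUTH_TOKEN`, even though this commit adds that variable to every workflow and its name indicates it is what the script uses to authenticate to the internal API; a contributor following this README for a local `make start` has no way to learn that the fetch needs a token or what to do without one. Suggest adding after the first paragraph: `The script authenticates to the internal API with the DSO_AUTH_TOKEN environment variable. If you do not have a token, set DISABLE_SECURITY_INTEGRATIONS=true to skip the fetch.` — adjusting the second sentence to whatever the script actually does when the token is absent. Two wording fixes in the same hunk: "The logic for generated the security bulletins" should read "generating", and the storage location `/security-bulletins/reports/` would be unambiguous as the repository-relative path `docs/docs-content/security-bulletins/reports/` used by the `.gitignore` and Makefile hunks. The babel.config.js deletion in the same diff line is unrelated to bulletins and is not explained anywhere on the page; a sentence in the commit description would help future bisecting.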
@@ -240,7 +240,7 @@ to learn more about the changes introduced in this release.
 ### Security Notices
-- Review the [Security Bulletins](../security-bulletins/reports/reports.md) page for the latest security advisories.
+- Review the [Security Bulletins](../security-bulletins/reports/reports.mdx) page for the latest security advisories.
 ### Palette Enterprise {#palette-enterprise-4-5-3}
diff --git a/docs/docs-content/security-bulletins/reports/cve-2005-2541.md b/docs/docs-content/security-bulletins/reports/cve-2005-2541.md
deleted file mode 100644
index 56c5326afc..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2005-2541.md
+++ /dev/null
@@ -1,60 +0,0 @@ ---- -sidebar_label: "CVE-2005-2541" -title: "CVE-2005-2541" -description: "Lifecycle of CVE-2005-2541" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2005-2541](https://nvd.nist.gov/vuln/detail/CVE-2005-2541) - -## Last Update - -11/7/24 - -## NIST CVE Summary - -Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote -attackers to gain privileges. - -## Our Official Summary - -Palette & Vertex Impact Summary - -This vulnerability is reported on some 3rd party images used by our products. The vulnerability exploitation scenario -requires specific conditions to be met: the tar extraction must be performed by the root user, and the tarball itself -must be crafted maliciously with setuid or setgid bits. These 3rd party images do not run as root, so the probability of -exploitation is low. We will upgrade the image once the upstream fix becomes available. - -Palette airgap & Vertex airgap Summary - -This vulnerability is reported on some 3rd party images used by our products. The vulnerability exploitation scenario -requires specific conditions to be met: the tar extraction must be performed by the root user, and the tarball itself -must be crafted maliciously with setuid or setgid bits. These 3rd party images do not run as root, so the probability of -exploitation is low. A new fixed version of the image is available by upgrading to 4.4.18. 
- -## CVE Severity - -[10.0](https://nvd.nist.gov/vuln/detail/CVE-2005-2541) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette VerteX airgap 4.4.14 -- Palette VerteX 4.5.3, 4.5.8 -- Palette Enterprise 4.5.3, 4.5.8 - -## Revision History - -- 1.0 08/16/2024 Initial Publication -- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products -- 3.0 09/25/2024 CVE remediated in Palette VerteX airgap 4.4.18 -- 4.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products -- 5.0 11/7/2024 Added Palette Enterprise & Palette VerteX 4.5.8 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2011-4116.md b/docs/docs-content/security-bulletins/reports/cve-2011-4116.md deleted file mode 100644 index 13b452ba0f..0000000000 --- a/docs/docs-content/security-bulletins/reports/cve-2011-4116.md +++ /dev/null @@ -1,44 +0,0 @@ ---- -sidebar_label: "CVE-2011-4116" -title: "CVE-2011-4116" -description: "Lifecycle of CVE-2011-4116" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2011-4116](https://nvd.nist.gov/vuln/detail/CVE-2011-4116) - -## Last Update - -11/7/24 - -## NIST CVE Summary - -\_is_safe in the File::Temp module for Perl does not properly handle symlinks. - -## Our Official Summary - -Investigation is ongoing to determine how this vulnerability affects our products. - -## CVE Severity - -[7.5](https://nvd.nist.gov/vuln/detail/CVE-2011-4116) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette Enterprise 4.5.3, 4.5.8 -- Palette VerteX 4.5.3, 4.5.8 - -## Revision History - -- 1.0 10/14/24 Initial Publication -- 2.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products -- 3.0 11/7/2024 Added Palette Enterprise & Palette VerteX 4.5.8 to Affected Products 
diff --git a/docs/docs-content/security-bulletins/reports/cve-2012-2663.md b/docs/docs-content/security-bulletins/reports/cve-2012-2663.md
deleted file mode 100644
index d5e0608885..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2012-2663.md
+++ /dev/null
@@ -1,53 +0,0 @@ ---- -sidebar_label: "CVE-2012-2663" -title: "CVE-2012-2663" -description: "Lifecycle of CVE-2012-2663" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2012-2663](https://nvd.nist.gov/vuln/detail/CVE-2012-2663) - -## Last Update - -11/7/2024 - -## NIST CVE Summary - -extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow -remote attackers to bypass intended firewall restrictions via crafted packets. NOTE: the CVE-2012-6638 fix makes this -issue less relevant. - -## Our Official Summary - -This is an iptables userspace issue. This CVE is superseded by CVE-2012-6638. There is no fix available for this issue -in kernel stable releases and is being marked as ignored. - -## CVE Severity - -[7.5](https://nvd.nist.gov/vuln/detail/CVE-2012-2663) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette VerteX airgap 4.4.14, 4.4.18, 4.5.3, 4.5.8 -- Palette Enterprise airgap 4.4.18, 4.5.3, 4.5.8 -- Palette VerteX 4.5.3, 4.5.8 -- Palette Enterprise 4.5.3, 4.5.8 - -## Revision History - -- 1.0 08/16/2024 Initial Publication -- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products -- 3.0 09/17/2024 Added Palette VerteX airgap 4.4.18 & Palette Enterprise airgap 4.4.18 to Affected Products -- 4.0 10/10/2024 Added Palette VerteX airgap 4.5.3 & Palette Enterprise airgap 4.5.3 to Affected Products -- 5.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products -- 5.0 11/7/2024 Added Palette Enterprise, Palette Enterprise airgap, Palette VerteX, and VerteX airgap 4.5.8 to Affected - Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2015-20107.md b/docs/docs-content/security-bulletins/reports/cve-2015-20107.md deleted file mode 100644 index 966c10a0d7..0000000000 
--- a/docs/docs-content/security-bulletins/reports/cve-2015-20107.md +++ /dev/null @@ -1,46 +0,0 @@ ---- -sidebar_label: "CVE-2015-20107" -title: "CVE-2015-20107" -description: "Lifecycle of CVE-2015-20107" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2015-20107](https://nvd.nist.gov/vuln/detail/CVE-2015-20107) - -## Last Update - -9/25/24 - -## NIST CVE Summary - -In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the -system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch -with untrusted input (if they lack validation of user-provided filenames or arguments). The fix is also back-ported to -3.7, 3.8, 3.9 - -## Our Official Summary - -Waiting on a fix from third party mongodb vendor - -## CVE Severity - -[7.6](https://nvd.nist.gov/vuln/detail/CVE-2015-20107) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette VerteX airgap 4.4.14 - -## Revision History - -- 1.0 08/16/2024 Initial Publication -- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products -- 3.0 09/25/2024 CVE remediated in Palette VerteX airgap 4.4.18 diff --git a/docs/docs-content/security-bulletins/reports/cve-2015-8855.md b/docs/docs-content/security-bulletins/reports/cve-2015-8855.md deleted file mode 100644 index 82ecbed751..0000000000 --- a/docs/docs-content/security-bulletins/reports/cve-2015-8855.md +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -sidebar_label: "CVE-2015-8855" -title: "CVE-2015-8855" -description: "Lifecycle of CVE-2015-8855" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2015-8855](https://nvd.nist.gov/vuln/detail/CVE-2015-8855) - -## Last Update - -9/25/24 - -## NIST CVE Summary - -The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long -version string, aka a "regular expression denial of service (ReDoS)." - -## Our Official Summary - -This is a false positive as the CVE is in a node.js package that has the same name which is being used in the Golang -application. - -## CVE Severity - -[7.5](https://nvd.nist.gov/vuln/detail/CVE-2015-8855) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette VerteX airgap 4.4.11 - -## Revision History - -- 1.0 07/31/2024 Initial Publication -- 2.0 08/17/2024 Remediated in Palette VerteX airgap 4.4.14 -- 3.0 09/25/2024 Remediated in Palette VerteX airgap 4.4.18 diff --git a/docs/docs-content/security-bulletins/reports/cve-2016-1585.md b/docs/docs-content/security-bulletins/reports/cve-2016-1585.md deleted file mode 100644 index 6b97c4e6e8..0000000000 --- a/docs/docs-content/security-bulletins/reports/cve-2016-1585.md +++ /dev/null 
@@ -1,51 +0,0 @@ ---- -sidebar_label: "CVE-2016-1585" -title: "CVE-2016-1585" -description: "Lifecycle of CVE-2016-1585" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2016-1585](https://nvd.nist.gov/vuln/detail/CVE-2016-1585) - -## Last Update - -11/12/24 - -## NIST CVE Summary - -In all versions of AppArmor mount rules are accidentally widened when compiled. - -## Our Official Summary - -The vulnerability allows programs to access files and directories that they should not have access to, potentially -leading to unauthorized access to sensitive data. Exploitation of this vulnerability requires privileged access to the -container since only local users on the container can exploit this. Hence the risk of exploitation is low. Even if -exploited, since this is a container used for specific tasks, the risk that sensitive data will be exploited through -this CVE is low. - -## CVE Severity - -[9.8](https://nvd.nist.gov/vuln/detail/CVE-2016-1585) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette VerteX airgap 4.4.14, 4.5.8 -- Palette Enterprise airgap 4.5.8 -- Palette VerteX 4.5.8 -- Palette Enterprise 4.5.8 - -## Revision History - -- 1.0 08/16/2024 Initial Publication -- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products -- 3.0 09/25/2024 CVE remediated in Palette VerteX airgap 4.4.18 -- 4.0 11/7/2024 Added Palette VerteX airgap, VerteX, Palette airgap, and Palette Enterprise 4.5.8 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2016-20013.md b/docs/docs-content/security-bulletins/reports/cve-2016-20013.md deleted file mode 100644 index ed0b47c451..0000000000 --- a/docs/docs-content/security-bulletins/reports/cve-2016-20013.md +++ /dev/null 
@@ -1,51 +0,0 @@ ---- -sidebar_label: "CVE-2016-20013" -title: "CVE-2016-20013" -description: "Lifecycle of CVE-2016-20013" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2016-20013](https://nvd.nist.gov/vuln/detail/CVE-2016-20013) - -## Last Update - -11/7/2024 - -## NIST CVE Summary - -sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the -algorithm's runtime is proportional to the square of the length of the password. - -## Our Official Summary - -Spectro Cloud Offical Summary Coming Soon. - -## CVE Severity - -[7.5](https://nvd.nist.gov/vuln/detail/CVE-2016-20013) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette VerteX airgap 4.4.14, 4.4.18, 4.5.3, 4.5.8 -- Palette Enterprise airgap 4.4.18, 4.5.3, 4.5.8 -- Palette VerteX 4.5.3, 4.5.8 -- Palette Enterprise 4.5.3, 4.5.8 - -## Revision History - -- 1.0 08/16/2024 Initial Publication -- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products -- 3.0 09/17/2024 Added Palette VerteX airgap 4.4.18 & Palette Enterprise airgap 4.4.18 to Affected Products -- 4.0 10/10/2024 Added Palette VerteX airgap 4.5.3 & Palette Enterprise airgap 4.5.3 to Affected Products -- 5.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products -- 6.0 11/7/2024 Added Palette Enterprise, Palette Enterprise airgap, Palette VerteX, and Palette VerteX airgap 4.5.8 to - Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2017-11164.md b/docs/docs-content/security-bulletins/reports/cve-2017-11164.md deleted file mode 100644 index 48ea72c38b..0000000000 --- a/docs/docs-content/security-bulletins/reports/cve-2017-11164.md +++ /dev/null 
@@ -1,51 +0,0 @@ ---- -sidebar_label: "CVE-2017-11164" -title: "CVE-2017-11164" -description: "Lifecycle of CVE-2017-11164" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2017-11164](https://nvd.nist.gov/vuln/detail/CVE-2017-11164) - -## Last Update - -11/7/2024 - -## NIST CVE Summary - -In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled -recursion) when processing a crafted regular expression. - -## Our Official Summary - -No known fixes from upstream vendors at this time. - -## CVE Severity - -[7.8](https://nvd.nist.gov/vuln/detail/CVE-2017-11164) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette VerteX airgap 4.4.14, 4.4.18, 4.5.3, 4.5.8 -- Palette Enterprise airgap 4.4.18, 4.5.3, 4.5.8 -- Palette VerteX 4.5.3, 4.5.8 -- Palette Enterprise 4.5.3, 4.5.8 - -## Revision History - -- 1.0 08/16/2024 Initial Publication -- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products -- 3.0 09/17/2024 Added Palette VerteX airgap 4.4.18 & Palette Enterprise airgap 4.4.18 to Affected Products -- 4.0 10/10/2024 Added Palette VerteX airgap 4.5.3 & Palette Enterprise airgap 4.5.3 to Affected Products -- 5.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products -- 6.0 11/7/2024 Added Palette Enterprise, Palette Enterprise airgap, Palette VerteX, and Palette VerteX airgap 4.5.8 to - Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2018-20225.md b/docs/docs-content/security-bulletins/reports/cve-2018-20225.md deleted file mode 100644 index 650c6d89f3..0000000000 --- a/docs/docs-content/security-bulletins/reports/cve-2018-20225.md +++ /dev/null 
@@ -1,54 +0,0 @@ ---- -sidebar_label: "CVE-2018-20225" -title: "CVE-2018-20225" -description: "Lifecycle of CVE-2018-20225" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2018-20225](https://nvd.nist.gov/vuln/detail/CVE-2018-20225) - -## Last Update - -11/12/24 - -## NIST CVE Summary - -An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if -the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url -option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can -put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality -and the user is responsible for using --extra-index-url securely - -## Our Official Summary - -This flaw was found in the python-pip component and only affects the --extra-index-url option. Exploitation requires -that the package does not already exist in the public index (and thus the attacker can put the package there with an -arbitrary version number). Risk of exploitation is low for our products as this CVE is reported on a backend container. -Attacker must gain privileged access to the container and run pip on the container to be able to exploit this. 
- -## CVE Severity - -[7.8](https://nvd.nist.gov/vuln/detail/CVE-2018-20225) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette VerteX airgap 4.4.14, 4.5.8 -- Palette Enterprise airgap 4.5.8 -- Palette VerteX 4.5.8 -- Palette Enterprise 4.5.8 - -## Revision History - -- 1.0 08/16/2024 Initial Publication -- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products -- 3.0 09/25/2024 CVE remediated in Palette VerteX airgap 4.4.18 -- 4.0 11/7/2024 Added Palette VerteX airgap, VerteX, Palette airgap, and Palette Enterprise 4.5.8 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2018-20657.md b/docs/docs-content/security-bulletins/reports/cve-2018-20657.md deleted file mode 100644 index 8473ad45ca..0000000000 --- a/docs/docs-content/security-bulletins/reports/cve-2018-20657.md +++ /dev/null 
@@ -1,55 +0,0 @@ ---- -sidebar_label: "CVE-2018-20657" -title: "CVE-2018-20657" -description: "Lifecycle of CVE-2018-20657" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2018-20657](https://nvd.nist.gov/vuln/detail/CVE-2018-20657) - -## Last Update - -11/7/2024 - -## NIST CVE Summary - -The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak -via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue -to CVE-2018-12698. - -## Our Official Summary - -This denial-of-service vulnerability in GNU Binutils 2.31.1, has a memory leak using a crafted string. The 3rd party -images in which this vulnerability is reported do not have fixed versions available. Exploitation for our products would -require privileged access to containers, executing code within these containers and using the library with crafted -input. These containers have controls in place to prevent any code execution. 
- -## CVE Severity - -[7.5](https://nvd.nist.gov/vuln/detail/CVE-2018-20657) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette VerteX airgap 4.4.14, 4.4.18, 4.5.3, 4.5.8 -- Palette Enterprise airgap 4.4.18, 4.5.3, 4.5.8 -- Palette VerteX 4.5.3, 4.5.8 -- Palette Enterprise 4.5.3, 4.5.8 - -## Revision History - -- 1.0 08/16/2024 Initial Publication -- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products -- 3.0 09/17/2024 Added Palette VerteX airgap 4.4.18 & Palette Enterprise airgap 4.4.18 to Affected Products -- 4.0 10/10/2024 Added Palette VerteX airgap 4.5.3 & Palette Enterprise airgap 4.5.3 to Affected Products -- 5.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products -- 6.0 11/7/2024 Added Palette VerteX airgap, Palette Enterprise airgap, Palette Enterprise, and Palette VerteX 4.5.8 to - Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2018-20796.md b/docs/docs-content/security-bulletins/reports/cve-2018-20796.md deleted file mode 100644 index eb19f6c76d..0000000000 --- a/docs/docs-content/security-bulletins/reports/cve-2018-20796.md +++ /dev/null 
@@ -1,54 +0,0 @@
----
-sidebar_label: "CVE-2018-20796"
-title: "CVE-2018-20796"
-description: "Lifecycle of CVE-2018-20796"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2018-20796](https://nvd.nist.gov/vuln/detail/CVE-2018-20796)
-
-## Last Update
-
-11/7/2024
-
-## NIST CVE Summary
-
-In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled
-Recursion, as demonstrated by '(\\227|)(\\1\\1|t1|\\\\2537)+' in grep.
-
-## Our Official Summary
-
-This CVE is reported in the GNU C Library (aka glibc or libc6) through 2.29. Upstream does not consider this to be a
-security issue, per
-[https://sourceware.org/glibc/wiki/Security%20Exceptions](https://sourceware.org/glibc/wiki/Security%20Exceptions) and
-no fix is available. This issue has been disputed and marked as not a security issue.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2018-20796)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.14, 4.4.18, 4.5.3, 4.5.8
-- Palette Enterprise airgap 4.4.18, 4.5.3, 4.5.8
-- Palette VerteX 4.5.3, 4.5.8
-- Palette Enterprise 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX airgap 4.4.18 & Palette Enterprise airgap 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX airgap 4.5.3 & Palette Enterprise airgap 4.5.3 to Affected Products
-- 5.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
-- 6.0 11/7/2024 Added Palette VerteX airgap, Palette Enterprise airgap, Palette Enterprise, and Palette VerteX 4.5.8 to
- Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2018-20839.md b/docs/docs-content/security-bulletins/reports/cve-2018-20839.md
deleted file mode 100644
index cd0b281a9b..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2018-20839.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-sidebar_label: "CVE-2018-20839"
-title: "CVE-2018-20839"
-description: "Lifecycle of CVE-2018-20839"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2018-20839](https://nvd.nist.gov/vuln/detail/CVE-2018-20839)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-Systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain
-circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka
-current keyboard mode) check is mishandled.
-
-## Our Official Summary
-
-Waiting on a fix from third party mongodb & calico vendors.
-
-## CVE Severity
-
-[9.8](https://nvd.nist.gov/vuln/detail/CVE-2018-20839)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.14, 4.4.18, 4.5.3
-- Palette Enterprise airgap 4.4.18, 4.5.3
-- Palette VerteX 4.5.3
-- Palette Enterprise 4.5.3
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX airgap 4.4.18 & Palette Enterprise airgap 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX airgap 4.5.3 & Palette Enterprise airgap 4.5.3 to Affected Products
-- 5.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2018-6829.md b/docs/docs-content/security-bulletins/reports/cve-2018-6829.md
deleted file mode 100644
index e32f8d7197..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2018-6829.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-sidebar_label: "CVE-2018-6829"
-title: "CVE-2018-6829"
-description: "Lifecycle of CVE-2018-6829"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2018-6829](https://nvd.nist.gov/vuln/detail/CVE-2018-6829)
-
-## Last Update
-
-11/7/24
-
-## NIST CVE Summary
-
-Cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts,
-which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic
-security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for
-Libgcrypt's ElGamal implementation.
-
-## Our Official Summary
-
-Investigation is ongoing to determine how this vulnerability affects our products.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2018-6829)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette Enterprise 4.5.3, 4.5.8
-- Palette VerteX 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 10/14/24 Initial Publication
-- 2.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
-- 3.0 11/7/2024 Added Palette Enterprise & Palette VerteX 4.5.8 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2019-1010022.md b/docs/docs-content/security-bulletins/reports/cve-2019-1010022.md
deleted file mode 100644
index bc056599f1..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2019-1010022.md
+++ /dev/null
@@ -1,57 +0,0 @@
----
-sidebar_label: "CVE-2019-1010022"
-title: "CVE-2019-1010022"
-description: "Lifecycle of CVE-2019-1010022"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2019-1010022](https://nvd.nist.gov/vuln/detail/CVE-2019-1010022)
-
-## Last Update
-
-11/7/2024
-
-## NIST CVE Summary
-
-GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The
-component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability
-to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.
-
-## Our Official Summary
-
-The issue relates to a mitigation bypass in the GNU Libc library's NPTL component, allowing attackers to circumvent
-stack guard protection via a stack buffer overflow. This is considered a post-attack mitigation rather than a direct
-vulnerability by many upstream maintainers. In our products, exploiting this vulnerability on the 3rd party images is
-very low since this issue does not directly lead to code execution. Instead, it weakens an additional layer of
-protection after an attack has already occurred, thus classifying it as a post-attack hardening issue. We are waiting on
-an upstream fix from the 3rd party vendors and will upgrade the images once the upstream fix becomes available.
-
-## CVE Severity
-
-[9.8](https://nvd.nist.gov/vuln/detail/CVE-2019-1010022)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.14, 4.4.18, 4.5.3, 4.5.8
-- Palette Enterprise airgap 4.4.18, 4.5.3, 4.5.8
-- Palette VerteX 4.5.3, 4.5.8
-- Palette Enterprise 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX airgap 4.4.18 & Palette Enterprise airgap 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX airgap 4.5.3 & Palette Enterprise airgap 4.5.3 to Affected Products
-- 5.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
-- 6.0 11/7/2024 Added Palette VerteX airgap, Palette Enterprise airgap, Palette Enterprise, and Palette VerteX 4.5.8 to
- Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2019-12900.md b/docs/docs-content/security-bulletins/reports/cve-2019-12900.md
deleted file mode 100644
index fc05dff30d..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2019-12900.md
+++ /dev/null
@@ -1,56 +0,0 @@
----
-sidebar_label: "CVE-2019-12900"
-title: "CVE-2019-12900"
-description: "Lifecycle of CVE-2019-12900"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2019-12900](https://nvd.nist.gov/vuln/detail/CVE-2019-12900)
-
-## Last Update
-
-11/7/2024
-
-## NIST CVE Summary
-
-BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.
-
-## Our Official Summary
-
-This vulnerability is reported on several of the 3rd party cni images used by our products such as calico and
-multus-cni. The out-of-bounds write vulnerability in the Bzip2 libraries can be exploited by a malicious bzip2 payload,
-potentially resulting in a denial of service or remote code execution. Network services or command line utilities that
-decompress untrusted bzip2 payloads are at risk. The risk scenario is low for the following reasons: These images are
-optional and will be installed depending on the configuration of the deployments; there are no known reports of
-exploitation from the 3rd party vendors; and these images are not accessible directly for an attacker to send crafted
-input. We will upgrade the images when the fixes become available from the vendors.
-
-## CVE Severity
-
-[9.8](https://nvd.nist.gov/vuln/detail/CVE-2019-12900)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.14, 4.4.18, 4.5.3, 4.5.8
-- Palette Enterprise airgap 4.4.18, 4.5.3, 4.5.8
-- Palette VerteX 4.5.3, 4.5.8
-- Palette Enterprise 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX airgap 4.4.18 & Palette Enterprise airgap 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX airgap 4.5.3 & Palette Enterprise airgap 4.5.3 to Affected Products
-- 5.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
-- 6.0 11/7/2024 Added Palette VerteX airgap, Palette Enterprise airgap, Palette Enterprise, and Palette VerteX 4.5.8 to
- Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2019-17543.md b/docs/docs-content/security-bulletins/reports/cve-2019-17543.md
deleted file mode 100644
index e28b5e9768..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2019-17543.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-sidebar_label: "CVE-2019-17543"
-title: "CVE-2019-17543"
-description: "Lifecycle of CVE-2019-17543"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2019-17543](https://nvd.nist.gov/vuln/detail/CVE-2019-17543)
-
-## Last Update
-
-11/7/2024
-
-## NIST CVE Summary
-
-LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting
-applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the
-vendor states "only a few specific / uncommon usages of the API are at risk."
-
-## Our Official Summary
-
-Waiting on a fix from third party mongodb vendor
-
-## CVE Severity
-
-[8.1](https://nvd.nist.gov/vuln/detail/CVE-2019-17543)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.14
-- Palette VerteX 4.5.3, 4.5.8
-- Palette Enterprise 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
-- 3.0 10/14/2024 Added Palette VerteX & Palette Enterptise 4.5.3 to Affected Products
-- 4.0 11/7/2024 Added Palette VerteX & Palette Enterptise 4.5.8 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2019-19244.md b/docs/docs-content/security-bulletins/reports/cve-2019-19244.md
deleted file mode 100644
index afdbb0b7d5..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2019-19244.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-sidebar_label: "CVE-2019-19244"
-title: "CVE-2019-19244"
-description: "Lifecycle of CVE-2019-19244"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2019-19244](https://nvd.nist.gov/vuln/detail/CVE-2019-19244)
-
-## Last Update
-
-11/7/24
-
-## NIST CVE Summary
-
-Sqlite3Select in select.c in SQLite 3.30.1 allows a crash if a sub-select uses both DISTINCT and window functions, and
-also has certain ORDER BY usage.
-
-## Our Official Summary
-
-Waiting on a fix from third party mongodb vendor.
-
-## CVE Severity
-
-[8.1](https://nvd.nist.gov/vuln/detail/CVE-2019-19244)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.14
-- Palette VerteX 4.5.3, 4.5.8
-- Palette Enterprise 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added palette VerteX 4.4.14 to Affected Products
-- 3.0 09/25/2024 CVE remediated in Palette VerteX 4.4.18
-- 4.0 10/14/2024 Added Palette VerteX & Palette Enterptise 4.5.3 to Affected Products
-- 5.0 11/7/2024 Added Palette VerteX & Palette Enterptise 4.5.8 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2019-19882.md b/docs/docs-content/security-bulletins/reports/cve-2019-19882.md
deleted file mode 100644
index c972cfb59b..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2019-19882.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-sidebar_label: "CVE-2019-19882"
-title: "CVE-2019-19882"
-description: "Lifecycle of CVE-2019-19882"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2019-19882](https://nvd.nist.gov/vuln/detail/CVE-2019-19882)
-
-## Last Update
-
-10/14/24
-
-## NIST CVE Summary
-
-Shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain
-root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using
---with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable
-for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel,
-groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root
-in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed
-(i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version
-4.8).
-
-## Our Official Summary
-
-Investigation is ongoing to determine how this vulnerability affects our products.
-
-## CVE Severity
-
-[7.8](https://nvd.nist.gov/vuln/detail/CVE-2019-19882)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette Enterprise 4.5.3
-- Palette VerteX 4.5.3
-
-## Revision History
-
-- 1.0 10/14/24 Initial Publication
-- 2.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2019-9192.md b/docs/docs-content/security-bulletins/reports/cve-2019-9192.md
deleted file mode 100644
index 25ad5d15b5..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2019-9192.md
+++ /dev/null
@@ -1,55 +0,0 @@
----
-sidebar_label: "CVE-2019-9192"
-title: "CVE-2019-9192"
-description: "Lifecycle of CVE-2019-9192"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2019-9192](https://nvd.nist.gov/vuln/detail/CVE-2019-9192)
-
-## Last Update
-
-11/7/2024
-
-## NIST CVE Summary
-
-In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled
-Recursion, as demonstrated by '(|)(\\1\\1)\*' in grep, a different issue than CVE-2018-20796. NOTE: the software
-maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern
-
-## Our Official Summary
-
-This CVE is reported in the GNU C Library (aka glibc or libc6) through 2.29. Upstream does not consider this to be a
-security issue, per
-[https://sourceware.org/glibc/wiki/Security%20Exceptions](https://sourceware.org/glibc/wiki/Security%20Exceptions) and
-no fix is available. This issue has been disputed and marked as not a security issue.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2019-9192)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.14, 4.4.18, 4.5.3, 4.5.8
-- Palette Enterprise airgap 4.4.18, 4.5.3, 4.5.8
-- Palette VerteX 4.5.3, 4.5.8
-- Palette Enterprise 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX airgap 4.4.18 & Palette Enterprise airgap 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX airgap 4.5.3 & Palette Enterprise airgap 4.5.3 to Affected Products
-- 5.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
-- 6.0 11/7/2024 Added Palette VerteX airgap, Palette Enterprise airgap, Palette Enterprise, and Palette VerteX 4.5.8 to
- Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2019-9674.md b/docs/docs-content/security-bulletins/reports/cve-2019-9674.md
deleted file mode 100644
index 391a87a7db..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2019-9674.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-sidebar_label: "CVE-2019-9674"
-title: "CVE-2019-9674"
-description: "Lifecycle of CVE-2019-9674"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2019-9674](https://nvd.nist.gov/vuln/detail/CVE-2019-9674)
-
-## Last Update
-
-9/25/24
-
-## NIST CVE Summary
-
-Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a
-ZIP bomb.
-
-## Our Official Summary
-
-Waiting on a fix from third party mongodb vendor
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2019-9674)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.14
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
-- 3.0 09/25/2024 CVE remediated in Palette VerteX airgap 4.4.18
diff --git a/docs/docs-content/security-bulletins/reports/cve-2019-9923.md b/docs/docs-content/security-bulletins/reports/cve-2019-9923.md
deleted file mode 100644
index 680637566c..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2019-9923.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-sidebar_label: "CVE-2019-9923"
-title: "CVE-2019-9923"
-description: "Lifecycle of CVE-2019-9923"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2019-9923](https://nvd.nist.gov/vuln/detail/CVE-2019-9923)
-
-## Last Update
-
-9/25/24
-
-## NIST CVE Summary
-
-Pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that
-have malformed extended headers.
-
-## Our Official Summary
-
-Waiting on a fix from third party mongodb vendor.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2019-9923)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.14
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
-- 3.0 09/25/2024 CVE remediated in Palette VerteX airgap 4.4.18
diff --git a/docs/docs-content/security-bulletins/reports/cve-2019-9936.md b/docs/docs-content/security-bulletins/reports/cve-2019-9936.md
deleted file mode 100644
index d30b8feaae..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2019-9936.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-sidebar_label: "CVE-2019-9936"
-title: "CVE-2019-9936"
-description: "Lifecycle of CVE-2019-9936"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2019-9936](https://nvd.nist.gov/vuln/detail/CVE-2019-9936)
-
-## Last Update
-
-11/7/24
-
-## NIST CVE Summary
-
-In SQLite 3.27.2, using fts5 prefix queries inside a transaction could trigger a heap-based buffer over-read in
-fts5HashEntrySort in sqlite3.c, which may lead to an information leak. This is related to ext/fts5/fts5_hash.c.
-
-## Our Official Summary
-
-Waiting on a fix from third party mongodb vendor.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2019-9936)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.14
-- Palette VerteX 4.5.3, 4.5.8
-- Palette Enterprise 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
-- 3.0 09/25/2024 CVE remediated in Palette VerteX airgap 4.4.18
-- 4.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
-- 5.0 11/7/2024 Added Palette Enterprise & Palette VerteX 4.5.8 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2019-9937.md b/docs/docs-content/security-bulletins/reports/cve-2019-9937.md
deleted file mode 100644
index ad51cce514..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2019-9937.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-sidebar_label: "CVE-2019-9937"
-title: "CVE-2019-9937"
-description: "Lifecycle of CVE-2019-9937"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2019-9937](https://nvd.nist.gov/vuln/detail/CVE-2019-9937)
-
-## Last Update
-
-11/7/24
-
-## NIST CVE Summary
-
-In SQLite 3.27.2, interleaving reads and writes in a single transaction with an fts5 virtual table will lead to a NULL
-Pointer Dereference in fts5ChunkIterate in sqlite3.c. This is related to ext/fts5/fts5_hash.c and ext/fts5/fts5_index.c.
-
-## Our Official Summary
-
-Waiting on a fix from third party mongodb vendor.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2019-9937)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.14
-- Palette VerteX 4.5.3, 4.5.8
-- Palette Enterprise 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
-- 3.0 09/25/2024 CVE remediated in Palette VerteX airgap 4.4.18
-- 4.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
-- 5.0 11/7/2024 Added Palette Enterprise & Palette VerteX 4.5.8 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2020-35512.md b/docs/docs-content/security-bulletins/reports/cve-2020-35512.md
deleted file mode 100644
index 3d273949a9..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2020-35512.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-sidebar_label: "CVE-2020-35512"
-title: "CVE-2020-35512"
-description: "Lifecycle of CVE-2020-35512"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2020-35512](https://nvd.nist.gov/vuln/detail/CVE-2020-35512)
-
-## Last Update
-
-9/25/24
-
-## NIST CVE Summary
-
-A use-after-free flaw was found in D-Bus Development branch \<= 1.13.16, dbus-1.12.x stable branch \<= 1.12.18, and
-dbus-1.10.x and older branches \<= 1.10.30 when a system has multiple usernames sharing the same UID. When a set of
-policy rules references these usernames, D-Bus may free some memory in the heap, which is still used by data structures
-necessary for the other usernames sharing the UID, possibly leading to a crash or other undefined behaviors
-
-## Our Official Summary
-
-This vulnerability is reported on several 3rd party images used by our product. A new fixed version of the image is
-available by upgrading to 4.4.18.
-
-## CVE Severity
-
-[7.8](https://nvd.nist.gov/vuln/detail/CVE-2020-35512)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.14
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
-- 3.0 9/25/2024 CVE remediated in Palette VerteX airgap 4.4.18
diff --git a/docs/docs-content/security-bulletins/reports/cve-2020-36325.md b/docs/docs-content/security-bulletins/reports/cve-2020-36325.md
deleted file mode 100644
index 829aed44b5..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2020-36325.md
+++ /dev/null
@@ -1,51 +0,0 @@
----
-sidebar_label: "CVE-2020-36325"
-title: "CVE-2020-36325"
-description: "Lifecycle of CVE-2020-36325"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2020-36325](https://nvd.nist.gov/vuln/detail/CVE-2020-36325)
-
-## Last Update
-
-11/7/2024
-
-## NIST CVE Summary
-
-An issue was discovered in Jansson through 2.13.1. Due to a parsing error in json_loads, there's an out-of-bounds
-read-access bug. NOTE: the vendor reports that this only occurs when a programmer fails to follow the API specification.
-
-## Our Official Summary
-
-Waiting on a fix from third party mongodb vendor.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2020-36325)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.14, 4.4.18, 4.5.3, 4.5.8
-- Palette Enterprise airgap 4.4.18, 4.5.3, 4.5.8
-- Palette VerteX 4.5.3, 4.5.8
-- Palette Enterprise 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX airgap 4.4.18 & Palette Enterprise airgap 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX airgap 4.5.3 & Palette Enterprise airgap 4.5.3 to Affected Products
-- 5.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
-- 6.0 11/7/2024 Added Palette VerteX airgap, Palette Enterprise airgap, Palette Enterprise, and Palette VerteX 4.5.8 to
- Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2021-3737.md b/docs/docs-content/security-bulletins/reports/cve-2021-3737.md
deleted file mode 100644
index 063f65e0cc..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2021-3737.md
+++ /dev/null
@@ -1,45 +0,0 @@
----
-sidebar_label: "CVE-2021-3737"
-title: "CVE-2021-3737"
-description: "Lifecycle of CVE-2021-3737"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2021-3737](https://nvd.nist.gov/vuln/detail/CVE-2021-3737)
-
-## Last Update
-
-9/25/24
-
-## NIST CVE Summary
-
-A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote
-attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The
-highest threat from this vulnerability is to system availability.
-
-## Our Official Summary
-
-Waiting on a fix from third party mongodb vendor
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2021-3737)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.14
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
-- 3.0 09/25/2024 CVE remediated in Palette VerteX airgap 4.4.18
diff --git a/docs/docs-content/security-bulletins/reports/cve-2021-39537.md b/docs/docs-content/security-bulletins/reports/cve-2021-39537.md
deleted file mode 100644
index 2ccce429ed..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2021-39537.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-sidebar_label: "CVE-2021-39537"
-title: "CVE-2021-39537"
-description: "Lifecycle of CVE-2021-39537"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2021-39537](https://nvd.nist.gov/vuln/detail/CVE-2021-39537)
-
-## Last Update
-
-11/7/2024
-
-## NIST CVE Summary
-
-An issue was discovered in ncurses through v6.2-1. \_nc_captoinfo in captoinfo.c has a heap-based buffer overflow.
-
-## Our Official Summary
-
-This vulnerability is reported on some 3rd party images used by our products. This flaw results from a lack of proper
-bounds checking during input processing. By exploiting this boundary error, an attacker can create a malicious file,
-deceive the victim into opening it using the affected software, and initiate an out-of-bounds write, potentially
-impacting system availability. We are waiting on an upstream fix from the 3rd party vendor. We will upgrade the images
-once the upstream fix becomes available.
-
-## CVE Severity
-
-[8.8](https://nvd.nist.gov/vuln/detail/CVE-2021-39537)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.14, 4.4.18, 4.5.3, 4.5.8
-- Palette Enterprise airgap 4.4.18, 4.5.3, 4.5.8
-- Palette VerteX 4.5.3, 4.5.8
-- Palette Enterprise 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX airgap 4.4.18 & Palette Enterprise airgap 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX airgap 4.5.3 & Palette Enterprise airgap 4.5.3 to Affected Products
-- 5.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
-- 6.0 11/7/2024 Added Palette VerteX airgap, Palette Enterprise airgap, Palette Enterprise, and Palette VerteX 4.5.8 to
- Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2021-42694.md b/docs/docs-content/security-bulletins/reports/cve-2021-42694.md
deleted file mode 100644
index 3b9e2569ca..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2021-42694.md
+++ /dev/null
@@ -1,59 +0,0 @@
----
-sidebar_label: "CVE-2021-42694"
-title: "CVE-2021-42694"
-description: "Lifecycle of CVE-2021-42694"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2021-42694](https://nvd.nist.gov/vuln/detail/CVE-2021-42694)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-An issue was discovered in the character definitions of the Unicode Specification through 14.0. The specification allows
-an adversary to produce source code identifiers such as function names using homoglyphs that render visually identical
-to a target identifier. Adversaries can leverage this to inject code via adversarial identifier definitions in upstream
-software dependencies invoked deceptively in downstream software. NOTE: the Unicode Consortium offers the following
-alternative approach to presenting this concern. An issue is noted in the nature of international text that can affect
-applications that implement support for The Unicode Standard (all versions). Unless mitigated, an adversary could
-produce source code identifiers using homoglyph characters that render visually identical to but are distinct from a
-target identifier. In this way, an adversary could inject adversarial identifier definitions in upstream software that
-are not detected by human reviewers and are invoked deceptively in downstream software. The Unicode Consortium has
-documented this class of security vulnerability in its document, Unicode Technical Report #36, Unicode Security
-Considerations. The Unicode Consortium also provides guidance on mitigations for this class of issues in Unicode
-Technical Standard #39, Unicode Security Mechanisms.
-
-## Our Official Summary
-
-Waiting on a fix from third party mongodb & calico vendors.
-
-## CVE Severity
-
-[8.3](https://nvd.nist.gov/vuln/detail/CVE-2021-42694)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.14, 4.4.18, 4.5.3
-- Palette Enterprise airgap 4.4.18, 4.5.3
-- Palette VerteX 4.5.3
-- Palette Enterprise 4.5.3
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX airgap 4.4.18 & Palette Enterprise airgap 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX airgap 4.5.3 & Palette Enterprise airgap 4.5.3 to Affected Products
-- 5.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2021-46848.md b/docs/docs-content/security-bulletins/reports/cve-2021-46848.md
deleted file mode 100644
index bbc7b62d6a..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2021-46848.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-sidebar_label: "CVE-2021-46848"
-title: "CVE-2021-46848"
-description: "Lifecycle of CVE-2021-46848"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2021-46848](https://nvd.nist.gov/vuln/detail/CVE-2021-46848)
-
-## Last Update
-
-11/7/24
-
-## NIST CVE Summary
-
-GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.
-
-## Our Official Summary
-
-This is a vulnerability reported in GNU Libtasn1 before version 4.19.0, a library used to manage the ASN.1 data
-structure. This vulnerability is caused by an off-by-one array size check issue, leading to an out-of-bounds read.
-Impacting systems using GNU Libtasn1 before 4.19.0. This flaw enables access to one additional memory byte,
-significantly constraining the potential damage an attacker could inflict. We are waiting on an upstream fix from the
-3rd party vendors and will upgrade the images once the upstream fix becomes available.
-
-## CVE Severity
-
-[9.1](https://nvd.nist.gov/vuln/detail/CVE-2021-46848)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.14, 4.4.18, 4.5.3, 4.5.8
-- Palette Enterprise airgap 4.4.18, 4.5.3, 4.5.8
-- Palette VerteX 4.5.3, 4.5.8
-- Palette Enterprise 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX airgap 4.4.18 & Palette Enterprise airgap 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX airgap 4.5.3 & Palette Enterprise airgap 4.5.3 to Affected Products
-- 5.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
-- 6.0 11/7/2024 Added Palette VerteX airgap, Palette Enterprise airgap, Palette Enterprise, and Palette VerteX 4.5.8 to
- Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-0391.md b/docs/docs-content/security-bulletins/reports/cve-2022-0391.md
deleted file mode 100644
index 247035161a..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2022-0391.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-sidebar_label: "CVE-2022-0391"
-title: "CVE-2022-0391"
-description: "Lifecycle of CVE-2022-0391"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2022-0391](https://nvd.nist.gov/vuln/detail/CVE-2022-0391)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource
-Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows
-characters like '\r' and '\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection
-attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.
-
-## Our Official Summary
-
-Waiting on a fix from third party mongodb vendor
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-0391)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.14, 4.4.18
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX airgap 4.4.18 to Affected Products
-- 4.0 10/10/2024 CVE remediated in Palette VerteX airgap 4.5.3
diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-23990.md b/docs/docs-content/security-bulletins/reports/cve-2022-23990.md
deleted file mode 100644
index c5de80c11b..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2022-23990.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-sidebar_label: "CVE-2022-23990"
-title: "CVE-2022-23990"
-description: "Lifecycle of CVE-2022-23990"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2022-23990](https://nvd.nist.gov/vuln/detail/CVE-2022-23990)
-
-## Last Update
-
-10/25/24
-
-## NIST CVE Summary
-
-Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.
-
-## Our Official Summary
-
-This vulnerability is reported on several 3rd party images used by the product. A new fixed version of the image is
-available by upgrading to 4.4.18.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-23990)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.14
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publications
-- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
-- 3.0 09/25/2024 CVE remediated in Palette VerteX airgap 4.4.18
diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-25883.md b/docs/docs-content/security-bulletins/reports/cve-2022-25883.md
deleted file mode 100644
index 27516a8320..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2022-25883.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-sidebar_label: "CVE-2022-25883"
-title: "CVE-2022-25883"
-description: "Lifecycle of CVE-2022-25883"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2022-25883](https://nvd.nist.gov/vuln/detail/CVE-2022-25883)
-
-## Last Update
-
-9/25/24
-
-## NIST CVE Summary
-
-Versions of the package server before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the
-function new Range, when untrusted user data is provided as a range.
-
-## Our Official Summary
-
-The CVE reported in virtual cluster CAPI provider. Govulncheck reports it as non-impacting.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-25883)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.11
-
-## Revision History
-
-- 1.0 07/16/2024 Initial Publication
-- 2.0 08/17/2024 Remediated in Palette VerteX airgap 4.4.14
-- 3.0 09/25/2024 Remediated in Palette VerteX airgap 4.4.18
diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-27664.md b/docs/docs-content/security-bulletins/reports/cve-2022-27664.md
deleted file mode 100644
index 5bf1e8d308..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2022-27664.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-sidebar_label: "CVE-2022-27664"
-title: "CVE-2022-27664"
-description: "Lifecycle of CVE-2022-27664"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2022-27664](https://nvd.nist.gov/vuln/detail/CVE-2022-27664)
-
-## Last Update
-
-11/7/24
-
-## NIST CVE Summary
-
-In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2
-connection can hang during closing if shutdown were preempted by a fatal error.
-
-## Our Official Summary
-
-This Denial of Service is limited to the Golang runtime. For our products, this would be restricted to a few snapshots
-related to 3rd party containers. There are multiple layers of guard rails (resource constraints imposed at the container
-and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring
-impact. Attackers would also need privileged access to clusters running the container as these containers are not
-exposed beyond the cluster boundary. These containers are part of an optional feature and are by default not enabled.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-27664)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette Enterprise 4.5.3, 4.5.8
-- Palette VerteX 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 10/14/2024 Initial Publication
-- 2.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
-- 3.0 11/7/2024 Added Palette Enterprise & Palette VerteX 4.5.8 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-28357.md b/docs/docs-content/security-bulletins/reports/cve-2022-28357.md
deleted file mode 100644
index 0217f6b506..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2022-28357.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-sidebar_label: "CVE-2022-28357"
-title: "CVE-2022-28357"
-description: "Lifecycle of CVE-2022-28357"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2022-28357](https://nvd.nist.gov/vuln/detail/CVE-2022-28357)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-NATS `nats-server` 2.2.0 through 2.7.4 allows directory traversal because of an unintended path to a management action
-from a management account.
-
-## Our Official Summary
-
-A vulnerability was found in NATS nats-server up to 2.7.4. The product uses external input to construct a pathname that
-is intended to identify a file or directory that is located underneath a restricted parent directory, but the product
-does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location
-that is outside of the restricted directory. Upgrade of the nats server is needed to fix this vulnerability.
-
-## CVE Severity
-
-[9.8](https://nvd.nist.gov/vuln/detail/CVE-2022-28357)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.18
-
-## Revision History
-
-- 1.0 09/15/2024 Initial Publication
-- 2.0 09/15/2024 Added palette VerteX airgap 4.4.18 to Affected Products
-- 3.0 10/10/2024 CVE remediated in Palette VerteX airgap 4.5.3
diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-28948.md b/docs/docs-content/security-bulletins/reports/cve-2022-28948.md
deleted file mode 100644
index 5e3ac4a16e..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2022-28948.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-sidebar_label: "CVE-2022-28948"
-title: "CVE-2022-28948"
-description: "Lifecycle of CVE-2022-28948"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2022-28948](https://nvd.nist.gov/vuln/detail/CVE-2022-28948)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid
-input.
-
-## Our Official Summary
-
-A flaw was found in the Unmarshal function in Go-Yaml. This vulnerability results in program crashes when attempting to
-convert (or deserialize) invalid input data, potentially impacting system stability and reliability. 3rd party images
-affected will be upgraded to remove the vulnerability.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-28948)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.18, 4.5.3
-- Palette Enterprise 4.5.3
-
-## Revision History
-
-- 1.0 09/15/2024 Initial Publication
-- 2.0 09/15/2024 Added Palette VerteX airgap 4.4.18 to Affected Products
-- 3.0 10/10/2024 Added Palette VerteX airgap 4.5.3 to Affected Products
-- 4.0 10/14/2024 Added Palette Enterprise 4.5.3 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-32190.md b/docs/docs-content/security-bulletins/reports/cve-2022-32190.md
deleted file mode 100644
index 0b570baa89..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2022-32190.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-sidebar_label: "CVE-2022-32190"
-title: "CVE-2022-32190"
-description: "Lifecycle of CVE-2022-32190"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2022-32190](https://nvd.nist.gov/vuln/detail/CVE-2022-32190)
-
-## Last Update
-
-11/7/24
-
-## NIST CVE Summary
-
-JoinPath and URL.JoinPath do not remove `../` path elements appended to a relative path. For example,
-`JoinPath("https://go.dev", "../go")` returns the URL `https://go.dev/../go`, despite the JoinPath documentation stating
-that `../` path elements are removed from the result.
-
-## Our Official Summary
-
-This flaw is found in the Golang package. The vulnerable functions, JoinPath and URL.JoinPath were introduced in
-upstream go1.19, whereas most of our containers use a higher version of go, which does not contain the vulnerable code.
-This vulnerability is reported on a couple of 3rd party containers, which has a newer version with fixes. We will
-upgrade to that version to fix the vulnerability.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-32190)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette Enterprise 4.5.3, 4.5.8
-- Palette VerteX 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 10/14/24 Initial Publication
-- 2.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
-- 3.0 11/7/2024 Added Palette Enterprise & Palette VerteX 4.5.8 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-3996.md b/docs/docs-content/security-bulletins/reports/cve-2022-3996.md
deleted file mode 100644
index 892fc1ef8d..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2022-3996.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-sidebar_label: "CVE-2022-3996"
-title: "CVE-2022-3996"
-description: "Lifecycle of CVE-2022-3996"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2022-3996](https://nvd.nist.gov/vuln/detail/CVE-2022-3996)
-
-## Last Update
-
-11/7/24
-
-## NIST CVE Summary
-
-If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will
-be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when
-the affected process hangs. Policy processing being enabled on a publicly facing server is not considered to be a common
-setup. Policy processing is enabled by passing the
-`-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function. Update
-(31 March 2023): The description of the policy processing enablement was corrected based on CVE-2023-0466.
-
-## Our Official Summary
-
-This vulnerability is platform specific and is reported on Windows OS only. The 3rd party kubevirt images in which this
-vulnerability is reported have no fixed versions available yet.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-3996)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette Enterprise 4.5.3, 4.5.8
-- Palette VerteX 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 10/14/24 Initial Publication
-- 2.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
-- 3.0 11/7/2024 Added Palette Enterprise & Palette VerteX 4.5.8 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-40735.md b/docs/docs-content/security-bulletins/reports/cve-2022-40735.md
deleted file mode 100644
index e1ec816ccc..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2022-40735.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-sidebar_label: "CVE-2022-40735"
-title: "CVE-2022-40735"
-description: "Lifecycle of CVE-2022-40735"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2022-40735](https://nvd.nist.gov/vuln/detail/CVE-2022-40735)
-
-## Last Update
-
-11/7/2024
-
-## NIST CVE Summary
-
-The Diffie-Hellman Key Agreement Protocol allows use of long exponents that arguably make certain calculations
-unnecessarily expensive, because the 1996 van Oorschot and Wiener paper found that "(appropriately) short exponents" can
-be used when there are adequate subgroup constraints, and these short exponents can lead to less expensive calculations
-than for long exponents. This issue is different from CVE-2002-20001 because it is based on an observation about
-exponent size, rather than an observation about numbers that are not public keys. The specific situations in which
-calculation expense would constitute a server-side vulnerability depend on the protocol (e.g., TLS, SSH, or IKE) and the
-DHE implementation details. In general, there might be an availability concern because of server-side resource
-consumption from DHE modular-exponentiation calculations. Finally, it is possible for an attacker to exploit this
-vulnerability and CVE-2002-20001 together.
-
-## Our Official Summary
-
-Investigation is ongoing to determine how this vulnerability impacts our products.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-40735)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.5.8
-- Palette Enterprise airgap 4.5.8
-- Palette VerteX 4.5.8
-- Palette Enterprise 4.5.8
-
-## Revision History
-
-- 1.0 11/7/2024 Initial Publication
-- 2.0 11/7/2024 Added Palette VerteX airgap, Palette Enterprise airgap, VerteX, and Palette Enterprise 4.5.8 to Affected
- Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-41409.md b/docs/docs-content/security-bulletins/reports/cve-2022-41409.md
deleted file mode 100644
index 7bc8cc059a..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2022-41409.md
+++ /dev/null
@@ -1,51 +0,0 @@
----
-sidebar_label: "CVE-2022-41409"
-title: "CVE-2022-41409"
-description: "Lifecycle of CVE-2022-41409"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2022-41409](https://nvd.nist.gov/vuln/detail/CVE-2022-41409)
-
-## Last Update
-
-11/7/2024
-
-## NIST CVE Summary
-
-Integer overflow vulnerability in pcre2test before 10.41 allows attackers to cause a denial of service or other
-unspecified impacts via negative input.
-
-## Our Official Summary
-
-Waiting on a fix from third party mongodb & calico vendors
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41409)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.14, 4.4.18, 4.5.3, 4.5.8
-- Palette Enterprise airgap 4.4.18, 4.5.3, 4.5.8
-- Palette VerteX 4.5.3, 4.5.8
-- Palette Enterprise 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX airgap 4.4.18 & Palette Enterprise airgap 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX airgap 4.5.3 & Palette Enterprise airgap 4.5.3 to Affected Products
-- 5.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
-- 6.0 11/7/2024 Added Palette VerteX airgap, Palette Enterprise airgap, Palette Enterprise, and Palette VerteX 4.5.8 to
- Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-41715.md b/docs/docs-content/security-bulletins/reports/cve-2022-41715.md
deleted file mode 100644
index b179afc4c1..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2022-41715.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-sidebar_label: "CVE-2022-41715"
-title: "CVE-2022-41715"
-description: "Lifecycle of CVE-2022-41715"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2022-41715](https://nvd.nist.gov/vuln/detail/CVE-2022-41715)
-
-## Last Update
-
-11/7/24
-
-## NIST CVE Summary
-
-Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of
-service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can
-be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp
-being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than
-that are rejected. Normal use of regular expressions is unaffected.
-
-## Our Official Summary
-
-Investigation is ongoing to determine how this vulnerability affects our products.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41715)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette Enterprise 4.5.3, 4.5.8
-- Palette VerteX 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 10/14/24 Initial Publication
-- 2.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
-- 3.0 11/7/2024 Added Palette Enterprise & Palette VerteX 4.5.8 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-41723.md b/docs/docs-content/security-bulletins/reports/cve-2022-41723.md
deleted file mode 100644
index 7be5331fa6..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2022-41723.md
+++ /dev/null
@@ -1,51 +0,0 @@
----
-sidebar_label: "CVE-2022-41723"
-title: "CVE-2022-41723"
-description: "Lifecycle of CVE-2022-41723"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2022-41723](https://nvd.nist.gov/vuln/detail/CVE-2022-41723)
-
-## Last Update
-
-11/7/2024
-
-## NIST CVE Summary
-
-A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a
-denial of service from a small number of small requests.
-
-## Our Official Summary
-
-CVE exists in coredns that’s being used in k8s 1.28.11. Affects only k8s version 1.28.11.For customer workload clusters,
-workaround is to use k8s version 1.29+. For Palette Self Hosted cluster, a future release will upgrade to 1.29+.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41723)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.14, 4.4.18, 4.5.3
-- Palette Enterprise airgap 4.4.18, 4.5.3
-- Palette VerteX 4.5.3, 4.5.8
-- Palette Enterprise 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX airgap 4.4.18 & Palette Enterprise airgap 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX airgap 4.5.3 & Palette Enterprise airgap 4.5.3 to Affected Products
-- 5.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
-- 6.0 11/7/2024 Added Palette Enterprise & Palette VerteX 4.5.8 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-41724.md b/docs/docs-content/security-bulletins/reports/cve-2022-41724.md
deleted file mode 100644
index 4b26544200..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2022-41724.md
+++ /dev/null
@@ -1,53 +0,0 @@
----
-sidebar_label: "CVE-2022-41724"
-title: "CVE-2022-41724"
-description: "Lifecycle of CVE-2022-41724"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2022-41724](https://nvd.nist.gov/vuln/detail/CVE-2022-41724)
-
-## Last Update
-
-11/7/2024
-
-## NIST CVE Summary
-
-Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records
-which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3
-clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil
-value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).
-
-## Our Official Summary
-
-A vulnerability in crypto-tls in Go affects the component TLS Handshake Handler. The product does not properly control
-the allocation and maintenance of a limited resource, when handling large handshake records, thereby enabling an actor
-to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. A fix is
-available in latest versions of go. All the images affected will be upgraded to the latest versions.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41724)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.18
-- Palette VerteX 4.5.3, 4.5.8
-- Palette Enterprise 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 09/15/2024 Initial Publication
-- 2.0 09/15/2024 Added palette VerteX airgap 4.4.18 to Affected Products
-- 3.0 10/10/2024 CVE remediated in Palette VerteX airgap 4.5.3
-- 4.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
-- 5.0 11/7/2024 Added Palette Enterprise & Palette VerteX 4.5.8 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-41725.md b/docs/docs-content/security-bulletins/reports/cve-2022-41725.md
deleted file mode 100644
index 027db80b31..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2022-41725.md
+++ /dev/null
@@ -1,67 +0,0 @@
----
-sidebar_label: "CVE-2022-41725"
-title: "CVE-2022-41725"
-description: "Lifecycle of CVE-2022-41725"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2022-41725](https://nvd.nist.gov/vuln/detail/CVE-2022-41725)
-
-## Last Update
-
-11/7/2024
-
-## NIST CVE Summary
-
-A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form
-parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also
-affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and
-PostFormValue. ReadForm takes a maxMemory parameter, and is documented as storing "up to maxMemory bytes +10MB (reserved
-for non-file parts) in memory". File parts which cannot be stored in memory are stored on disk in temporary files. The
-unconfigurable 10MB reserved for non-file parts is excessively large and can potentially open a denial of service vector
-on its own. However, ReadForm did not properly account for all memory consumed by a parsed form, such as map entry
-overhead, part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In addition,
-ReadForm contained no limit on the number of disk files created, permitting a relatively small request body to create a
-large number of disk temporary files. With fix, ReadForm now properly accounts for various forms of memory overhead, and
-should now stay within its documented limit of 10MB + maxMemory bytes of memory consumption. Users should still be aware
-that this limit is high and may still be hazardous. In addition, ReadForm now creates at most one on-disk temporary
-file, combining multiple form parts into a single temporary file.
The mime/multipart.File interface type's documentation
-states, "If stored on disk, the File's underlying concrete type will be an \*os.File.". This is no longer the case when
-a form contains more than one file part, due to this coalescing of parts into a single file. The previous behavior of
-using distinct files for each form part may be reenabled with the environment variable GODEBUG=multipartfiles=distinct.
-Users should be aware that multipart.ReadForm and the http.Request methods that call it do not limit the amount of disk
-consumed by temporary files. Callers can limit the size of form data with http.MaxBytesReader.
-
-## Our Official Summary
-
-A denial-of-service vulnerability has been identified in the Go standard library affecting the mime/multipart package.
-This vulnerability could allow an attacker to conduct a denial-of-service attack through excessive resource consumption
-in net/http and mime/multipart. This vulnerability affects multiple 3rd party images. Images will be upgraded to newer
-versions available.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41725)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.18
-- Palette VerteX 4.5.3, 4.5.8
-- Palette Enterprise 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 09/15/2024 Initial Publication
-- 2.0 09/15/2024 Added palette VerteX airgap 4.4.18 to Affected Products
-- 3.0 10/10/2024 CVE remediated in Palette VerteX airgap 4.5.3
-- 4.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
-- 5.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.8 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-4450.md b/docs/docs-content/security-bulletins/reports/cve-2022-4450.md
deleted file mode 100644
index 8f9cb2613e..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2022-4450.md
+++ /dev/null
@@ -1,56 +0,0 @@
----
-sidebar_label: "CVE-2022-4450"
-title: "CVE-2022-4450"
-description: "Lifecycle of CVE-2022-4450"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2022-4450](https://nvd.nist.gov/vuln/detail/CVE-2022-4450)
-
-## Last Update
-
-11/7/24
-
-## NIST CVE Summary
-
-The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any
-header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are
-populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those
-buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex()
-will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed.
-If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be
-exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service
-attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these
-functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions
-including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal
-uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex()
-returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in
-OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue.
-
-## Our Official Summary
-
-Investigation is ongoing to determine how this vulnerability affects our products.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-4450)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette Enterprise 4.5.3, 4.5.8
-- Palette VerteX 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 10/14/24 Initial Publication
-- 2.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
-- 3.0 11/7/2024 Added Palette Enterprise & Palette VerteX 4.5.8 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-45061.md b/docs/docs-content/security-bulletins/reports/cve-2022-45061.md
deleted file mode 100644
index dac8f548dd..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2022-45061.md
+++ /dev/null
@@ -1,53 +0,0 @@
----
-sidebar_label: "CVE-2022-45061"
-title: "CVE-2022-45061"
-description: "Lifecycle of CVE-2022-45061"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2022-45061](https://nvd.nist.gov/vuln/detail/CVE-2022-45061)
-
-## Last Update
-
-10/10/24
-
-## NIST CVE Summary
-
-An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing
-some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder
-could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a
-malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use
-of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an
-HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.
-
-## Our Official Summary
-
-This CVE is a vulnerability affecting certain versions of Python, specifically those before version 3.11.1. The issue
-lies in an unnecessary quadratic algorithm in one path when processing some inputs to the IDNA (RFC 3490) decoder. This
-can lead to slow execution times and potential denial of service attacks on systems using affected Python versions.
-Systems that utilize Python's idna module for decoding large strings, such as web servers or applications handling
-user-provided hostnames, may be impacted by this vulnerability. There is no known workaround for this vulnerability.
-Python version needs to be upgraded in the images reported.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-45061)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.18
-
-## Revision History
-
-- 1.0 9/13/2024 Initial Publication
-- 2.0 9/13/2024 Added Palette VerteX airgap 4.4.18 to Affected Products
-- 3.0 10/10/2024 CVE remediated in Palette VerteX 4.5.3
diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-48560.md b/docs/docs-content/security-bulletins/reports/cve-2022-48560.md
deleted file mode 100644
index 88c46a41c0..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2022-48560.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-sidebar_label: "CVE-2022-48560"
-title: "CVE-2022-48560"
-description: "Lifecycle of CVE-2022-48560"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2022-48560](https://nvd.nist.gov/vuln/detail/CVE-2022-48560)
-
-## Last Update
-
-10/10/24
-
-## NIST CVE Summary
-
-A use-after-free exists in Python through 3.9 via heappushpop in heapq.
-
-## Our Official Summary
-
-This CVE affects python versions upto 3.9. The use-after-free vulnerability in Python's heapq module allows an attacker
-to manipulate memory after it has been freed, potentially leading to arbitrary code execution or a denial of service.
-This vulnerability can be exploited by carefully crafting a malicious input that triggers the use-after-free condition.
-There is no known workaround for this vulnerability. Python version needs to be upgraded in the images reported.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-48560)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.18
-
-## Revision History
-
-- 1.0 9/13/2024 Initial Publication
-- 2.0 9/13/2024 Added Palette VerteX airgap 4.4.18 to Affected Products
-- 3.0 10/10/2024 CVE remediated in Palette VerteX airgap 4.5.3
diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-48565.md b/docs/docs-content/security-bulletins/reports/cve-2022-48565.md
deleted file mode 100644
index 4535dbe007..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2022-48565.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-sidebar_label: "CVE-2022-48565"
-title: "CVE-2022-48565"
-description: "Lifecycle of CVE-2022-48565"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2022-48565](https://nvd.nist.gov/vuln/detail/CVE-2022-48565)
-
-## Last Update
-
-10/10/24
-
-## NIST CVE Summary
-
-An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity
-declarations in XML plist files to avoid XML vulnerabilities.
-
-## Our Official Summary
-
-This CVE affects users of Python versions up to 3.9.1. This issue lies in the plistlib module, which used to accept
-entity declarations in XML plist files, making it susceptible to XXE attacks. This vulnerability is not listed in CISA's
-Known Exploited Vulnerabilities Catalog. The possibility of this vulnerability getting exploited in Spectro Cloud
-products is low. Need an update from the 3rd party vendor to fix the vulnerability. Investigating possibility of
-updating python version to fix this vulnerability.
-
-## CVE Severity
-
-[9.8](https://nvd.nist.gov/vuln/detail/CVE-2022-48565)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.18
-
-## Revision History
-
-- 1.0 9/13/2024 Initial Publication
-- 2.0 9/13/2024 Added Palette VerteX airgap 4.4.18 to Affected Products
-- 3.0 10/10/2024 CVE remediated in Palette VerteX airgap 4.5.3
diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-4899.md b/docs/docs-content/security-bulletins/reports/cve-2022-4899.md
deleted file mode 100644
index d140e86083..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2022-4899.md
+++ /dev/null
@@ -1,52 +0,0 @@
----
-sidebar_label: "CVE-2022-4899"
-title: "CVE-2022-4899"
-description: "Lifecycle of CVE-2022-4899"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2022-4899](https://nvd.nist.gov/vuln/detail/CVE-2022-4899)
-
-## Last Update
-
-11/7/2024
-
-## NIST CVE Summary
-
-A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line
-tool to cause buffer overrun.
-
-## Our Official Summary
-
-This vulnerability is reported on several 3rd party images used by the product. We are waiting on an upstream fix from
-the vendor.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-4899)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.14, 4.4.18, 4.5.3, 4.5.8
-- Palette Enterprise airgap 4.4.18, 4.5.3, 4.5.8
-- Palette VerteX 4.5.3, 4.5.8
-- Palette Enterprise 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX airgap 4.4.18 & Palette Enterprise airgap 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX airgap 4.5.3 & Palette Enterprise airgap 4.5.3 to Affected Products
-- 5.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
-- 6.0 11/7/2024 Added Palette VerteX airgap, Palette Enterprise airgap, Palette Enterprise, and Palette VerteX 4.5.8 to
- Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-0215.md b/docs/docs-content/security-bulletins/reports/cve-2023-0215.md
deleted file mode 100644
index d3059a9175..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2023-0215.md
+++ /dev/null
@@ -1,56 +0,0 @@
----
-sidebar_label: "CVE-2023-0215"
-title: "CVE-2023-0215"
-description: "Lifecycle of CVE-2023-0215"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2023-0215](https://nvd.nist.gov/vuln/detail/CVE-2023-0215)
-
-## Last Update
-
-11/7/24
-
-## NIST CVE Summary
-
-The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used
-internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end
-user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of
-it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for
-example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result
-indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller
-still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the
-BIO then a use-after-free will occur. This will most likely result in a crash. This scenario occurs directly in the
-internal function B64_write_ASN1() which may cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on
-the BIO. This internal function is in turn called by the public API functions PEM_write_bio_ASN1_stream,
-PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream, SMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7. Other
-public API functions that may be impacted by this include i2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7,
-i2d_CMS_bio_stream and i2d_PKCS7_bio_stream. The OpenSSL cms and smime command line applications are similarly affected.
-
-## Our Official Summary
-
-Investigation is ongoing to determine how this vulnerability affects our products.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-0215)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette Enterprise 4.5.3, 4.5.8
-- Palette VerteX 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 10/14/24 Initial Publication
-- 2.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
-- 3.0 11/7/2024 Added Palette Enterprise & Palette VerteX 4.5.8 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-0216.md b/docs/docs-content/security-bulletins/reports/cve-2023-0216.md
deleted file mode 100644
index cd102789f2..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2023-0216.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-sidebar_label: "CVE-2023-0216"
-title: "CVE-2023-0216"
-description: "Lifecycle of CVE-2023-0216"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2023-0216](https://nvd.nist.gov/vuln/detail/CVE-2023-0216)
-
-## Last Update
-
-11/7/24
-
-## NIST CVE Summary
-
-An invalid pointer dereference on read can be triggered when an application tries to load malformed PKCS7 data with the
-d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions. The result of the dereference is an application crash which
-could lead to a denial of service attack. The TLS implementation in OpenSSL does not call this function however third
-party applications might call these functions on untrusted data.
-
-## Our Official Summary
-
-Investigation is ongoing to determine how this vulnerability affects our products.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-0216)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette Enterprise 4.5.3, 4.5.8
-- Palette VerteX 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 10/14/24 Initial Publication
-- 2.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
-- 3.0 11/7/2024 Added Palette Enterprise & Palette VerteX 4.5.8 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-0217.md b/docs/docs-content/security-bulletins/reports/cve-2023-0217.md
deleted file mode 100644
index 15e814bd34..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2023-0217.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-sidebar_label: "CVE-2023-0217"
-title: "CVE-2023-0217"
-description: "Lifecycle of CVE-2023-0217"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2023-0217](https://nvd.nist.gov/vuln/detail/CVE-2023-0217)
-
-## Last Update
-
-11/7/24
-
-## NIST CVE Summary
-
-An invalid pointer dereference on read can be triggered when an application tries to check a malformed DSA public key by
-the EVP_PKEY_public_check() function. This will most likely lead to an application crash. This function can be called on
-public keys supplied from untrusted sources which could allow an attacker to cause a denial of service attack. The TLS
-implementation in OpenSSL does not call this function but applications might call the function if there are additional
-security requirements imposed by standards such as FIPS 140-3.
-
-## Our Official Summary
-
-Investigation is ongoing to determine how this vulnerability affects our products.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-0217)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette Enterprise 4.5.3, 4.5.8
-- Palette VerteX 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 10/14/24 Initial Publication
-- 2.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
-- 3.0 11/7/2024 Added Palette Enterprise & Palette VerteX 4.5.8 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-0286.md b/docs/docs-content/security-bulletins/reports/cve-2023-0286.md
deleted file mode 100644
index f5e6a08351..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2023-0286.md
+++ /dev/null
@@ -1,53 +0,0 @@
----
-sidebar_label: "CVE-2023-0286"
-title: "CVE-2023-0286"
-description: "Lifecycle of CVE-2023-0286"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2023-0286](https://nvd.nist.gov/vuln/detail/CVE-2023-0286)
-
-## Last Update
-
-11/7/24
-
-## NIST CVE Summary
-
-There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400
-addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the
-type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function
-GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the
-X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call,
-enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to
-provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only
-controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which
-is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own
-functionality for retrieving CRLs over a network.
-
-## Our Official Summary
-
-Investigation is ongoing to determine how this vulnerability affects our products.
-
-## CVE Severity
-
-[7.4](https://nvd.nist.gov/vuln/detail/CVE-2023-0286)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette Enterprise 4.5.3, 4.5.8
-- Palette VerteX 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 10/14/24 Initial Publication
-- 2.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
-- 3.0 11/7/2024 Added Palette Enterprise & Palette VerteX 4.5.8 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-0401.md b/docs/docs-content/security-bulletins/reports/cve-2023-0401.md
deleted file mode 100644
index cc30e5e100..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2023-0401.md
+++ /dev/null
@@ -1,51 +0,0 @@
----
-sidebar_label: "CVE-2023-0401"
-title: "CVE-2023-0401"
-description: "Lifecycle of CVE-2023-0401"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2023-0401](https://nvd.nist.gov/vuln/detail/CVE-2023-0401)
-
-## Last Update
-
-11/7/24
-
-## NIST CVE Summary
-
-A NULL pointer can be dereferenced when signatures are being verified on PKCS7 signed or signedAndEnveloped data. In
-case the hash algorithm used for the signature is known to the OpenSSL library but the implementation of the hash
-algorithm is not available the digest initialization will fail. There is a missing check for the return value from the
-initialization function which later leads to invalid usage of the digest API most likely leading to a crash. The
-unavailability of an algorithm can be caused by using FIPS enabled configuration of providers or more commonly by not
-loading the legacy provider. PKCS7 data is processed by the SMIME library calls and also by the time stamp (TS) library
-calls. The TLS implementation in OpenSSL does not call these functions however third party applications would be
-affected if they call these functions to verify signatures on untrusted data.
-
-## Our Official Summary
-
-Investigation is ongoing to determine how this vulnerability affects our products.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-0401)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette Enterprise 4.5.3, 4.5.8
-- Palette VerteX 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 10/14/24 Initial Publication
-- 2.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
-- 3.0 11/7/2024 Added Palette Enterprise & Palette VerteX 4.5.8 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-0464.md b/docs/docs-content/security-bulletins/reports/cve-2023-0464.md
deleted file mode 100644
index ed1928d725..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2023-0464.md
+++ /dev/null
@@ -1,53 +0,0 @@
----
-sidebar_label: "CVE-2023-0464"
-title: "CVE-2023-0464"
-description: "Lifecycle of CVE-2023-0464"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2023-0464](https://nvd.nist.gov/vuln/detail/CVE-2023-0464)
-
-## Last Update
-
-11/7/2024
-
-## NIST CVE Summary
-
-A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509
-certificate chains that include policy constraints.
-
-## Our Official Summary
-
-This is a false positive reported by twistlock. We have confirmed this CVE is fixed in the FIPS openSSL version
-1.1.1f-1ubuntu2.fips.22 that’s being used in VerteX. You can learn more about this CVE at
-[https://ubuntu.com/security/CVE-2023-0464](https://ubuntu.com/security/CVE-2023-0464).
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-0464)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.14, 4.4.18, 4.5.3, 4.5.8
-- Palette Enterprise airgap 4.4.18, 4.5.3, 4.5.8
-- Palette VerteX 4.5.3, 4.5.8
-- Palette Enterprise 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX airgap 4.4.18 & Palette Enterprise airgap 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX airgap 4.5.3 & Palette Enterprise airgap 4.5.3 to Affected Products
-- 5.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
-- 6.0 11/7/2024 Added Palette VerteX airgap, Palette Enterprise airgap, Palette Enterprise, and Palette VerteX 4.5.8 to
- Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-24329.md b/docs/docs-content/security-bulletins/reports/cve-2023-24329.md
deleted file mode 100644
index b77a393a08..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2023-24329.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-sidebar_label: "CVE-2023-24329"
-title: "CVE-2023-24329"
-description: "Lifecycle of CVE-2023-24329"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329)
-
-## Last Update
-
-10/10/24
-
-## NIST CVE Summary
-
-An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by
-supplying a URL that starts with blank characters.
-
-## Our Official Summary
-
-An issue in the urllib.parse component of Python before v3.11 allows attackers to bypass blocklisting methods by
-supplying a URL that starts with blank characters. urlparse has a parsing problem when the entire URL starts with blank
-characters. This problem affects both the parsing of hostname and scheme, and eventually causes any blocklisting methods
-to fail. Python version needs to be upgraded in the images reported.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-24329)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.18
-
-## Revision History
-
-- 1.0 9/13/2024 Initial Publication
-- 2.0 9/13/2024 Added Palette VerteX airgap 4.4.18 to Affected Products
-- 3.0 10/10/2024 CVE remediated in Palette VerteX airgap 4.5.3
diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-24534.md b/docs/docs-content/security-bulletins/reports/cve-2023-24534.md
deleted file mode 100644
index adb36a62d1..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2023-24534.md
+++ /dev/null
@@ -1,57 +0,0 @@
----
-sidebar_label: "CVE-2023-24534"
-title: "CVE-2023-24534"
-description: "Lifecycle of CVE-2023-24534"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2023-24534](https://nvd.nist.gov/vuln/detail/CVE-2023-24534)
-
-## Last Update
-
-11/7/2024
-
-## NIST CVE Summary
-
-HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading
-to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME
-headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this
-behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory
-exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold
-parsed headers.
-
-## Our Official Summary
-
-This CVE involves excessive memory allocation in net/http and net/textproto, potentially leading to a denial-of-service
-due to large memory allocation while parsing HTTP and MIME headers even for small inputs. Attackers can exploit this
-vulnerability to exhaust an HTTP server's memory resources, causing a denial of service. By crafting specific input data
-patterns, an attacker can trigger the excessive memory allocation behavior in the HTTP and MIME header parsing
-functions, leading to memory exhaustion. The risk of this vulnerability exploited in Spectro Cloud products is very low.
-3rd party images affected will be upgraded to remove the vulnerability.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-24534)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.18
-- Palette VerteX 4.5.3, 4.5.8
-- Palette Enterprise 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 09/15/2024 Initial Publication
-- 2.0 09/15/2024 Added palette VerteX airgap 4.4.18 to Affected Products
-- 3.0 10/10/2024 CVE remediated in Palette VerteX airgap 4.5.3
-- 4.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
-- 5.0 11/7/2024 Added Palette Enterprise & Palette VerteX 4.5.8 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-24536.md b/docs/docs-content/security-bulletins/reports/cve-2023-24536.md
deleted file mode 100644
index f3d5aca996..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2023-24536.md
+++ /dev/null
@@ -1,64 +0,0 @@
----
-sidebar_label: "CVE-2023-24536"
-title: "CVE-2023-24536"
-description: "Lifecycle of CVE-2023-24536"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2023-24536](https://nvd.nist.gov/vuln/detail/CVE-2023-24536)
-
-## Last Update
-
-11/7/2024
-
-## NIST CVE Summary
-
-Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large
-numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed
-multipart form can consume. ReadForm can undercount the amount of memory consumed, leading it to accept larger inputs
-than intended. 2. Limiting total memory does not account for increased pressure on the garbage collector from large
-numbers of small allocations in forms with many parts. 3. ReadForm can allocate a large number of short-lived buffers,
-further increasing pressure on the garbage collector. The combination of these factors can permit an attacker to cause
-an program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of
-service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package
-with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. With fix, ReadForm now does a
-better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations. In
-addition, the fixed mime/multipart.Reader imposes the following limits on the size of parsed forms: 1. Forms parsed with
-ReadForm may contain no more than 1000 parts. This limit may be adjusted with the environment variable
-GODEBUG=multipartmaxparts=. 2. Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header
-fields.
In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This
-limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=.
-
-## Our Official Summary
-
-Golang Go is vulnerable to a denial-of-service, caused by a flaw during multipart form parsing. By sending a specially
-crafted input, a remote attacker could exploit this vulnerability to consume large amounts of CPU and memory, and
-results in a denial-of-service condition. The risk of this vulnerability exploited in our products is low. The images in
-which this is reported will be upgraded to fix the issue.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-24536)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.18
-- Palette VerteX 4.5.3, 4.5.8
-- Palette Enterprise 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 09/15/2024 Initial Publication
-- 2.0 09/15/2024 Added palette VerteX airgap 4.4.18 to Affected Products
-- 3.0 10/10/2024 CVE remediated in Palette VerteX airgap 4.5.3
-- 4.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
-- 5.0 11/7/2024 Added Palette Enterprise & Palette VerteX 4.5.8 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-24537.md b/docs/docs-content/security-bulletins/reports/cve-2023-24537.md
deleted file mode 100644
index d3834f20ae..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2023-24537.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-sidebar_label: "CVE-2023-24537"
-title: "CVE-2023-24537"
-description: "Lifecycle of CVE-2023-24537"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2023-24537](https://nvd.nist.gov/vuln/detail/CVE-2023-24537)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can
-cause an infinite loop due to integer overflow.
-
-## Our Official Summary
-
-This is a new golang-related security vulnerability that affects Go languages, which can cause an infinite loop and a
-denial-of-service attack, due to a integer overflow. The images in which this is reported will be upgraded to fix the
-issue.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-24537)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette Enterprise airgap 4.4.18
-
-## Revision History
-
-- 1.0 09/15/2024 Initial Publication
-- 2.0 09/15/2024 Added Palette Enterprise airgap 4.4.18 to Affected Products
-- 3.0 10/10/2024 CVE remediated in Palette Enterprise airgap 4.5.3
diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-24538.md b/docs/docs-content/security-bulletins/reports/cve-2023-24538.md
deleted file mode 100644
index eb9aab0a3a..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2023-24538.md
+++ /dev/null
@@ -1,55 +0,0 @@
----
-sidebar_label: "CVE-2023-24538"
-title: "CVE-2023-24538"
-description: "Lifecycle of CVE-2023-24538"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2023-24538](https://nvd.nist.gov/vuln/detail/CVE-2023-24538)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-Templates do not properly consider backticks `` ` `` as Javascript string delimiters, and do not escape them as
-expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a
-Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary
-Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string
-interpolation, the decision was made to simply disallow Go template actions from being used inside of them
-e.g.`"var a = {{.}}"`, since there is no safe way to allow this behavior. This takes the same approach as
-github.com/google/safehtml. With fix, Template.Parse returns an Error when it encounters templates like this, with an
-ErrorCode of value 12. This ErrorCode is currently unexported, but will be exported in the release of Go 1.21. Users who
-rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the caveat that backticks
-will now be escaped. This should be used with caution.
-
-## Our Official Summary
-
-CVE-2023-24538 is a critical security vulnerability affecting the Go programming language, specifically its handling of
-templates with Go template actions within JavaScript template literals. The vulnerability has been addressed in recent
-Go releases. The risk of this vulnerability exploited in our products is low. The images in which this is reported will
-be upgraded to fix the issue.
-
-## CVE Severity
-
-[9.8](https://nvd.nist.gov/vuln/detail/CVE-2023-24538)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette Enterprise airgap 4.4.18
-
-## Revision History
-
-- 1.0 09/15/2024 Initial Publication
-- 2.0 09/15/2024 Added Palette Enterprise airgap 4.4.18 to Affected Products
-- 3.0 10/10/2024 CVE remediated in Palette Enterprise airgap 4.5.3
diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-24539.md b/docs/docs-content/security-bulletins/reports/cve-2023-24539.md
deleted file mode 100644
index cf567a0ff3..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2023-24539.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-sidebar_label: "CVE-2023-24539"
-title: "CVE-2023-24539"
-description: "Lifecycle of CVE-2023-24539"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2023-24539](https://nvd.nist.gov/vuln/detail/CVE-2023-24539)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-Angle brackets `<>` are not considered dangerous characters when inserted into CSS contexts. Templates containing
-multiple actions separated by a `/` character can result in unexpectedly closing the CSS context and allowing for
-injection of unexpected HTML, if executed with untrusted input.
-
-## Our Official Summary
-
-A vulnerability was found in html-template up to 1.19.8/1.20.3 on Go. The affected component is the CSS Handler.
-Manipulation with an unknown input could lead to a cross-site scripting vulnerability. If the input contains special
-characters such as `"<", ">"`, and `"&"` that could be interpreted as web-scripting elements when they are sent to a
-downstream component that processes web pages. A fix for the images affected will be investigated.
-
-## CVE Severity
-
-[7.3](https://nvd.nist.gov/vuln/detail/CVE-2023-24539)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette Enterprise airgap 4.4.18
-
-## Revision History
-
-- 1.0 09/15/2024 Initial Publication
-- 2.0 09/15/2024 Added Palette Enterprise airgap 4.4.18 to Affected Products
-- 3.0 10/10/2024 CVE remediated in Palette Enterprise airgap 4.5.3
diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-24540.md b/docs/docs-content/security-bulletins/reports/cve-2023-24540.md
deleted file mode 100644
index 586a8f31ac..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2023-24540.md
+++ /dev/null
@@ -1,51 +0,0 @@
----
-sidebar_label: "CVE-2023-24540"
-title: "CVE-2023-24540"
-description: "Lifecycle of CVE-2023-24540"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2023-24540](https://nvd.nist.gov/vuln/detail/CVE-2023-24540)
-
-## Last Update
-
-10/29/2024
-
-## NIST CVE Summary
-
-Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace
-characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions
-may not be properly sanitized during execution.
-
-## Our Official Summary
-
-This is a vulnerability affecting the Golang Go software, specifically the html/template package. This issue arises from
-improper handling of JavaScript whitespace characters in certain contexts, leading to potential security risks. Systems
-using Golang Go versions up to 1.19.9 and from 1.20.0 to 1.20.4 are affected, particularly those using the html/template
-package with JavaScript contexts containing actions and specific whitespace characters. The images in which
-vulnerabilities are reported are not directly exposed. This restricts access to the vulnerable golang html/templates to
-authenticated users only, reducing the impact. We are waiting on an upstream fix from the 3rd party vendors. We will
-upgrade the images once the upstream fix becomes available.
-
-## CVE Severity
-
-[9.8](https://nvd.nist.gov/vuln/detail/CVE-2023-24540)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette Enterprise airgap 4.4.18
-
-## Revision History
-
-- 1.0 09/15/2024 Initial Publication
-- 2.0 09/15/2024 Added Palette Enterprise airgap 4.4.18 to Affected Products
-- 3.0 10/10/2024 CVE remediated in Palette Enterprise airgap 4.5.3
diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-26604.md b/docs/docs-content/security-bulletins/reports/cve-2023-26604.md
deleted file mode 100644
index ca60c60ad1..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2023-26604.md
+++ /dev/null
@@ -1,51 +0,0 @@
----
-sidebar_label: "CVE-2023-26604"
-title: "CVE-2023-26604"
-description: "Lifecycle of CVE-2023-26604"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2023-26604](https://nvd.nist.gov/vuln/detail/CVE-2023-26604)
-
-## Last Update
-
-11/7/2024
-
-## NIST CVE Summary
-
-In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the
-system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch
-with untrusted input (if they lack validation of user-provided filenames or arguments). The fix is also back-ported to
-3.7, 3.8, 3.9
-
-## Our Official Summary
-
-Spectro Cloud Official Summary Coming Soon
-
-## CVE Severity
-
-[7.8](https://nvd.nist.gov/vuln/detail/CVE-2023-26604)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.14, 4.4.18, 4.5.3, 4.5.8
-- Palette Enterprise airgap 4.4.18
-- Palette VerteX 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX airgap & Palette Enterprise airgap 4.4.18 to Affected Products
-- 4.0 10/10/2024 CVE remediated in Palette Enterprise airgap 4.5.3
-- 5.0 10/14/2024 Added Palette VerteX 4.5.3 to Affected Products
-- 6.0 11/7/2024 Added Palette VerteX airgap & Palette VerteX 4.5.8 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-27534.md b/docs/docs-content/security-bulletins/reports/cve-2023-27534.md
deleted file mode 100644
index 18d07b5903..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2023-27534.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-sidebar_label: "CVE-2023-27534"
-title: "CVE-2023-27534"
-description: "Lifecycle of CVE-2023-27534"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2023-27534](https://nvd.nist.gov/vuln/detail/CVE-2023-27534)
-
-## Last Update
-
-11/7/2024
-
-## NIST CVE Summary
-
-A path traversal vulnerability exists in curl \<8.0.0 SFTP implementation causes the tilde (\~) character to be wrongly
-replaced when used as a prefix in the first path element, in addition to its intended use as the first element to
-indicate a path relative to the user's home directory. Attackers can exploit this flaw to bypass filtering or execute
-arbitrary code by crafting a path like /\~2/foo while accessing a server with a specific user.
-
-## Our Official Summary
-
-This vulnerability is reported on several 3rd party images used by the product. We are waiting on an upstream fix from
-the vendor. If the vulnerability is exploited, impact is low for the products using these images.
-
-## CVE Severity
-
-[8.8](https://nvd.nist.gov/vuln/detail/CVE-2023-27534)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.14
-- Palette VerteX 4.5.3, 4.5.8
-- Palette Enterprise 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
-- 3.0 10/14/2024 Added Palette VerteX and Palette Enterprise 4.5.3 to Affected Products
-- 4.0 11/7/2024 Added Palette Enterprise & Palette VerteX 4.5.8 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-29400.md b/docs/docs-content/security-bulletins/reports/cve-2023-29400.md
deleted file mode 100644
index c6981df893..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2023-29400.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-sidebar_label: "CVE-2023-29400"
-title: "CVE-2023-29400"
-description: "Lifecycle of CVE-2023-29400"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2023-29400](https://nvd.nist.gov/vuln/detail/CVE-2023-29400)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-Templates containing actions in unquoted HTML attributes e.g. `"attr={{.}}"` executed with empty input can result in
-output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary
-attributes into tags.
-
-## Our Official Summary
-
-The vulnerability in golang arises from the use of unquoted HTML attributes in templates. When these templates are
-executed with empty input, the resulting output may be parsed incorrectly due to HTML normalization rules. This can
-enable an attacker to inject arbitrary attributes into HTML tags, potentially leading to cross-site scripting (XSS)
-attacks or other security vulnerabilities. All the images in which this CVE is reported are 3rd party images, which do
-not process HTML data. So possibility of this vulnerability getting exploited in Spectro Cloud products is low. Waiting
-on upsteam fixes.
-
-## CVE Severity
-
-[7.3](https://nvd.nist.gov/vuln/detail/CVE-2023-29400)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette Enterprise airgap 4.4.18
-
-## Revision History
-
-- 1.0 09/15/2024 Initial Publication
-- 2.0 09/15/2024 Added Palette Enterprise airgap 4.4.18 to Affected Products
-- 3.0 10/10/2024 CVE remediated in Palette Enterprise airgap 4.5.3
diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-29403.md b/docs/docs-content/security-bulletins/reports/cve-2023-29403.md
deleted file mode 100644
index 4fead028ca..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2023-29403.md
+++ /dev/null
@@ -1,53 +0,0 @@
----
-sidebar_label: "CVE-2023-29403"
-title: "CVE-2023-29403"
-description: "Lifecycle of CVE-2023-29403"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2023-29403](https://nvd.nist.gov/vuln/detail/CVE-2023-29403)
-
-## Last Update
-
-11/7/2024
-
-## NIST CVE Summary
-
-On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can
-be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file
-descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can
-result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is
-terminated, either via panic or signal, it may leak the contents of its registers.
-
-## Our Official Summary
-
-This vulnerability is reported on Go runtime in several older versions. Resources such as files and directories may be
-inadvertently exposed through mechanisms such as insecure permissions, or when a program accidentally operates on the
-wrong object. Third party images on which this vulnerability is reported has to be upgraded.
-
-## CVE Severity
-
-[7.8](https://nvd.nist.gov/vuln/detail/CVE-2023-29403)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.18, 4.5.3
-- Palette Enterprise 4.5.3, 4.5.8
-- Palette VerteX 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 09/15/2024 Initial Publication
-- 2.0 09/15/2024 Added Palette VerteX airgap 4.4.18 to Affected Products
-- 3.0 10/10/2024 Added Palette VerteX airgap 4.5.3 to Affected Products
-- 4.0 10/14/2024 Added Palette VerteX and Palette Enterprise 4.5.3 to Affected Products
-- 5.0 11/7/2024 Added Palette Enterprise & Palette VerteX 4.5.8 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-29499.md b/docs/docs-content/security-bulletins/reports/cve-2023-29499.md
deleted file mode 100644
index 74f3b1d092..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2023-29499.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-sidebar_label: "CVE-2023-29499"
-title: "CVE-2023-29499"
-description: "Lifecycle of CVE-2023-29499"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2023-29499](https://nvd.nist.gov/vuln/detail/CVE-2023-29499)
-
-## Last Update
-
-11/7/2024
-
-## NIST CVE Summary
-
-A flaw was found in GLib. GVariant deserialization fails to validate that the input conforms to the expected format,
-leading to denial of service.
-
-## Our Official Summary
-
-This vulnerability is reported on several 3rd party images used by the product. We are waiting on an upstream fix from
-the vendor. If the vulnerability is exploited, impact is low for the products using these images.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-29499)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.14
-- Palette Enterprise 4.5.3, 4.5.8
-- Palette VerteX 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
-- 3.0 10/14/2024 Added Palette VerteX and Palette Enterprise 4.5.3 to Affected Products
-- 4.0 11/7/2024 Added Palette Enterprise & Palette VerteX 4.5.8 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-31484.md b/docs/docs-content/security-bulletins/reports/cve-2023-31484.md
deleted file mode 100644
index f9b0505d66..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2023-31484.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-sidebar_label: "CVE-2023-31484"
-title: "CVE-2023-31484"
-description: "Lifecycle of CVE-2023-31484"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2023-31484](https://nvd.nist.gov/vuln/detail/CVE-2023-31484)
-
-## Last Update
-
-11/7/24
-
-## NIST CVE Summary
-
-CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.
-
-## Our Official Summary
-
-Investigation is ongoing to determine how this vulnerability affects our products.
-
-## CVE Severity
-
-[8.1](https://nvd.nist.gov/vuln/detail/CVE-2023-31484)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette Enterprise 4.5.3, 4.5.8
-- Palette VerteX 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 10/14/24 Initial Publication
-- 2.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
-- 3.0 11/7/2024 Added Palette Enterprise & Palette VerteX 4.5.8 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-31486.md b/docs/docs-content/security-bulletins/reports/cve-2023-31486.md
deleted file mode 100644
index a6ce03e25f..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2023-31486.md
+++ /dev/null
@@ -1,45 +0,0 @@
----
-sidebar_label: "CVE-2023-31486"
-title: "CVE-2023-31486"
-description: "Lifecycle of CVE-2023-31486"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2023-31486](https://nvd.nist.gov/vuln/detail/CVE-2023-31486)
-
-## Last Update
-
-11/7/24
-
-## NIST CVE Summary
-
-HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS
-configuration where users must opt in to verify certificates.
-
-## Our Official Summary
-
-Investigation is ongoing to determine how this vulnerability affects our products.
-
-## CVE Severity
-
-[8.1](https://nvd.nist.gov/vuln/detail/CVE-2023-31486)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette Enterprise 4.5.3, 4.5.8
-- Palette VerteX 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 10/14/24 Initial Publication
-- 2.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
-- 3.0 11/7/2024 Added Palette Enterprise & Palette VerteX 4.5.8 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-32636.md b/docs/docs-content/security-bulletins/reports/cve-2023-32636.md
deleted file mode 100644
index 1d7df7b793..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2023-32636.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-sidebar_label: "CVE-2023-32636"
-title: "CVE-2023-32636"
-description: "Lifecycle of CVE-2023-32636"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2023-32636](https://nvd.nist.gov/vuln/detail/CVE-2023-32636)
-
-## Last Update
-
-11/7/2024
-
-## NIST CVE Summary
-
-A flaw was found in glib, where the gvariant deserialization code is vulnerable to a denial of service introduced by
-additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. This bug does
-not affect any released version of glib but does affect glib distributors who followed the guidance of glib developers
-to backport the initial fix for CVE-2023-29499.
-
-## Our Official Summary
-
-This vulnerability is reported on several 3rd party images used by the product. We are waiting on an upstream fix from
-the vendor. If the vulnerability is exploited, impact is low for the products using these images.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-32636)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.14
-- Palette Enterprise 4.5.3, 4.5.8
-- Palette VerteX 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
-- 3.0 10/14/2024 Added Palette VerteX and Palette Enterprise 4.5.3 to Affected Products
-- 4.0 11/7/2024 Added Palette Enterprise & Palette VerteX 4.5.8 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-36632.md b/docs/docs-content/security-bulletins/reports/cve-2023-36632.md
deleted file mode 100644
index ff904172a3..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2023-36632.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-sidebar_label: "CVE-2023-36632"
-title: "CVE-2023-36632"
-description: "Lifecycle of CVE-2023-36632"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2023-36632](https://nvd.nist.gov/vuln/detail/CVE-2023-36632)
-
-## Last Update
-
-11/7/24
-
-## NIST CVE Summary
-
-The legacy email.utils.parseaddr function in Python through 3.11.4 allows attackers to trigger "RecursionError: maximum
-recursion depth exceeded while calling a Python object" via a crafted argument. This argument is plausibly an untrusted
-value from an application's input data that was supposed to contain a name and an e-mail address. NOTE:
-email.utils.parseaddr is categorized as a Legacy API in the documentation of the Python email package. Applications
-should instead use the email.parser.BytesParser or email.parser.Parser class. NOTE: the vendor's perspective is that
-this is neither a vulnerability nor a bug. The email package is intended to have size limits and to throw an exception
-when limits are exceeded; they were exceeded by the example demonstration code.
-
-## Our Official Summary
-
-Investigation is ongoing to determine how this vulnerability affects our products.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-36632)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette Enterprise 4.5.3, 4.5.8
-- Palette VerteX 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 10/14/24 Initial Publication
-- 2.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
-- 3.0 11/7/2024 Added Palette Enterprise & Palette VerteX 4.5.8 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-37920.md b/docs/docs-content/security-bulletins/reports/cve-2023-37920.md
deleted file mode 100644
index 9c1f4ed7f5..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2023-37920.md
+++ /dev/null
@@ -1,58 +0,0 @@
----
-sidebar_label: "CVE-2023-37920"
-title: "CVE-2023-37920"
-description: "Lifecycle of CVE-2023-37920"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2023-37920](https://nvd.nist.gov/vuln/detail/CVE-2023-37920)
-
-## Last Update
-
-11/7/2024
-
-## NIST CVE Summary
-
-Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while
-verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates.
-e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems.
-Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.
-
-## Our Official Summary
-
-This vulnerability was found in the python-certifi package. eTurgra certificates are marked as untrusted by Mozilla and
-were removed from Mozilla's root store in July 2023. This issue occurs when the e-Tugra root certificate in Certifi is
-removed, resulting in an unspecified error that has an unknown impact and attack vector. This issue is mostly impacted
-during the use of web browsers. The vulnerability exploitation likelihood in the calico cni images is low. We are
-waiting on an upstream fix from the 3rd party vendors. We will upgrade the images once the upstream fix becomes
-available.
-
-## CVE Severity
-
-[9.8](https://nvd.nist.gov/vuln/detail/CVE-2023-37920)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.14, 4.4.18, 4.5.3, 4.5.8
-- Palette Enterprise airgap 4.4.18, 4.5.3, 4.5.8
-- Palette VerteX 4.5.3, 4.5.8
-- Palette Enterprise 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX airgap 4.4.18 & Palette Enterprise airgap 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX airgap 4.5.3 & Palette Enterprise airgap 4.5.3 to Affected Products
-- 5.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
-- 6.0 11/7/2024 Added Palette VerteX airgap, Palette Enterprise airgap, Palette Enterprise, and Palette VerteX 4.5.8 to
- Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-39325.md b/docs/docs-content/security-bulletins/reports/cve-2023-39325.md
deleted file mode 100644
index ea3a24d2bf..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2023-39325.md
+++ /dev/null
@@ -1,51 +0,0 @@
----
-sidebar_label: "CVE-2023-39325"
-title: "CVE-2023-39325"
-description: "Lifecycle of CVE-2023-39325"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325)
-
-## Last Update
-
-11/7/2024
-
-## NIST CVE Summary
-
-A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource
-consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting
-an in-progress request allows the attacker to create a new request while the existing one is still executing.
-
-## Our Official Summary
-
-CVE exists in coredns that’s being used in k8s 1.28.11. For customer workload clusters, workaround is to use k8s version
-1.29+. For Palette Self Hosted cluster, a future release will upgrade to 1.29+.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-39325)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.14, 4.4.18, 4.5.3, 4.5.8
-- Palette Enterprise airgap 4.4.18, 4.5.3, 4.5.8
-- Palette VerteX 4.5.3, 4.5.8
-- Palette Enterprise 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX airgap 4.4.18 & Palette Enterprise airgap 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX airgap 4.5.3 & Palette Enterprise airgap 4.5.3 to Affected Products
-- 5.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-4156.md b/docs/docs-content/security-bulletins/reports/cve-2023-4156.md
deleted file mode 100644
index c7cf758d71..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2023-4156.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-sidebar_label: "CVE-2023-4156"
-title: "CVE-2023-4156"
-description: "Lifecycle of CVE-2023-4156"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2023-4156](https://nvd.nist.gov/vuln/detail/CVE-2023-4156)
-
-## Last Update
-
-11/7/2024
-
-## NIST CVE Summary
-
-A heap out-of-bounds read flaw was found in builtin.c in the gawk package. This issue may lead to a crash and could be
-used to read sensitive information.
-
-## Our Official Summary
-
-This vulnerability is reported on several 3rd party images used by the product. We are waiting on an upstream fix from
-the vendor. If the vulnerability is exploited, impact is low for the products using these images.
-
-## CVE Severity
-
-[7.1](https://nvd.nist.gov/vuln/detail/CVE-2023-4156)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.14
-- Palette VerteX 4.5.3, 4.5.8
-- Palette Enterprise 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
-- 3.0 10/14/2024 Added Palette VerteX and Palette Enterprise 4.5.3 to Affected Products
-- 4.0 10/14/2024 Added Palette VerteX and Palette Enterprise 4.5.8 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-44487.md b/docs/docs-content/security-bulletins/reports/cve-2023-44487.md
deleted file mode 100644
index 2c9b84cffc..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2023-44487.md
+++ /dev/null
@@ -1,43 +0,0 @@
----
-sidebar_label: "CVE-2023-44487"
-title: "CVE-2023-44487"
-description: "Lifecycle of CVE-2023-44487"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487)
-
-## Last Update
-
-8/16/2024
-
-## NIST CVE Summary
-
-The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many
-streams quickly, as exploited in the wild in August through October 2023\.
-
-## Our Official Summary
-
-The CVE reported in coredns and kube-vip. Govulncheck reports it as non-impacting.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-44487)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.11, 4.4.14
-
-## Revision History
-
-- 1.0 07/16/2024 Initial Publication
-- 2.0 08/16/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-45142.md b/docs/docs-content/security-bulletins/reports/cve-2023-45142.md
deleted file mode 100644
index bfd53a5087..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2023-45142.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-sidebar_label: "CVE-2023-45142"
-title: "CVE-2023-45142"
-description: "Lifecycle of CVE-2023-45142"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2023-45142](https://nvd.nist.gov/vuln/detail/CVE-2023-45142)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box
-adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server's potential memory
-exhaustion when many malicious requests are sent to it.
-
-## Our Official Summary
-
-CVE exists in k8s version 1.28.11. For customer workload clusters, workaround is to use k8s version 1.29+. For Palette
-Self Hosted cluster, a future release will upgrade to 1.29+.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-45142)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.14, 4.4.18
-- Palette Enterprise airgap 4.4.18
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX airgap 4.4.18 & Palette Enterprise airgap 4.4.18 to Affected Products
-- 4.0 10/10/2024 CVE remediated in Palette VerteX airgap 4.5.3 & Palette Enterprise airgap 4.5.3
diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-45287.md b/docs/docs-content/security-bulletins/reports/cve-2023-45287.md
deleted file mode 100644
index 84edc5bd87..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2023-45287.md
+++ /dev/null
@@ -1,54 +0,0 @@ ---- -sidebar_label: "CVE-2023-45287" -title: "CVE-2023-45287" -description: "Lifecycle of CVE-2023-45287" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2023-45287](https://nvd.nist.gov/vuln/detail/CVE-2023-45287) - -## Last Update - -11/7/2024 - -## NIST CVE Summary - -Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was -applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears -as if the removal of PKCS#1 padding may leak timing information, which in turn could be used to recover session key -bits. In Go 1.20, the crypto/tls library switched to a fully constant time RSA implementation, which we do not believe -exhibits any timing side channels. - -## Our Official Summary - -This vulnerability exists in older versions of Golang for RSA based TLS exchanges. All the images in which this is -detected are using older versions of Golang with updates available with a fix. In order to exploit the vulnerability, -attackers need to obtain privileged access to the cluster and handcraft specific calls to these containers. Images will -be upgraded to newer versions. - -## CVE Severity - -[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-45287) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette Enterprise airgap 4.4.18, 4.5.3 -- Palette VerteX 4.5.3, 4.5.8 -- Palette Enterprise 4.5.3, 4.5.8 - -## Revision History - -- 1.0 09/15/2024 Initial Publication -- 2.0 09/15/2024 Added Palette Enterprise airgap 4.4.18 to Affected Products -- 3.0 10/10/2024 Added Palette Enterprise airgap 4.5.3 to Affected Products -- 4.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products -- 5.0 10/14/2024 Added Palette VerteX and Palette Enterprise 4.5.8 to Affected Products 
diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-45853.md b/docs/docs-content/security-bulletins/reports/cve-2023-45853.md
deleted file mode 100644
index 4c2b0fcf01..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2023-45853.md
+++ /dev/null
@@ -1,52 +0,0 @@ ---- -sidebar_label: "CVE-2023-45853" -title: "CVE-2023-45853" -description: "Lifecycle of CVE-2023-45853" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2023-45853](https://nvd.nist.gov/vuln/detail/CVE-2023-45853) - -## Last Update - -11/7/24 - -## NIST CVE Summary - -MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 -via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip -through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code -through its compress API. - -## Our Official Summary - -This vulnerability is reported on some of the 3rd party cni images used by our products such as multus-cni. This -heap-based buffer overflow can be exploited through a long filename, comment, or extra field. The risk scenario is low -for the following reasons: These images are optional and will be installed depending on the configuration of the -deployments; there are no known reports of exploitation from the 3rd party vendors; and these images are not accessible -directly for an attacker to send crafted input. We will upgrade the images when the fixes become available from the -vendors. - -## CVE Severity - -[9.8](https://nvd.nist.gov/vuln/detail/CVE-2023-45853) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette VerteX 4.5.3, 4.5.8 -- Palette Enterprise 4.5.3, 4.5.8 - -## Revision History - -- 1.0 10/14/24 Initial Publication -- 2.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products -- 3.0 10/14/2024 Added Palette VerteX and Palette Enterprise 4.5.8 to Affected Products 
diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-47108.md b/docs/docs-content/security-bulletins/reports/cve-2023-47108.md
deleted file mode 100644
index 68f6ae391e..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2023-47108.md
+++ /dev/null
@@ -1,53 +0,0 @@ ---- -sidebar_label: "CVE-2023-47108" -title: "CVE-2023-47108" -description: "Lifecycle of CVE-2023-47108" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2023-47108](https://nvd.nist.gov/vuln/detail/CVE-2023-47108) - -## Last Update - -11/12/2024 - -## NIST CVE Summary - -OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc -Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound -cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. - -## Our Official Summary - -This vulnerability is reported on the Kubernetes images such as apiserver, kube-controller-manager, kube-proxy and -kube-scheduler. This flaw is from the open telemetry otelgrpc handler. Kubernetes components use open telemetry only for -tracing and not for metrics collection, making this vulnerability a false positive and the risk of exploitation low. - -## CVE Severity - -[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-47108) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette VerteX airgap 4.4.14, 4.4.18, 4.5.3 -- Palette Enterprise airgap 4.4.18, 4.5.3, 4.5.8 -- Palette VerteX 4.5.3 -- Palette Enterprise 4.5.3, 4.5.8 - -## Revision History - -- 1.0 08/16/2024 Initial Publication -- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products -- 3.0 09/17/2024 Added Palette VerteX airgap 4.4.18 & Palette Enterprise airgap 4.4.18 to Affected Products -- 4.0 10/10/2024 Added Palette VerteX airgap 4.5.3 & Palette Enterprise airgap 4.5.3 to Affected Products -- 5.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products -- 6.0 11/7/2024 Added Palette Enterprise & Palette Enterprise airgap 4.5.8 to Affected Products 
diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-4807.md b/docs/docs-content/security-bulletins/reports/cve-2023-4807.md
deleted file mode 100644
index 0f71024322..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2023-4807.md
+++ /dev/null
@@ -1,63 +0,0 @@ ---- -sidebar_label: "CVE-2023-4807" -title: "CVE-2023-4807" -description: "Lifecycle of CVE-2023-4807" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2023-4807](https://nvd.nist.gov/vuln/detail/CVE-2023-4807) - -## Last Update - -11/7/24 - -## NIST CVE Summary - -Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the -internal state of applications on the Windows 64 platform when running on newer X86_64 processors supporting the -AVX512-IFMA instructions. Impact summary: If in an application that uses the OpenSSL library an attacker can influence -whether the POLY1305 MAC algorithm is used, the application state might be corrupted with various application dependent -consequences. The POLY1305 MAC (message authentication code) implementation in OpenSSL does not save the contents of -non-volatile XMM registers on Windows 64 platform when calculating the MAC of data larger than 64 bytes. Before -returning to the caller all the XMM registers are set to zero rather than restoring their previous content. The -vulnerable code is used only on newer x86_64 processors supporting the AVX512-IFMA instructions. The consequences of -this kind of internal application state corruption can be various - from no consequences, if the calling application -does not depend on the contents of non-volatile XMM registers at all, to the worst consequences, where the attacker -could get complete control of the application process. However given the contents of the registers are just zeroized so -the attacker cannot put arbitrary values inside, the most likely consequence, if any, would be an incorrect result of -some application dependent calculations or a crash leading to a denial of service. 
The POLY1305 MAC algorithm is most -frequently used as part of the CHACHA20-POLY1305 AEAD (authenticated encryption with associated data) algorithm. The -most common usage of this AEAD cipher is with TLS protocol versions 1.2 and 1.3 and a malicious client can influence -whether this AEAD cipher is used by the server. This implies that server applications using OpenSSL can be potentially -impacted. However we are currently not aware of any concrete application that would be affected by this issue therefore -we consider this a Low severity security issue. As a workaround the AVX512-IFMA instructions support can be disabled at -runtime by setting the environment variable OPENSSL_ia32cap: OPENSSL_ia32cap=:~0x200000 The FIPS provider is not -affected by this issue. - -## Our Official Summary - -Investigation is ongoing to determine how this vulnerability affects our products. - -## CVE Severity - -[7.8](https://nvd.nist.gov/vuln/detail/CVE-2023-4807) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette Enterprise 4.5.3, 4.5.8 -- Palette VerteX 4.5.3, 4.5.8 - -## Revision History - -- 1.0 10/14/24 Initial Publication -- 2.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products -- 3.0 11/7/2024 Added Palette Enterprise & Palette VerteX 4.5.8 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-4911.md b/docs/docs-content/security-bulletins/reports/cve-2023-4911.md deleted file mode 100644 index 2afbce0766..0000000000 --- a/docs/docs-content/security-bulletins/reports/cve-2023-4911.md +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -sidebar_label: "CVE-2023-4911" -title: "CVE-2023-4911" -description: "Lifecycle of CVE-2023-4911" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2023-4911](https://nvd.nist.gov/vuln/detail/CVE-2023-4911) - -## Last Update - -11/7/24 - -## NIST CVE Summary - -A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES -environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment -variables when launching binaries with SUID permission to execute code with elevated privileges. - -## Our Official Summary - -Investigation is ongoing to determine how this vulnerability affects our products. - -## CVE Severity - -[7.8](https://nvd.nist.gov/vuln/detail/CVE-2023-4911) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette Enterprise 4.5.3, 4.5.8 -- Palette VerteX 4.5.3, 4.5.8 - -## Revision History - -- 1.0 10/14/24 Initial Publication -- 2.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products -- 3.0 11/7/2024 Added Palette Enterprise & Palette VerteX 4.5.8 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-49569.md b/docs/docs-content/security-bulletins/reports/cve-2023-49569.md deleted file mode 100644 index 370631fcd9..0000000000 --- a/docs/docs-content/security-bulletins/reports/cve-2023-49569.md +++ /dev/null 
@@ -1,51 +0,0 @@ ---- -sidebar_label: "CVE-2023-49569" -title: "CVE-2023-49569" -description: "Lifecycle of CVE-2023-49569" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2023-49569](https://nvd.nist.gov/vuln/detail/CVE-2023-49569) - -## Last Update - -9/19/24 - -## NIST CVE Summary - -A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker -to create and amend files across the filesystem. In the worse case scenario, remote code execution could be achieved. - -Applications are only affected if they are using the -[ChrootOS](https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS) , which is the default when using "Plain" -versions of Open and Clone funcs (e.g. PlainClone). Applications using -[BoundOS](https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS) or in-memory filesystems are not affected by -this issue. - -This is a go-git implementation issue and does not affect the upstream git cli. - -## Our Official Summary - -Investigation is ongoing to determine how this vulnerability affects any of our products. - -## CVE Severity - -[9.8](https://nvd.nist.gov/vuln/detail/CVE-2023-49569) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette Enterprise airgap 4.4.14 - -## Revision History - -- 1.0 9/6/24 Initial Publication -- 2.0 9/19/24 Added Palette Enterprise airgap 4.4.14 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-52356.md b/docs/docs-content/security-bulletins/reports/cve-2023-52356.md deleted file mode 100644 index b578fdb338..0000000000 --- a/docs/docs-content/security-bulletins/reports/cve-2023-52356.md +++ /dev/null 
@@ -1,51 +0,0 @@ ---- -sidebar_label: "CVE-2023-52356" -title: "CVE-2023-52356" -description: "Lifecycle of CVE-2023-52356" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2023-52356](https://nvd.nist.gov/vuln/detail/CVE-2023-52356) - -## Last Update - -10/10/2024 - -## NIST CVE Summary - -A segment fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted tiff file to the -TIFFReadRGBATileExt() API. This flaw allows a remote attacker to cause a heap-buffer overflow, leading to a denial of -service. - -## Our Official Summary - -This is a vulnerability in libtiff that can be exploited by a remote attacker to cause a heap-buffer overflow and -denial-of-service. The vulnerability is caused by a segment fault (SEGV) flaw that can be triggered when a crafted TIFF -file is passed to the TIFFReadRGBATileExt() API. Investigating a possible fix for this vulnerability on the affected -images. - -## CVE Severity - -[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-52356) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette Enterprise airgap 4.4.18, 4.5.3, 4.5.8 -- Palette Enterprise 4.5.3, 4.5.8 - -## Revision History - -- 1.0 09/15/2024 Initial Publication -- 2.0 09/15/2024 Added Palette Enterprise airgap 4.4.18 to Affected Products -- 3.0 10/10/2024 Added Palette Enterprise airgap 4.5.3 to Affected Products -- 4.0 10/14/2024 Added Palette Enterprise 4.5.3 to Affected Products -- 5.0 11/7/2024 Added Palette Enterprise 4.5.8 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-5363.md b/docs/docs-content/security-bulletins/reports/cve-2023-5363.md deleted file mode 100644 index acc89a4352..0000000000 --- a/docs/docs-content/security-bulletins/reports/cve-2023-5363.md +++ /dev/null 
@@ -1,62 +0,0 @@ ---- -sidebar_label: "CVE-2023-5363" -title: "CVE-2023-5363" -description: "Lifecycle of CVE-2023-5363" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2023-5363](https://nvd.nist.gov/vuln/detail/CVE-2023-5363) - -## Last Update - -11/7/24 - -## NIST CVE Summary - -Issue summary: A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead -to potential truncation or overruns during the initialisation of some symmetric ciphers. Impact summary: A truncation in -the IV can result in non-uniqueness, which could result in loss of confidentiality for some cipher modes. When calling -EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after -the key and IV have been established. Any alterations to the key length, via the "keylen" parameter or the IV length, -via the "ivlen" parameter, within the OSSL_PARAM array will not take effect as intended, potentially causing truncation -or overreading of these values. The following ciphers and cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB. -For the CCM, GCM and OCB cipher modes, truncation of the IV can result in loss of confidentiality. For example, when -following NIST's SP 800-38D section 8.2.1 guidance for constructing a deterministic IV for AES in GCM mode, truncation -of the counter portion could lead to IV reuse. Both truncations and overruns of the key and overruns of the IV will -produce incorrect results and could, in some cases, trigger a memory exception. However, these issues are not currently -assessed as security critical. Changing the key and/or IV lengths is not considered to be a common operation and the -vulnerable API was recently introduced. 
Furthermore it is likely that application developers will have spotted this -problem during testing since decryption would fail unless both peers in the communication were similarly vulnerable. For -these reasons we expect the probability of an application being vulnerable to this to be quite low. However if an -application is vulnerable then this issue is considered very serious. For these reasons we have assessed this issue as -Moderate severity overall. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 -FIPS providers are not affected by this because the issue lies outside of the FIPS provider boundary. OpenSSL 3.1 and -3.0 are vulnerable to this issue. - -## Our Official Summary - -Investigation is ongoing to determine how this vulnerability affects our products. - -## CVE Severity - -[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-5363) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette Enterprise 4.5.3, 4.5.8 -- Palette VerteX 4.5.3, 4.5.8 - -## Revision History - -- 1.0 10/14/24 Initial Publication -- 2.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products -- 3.0 11/7/2024 Added Palette Enterprise & Palette VerteX 4.5.8 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-6246.md b/docs/docs-content/security-bulletins/reports/cve-2023-6246.md deleted file mode 100644 index 40fc532f25..0000000000 --- a/docs/docs-content/security-bulletins/reports/cve-2023-6246.md +++ /dev/null 
@@ -1,47 +0,0 @@ ---- -sidebar_label: "CVE-2023-6246" -title: "CVE-2023-6246" -description: "Lifecycle of CVE-2023-6246" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2023-6246](https://nvd.nist.gov/vuln/detail/CVE-2023-6246) - -## Last Update - -11/7/24 - -## NIST CVE Summary - -A heap-based buffer overflow was found in the \_\_vsyslog_internal function of the glibc library. This function is -called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called, or called with -the ident argument set to NULL, and the program name (the basename of argv[0]) is bigger than 1024 bytes, resulting in -an application crash or local privilege escalation. This issue affects glibc 2.36 and newer. - -## Our Official Summary - -Investigation is ongoing to determine how this vulnerability affects our products. - -## CVE Severity - -[7.8](https://nvd.nist.gov/vuln/detail/CVE-2023-6246) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette Enterprise 4.5.3, 4.5.8 -- Palette VerteX 4.5.3, 4.5.8 - -## Revision History - -- 1.0 10/14/24 Initial Publication -- 2.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products -- 3.0 11/7/2024 Added Palette Enterprise & Palette VerteX 4.5.8 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-6779.md b/docs/docs-content/security-bulletins/reports/cve-2023-6779.md deleted file mode 100644 index bfa90f90e7..0000000000 --- a/docs/docs-content/security-bulletins/reports/cve-2023-6779.md +++ /dev/null 
@@ -1,47 +0,0 @@ ---- -sidebar_label: "CVE-2023-6779" -title: "CVE-2023-6779" -description: "Lifecycle of CVE-2023-6779" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2023-6779](https://nvd.nist.gov/vuln/detail/CVE-2023-6779) - -## Last Update - -11/7/24 - -## NIST CVE Summary - -An off-by-one heap-based buffer overflow was found in the \_\_vsyslog_internal function of the glibc library. This -function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a message -bigger than INT_MAX bytes, leading to an incorrect calculation of the buffer size to store the message, resulting in an -application crash. This issue affects glibc 2.37 and newer. - -## Our Official Summary - -Investigation is ongoing to determine how this vulnerability affects our products. - -## CVE Severity - -[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-6779) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette Enterprise 4.5.3, 4.5.8 -- Palette VerteX 4.5.3, 4.5.8 - -## Revision History - -- 1.0 10/14/24 Initial Publication -- 2.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products -- 3.0 11/7/2024 Added Palette Enterprise & Palette VerteX 4.5.8 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-0743.md b/docs/docs-content/security-bulletins/reports/cve-2024-0743.md deleted file mode 100644 index fe23d207ed..0000000000 --- a/docs/docs-content/security-bulletins/reports/cve-2024-0743.md +++ /dev/null 
@@ -1,50 +0,0 @@ ---- -sidebar_label: "CVE-2023-0743" -title: "CVE-2023-0743" -description: "Lifecycle of CVE-2023-0743" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2023-0743](https://nvd.nist.gov/vuln/detail/CVE-2023-0743) - -## Last Update - -11/7/2024 - -## NIST CVE Summary - -An unchecked return value in TLS handshake code could have caused a potentially exploitable crash. This vulnerability -affects Firefox < 122, Firefox ESR < 115.9, and Thunderbird < 115.9. - -## Our Official Summary - -An unchecked return value in TLS handshake code could cause a potentially exploitable crash in certain versions of -Firefox. This CVE is reported on container images where there are no reported instances of TLS handshake code causing -crashes. Risk of this vulnerability getting exploited in Spectro Cloud products is low. Need an update from the 3rd -party vendor to fix the vulnerability. - -## CVE Severity - -[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-0743) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette Enterprise airgap 4.4.18, 4.5.3, 4.5.8 -- Palette Enterprise 4.5.3, 4.5.8 - -## Revision History - -- 1.0 09/15/2024 Initial Publication -- 2.0 09/15/2024 Added Palette Enterprise airgap 4.4.18 to Affected Products -- 3.0 10/10/2024 Added Palette Enterprise airgap 4.5.3 to Affected Products -- 4.0 10/14/2024 Added Palette Enterprise 4.5.3 to Affected Products -- 5.0 11/7/2024 Added Palette Enterprise & Palette Enterprise airgap 4.5.8 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-0760.md b/docs/docs-content/security-bulletins/reports/cve-2024-0760.md deleted file mode 100644 index 5e3ab29c1c..0000000000 --- a/docs/docs-content/security-bulletins/reports/cve-2024-0760.md +++ /dev/null 
@@ -1,53 +0,0 @@ ---- -sidebar_label: "CVE-2024-0760" -title: "CVE-2024-0760" -description: "Lifecycle of CVE-2024-0760" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2024-0760](https://nvd.nist.gov/vuln/detail/CVE-2024-0760) - -## Last Update - -10/10/24 - -## NIST CVE Summary - -A malicious client can send many DNS messages over TCP, potentially causing the server to become unstable while the -attack is in progress. The server may recover after the attack ceases. Use of ACLs will not mitigate the attack. This -issue affects BIND 9 versions 9.18.1 through 9.18.27, 9.19.0 through 9.19.24, and 9.18.11-S1 through 9.18.27-S1. - -## Our Official Summary - -A malicious client can send many DNS messages over TCP, potentially causing the server to become unstable while the -attack is in progress. The server may recover after the attack ceases. In order to exploit this vulnerability, image in -which this cve is reported has to be compromised and hacker has to gain privileged access. There are sufficient controls -in place to consider the probability of occurrence as low. There is a fix available upstream and we are investigating -upgrading to the fixed version. - -## CVE Severity - -[7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-0760) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette VerteX airgap 4.4.14, 4.4.18 -- Palette Enterprise airgap 4.4.18, 4.5.3 -- Palette Enterprise 4.5.3 - -## Revision History - -- 1.0 08/16/2024 Initial Publication -- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products -- 3.0 09/17/2024 Added Palette VerteX airgap 4.4.18 & Palette Enterprise airgap 4.4.18 to Affected Products -- 4.0 10/10/2024 CVE remediated in Palette VerteX airgap 4.5.3 -- 5.0 10/14/2024 Added Palette Enterprise 4.5.3 to Affected Products 
diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-10963.md b/docs/docs-content/security-bulletins/reports/cve-2024-10963.md deleted file mode 100644 index 5f62d76b70..0000000000 --- a/docs/docs-content/security-bulletins/reports/cve-2024-10963.md +++ /dev/null @@ -1,48 +0,0 @@ ---- -sidebar_label: "CVE-2024-10963" -title: "CVE-2024-10963" -description: "Lifecycle of CVE-2024-10963" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2024-10963](https://nvd.nist.gov/vuln/detail/CVE-2024-10963) - -## Last Update - -11/12/2024 - -## NIST CVE Summary - -A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This -vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. -This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals. - -## Our Official Summary - -Investigation is ongoing to determine how this vulnerability impacts our products. - -## CVE Severity - -[7.4](https://nvd.nist.gov/vuln/detail/CVE-2024-10963) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette Enterprise airgap 4.5.8 -- Palette Enterprise 4.5.8 -- Palette VerteX airgap 4.5.8 -- Palette VerteX 4.5.8 - -## Revision History - -- 1.0 11/12/2024 Initial Publication -- 2.0 11/7/2024 Added Palette Enterprise airgap, Palette Enterprise, VerteX airgap, and Palette VerteX 4.5.8 to Affected - Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-1485.md b/docs/docs-content/security-bulletins/reports/cve-2024-1485.md deleted file mode 100644 index ee2c0131ea..0000000000 --- a/docs/docs-content/security-bulletins/reports/cve-2024-1485.md +++ /dev/null 
@@ -1,50 +0,0 @@ ---- -sidebar_label: "CVE-2024-1485" -title: "CVE-2024-1485" -description: "Lifecycle of CVE-2024-1485" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2024-1485](https://nvd.nist.gov/vuln/detail/CVE-2024-1485) - -## Last Update - -10/29/24 - -## NIST CVE Summary - -A flaw was found in the decompression function of registry-support. This issue can be triggered if an unauthenticated -remote attacker tricks a user into parsing a devfile which uses the `parent` or `plugin` keywords. This could download a -malicious archive and cause the cleanup process to overwrite or delete files outside of the archive, which should not be -allowed. - -## Our Official Summary - -This vulnerability can be exploited by an unauthenticated remote attacker who tricks a user into parsing a devfile with -parent or plugin keywords. This malicious interaction could result in the download of a harmful archive, leading the -cleanup process to overwrite or delete files outside the intended archive scope. There is no evidence that a public -proof-of-concept exists. We are waiting on an upstream fix from the 3rd party vendors and will upgrade the images once -the upstream fix becomes available. - -## CVE Severity - -[7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-1485) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette Enterprise 4.5.3 -- Palette VerteX 4.5.3 - -## Revision History - -- 1.0 10/24/24 Initial Publication -- 2.0 10/24/2024 Added Palette Enterprise and Palette VerteX 4.5.3 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-1737.md b/docs/docs-content/security-bulletins/reports/cve-2024-1737.md deleted file mode 100644 index 3fcc97c7eb..0000000000 --- a/docs/docs-content/security-bulletins/reports/cve-2024-1737.md +++ /dev/null 
@@ -1,56 +0,0 @@ ---- -sidebar_label: "CVE-2024-1737" -title: "CVE-2024-1737" -description: "Lifecycle of CVE-2024-1737" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2024-1737](https://nvd.nist.gov/vuln/detail/CVE-2024-1737) - -## Last Update - -10/10/24 - -## NIST CVE Summary - -Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname (of any -RTYPE) can suffer from degraded performance as content is being added or updated, and also when handling client queries -for this name. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through -9.18.27, 9.19.0 through 9.19.24, 9.11.4-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through -9.18.27-S1. - -## Our Official Summary - -This vulnerability can be exploited if resolver caches and authoritative zone databases hold significant numbers of RRs -for the same hostname (of any RTYPE). Services will suffer from degraded performance as content is being added or -updated, and also when handling client queries for this name. In order to exploit this vulenerability, image in which -this cve is reported has to be compromised and hacker has to gain privileged access. There are sufficient controls in -place to consider the probability of occurence as low. There is a fix available upstream and we are investigating -upgrading to the fixed version. 
- -## CVE Severity - -[7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-1737) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette VerteX airgap 4.4.14, 4.4.18 -- Palette Enterprise airgap 4.4.18, 4.5.3 -- Palette Enterprise 4.5.3 - -## Revision History - -- 1.0 08/16/2024 Initial Publication -- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products -- 3.0 09/17/2024 Added Palette VerteX airgap 4.4.18 & Palette Enterprise airgap 4.4.18 to Affected Products -- 4.0 10/10/2024 CVE remediated in Palette VerteX airgap 4.5.3 -- 5.0 10/14/2024 Added Palette Enterprise 4.5.3 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-1975.md b/docs/docs-content/security-bulletins/reports/cve-2024-1975.md deleted file mode 100644 index 9efb83f006..0000000000 --- a/docs/docs-content/security-bulletins/reports/cve-2024-1975.md +++ /dev/null 
@@ -1,54 +0,0 @@
----
-sidebar_label: "CVE-2024-1975"
-title: "CVE-2024-1975"
-description: "Lifecycle of CVE-2024-1975"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2024-1975](https://nvd.nist.gov/vuln/detail/CVE-2024-1975)
-
-## Last Update
-
-10/10/24
-
-## NIST CVE Summary
-
-If a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record from
-a DNSSEC-signed domain in cache, a client can exhaust resolver CPU resources by sending a stream of SIG(0) signed
-requests. This issue affects BIND 9 versions 9.0.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27,
-9.19.0 through 9.19.24, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.49-S1, and 9.18.11-S1 through 9.18.27-S1.
-
-## Our Official Summary
-
-This vulnerability can be exploited by a client only if a server hosts a zone containing a “KEY” Resource Record, or a
-resolver DNSSEC-validates a “KEY” Resource Record from a DNSSEC-signed domain in cache. In order to exploit this
-vulenerability, image in which this cve is reported has to be compromised and hacker has to gain privileged access.
-There are sufficient controls in place to consider the probability of occurence as low. There is a fix available
-upstream and we are investigating upgrading to the fixed version.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-1975)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.14, 4.4.18
-- Palette Enterprise airgap 4.4.18, 4.5.3
-- Palette Enterprise 4.5.3
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX airgap 4.4.18 & Palette Enterprise airgap 4.4.18 to Affected Products
-- 4.0 10/10/2024 CVE remediated in Palette VerteX airgap 4.5.3
-- 5.0 10/14/2024 Added Palette Enterprise 4.5.3 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-21626.md b/docs/docs-content/security-bulletins/reports/cve-2024-21626.md
deleted file mode 100644
index 435d571f8e..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2024-21626.md
+++ /dev/null
@@ -1,60 +0,0 @@
----
-sidebar_label: "CVE-2024-21626"
-title: "CVE-2024-21626"
-description: "Lifecycle of CVE-2024-21626"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2024-21626](https://nvd.nist.gov/vuln/detail/CVE-2024-21626)
-
-## Last Update
-
-11/7/2024
-
-## NIST CVE Summary
-
-runc is a CLI tool for spawning and using containers on Linux according to the OCI specification. In runc 1.1.11 and
-earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc
-exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to
-the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to
-gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to
-overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc
-1.1.12 includes patches for this issue.
-
-## Our Official Summary
-
-A file descriptor leak issue was found in the runc package. These vulnerabilities not only enable malicious actors to
-escape containerized environments but also allow for full control over the underlying host system. The presence of these
-dependencies in the container does not imply a security risk to the containerized application itself, as it is based on
-low-level packages included, and the impact to the container's core functionality is minimal. Upstream fix from the 3rd
-party vendors is awaited. We are waiting on an upstream fix from the 3rd party vendors and will upgrade the images once
-the upstream fix becomes available.
-
-## CVE Severity
-
-[8.6](https://nvd.nist.gov/vuln/detail/CVE-2024-21626)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.14, 4.4.18, 4.5.3
-- Palette Enterprise airgap 4.4.18, 4.5.3, 4.5.8
-- Palette VerteX 4.5.3
-- Palette Enterprise 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX airgap 4.4.18 & Palette Enterprise airgap 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX airgap 4.5.3 & Palette Enterprise airgap 4.5.3 to Affected Products
-- 5.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
-- 6.0 11/7/2024 Added Palette Enterprise & Palette Enterprise airgap 4.5.8 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-24790.md b/docs/docs-content/security-bulletins/reports/cve-2024-24790.md
deleted file mode 100644
index c3ca00c6a9..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2024-24790.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-sidebar_label: "CVE-2024-24790"
-title: "CVE-2024-24790"
-description: "Lifecycle of CVE-2024-24790"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2024-24790](https://nvd.nist.gov/vuln/detail/CVE-2024-24790)
-
-## Last Update
-
-11/7/2024
-
-## NIST CVE Summary
-
-The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning
-false for addresses which would return true in their traditional IPv4 forms.
-
-## Our Official Summary
-
-This vulnerability is reported on some of the 3rd party csi images and coredns images from Kubernetes. This CVE requires
-a network-based attack vector. We will upgrade the images when the fixes are available from the vendor.
-
-## CVE Severity
-
-[9.8](hhttps://nvd.nist.gov/vuln/detail/CVE-2024-24790)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette Enterprise airgap 4.4.14, 4.4.18, 4.5.3, 4.5.8
-- Palette VerteX 4.5.3, 4.5.8
-- Palette Enterprise 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 08/06/2024 Initial Publication
-- 2.0 09/17/2024 Added Palette Enterprise airgap 4.4.18 to Affected Products
-- 3.0 10/10/2024 Added Palette Enterprise airgap 4.5.3 to Affected Products
-- 4.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
-- 5.0 11/7/2024 Added Palette Enterprise, Palette Enterprise airgap, and Palette VerteX 4.5.8 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-32002.md b/docs/docs-content/security-bulletins/reports/cve-2024-32002.md
deleted file mode 100644
index d40cb8d018..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2024-32002.md
+++ /dev/null
@@ -1,53 +0,0 @@
----
-sidebar_label: "CVE-2024-32002"
-title: "CVE-2024-32002"
-description: "Lifecycle of CVE-2024-32002"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2024-32002](https://nvd.nist.gov/vuln/detail/CVE-2024-32002)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4,
-repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing
-files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed
-while the clone operation is still active, giving the user no opportunity to inspect the code that is being executed.
-The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link
-support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As
-always, it is best to avoid cloning repositories from untrusted sources.
-
-## Our Official Summary
-
-A critical vulnerability in Git has recently been published that could lead to remote command injection. The
-exploitation occurs when the victim clones a malicious repository recursively, which would execute hooks contained in
-the submodules. The vulnerability lies in the way Git handles symbolic links in repository submodules. There are
-currently several PoCs with public exploits that expose the vulnerability. This risk of this vulnerability exploited in
-spectrocloud products is very low.
-
-## CVE Severity
-
-[9.0](https://nvd.nist.gov/vuln/detail/CVE-2024-32002)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette Enterprise airgap 4.4.18
-
-## Revision History
-
-- 1.0 09/15/2024 Initial Publication
-- 2.0 09/15/2024 Added Palette Enterprise airgap 4.4.18 to Affected Products
-- 3.0 10/10/2024 CVE remediated in Palette Enterprise airgap 4.5.3
diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-35325.md b/docs/docs-content/security-bulletins/reports/cve-2024-35325.md
deleted file mode 100644
index 5fb2436fa2..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2024-35325.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-sidebar_label: "CVE-2024-35325"
-title: "CVE-2024-35325"
-description: "Lifecycle of CVE-2024-35325"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2024-35325](https://nvd.nist.gov/vuln/detail/CVE-2024-35325)
-
-## Last Update
-
-8/30/2024
-
-## NIST CVE Summary
-
-A vulnerability was found in libyaml up to 0.2.5. Affected by this issue is the function yaml_event_delete of the file
-/src/libyaml/src/api.c. The manipulation leads to a double-free.
-
-NIST Rejected reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security
-issue. Notes: none.
-
-## Our Official Summary
-
-Not applicable.
-
-## CVE Severity
-
-[9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-35325)
-
-## Status
-
-Resolved
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.14
-
-## Revision History
-
-- 1.0 08/27/2024 Initial Publication
-- 2.0 08/27/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
-- 3.0 08/30/2024 NIST reclassified CVE- not a security issue
diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-3651.md b/docs/docs-content/security-bulletins/reports/cve-2024-3651.md
deleted file mode 100644
index 70bf00e16c..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2024-3651.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-sidebar_label: "CVE-2024-3651"
-title: "CVE-2024-3651"
-description: "Lifecycle of CVE-2024-3651"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2024-3651](https://nvd.nist.gov/vuln/detail/CVE-2024-3651)
-
-## Last Update
-
-11/7/24
-
-## NIST CVE Summary
-
-A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting
-version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic
-complexity and consequently, a denial of service condition. This vulnerability is triggered by a crafted input that
-causes the `idna.encode()` function to process the input with considerable computational load, significantly increasing
-the processing time in a quadratic manner relative to the input size.
-
-## Our Official Summary
-
-The idna package is a Python library that provides support for Internationalized Domain Names in Applications (IDNA). It
-allows encoding and decoding of domain names containing non-ASCII characters. This vulnerability affects versions prior
-to 3.7 of the idna package. Domain names cannot exceed 253 characters in length, so enforcing this limit can prevent the
-resource consumption issue. However, this workaround may not be foolproof as it relies on the higher-level application
-performing input validation. Upgrade the package to > 3.7 version to fix the vulnerability.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-3651)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.18, 4.5.3, 4.5.8
-- Palette VerteX 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 9/13/2024 Initial Publication
-- 2.0 9/13/2024 Added Palette VerteX airgap 4.4.18 to Affected Products
-- 3.0 10/10/2024 Added Palette VerteX airgap 4.5.3 to Affected Products
-- 4.0 10/14/2024 Added Palette VerteX 4.5.3 to Affected Products
-- 5.0 11/7/2024 Added Palette VerteX & Palette VerteX airgap 4.5.8 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-37370.md b/docs/docs-content/security-bulletins/reports/cve-2024-37370.md
deleted file mode 100644
index 91db88d3e2..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2024-37370.md
+++ /dev/null
@@ -1,53 +0,0 @@
----
-sidebar_label: "CVE-2024-37370"
-title: "CVE-2024-37370"
-description: "Lifecycle of CVE-2024-37370"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2024-37370](https://nvd.nist.gov/vuln/detail/CVE-2024-37370)
-
-## Last Update
-
-11/7/2024
-
-## NIST CVE Summary
-
-In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS
-krb5 wrap token, causing the unwrapped token to appear truncated to the application.
-
-## Our Official Summary
-
-This CVE is a message token handling issue reported on kerboros libraries. This affects krb5 packages in versions less
-than 1.21.3-1. Exploitation of this flaw could cause system crashes. Risk of this specific vulnerability for spectro
-cloud components is low. Working on removing/upgrading libraries to fix the issue.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-37370)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.14, 4.4.18, 4.5.3, 4.5.8
-- Palette Enterprise airgap 4.4.18, 4.5.3, 4.5.8
-- Palette VerteX 4.5.3, 4.5.8
-- Palette Enterprise 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX airgap 4.4.18 & Palette Enterprise airgap 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX airgap 4.5.3 & Palette Enterprise airgap 4.5.3 to Affected Products
-- 5.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
-- 6.0 11/7/2024 Added Palette VerteX airgap, Palette Enterprise airgap, Palette Enterprise, and Palette VerteX 4.5.8 to
- Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-37371.md b/docs/docs-content/security-bulletins/reports/cve-2024-37371.md
deleted file mode 100644
index 3eb335b69a..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2024-37371.md
+++ /dev/null
@@ -1,59 +0,0 @@
----
-sidebar_label: "CVE-2024-37371"
-title: "CVE-2024-37371"
-description: "Lifecycle of CVE-2024-37371"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2024-37371](https://nvd.nist.gov/vuln/detail/CVE-2024-37371)
-
-## Last Update
-
-11/7/2024
-
-## NIST CVE Summary
-
-In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling
-by sending message tokens with invalid length fields.
-
-## Our Official Summary
-
-This CVE is a memory corruption vulnerability reported on kerboros libraries. Attackers could potentially exploit a flaw
-within Kerberos' handling of GSS (Generic Security Service) message tokens to cause invalid memory reads, potentially
-leading to system crashes. This issue is classified as a moderate severity vulnerability because, while it allows an
-attacker to modify the plaintext "Extra Count" field of a GSS krb5 wrap token, the impact is primarily limited to token
-truncation at the application layer. This truncation can disrupt services but does not directly lead to a full
-compromise of confidentiality or integrity. The attack requires that the attacker already has access to a valid token
-transmission to modify, meaning it cannot be exploited remotely without first obtaining or intercepting a valid token.
-We are waiting on an upstream fix from the 3rd party vendor and will upgrade the images once the upstream fix becomes
-available.
-
-## CVE Severity
-
-[9.1](https://nvd.nist.gov/vuln/detail/CVE-2024-37371)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.14, 4.4.18, 4.5.3, 4.5.8
-- Palette Enterprise airgap 4.4.18, 4.5.3, 4.5.8
-- Palette VerteX 4.5.3, 4.5.8
-- Palette Enterprise 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX airgap 4.4.18 & Palette Enterprise airgap 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX airgap 4.5.3 & Palette Enterprise airgap 4.5.3 to Affected Products
-- 5.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
-- 6.0 11/7/2024 Added Palette VerteX airgap, Palette Enterprise airgap, Palette Enterprise, and Palette VerteX 4.5.8 to
- Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-38428.md b/docs/docs-content/security-bulletins/reports/cve-2024-38428.md
deleted file mode 100644
index e5657a2deb..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2024-38428.md
+++ /dev/null
@@ -1,51 +0,0 @@
----
-sidebar_label: "CVE-2024-38428"
-title: "CVE-2024-38428"
-description: "Lifecycle of CVE-2024-38428"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2024-38428](https://nvd.nist.gov/vuln/detail/CVE-2024-38428)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-Url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be
-insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the
-host subcomponent.
-
-## Our Official Summary
-
-This is a critical severity vulnerability that affects any Wget version up to and including 1.24.5. `wget` parses URIs
-in a way that causes user information to be considered part of the host if it contains a semicolon. This means that the
-host part of the URI could be interpreted incorrectly and be abused by attackers that control the userinfo. The CVE is
-only exploitable when a vulnerable `wget` version is used in specific conditions. Risk of this vulnerability getting
-exploited in Spectro Cloud products is low. Need updates from the 3rd party vendor to fix the vulnerability.
-
-## CVE Severity
-
-[9.1](https://nvd.nist.gov/vuln/detail/CVE-2024-38428)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.14, 4.4.18
-- Palette Enterprise airgap 4.4.18
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX airgap 4.4.18 & Palette Enterprise airgap 4.4.18 to Affected Products
-- 4.0 10/10/2024 CVE remediated in Palette VerteX airgap 4.5.3 & Palette Enterprise airgap 4.5.3
diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-45490.md b/docs/docs-content/security-bulletins/reports/cve-2024-45490.md
deleted file mode 100644
index 714b7a45fe..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2024-45490.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-sidebar_label: "CVE-2024-45490"
-title: "CVE-2024-45490"
-description: "Lifecycle of CVE-2024-45490"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2024-45490](https://nvd.nist.gov/vuln/detail/CVE-2024-45490)
-
-## Last Update
-
-11/7/24
-
-## NIST CVE Summary
-
-An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.
-
-## Our Official Summary
-
-This CVE is a critical vulnerability affecting images using libexpat libraries versions prior to 2.6.3, where the
-function xmlparse.c fails to reject negative lengths in XML_ParseBuffer. This vulnerability can be exploited over a
-network without user interaction and has very low attack complexity. Not all of the images affected use the specific
-function affected. Exploiting this vulnerable library will require a user to compromise the containers and gain
-privileged access. Fix available in libexpat versions > 2.6.3. Investigating upgrading this library within the affected
-images.
-
-## CVE Severity
-
-[9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-45490)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.14, 4.4.18, 4.5.3
-- Palette Enterprise airgap 4.4.18, 4.5.3, 4.5.8
-- Palette VerteX 4.5.3
-- Palette Enterprise 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX airgap 4.4.18 & Palette Enterprise airgap 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX airgap 4.5.3 & Palette Enterprise airgap 4.5.3 to Affected Products
-- 5.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
-- 6.0 11/7/2024 Added Palette Enterprise & Palette Enterprise airgap 4.5.8 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-45491.md b/docs/docs-content/security-bulletins/reports/cve-2024-45491.md
deleted file mode 100644
index c1237c1af1..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2024-45491.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-sidebar_label: "CVE-2024-45491"
-title: "CVE-2024-45491"
-description: "Lifecycle of CVE-2024-45491"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2024-45491](https://nvd.nist.gov/vuln/detail/CVE-2024-45491)
-
-## Last Update
-
-11/7/24
-
-## NIST CVE Summary
-
-An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on
-32-bit platforms (where UINT_MAX equals SIZE_MAX).
-
-## Our Official Summary
-
-This CVE identifies an integer overflow vulnerability found in libexpat versions prior to 2.6.3, specifically in the
-dtdCopy function of xmlparse.c on 32-bit platforms. This vulnerability can be exploited over a network without user
-interaction and has very low attack complexity. Not all of the images affected use the specific function affected.
-Exploiting this vulnerable library will require a user to compromise the containers and gain privileged access. Fix is
-available in libexpat versions > 2.6.3. Investigating upgrading this library within the affected images.
-
-## CVE Severity
-
-[9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-45491)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.14, 4.4.18, 4.5.3
-- Palette Enterprise airgap 4.4.18, 4.5.3, 4.5.8
-- Palette VerteX 4.5.3
-- Palette Enterprise 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX airgap 4.4.18 & Palette Enterprise airgap 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX airgap 4.5.3 & Palette Enterprise airgap 4.5.3 to Affected Products
-- 5.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
-- 6.0 11/7/2024 Added Palette Enterprise & Palette Enterprise airgap 4.5.8 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-45492.md b/docs/docs-content/security-bulletins/reports/cve-2024-45492.md
deleted file mode 100644
index b6cd7dd39d..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2024-45492.md
+++ /dev/null
@@ -1,55 +0,0 @@
----
-sidebar_label: "CVE-2024-45492"
-title: "CVE-2024-45492"
-description: "Lifecycle of CVE-2024-45492"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2024-45492](https://nvd.nist.gov/vuln/detail/CVE-2024-45492)
-
-## Last Update
-
-11/7/24
-
-## NIST CVE Summary
-
-An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for
-m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).
-
-## Our Official Summary
-
-This CVE identifies an integer overflow vulnerability found in libexpat versions prior to 2.6.3, which can lead to an
-integer overflow in the nextScaffoldPart function on 32-bit platforms. This vulnerability can be exploited over a
-network without user interaction and has very low attack complexity. Not all of the images affected use the specific
-function affected. Exploiting this vulnerable library will require a user to compromise the containers and gain
-privileged access. Fix available in libexpat versions > 2.6.3. Investigating upgrading this library within the affected
-images.
-
-## CVE Severity
-
-[9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-45492)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.14, 4.4.18, 4.5.3
-- Palette Enterprise airgap 4.4.18, 4.5.3, 4.5.8
-- Palette VerteX 4.5.3
-- Palette Enterprise 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX airgap 4.4.18 & Palette Enterprise airgap 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX airgap 4.5.3 & Palette Enterprise airgap 4.5.3 to Affected Products
-- 5.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
-- 6.0 11/7/2024 Added Palette Enterprise & Palette Enterprise airgap 4.5.8 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-49767.md b/docs/docs-content/security-bulletins/reports/cve-2024-49767.md
deleted file mode 100644
index 1bbb621013..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2024-49767.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-sidebar_label: "CVE-2024-49767"
-title: "CVE-2024-49767"
-description: "Lifecycle of CVE-2024-49767"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2024-49767](https://nvd.nist.gov/vuln/detail/CVE-2024-49767)
-
-## Last Update
-
-11/7/2024
-
-## NIST CVE Summary
-
-Werkzeug is a Web Server Gateway Interface web application library. Applications using
-`werkzeug.formparser.MultiPartParser` corresponding to a version of Werkzeug prior to 3.0.6 to parse
-`multipart/form-data` requests (e.g. all flask applications) are vulnerable to a relatively simple but effective
-resource exhaustion (denial of service) attack. A specifically crafted form submission request can cause the parser to
-allocate and block 3 to 8 times the upload size in main memory. There is no upper limit; a single upload at 1 Gbit/s can
-exhaust 32 GB of RAM in less than 60 seconds. Werkzeug version 3.0.6 fixes this issue.
-
-## Our Official Summary
-
-Investigation is ongoing to determine how this vulnerability impacts our products.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-49767)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette Enterprise airgap 4.5.8
-- Palette Enterprise 4.5.8
-
-## Revision History
-
-- 1.0 11/7/2024 Initial Publication
-- 2.0 11/7/2024 Added Palette Enterprise airgap and Palette Enterprise airgap 4.5.8 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-6197.md b/docs/docs-content/security-bulletins/reports/cve-2024-6197.md
deleted file mode 100644
index 9a9152b11d..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2024-6197.md
+++ /dev/null
@@ -1,55 +0,0 @@
----
-sidebar_label: "CVE-2024-6197"
-title: "CVE-2024-6197"
-description: "Lifecycle of CVE-2024-6197"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2024-6197](https://nvd.nist.gov/vuln/detail/CVE-2024-6197)
-
-## Last Update
-
-11/7/2024
-
-## NIST CVE Summary
-
-Libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. Itcan detect an invalid
-field and return error. Unfortunately, when doing so it also invokes `free()` on a 4 byte localstack buffer. Most modern
-malloc implementations detect this error and immediately abort. Some however accept the input pointer and add that
-memory to its list of available chunks. This leads to the overwriting of nearby stack memory. The content of the
-overwrite is decided by the `free()` implementation; likely to be memory pointers and a set of flags. The most likely
-outcome of exploting this flaw is a crash, although it cannot be ruled out that more serious results can be had in
-special circumstances.
-
-## Our Official Summary
-
-This CVE is reported on nginx-ingress-controller image on the libcurl's ASN1 parser. The vulnerable code path can be
-triggered by a malicious operation offering an especially crafted TLS certificate. Problem is fixed in curl
-version >=8.9.0. Investigating a possible fix.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-6197)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX airgap 4.4.14
-- Palette Enterprise airgap 4.5.3, 4.5.8
-- Palette Enterprise 4.5.3, 4.5.8
-
-## Revision History
-
-- 1.0 08/27/2024 Initial Publication
-- 2.0 08/27/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
-- 3.0 10/10/2024 Added Palette Enterprise airgap 4.5.3 to Affected Products
-- 4.0 10/14/2024 Added Palette Enterprise 4.5.3 to Affected Products
-- 5.0 11/7/2024 Added Palette Enterprise & Palette Enterprise airgap 4.5.8 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-6232.md b/docs/docs-content/security-bulletins/reports/cve-2024-6232.md
deleted file mode 100644
index 0c5b6fe188..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2024-6232.md
+++ /dev/null
@@ -1,57 +0,0 @@ ---- -sidebar_label: "CVE-2024-6232" -title: "CVE-2024-6232" -description: "Lifecycle of CVE-2024-6232" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2024-6232](https://nvd.nist.gov/vuln/detail/CVE-2024-6232) - -## Last Update - -11/7/24 - -## NIST CVE Summary - -There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking -during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives. - -## Our Official Summary - -This CVE affects all images using the Python's tarfile module. A specificlly crafted tar file which causes excessive -backtracking while tarfile parses headers is needed to exploit this vulnerability. If the vulnerability is exploited, it -can cause a denial of service attack. But from our product point of view, this risk of this vulnerability getting -exploited is very low. This is because it does not enable remote code execution. A user has to compromise of the images -using this library within python module and feed a specially crafted tar file and relies on the underlying system -processing that file, which limits the attack vector. A fix is not available at this time. We will upgrade the library -once the fix becomes available. 
- -## CVE Severity - -[7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-6232) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette VerteX airgap 4.4.11, 4.4.14, 4.4.18, 4.5.3 -- Palette Enterprise airgap 4.4.18, 4.5.3 -- Palette Enterprise 4.5.3, 4.5.8 -- Palette VerteX 4.5.3, 4.5.8 - -## Revision History - -- 1.0 08/16/2024 Initial Publication -- 2.0 08/16/2024 Added Palette VerteX airgap 4.4.11 to Affected Products -- 3.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products -- 4.0 09/17/2024 Added Palette VerteX airgap 4.4.18 & Palette Enterprise airgap 4.4.18 to Affected Products -- 5.0 10/10/2024 Added Palette VerteX airgap 4.5.3 & Palette Enterprise airgap 4.5.3 to Affected Products -- 6.0 10/14/2024 Added Palette Enterprise and Palette VerteX 4.5.3 to Affected Products -- 7.0 11/7/2024 Added Palette Enterprise and Palette VerteX 4.5.8 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-7006.md b/docs/docs-content/security-bulletins/reports/cve-2024-7006.md deleted file mode 100644 index 7d72635611..0000000000 --- a/docs/docs-content/security-bulletins/reports/cve-2024-7006.md +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -sidebar_label: "CVE-2024-7006" -title: "CVE-2024-7006" -description: "Lifecycle of CVE-2024-7006" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2024-7006](https://nvd.nist.gov/vuln/detail/CVE-2024-7006) - -## Last Update - -11/7/24 - -## NIST CVE Summary - -A null pointer dereference flaw was found in Libtiff via `tif_dirinfo.c`. This issue may allow an attacker to trigger -memory allocation failures through certain means, such as restricting the heap space size or injecting faults, causing a -segmentation fault. This can cause an application crash, eventually leading to a denial of service. - -## Our Official Summary - -Investigation is ongoing to determine how this vulnerability affects our products. - -## CVE Severity - -[7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-7006) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette Enterprise airgap 4.5.3, 4.5.8 -- Palette Enterprise 4.5.3, 4.5.8 - -## Revision History - -- 1.0 10/14/24 Initial Publication -- 2.0 10/14/2024 Added Palette Enterprise and Palette Enterprise airgap 4.5.3 to Affected Products -- 3.0 11/7/2024 Added Palette Enterprise and Palette Enterprise airgap 4.5.8 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-7592.md b/docs/docs-content/security-bulletins/reports/cve-2024-7592.md deleted file mode 100644 index c9f97cf3e4..0000000000 --- a/docs/docs-content/security-bulletins/reports/cve-2024-7592.md +++ /dev/null 
@@ -1,53 +0,0 @@ ---- -sidebar_label: "CVE-2024-7592" -title: "CVE-2024-7592" -description: "Lifecycle of CVE-2024-7592" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2024-7592](https://nvd.nist.gov/vuln/detail/CVE-2024-7592) - -## Last Update - -11/7/24 - -## NIST CVE Summary - -There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When -parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm -with quadratic complexity, resulting in excess CPU resources being used while parsing the value. - -## Our Official Summary - -Some problematic patterns and their application can lead to exponential time complexity under certain conditions, akin -to a Regular Expression Denial of Service (ReDoS) attack. Investigating to see if there is a upstream fix available. - -## CVE Severity - -[7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-7592) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette VerteX airgap 4.4.11, 4.4.14, 4.4.18, 4.5.3 -- Palette Enterprise airgap 4.4.18, 4.5.3 -- Palette Enterprise 4.5.3, 4.5.8 -- Palette VerteX 4.5.3, 4.5.8 - -## Revision History - -- 1.0 08/16/2024 Initial Publication -- 2.0 08/16/2024 Added Palette VerteX airgap 4.4.11 to Affected Products -- 3.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products -- 4.0 09/17/2024 Added Palette VerteX airgap 4.4.18 & Palette Enterprise airgap 4.4.18 to Affected Products -- 5.0 10/10/2024 Added Palette VerteX airgap 4.5.3 & Palette Enterprise airgap 4.5.3 to Affected Products -- 6.0 10/14/2024 Added Palette Enterprise and Palette VerteX 4.5.3 to Affected Products -- 7.0 11/7/2024 Added Palette Enterprise and Palette VerteX 4.5.8 to Affected Products 
diff --git a/docs/docs-content/security-bulletins/reports/ghsa-74fp-r6jw-h4mp.md b/docs/docs-content/security-bulletins/reports/ghsa-74fp-r6jw-h4mp.md deleted file mode 100644 index efb5926176..0000000000 --- a/docs/docs-content/security-bulletins/reports/ghsa-74fp-r6jw-h4mp.md +++ /dev/null 
@@ -1,55 +0,0 @@ ---- -sidebar_label: "GHSA-74fp-r6jw-h4mp" -title: "GHSA-74fp-r6jw-h4mp" -description: "Lifecycle of GHSA-74fp-r6jw-h4mp" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[GHSA-74fp-r6jw-h4mp](https://github.com/advisories/ghsa-74fp-r6jw-h4mp) - -## Last Update - -11/7/2024 - -## NIST CVE Summary - -Kubernetes apimachinery packages vulnerable to unbounded recursion in JSON or YAML parsing. - -## Our Official Summary - -This vulnerability is reported by govulncheck because of the presence of go library, k8s.io/apimachinery (Affected -versions: \< 0.0.0-20190927203648-9ce6eca90e73). This is a false positive, because it does not affect latest kubernetes -versions as indicated here -([https://nvd.nist.gov/vuln/detail/CVE-2019-11253](https://nvd.nist.gov/vuln/detail/CVE-2019-11253)). Current K8s -version used: 1.28.11 - -## CVE Severity - -[7.5](https://github.com/advisories/ghsa-74fp-r6jw-h4mp) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette VerteX airgap 4.4.11, 4.4.14, 4.4.18, 4.5.3, 4.5.8 -- Palette Enterprise airgap 4.4.18, 4.5.3, 4.5.8 -- Palette Enterprise 4.5.3, 4.5.8 -- Palette VerteX 4.5.3, 4.5.8 - -## Revision History - -- 1.0 08/16/2024 Initial Publication -- 2.0 08/16/2024 Added Palette VerteX airgap 4.4.11 to Affected Products -- 3.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products -- 4.0 09/17/2024 Added Palette VerteX airgap 4.4.18 & Palette Enterprise airgap 4.4.18 to Affected Products -- 5.0 10/10/2024 Added Palette VerteX airgap 4.5.3 & Palette Enterprise airgap 4.5.3 to Affected Products -- 6.0 10/14/2024 Added Palette Enterprise and Palette VerteX 4.5.3 to Affected Products -- 7.0 11/7/2024 Added Palette VerteX airgap, Palette Enterprise airgap, Palette Enterprise, and Palette VerteX 4.5.8 to - Affected Products 
diff --git a/docs/docs-content/security-bulletins/reports/ghsa-m425-mq94-257g.md b/docs/docs-content/security-bulletins/reports/ghsa-m425-mq94-257g.md deleted file mode 100644 index e9efa5c792..0000000000 --- a/docs/docs-content/security-bulletins/reports/ghsa-m425-mq94-257g.md +++ /dev/null 
@@ -1,55 +0,0 @@ ---- -sidebar_label: "GHSA-m425-mq94-257g" -title: "GHSA-m425-mq94-257g" -description: "Lifecycle of GHSA-m425-mq94-257g" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[GHSA-m425-mq94-257g](https://github.com/advisories/GHSA-m425-mq94-257g) - -## Last Update - -11/7/24 - -## NIST CVE Summary - -The affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send -subsequent requests, which is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent -method handlers than the configured maximum stream limit. - -## Our Official Summary - -CVE exists in coredns that’s being used in k8s 1.28.11. Affects only k8s version 1.28.11. For customer workload -clusters, workaround is to use k8s version 1.29+. For Palette Self Hosted cluster, a future release will upgrade to -1.29+. - -## CVE Severity - -[7.5](https://github.com/advisories/GHSA-m425-mq94-257g) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette VerteX airgap 4.4.11, 4.4.14, 4.4.18, 4.5.3, 4.5.8 -- Palette Enterprise airgap 4.4.18, 4.5.3, 4.5.8 -- Palette Enterprise 4.5.3, 4.5.8 -- Palette VerteX 4.5.3, 4.5.8 - -## Revision History - -- 1.0 08/16/2024 Initial Publication -- 2.0 08/16/2024 Added Palette VerteX airgap 4.4.11 to Affected Products -- 3.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products -- 4.0 09/17/2024 Added Palette VerteX airgap 4.4.18 & Palette Enterprise airgap 4.4.18 to Affected Products -- 5.0 10/10/2024 Added Palette VerteX airgap 4.5.3 & Palette Enterprise airgap 4.5.3 to Affected Products -- 6.0 10/14/2024 Added Palette VerteX 4.5.3 to Affected Products -- 7.0 11/7/2024 Added Palette VerteX airgap, Palette Enterprise airgap, Palette Enterprise, and Palette VerteX 4.5.8 to - Affected Products 
diff --git a/docs/docs-content/security-bulletins/reports/reports.md b/docs/docs-content/security-bulletins/reports/reports.md deleted file mode 100644 index 94134232a1..0000000000 --- a/docs/docs-content/security-bulletins/reports/reports.md +++ /dev/null 
@@ -1,343 +0,0 @@ ---- -sidebar_label: "CVE Reports" -title: "CVE Reports" -description: "Security bulletins for Common Vulnerabilities and Exposures (CVEs) related to Palette and Palette VerteX" -icon: "" -hide_table_of_contents: true -sidebar_position: 0 -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -# Security Bulletins - -The vulnerabilities reported in this Security Bulletin include vulnerabilities within the Palette VerteX, Palette -Enterprise, and airgap environments. The reported vulnerabilities also include third-party component vulnerabilities, -which we have become aware of. These vulnerabilities are discovered via our Bug Bounty program, our security monitoring -program, or reported to us by our supply chain. - -:::info - -The CVSS Severity is provided by either the third-party service provider, or NIST CVE. We do not provide the criticality -score for third-party components. Previous security bulletins are available in the -[Security Bulletins Archive](../../unlisted/cve-reports.md). - -::: - -To fix all the vulnerabilities impacting your products, we recommend patching your instances to the latest version -regarding any third-party components. For vulnerabilities originating in our products, we will provide mitigations and -workarounds where applicable. - -Click on the CVE ID to view the full details of the vulnerability. 
- - - - - -| CVE ID | Initial Pub Date | Modified Date | Product Version | Vulnerability Type | CVSS Severity | Status | -| ----------------------------------------------- | ---------------- | ------------- | ------------------------------------ | --------------------------------------- | -------------------------------------------------------------------- | --------------------------- | -| [CVE-2024-21626](./cve-2024-21626.md) | 1/3/24 | 10/29/24 | 4.4.11, 4.4.14, 4.4.18, 4.5.3 | Third-party component: kube-proxy | [8.6](https://nvd.nist.gov/vuln/detail/CVE-2024-21626) | :mag: Ongoing | -| [CVE-2022-41723](./cve-2022-41723.md) | 2/28/23 | 10/10/24 | 4.4.11, 4.4.14, 4.4.18 | Third-party component: CoreDNS | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41723) | :mag: Ongoing | -| [GHSA-m425-mq94-257g](./ghsa-m425-mq94-257g.md) | 10/25/23 | 11/7/24 | 4.4.11, 4.4.14, 4.4.18, 4.5.3, 4.5.8 | Third-party component: CoreDNS | [7.5](https://github.com/advisories/GHSA-m425-mq94-257g) | :mag: Ongoing | -| [CVE-2023-45142](./cve-2023-45142.md) | 10/12/23 | 10/10/24 | 4.4.11, 4.4.14, 4.4.18 | Third-party component: OpenTelemetry-Go | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-45142) | :mag: Ongoing | -| [CVE-2023-0464](./cve-2023-0464.md) | 3/22/23 | 10/10/24 | 4.4.11, 4.4.14, 4.4.18, 4.5.3 | Third-party component: OpenSSL | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-0464) | :mag: Ongoing | -| [CVE-2023-39325](./cve-2023-39325.md) | 10/11/23 | 11/7/24 | 4.4.11, 4.4.14, 4.4.18, 4.5.3, 4.5.8 | Third-party component: Go project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) | :mag: Ongoing | -| [CVE-2023-47108](./cve-2023-47108.md) | 11/20/23 | 11/12/24 | 4.4.11, 4.4.14, 4.4.18, 4.5.3 | Third-party component: OpenTelemetry-Go | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-47108) | :mag: Ongoing | -| [CVE-2023-44487](./cve-2023-44487.md) | 10/10/23 | 6/27/24 | 4.4.11, 4.4.14 | Third-party component: CAPI | 
[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-44487) | :mag: Ongoing | -| [CVE-2022-25883](./cve-2022-25883.md) | 6/21/23 | 9/25/24 | 4.4.11, 4.4.14 | Third-party component: CAPI | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-25883) | :mag: Ongoing | -| [CVE-2015-8855](./cve-2015-8855.md) | 1/23/17 | 9/25/24 | 4.4.11 | Third-party component: CAPI | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2015-8855) | :mag: Ongoing | -| [CVE-2019-12900](./cve-2019-12900.md) | 08/16/24 | 11/7/24 | 4.4.14, 4.4.18, 4.5.3, 4.5.8 | Third-party component: BZ2 | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2019-12900) | :mag: Ongoing | -| [CVE-2023-37920](./cve-2023-37920.md) | 08/16/24 | 10/29/24 | 4.4.14, 4.4.18, 4.5.3 | Third-party component: Certifi | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2023-37920) | :mag: Ongoing | -| [CVE-2019-1010022](./cve-2019-1010022.md) | 08/16/24 | 11/7/24 | 4.4.14, 4.4.18, 4.5.3, 4.5.8 | Third-party component: GNU Libc | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2019-1010022) | :mag: Ongoing | -| [CVE-2016-1585](./cve-2016-1585.md) | 08/16/24 | 11/12/24 | 4.4.14, 4.5.8 | Third-party component: Ubuntu | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2016-1585) | :mag: Ongoing | -| [CVE-2018-20839](./cve-2018-20839.md) | 08/16/24 | 10/10/24 | 4.4.14, 4.4.18, 4.5.3 | Third-party component: MongoDB | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2018-20839) | :mag: Ongoing | -| [CVE-2024-38428](./cve-2024-38428.md) | 08/16/24 | 10/10/24 | 4.4.14, 4.4.18 | Third-party component: MongoDB | [9.1](https://nvd.nist.gov/vuln/detail/CVE-2024-38428) | :mag: Ongoing | -| [CVE-2021-42694](./cve-2021-42694.md) | 08/16/24 | 10/10/24 | 4.4.14, 4.4.18, 4.5.3 | Third-party component: MongoDB | [8.3](https://nvd.nist.gov/vuln/detail/CVE-2021-42694) | :mag: Ongoing | -| [CVE-2021-39537](./cve-2021-39537.md) | 08/16/24 | 11/7/24 | 4.4.14, 4.4.18, 4.5.3, 4.5.8 | Third-party component: MongoDB | [8.8](https://nvd.nist.gov/vuln/detail/CVE-2021-39537) | :mag: Ongoing | -| 
[CVE-2019-9923](./cve-2019-9923.md) | 08/16/24 | 9/25/24 | 4.4.14 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2019-9923) | :mag: Ongoing | -| [CVE-2020-36325](./cve-2020-36325.md) | 08/16/24 | 11/7/24 | 4.4.14, 4.4.18, 4.5.3, 4.5.8 | Third-party component: Jansson | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2020-36325) | :mag: Ongoing | -| [CVE-2005-2541](./cve-2005-2541.md) | 08/16/24 | 10/25/24 | 4.4.14, 4.5.3 | Third-party component: MongoDB | [10.0](https://nvd.nist.gov/vuln/detail/CVE-2005-2541) | :mag: Ongoing | -| [CVE-2019-9937](./cve-2019-9937.md) | 08/16/24 | 9/25/24 | 4.4.14 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2019-9937) | :mag: Ongoing | -| [CVE-2019-9936](./cve-2019-9936.md) | 08/16/24 | 9/25/24 | 4.4.14 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2019-9936) | :mag: Ongoing | -| [CVE-2019-19244](./cve-2019-19244.md) | 08/16/24 | 9/25/24 | 4.4.14 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2019-19244) | :mag: Ongoing | -| [CVE-2016-20013](./cve-2016-20013.md) | 08/16/24 | 11/7/24 | 4.4.14, 4.4.18, 4.5.3, 4.5.8 | Third-party component: Ubuntu | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2016-20013) | :mag: Ongoing | -| [CVE-2022-0391](./cve-2022-0391.md) | 08/16/24 | 10/10/24 | 4.4.14, 4.4.18 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-0391) | :mag: Ongoing | -| [CVE-2021-3737](./cve-2021-3737.md) | 08/16/24 | 9/25/24 | 4.4.14 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2021-3737) | :mag: Ongoing | -| [CVE-2019-9674](./cve-2019-9674.md) | 08/16/24 | 9/25/24 | 4.4.14 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2019-9674) | :mag: Ongoing | -| [CVE-2023-26604](./cve-2023-26604.md) | 08/16/24 | 11/7/24 | 4.4.14, 4.4.18, 4.5.3, 4.5.8 | Third-party component: Ubuntu | 
[7.8](https://nvd.nist.gov/vuln/detail/CVE-2023-26604) | :mag: Ongoing | -| [CVE-2015-20107](./cve-2015-20107.md) | 08/16/24 | 9/25/24 | 4.4.14 | Third-party component: MongoDB | [7.6](https://nvd.nist.gov/vuln/detail/CVE-2015-20107) | :mag: Ongoing | -| [CVE-2017-11164](./cve-2017-11164.md) | 08/16/24 | 11/7/24 | 4.4.14, 4.4.18, 4.5.3, 4.5.8 | Third-party component: Ubuntu | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2017-11164) | :mag: Ongoing | -| [CVE-2018-20225](./cve-2018-20225.md) | 08/16/24 | 11/12/24 | 4.4.14, 4.5.8 | Third-party component: MongoDB | [7.8](https://nvd.nist.gov/vuln/detail/CVE-2018-20225) | :mag: Ongoing | -| [CVE-2022-41409](./cve-2022-41409.md) | 08/16/24 | 11/7/24 | 4.4.14, 4.4.18, 4.5.3, 4.5.8 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41409) | :mag: Ongoing | -| [CVE-2019-17543](./cve-2019-17543.md) | 08/16/24 | 08/16/24 | 4.4.14 | Third-party component: MongoDB | [8.1](https://nvd.nist.gov/vuln/detail/CVE-2019-17543) | :mag: Ongoing | -| [CVE-2022-4899](./cve-2022-4899.md) | 08/16/24 | 11/7/24 | 4.4.14, 4.4.18, 4.5.3, 4.5.8 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-4899) | :mag: Ongoing | -| [CVE-2018-20657](./cve-2018-20657.md) | 08/16/24 | 11/7/24 | 4.4.14, 4.4.18, 4.5.3, 4.5.8 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2018-20657) | :mag: Ongoing | -| [CVE-2023-27534](./cve-2023-27534.md) | 08/16/24 | 10/25/24 | 4.4.14 | Third-party component: MongoDB | [8.8](https://nvd.nist.gov/vuln/detail/CVE-2023-27534) | :mag: Ongoing | -| [CVE-2023-32636](./cve-2023-32636.md) | 08/16/24 | 10/25/24 | 4.4.14 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-32636) | :mag: Ongoing | -| [CVE-2023-29499](./cve-2023-29499.md) | 08/16/24 | 10/25/24 | 4.4.14 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-29499) | :mag: Ongoing | -| [CVE-2024-24790](./cve-2024-24790.md) 
| 8/6/24 | 10/29/24 | 4.4.11, 4.4.14 | Third-party component: Go Project | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-24790) | :mag: Ongoing | -| [CVE-2023-4156](./cve-2023-4156.md) | 08/16/24 | 10/25/24 | 4.4.14 | Third-party component: MongoDB | [7.1](https://nvd.nist.gov/vuln/detail/CVE-2023-4156) | :mag: Ongoing | -| [CVE-2022-23990](./cve-2022-23990.md) | 08/16/24 | 10/25/24 | 4.4.14 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-23990) | :mag: Ongoing | -| [CVE-2020-35512](./cve-2020-35512.md) | 08/16/24 | 10/25/24 | 4.4.14 | Third-party component: MongoDB | [7.8](https://nvd.nist.gov/vuln/detail/CVE-2020-35512) | :mag: Ongoing | -| [CVE-2012-2663](./cve-2012-2663.md) | 08/16/24 | 11/7/24 | 4.4.14, 4.4.18, 4.5.3, 4.5.8 | Third-party component: iPtables | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2012-2663) | :mag: Ongoing | -| [CVE-2019-9192](./cve-2019-9192.md) | 08/16/24 | 11/7/24 | 4.4.14, 4.4.18, 4.5.3, 4.5.8 | Third-party component: GNU C Library | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2019-9192) | :mag: Ongoing | -| [CVE-2018-20796](./cve-2018-20796.md) | 08/16/24 | 11/7/24 | 4.4.14, 4.4.18, 4.5.3, 4.5.8 | Third-party component: GNU C Library | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2018-20796) | :mag: Ongoing | -| [GHSA-74fp-r6jw-h4mp](./ghsa-74fp-r6jw-h4mp.md) | 10/25/23 | 11/7/24 | 4.4.11, 4.4.14, 4.4.18, 4.5.3, 4.5.8 | Third-party component: Kubernetes API | [7.5](https://github.com/advisories/GHSA-74fp-r6jw-h4mp) | :mag: Ongoing | -| [CVE-2024-35325](./cve-2024-35325.md) | 08/27/24 | 08/30/24 | 4.4.14 | Third-party component: Libyaml | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-35325) | :white_check_mark: Resolved | -| [CVE-2024-6197](./cve-2024-6197.md) | 08/27/24 | 10/10/24 | 4.4.14 | Third-party component: Libcurl | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-6197) | :mag: Ongoing | -| [CVE-2024-37371](./cve-2024-37371.md) | 08/30/24 | 11/7/24 | 4.4.14, 4.4.18, 4.5.3, 4.5.8 | 
Third-party component: MIT Kerberos | [9.1](https://nvd.nist.gov/vuln/detail/CVE-2024-37371) | :mag: Ongoing | -| [CVE-2024-37370](./cve-2024-37370.md) | 08/30/24 | 11/7/24 | 4.4.14, 4.4.18, 4.5.3, 4.5.8 | Third-party component: MIT Kerberos | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-37370) | :mag: Ongoing | -| [CVE-2021-46848](./cve-2021-46848.md) | 9/5/24 | 11/7/24 | 4.4.14, 4.4.18, 4.5.3, 4.5.8 | Third-party component: GNU Libtasn1 | [9.1](https://nvd.nist.gov/vuln/detail/CVE-2021-46848) | :mag: Ongoing | -| [CVE-2024-7592](./cve-2024-7592.md) | 9/5/24 | 9/5/24 | 4.4.14, 4.4.18 | Third-party component: CPython | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-7592) | :mag: Ongoing | -| [CVE-2024-1737](./cve-2024-1737.md) | 9/5/24 | 10/10/24 | 4.4.14, 4.4.18 | Third-party component: ISC | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-1737) | :mag: Ongoing | -| [CVE-2024-0760](./cve-2024-0760.md) | 9/5/24 | 10/10/24 | 4.4.14, 4.4.18 | Third-party component: ISC | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-0760) | :mag: Ongoing | -| [CVE-2024-1975](./cve-2024-1975.md) | 9/5/24 | 10/10/24 | 4.4.14, 4.4.18, 4.5.3 | Third-party component: ISC | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-1975) | :mag: Ongoing | -| [CVE-2024-45490](./cve-2024-45490.md) | 9/5/24 | 10/10/24 | 4.4.14, 4.4.18, 4.5.3 | Third-party component: Libexpat | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-45490) | :mag: Ongoing | -| [CVE-2024-45491](./cve-2024-45491.md) | 9/5/24 | 10/10/24 | 4.4.14, 4.4.18, 4.5.3 | Third-party component: Libexpat | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-45491) | :mag: Ongoing | -| [CVE-2024-45492](./cve-2024-45492.md) | 9/5/24 | 10/10/24 | 4.4.14, 4.4.18, 4.5.3 | Third-party component: Libexpat | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-45492) | :mag: Ongoing | -| [CVE-2024-6232](./cve-2024-6232.md) | 9/5/24 | 10/10/24 | 4.4.14, 4.4.18, 4.5.3 | Third-party component: MIT Kerberos | 
[7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-6232) | :mag: Ongoing | -| [CVE-2024-3651](./cve-2024-3651.md) | 9/13/24 | 11/7/24 | 4.4.18, 4.5.3, 4.5.8 | Third-party component: kjd | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-3651) | :mag: Ongoing | -| [CVE-2023-24329](./cve-2023-24329.md) | 9/13/24 | 10/10/24 | 4.4.18 | Third-party component: Python | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-24329) | :mag: Ongoing | -| [CVE-2022-45061](./cve-2022-45061.md) | 9/13/24 | 10/24/24 | 4.4.18 | Third-party component: Python | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-45061) | :mag: Ongoing | -| [CVE-2022-48560](./cve-2022-48560.md) | 9/13/24 | 10/24/24 | 4.4.18 | Third-party component: Python | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-48560) | :mag: Ongoing | -| [CVE-2022-48565](./cve-2022-48565.md) | 9/13/24 | 10/24/24 | 4.4.18 | Third-party component: Python | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2022-48565) :mag: Ongoing | -| [CVE-2022-40735](./cve-2022-40735.md) | 11/14/22 | 11/7/24 | 4.5.8 | Third-party component: DH Key Exhcnage | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-40735) :mag: Ongoing | -| [CVE-2024-10963](./cve-2022-40735.md) | 11/7/24 | 11/12/24 | 4.5.8 | Third-party component: PAM | [7.4](https://nvd.nist.gov/vuln/detail/CVE-2022-40735) :mag: Ongoing | - - - - - -| CVE ID | Initial Pub Date | Modified Date | Product Version | Vulnerability Type | CVSS Severity | Status | -| ----------------------------------------------- | ---------------- | ------------- | ---------------------------- | --------------------------------------- | -------------------------------------------------------------------- | ------------- | -| [CVE-2024-37371](./cve-2024-37371.md) | 08/30/24 | 11/7/24 | 4.4.18, 4.5.3, 4.5.8 | Third-party component: MIT Kerberos | [9.1](https://nvd.nist.gov/vuln/detail/CVE-2024-37371) | :mag: Ongoing | -| [CVE-2019-1010022](./cve-2019-1010022.md) | 08/16/24 | 11/7/24 | 4.4.18, 4.5.3, 4.5.8 | Third-party 
component: GNU Libc | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2019-1010022) | :mag: Ongoing | -| [CVE-2024-45490](./cve-2024-45490.md) | 9/5/24 | 11/7/24 | 4.4.18, 4.5.3, 4.5.8 | Third-party component: Libexpat | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-45490) | :mag: Ongoing | -| [CVE-2019-12900](./cve-2019-12900.md) | 08/16/24 | 11/7/24 | 4.4.18, 4.5.3, 4.5.8 | Third-party component: BZ2 | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2019-12900) | :mag: Ongoing | -| [CVE-2021-46848](./cve-2021-46848.md) | 9/5/24 | 11/7/24 | 4.4.18, 4.5.3, 4.5.8 | Third-party component: GNU Libtasn1 | [9.1](https://nvd.nist.gov/vuln/detail/CVE-2021-46848) | :mag: Ongoing | -| [CVE-2024-24790](./cve-2024-24790.md) | 8/6/24 | 11/7/24 | 4.4.14, 4.4.18, 4.5.3, 4.5.8 | Third-party component: Go Project | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-24790) | :mag: Ongoing | -| [CVE-2018-20839](./cve-2018-20839.md) | 08/16/24 | 10/10/24 | 4.4.18, 4.5.3 | Third-party component: MongoDB | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2018-20839) | :mag: Ongoing | -| [CVE-2023-37920](./cve-2023-37920.md) | 08/16/24 | 10/29/24 | 4.4.18, 4.5.3 | Third-party component: Certifi | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2023-37920) | :mag: Ongoing | -| [CVE-2024-45491](./cve-2024-45491.md) | 9/5/24 | 11/7/24 | 4.4.18, 4.5.3, 4.5.8 | Third-party component: Libexpat | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-45491) | :mag: Ongoing | -| [CVE-2024-45492](./cve-2024-45492.md) | 9/5/24 | 11/7/24 | 4.4.18, 4.5.3, 4.5.8 | Third-party component: Libexpat | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-45492) | :mag: Ongoing | -| [CVE-2024-38428](./cve-2024-38428.md) | 08/16/24 | 10/10/24 | 4.4.14, 4.4.18 | Third-party component: MongoDB | [9.1](https://nvd.nist.gov/vuln/detail/CVE-2024-38428) | :mag: Ongoing | -| [CVE-2024-6232](./cve-2024-6232.md) | 9/5/24 | 10/10/24 | 4.4.18, 4.5.3 | Third-party component: MIT Kerberos | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-6232) | :mag: 
Ongoing | -| [CVE-2020-36325](./cve-2020-36325.md) | 08/16/24 | 11/7/24 | 4.4.18, 4.5.3, 4.5.8 | Third-party component: Jansson | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2020-36325) | :mag: Ongoing | -| [CVE-2019-9192](./cve-2019-9192.md) | 08/16/24 | 11/7/24 | 4.4.18, 4.5.3, 4.5.8 | Third-party component: GNU C Library | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2019-9192) | :mag: Ongoing | -| [CVE-2018-20796](./cve-2018-20796.md) | 08/16/24 | 11/7/24 | 4.4.18, 4.5.3, 4.5.8 | Third-party component: GNU C Library | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2018-20796) | :mag: Ongoing | -| [CVE-2012-2663](./cve-2012-2663.md) | 08/16/24 | 11/7/24 | 4.4.14, 4.4.18, 4.5.3, 4.5.8 | Third-party component: iPtables | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2012-2663) | :mag: Ongoing | -| [CVE-2023-47108](./cve-2023-47108.md) | 11/20/23 | 11/12/24 | 4.4.18, 4.5.3, 4.5.8 | Third-party component: OpenTelemetry-Go | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-47108) | :mag: Ongoing | -| [CVE-2023-45142](./cve-2023-45142.md) | 10/12/23 | 10/10/24 | 4.4.11, 4.4.14, 4.4.18 | Third-party component: OpenTelemetry-Go | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-45142) | :mag: Ongoing | -| [CVE-2022-41409](./cve-2022-41409.md) | 08/16/24 | 11/7/24 | 4.4.18, 4.5.3, 4.5.8 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41409) | :mag: Ongoing | -| [CVE-2017-11164](./cve-2017-11164.md) | 08/16/24 | 11/7/24 | 4.4.14, 4.4.18, 4.5.3, 4.5.8 | Third-party component: Ubuntu | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2017-11164) | :mag: Ongoing | -| [GHSA-m425-mq94-257g](./ghsa-m425-mq94-257g.md) | 10/25/23 | 11/7/24 | 4.4.18, 4.5.3, 4.5.8 | Third-party component: CoreDNS | [7.5](https://github.com/advisories/GHSA-m425-mq94-257g) | :mag: Ongoing | -| [CVE-2022-4899](./cve-2022-4899.md) | 08/16/24 | 11/7/24 | 4.4.18, 4.5.3, 4.5.8 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-4899) | :mag: Ongoing | -| 
[CVE-2022-41723](./cve-2022-41723.md) | 2/28/23 | 10/10/24 | 4.4.11, 4.4.14, 4.4.18 | Third-party component: CoreDNS | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41723) | :mag: Ongoing |
-| [CVE-2023-0464](./cve-2023-0464.md) | 3/22/23 | 10/10/24 | 4.4.18, 4.5.3 | Third-party component: OpenSSL | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-0464) | :mag: Ongoing |
-| [CVE-2021-39537](./cve-2021-39537.md) | 08/16/24 | 11/7/24 | 4.4.18, 4.5.3, 4.5.8 | Third-party component: MongoDB | [8.8](https://nvd.nist.gov/vuln/detail/CVE-2021-39537) | :mag: Ongoing |
-| [CVE-2018-20657](./cve-2018-20657.md) | 08/16/24 | 11/7/24 | 4.4.18, 4.5.3, 4.5.8 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2018-20657) | :mag: Ongoing |
-| [CVE-2021-42694](./cve-2021-42694.md) | 08/16/24 | 10/10/24 | 4.4.18, 4.5.3 | Third-party component: MongoDB | [8.3](https://nvd.nist.gov/vuln/detail/CVE-2021-42694) | :mag: Ongoing |
-| [GHSA-74fp-r6jw-h4mp](./ghsa-74fp-r6jw-h4mp.md) | 10/25/23 | 11/7/24 | 4.4.18, 4.5.3, 4.5.8 | Third-party component: Kubernetes API | [7.5](https://github.com/advisories/GHSA-74fp-r6jw-h4mp) | :mag: Ongoing |
-| [CVE-2024-6197](./cve-2024-6197.md) | 08/27/24 | 11/7/24 | 4.4.18, 4.5.3, 4.5.8 | Third-party component: Libcurl | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-6197) | :mag: Ongoing |
-| [CVE-2023-26604](./cve-2023-26604.md) | 08/16/24 | 10/10/24 | 4.4.14, 4.4.18 | Third-party component: Ubuntu | [7.8](https://nvd.nist.gov/vuln/detail/CVE-2023-26604) | :mag: Ongoing |
-| [CVE-2023-39325](./cve-2023-39325.md) | 10/11/23 | 11/7/24 | 4.4.18, 4.5.3, 4.5.8 | Third-party component: Go project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) | :mag: Ongoing |
-| [CVE-2024-37370](./cve-2024-37370.md) | 08/30/24 | 11/7/24 | 4.4.18, 4.5.3, 4.5.8 | Third-party component: MIT Kerberos | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-37370) | :mag: Ongoing |
-| [CVE-2016-20013](./cve-2016-20013.md) | 08/16/24 | 11/7/24 | 4.4.14, 4.4.18, 4.5.3, 4.5.8 | Third-party component: Ubuntu | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2016-20013) | :mag: Ongoing |
-| [CVE-2024-21626](./cve-2024-21626.md) | 1/3/24 | 11/7/24 | 4.4.18, 4.5.3, 4.5.8 | Third-party component: kube-proxy | [8.6](https://nvd.nist.gov/vuln/detail/CVE-2024-21626) | :mag: Ongoing |
-| [CVE-2024-7592](./cve-2024-7592.md) | 9/5/24 | 10/10/24 | 4.4.18, 4.5.3 | Third-party component: CPython | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-7592) | :mag: Ongoing |
-| [CVE-2024-0760](./cve-2024-0760.md) | 9/5/24 | 10/10/24 | 4.4.14, 4.4.18, 4.5.3 | Third-party component: ISC | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-0760) | :mag: Ongoing |
-| [CVE-2024-1737](./cve-2024-1737.md) | 9/5/24 | 10/10/24 | 4.4.14, 4.4.18, 4.5.3 | Third-party component: ISC | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-1737) | :mag: Ongoing |
-| [CVE-2024-1975](./cve-2024-1975.md) | 9/5/24 | 10/10/24 | 4.4.14, 4.4.18, 4.5.3 | Third-party component: ISC | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-1975) | :mag: Ongoing |
-| [CVE-2022-28357](./cve-2022-28357.md) | 9/15/24 | 10/10/24 | 4.4.18 | Third-party component: NATS | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2022-28357) | :mag: Ongoing |
-| [CVE-2022-28948](./cve-2022-28948.md) | 9/15/24 | 10/10/24 | 4.4.18, 4.5.3 | Third-party component: Go-Yaml | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-28948) | :mag: Ongoing |
-| [CVE-2022-41724](./cve-2022-41724.md) | 9/15/24 | 10/10/24 | 4.4.18 | Third-party component: Go Project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41724) | :mag: Ongoing |
-| [CVE-2022-41725](./cve-2022-41725.md) | 9/15/24 | 10/10/24 | 4.4.18 | Third-party component: Go Project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41725) | :mag: Ongoing |
-| [CVE-2023-24534](./cve-2023-24534.md) | 9/15/24 | 10/10/24 | 4.4.18 | Third-party component: Go Project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-24534) | :mag: Ongoing |
-| [CVE-2023-24536](./cve-2023-24536.md) | 9/15/24 | 10/10/24 | 4.4.18 | Third-party component: Go Project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-24536) | :mag: Ongoing |
-| [CVE-2023-24537](./cve-2023-24537.md) | 9/15/24 | 10/10/24 | 4.4.18 | Third-party component: Go Project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-24537) | :mag: Ongoing |
-| [CVE-2023-24538](./cve-2023-24538.md) | 9/15/24 | 10/10/24 | 4.4.18 | Third-party component: Go Project | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2023-24538) | :mag: Ongoing |
-| [CVE-2023-24539](./cve-2023-24539.md) | 9/15/24 | 10/10/24 | 4.4.18 | Third-party component: Go Project | [7.3](https://nvd.nist.gov/vuln/detail/CVE-2023-24539) | :mag: Ongoing |
-| [CVE-2023-24540](./cve-2023-24540.md) | 9/15/24 | 10/29/24 | 4.4.18 | Third-party component: Go Project | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2023-24540) | :mag: Ongoing |
-| [CVE-2023-29400](./cve-2023-29400.md) | 9/15/24 | 10/10/24 | 4.4.18 | Third-party component: Go Project | [7.3](https://nvd.nist.gov/vuln/detail/CVE-2023-29400) | :mag: Ongoing |
-| [CVE-2023-29403](./cve-2023-29403.md) | 9/15/24 | 10/10/24 | 4.4.18, 4.5.3 | Third-party component: Go Project | [7.8](https://nvd.nist.gov/vuln/detail/CVE-2023-29403) | :mag: Ongoing |
-| [CVE-2023-45287](./cve-2023-45287.md) | 9/15/24 | 10/10/24 | 4.4.18, 4.5.3 | Third-party component: Go Project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-45287) | :mag: Ongoing |
-| [CVE-2023-52356](./cve-2023-52356.md) | 9/15/24 | 11/7/24 | 4.4.18, 4.5.3, 4.5.8 | Third-party component: Libtiff | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-52356) | :mag: Ongoing |
-| [CVE-2024-0743](./cve-2024-0743.md) | 9/15/24 | 11/7/24 | 4.4.18, 4.5.3, 4.5.8 | Third-party component: Mozilla | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-0743) | :mag: Ongoing |
-| [CVE-2024-32002](./cve-2024-32002.md) | 9/15/24 | 10/10/24 | 4.4.18 | Third-party component: Github | [9.0](https://nvd.nist.gov/vuln/detail/CVE-2024-32002) | :mag: Ongoing |
-| [CVE-2023-49569](./cve-2023-49569.md) | 9/15/24 | 9/19/24 | 4.4.14 | Third-party component: Bitdefender | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2023-49569) | :mag: Ongoing |
-| [CVE-2024-7006](./cve-2024-7006.md) | 8/12/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: Libtiff | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-7006) | :mag: Ongoing |
-| [CVE-2022-40735](./cve-2022-40735.md) | 11/14/22 | 11/7/24 | 4.5.8 | Third-party component: DH Key Exhcnage | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-40735) :mag: Ongoing |
-| [CVE-2024-49767](./cve-2024-49767.md) | 10/25/24 | 11/7/24 | 4.5.8 | Third-party component: Github | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-49767) :mag: Ongoing |
-| [CVE-2018-20225](./cve-2018-20225.md) | 08/16/24 | 11/12/24 | 4.5.8 | Third-party component: MongoDB | [7.8](https://nvd.nist.gov/vuln/detail/CVE-2018-20225) | :mag: Ongoing |
-| [CVE-2024-10963](./cve-2022-40735.md) | 11/7/24 | 11/12/24 | 4.5.8 | Third-party component: PAM | [7.4](https://nvd.nist.gov/vuln/detail/CVE-2022-40735) :mag: Ongoing |
-
-
-
-
-
-| CVE ID | Initial Pub Date | Modified Date | Product Version | Vulnerability Type | CVSS Severity | Status |
-| ----------------------------------------------- | ---------------- | ------------- | -------------------- | --------------------------------------- | -------------------------------------------------------------------- | ------------- |
-| [CVE-2005-2541](./cve-2005-2541.md) | 08/16/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: MongoDB | [10.0](https://nvd.nist.gov/vuln/detail/CVE-2005-2541) | :mag: Ongoing |
-| [CVE-2012-2663](./cve-2012-2663.md) | 08/16/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: iPtables | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2012-2663) | :mag: Ongoing |
-| [CVE-2016-20013](./cve-2016-20013.md) | 08/16/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: Ubuntu | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2016-20013) | :mag: Ongoing |
-| [CVE-2017-11164](./cve-2017-11164.md) | 08/16/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: Ubuntu | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2017-11164) | :mag: Ongoing |
-| [CVE-2018-20657](./cve-2018-20657.md) | 08/16/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2018-20657) | :mag: Ongoing |
-| [CVE-2018-20796](./cve-2018-20796.md) | 08/16/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: GNU C Library | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2018-20796) | :mag: Ongoing |
-| [CVE-2018-20839](./cve-2018-20839.md) | 08/16/24 | 10/14/24 | 4.5.3 | Third-party component: MongoDB | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2018-20839) | :mag: Ongoing |
-| [CVE-2019-1010022](./cve-2019-1010022.md) | 08/16/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: GNU Libc | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2019-1010022) | :mag: Ongoing |
-| [CVE-2019-12900](./cve-2019-12900.md) | 08/16/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: BZ2 | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2019-12900) | :mag: Ongoing |
-| [CVE-2019-17543](./cve-2019-17543.md) | 08/16/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: MongoDB | [8.1](https://nvd.nist.gov/vuln/detail/CVE-2019-17543) | :mag: Ongoing |
-| [CVE-2019-19244](./cve-2019-19244.md) | 08/16/24 | 10/14/24 | 4.5.3 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2019-19244) | :mag: Ongoing |
-| [CVE-2019-9192](./cve-2019-9192.md) | 08/16/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: GNU C Library | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2019-9192) | :mag: Ongoing |
-| [CVE-2019-9937](./cve-2019-9937.md) | 08/16/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2019-9937) | :mag: Ongoing |
-| [CVE-2019-9936](./cve-2019-9936.md) | 08/16/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2019-9936) | :mag: Ongoing |
-| [CVE-2020-36325](./cve-2020-36325.md) | 08/16/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: Jansson | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2020-36325) | :mag: Ongoing |
-| [CVE-2021-39537](./cve-2021-39537.md) | 08/16/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: MongoDB | [8.8](https://nvd.nist.gov/vuln/detail/CVE-2021-39537) | :mag: Ongoing |
-| [CVE-2021-42694](./cve-2021-42694.md) | 08/16/24 | 10/14/24 | 4.5.3 | Third-party component: MongoDB | [8.3](https://nvd.nist.gov/vuln/detail/CVE-2021-42694) | :mag: Ongoing |
-| [CVE-2021-46848](./cve-2021-46848.md) | 9/5/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: GNU Libtasn1 | [9.1](https://nvd.nist.gov/vuln/detail/CVE-2021-46848) | :mag: Ongoing |
-| [CVE-2022-28948](./cve-2022-28948.md) | 9/15/24 | 10/14/24 | 4.5.3 | Third-party component: Go-Yaml | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-28948) | :mag: Ongoing |
-| [CVE-2022-41409](./cve-2022-41409.md) | 08/16/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41409) | :mag: Ongoing |
-| [CVE-2022-41723](./cve-2022-41723.md) | 2/28/23 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: CoreDNS | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41723) | :mag: Ongoing |
-| [CVE-2022-41724](./cve-2022-41724.md) | 9/15/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: Go Project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41724) | :mag: Ongoing |
-| [CVE-2022-41725](./cve-2022-41725.md) | 9/15/24 | 10/14/24 | 4.5.3 | Third-party component: Go Project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41725) | :mag: Ongoing |
-| [CVE-2022-4899](./cve-2022-4899.md) | 08/16/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-4899) | :mag: Ongoing |
-| [CVE-2023-0464](./cve-2023-0464.md) | 3/22/23 | 10/14/24 | 4.5.3 | Third-party component: OpenSSL | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-0464) | :mag: Ongoing |
-| [CVE-2023-24534](./cve-2023-24534.md) | 9/15/24 | 10/14/24 | 4.5.3 | Third-party component: Go Project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-24534) | :mag: Ongoing |
-| [CVE-2023-24536](./cve-2023-24536.md) | 9/15/24 | 10/14/24 | 4.5.3 | Third-party component: Go Project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-24536) | :mag: Ongoing |
-| [CVE-2023-27534](./cve-2023-27534.md) | 08/16/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: MongoDB | [8.8](https://nvd.nist.gov/vuln/detail/CVE-2023-27534) | :mag: Ongoing |
-| [CVE-2023-29403](./cve-2023-29403.md) | 9/15/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: Go Project | [7.8](https://nvd.nist.gov/vuln/detail/CVE-2023-29403) | :mag: Ongoing |
-| [CVE-2023-29499](./cve-2023-29499.md) | 08/16/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-29499) | :mag: Ongoing |
-| [CVE-2023-32636](./cve-2023-32636.md) | 08/16/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-32636) | :mag: Ongoing |
-| [CVE-2023-37920](./cve-2023-37920.md) | 08/16/24 | 10/29/24 | 4.5.3 | Third-party component: Certifi | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2023-37920) | :mag: Ongoing |
-| [CVE-2023-39325](./cve-2023-39325.md) | 10/11/23 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: Go project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) | :mag: Ongoing |
-| [CVE-2023-4156](./cve-2023-4156.md) | 08/16/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: MongoDB | [7.1](https://nvd.nist.gov/vuln/detail/CVE-2023-4156) | :mag: Ongoing |
-| [CVE-2023-45287](./cve-2023-45287.md) | 9/15/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: Go Project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-45287) | :mag: Ongoing |
-| [CVE-2023-47108](./cve-2023-47108.md) | 11/20/23 | 11/12/24 | 4.5.3, 4.5.8 | Third-party component: OpenTelemetry-Go | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-47108) | :mag: Ongoing |
-| [CVE-2023-52356](./cve-2023-52356.md) | 9/15/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: Libtiff | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-52356) | :mag: Ongoing |
-| [CVE-2024-0743](./cve-2024-0743.md) | 9/15/24 | 11/7/24 | 4.4.18, 4.5.3, 4.5.8 | Third-party component: Mozilla | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-0743) | :mag: Ongoing |
-| [CVE-2024-0760](./cve-2024-0760.md) | 9/5/24 | 10/14/24 | 4.5.3 | Third-party component: ISC | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-0760) | :mag: Ongoing |
-| [CVE-2024-1737](./cve-2024-1737.md) | 9/5/24 | 10/14/24 | 4.5.3 | Third-party component: ISC | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-1737) | :mag: Ongoing |
-| [CVE-2024-1975](./cve-2024-1975.md) | 9/5/24 | 10/14/24 | 4.5.3 | Third-party component: ISC | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-1975) | :mag: Ongoing |
-| [CVE-2024-21626](./cve-2024-21626.md) | 1/3/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: kube-proxy | [8.6](https://nvd.nist.gov/vuln/detail/CVE-2024-21626) | :mag: Ongoing |
-| [CVE-2024-24790](./cve-2024-24790.md) | 8/6/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: Go Project | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-24790) | :mag: Ongoing |
-| [CVE-2024-37371](./cve-2024-37371.md) | 08/30/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: MIT Kerberos | [9.1](https://nvd.nist.gov/vuln/detail/CVE-2024-37371) | :mag: Ongoing |
-| [CVE-2024-37370](./cve-2024-37370.md) | 08/30/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: MIT Kerberos | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-37370) | :mag: Ongoing |
-| [CVE-2024-45490](./cve-2024-45490.md) | 9/5/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: Libexpat | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-45490) | :mag: Ongoing |
-| [CVE-2024-45491](./cve-2024-45491.md) | 9/5/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: Libexpat | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-45491) | :mag: Ongoing |
-| [CVE-2024-45492](./cve-2024-45492.md) | 9/5/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: Libexpat | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-45492) | :mag: Ongoing |
-| [CVE-2024-6197](./cve-2024-6197.md) | 08/27/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: Libcurl | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-6197) | :mag: Ongoing |
-| [CVE-2024-6232](./cve-2024-6232.md) | 9/5/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: MIT Kerberos | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-6232) | :mag: Ongoing |
-| [CVE-2024-7592](./cve-2024-7592.md) | 9/5/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: CPython | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-7592) | :mag: Ongoing |
-| [GHSA-74fp-r6jw-h4mp](./ghsa-74fp-r6jw-h4mp.md) | 10/25/23 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: Kubernetes API | [7.5](https://github.com/advisories/GHSA-74fp-r6jw-h4mp) | :mag: Ongoing |
-| [GHSA-m425-mq94-257g](./ghsa-m425-mq94-257g.md) | 10/25/23 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: CoreDNS | [7.5](https://github.com/advisories/GHSA-m425-mq94-257g) | :mag: Ongoing |
-| [CVE-2011-4116](./cve-2011-4116.md) | 1/31/20 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: Perl | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2011-4116) | :mag: Ongoing |
-| [CVE-2018-6829](./cve-2018-6829.md) | 2/7/18 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: Libgcrypt | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2018-6829) | :mag: Ongoing |
-| [CVE-2019-19882](./cve-2019-19882.md) | 12/18/19 | 10/14/24 | 4.5.3 | Third-party component: Shadow | [7.8](https://nvd.nist.gov/vuln/detail/CVE-2019-19882) | :mag: Ongoing |
-| [CVE-2022-27664](./cve-2022-27664.md) | 9/6/22 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: Go Project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-27664) | :mag: Ongoing |
-| [CVE-2022-32190](./cve-2022-32190.md) | 11/6/23 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: Go Project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-32190) | :mag: Ongoing |
-| [CVE-2022-3996](./cve-2022-3996.md) | 12/13/22 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: OpenSSL | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-3996) | :mag: Ongoing |
-| [CVE-2022-41715](./cve-2022-41715.md) | 10/14/22 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: Go Project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41715) | :mag: Ongoing |
-| [CVE-2022-4450](./cve-2022-4450.md) | 2/8/23 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: OpenSSL | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-4450) | :mag: Ongoing |
-| [CVE-2023-0215](./cve-2023-0215.md) | 2/8/23 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: OpenSSL | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-0215) | :mag: Ongoing |
-| [CVE-2023-0216](./cve-2023-0216.md) | 2/8/23 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: OpenSSL | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-0216) | :mag: Ongoing |
-| [CVE-2023-0217](./cve-2023-0217.md) | 2/8/23 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: OpenSSL | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-0217) | :mag: Ongoing |
-| [CVE-2023-0286](./cve-2023-0286.md) | 2/8/23 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: OpenSSL | [7.4](https://nvd.nist.gov/vuln/detail/CVE-2023-0286) | :mag: Ongoing |
-| [CVE-2023-0401](./cve-2023-0401.md) | 2/8/23 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: OpenSSL | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-0401) | :mag: Ongoing |
-| [CVE-2023-31484](./cve-2023-31484.md) | 4/8/23 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: CPAN | [8.1](https://nvd.nist.gov/vuln/detail/CVE-2023-31484) | :mag: Ongoing |
-| [CVE-2023-31486](./cve-2023-31486.md) | 4/8/23 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: CPAN | [8.1](https://nvd.nist.gov/vuln/detail/CVE-2023-31486) | :mag: Ongoing |
-| [CVE-2023-36632](./cve-2023-36632.md) | 6/25/23 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: Python | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-36632) | :mag: Ongoing |
-| [CVE-2023-45853](./cve-2023-45853.md) | 10/13/23 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: MiniZip | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2023-45853) | :mag: Ongoing |
-| [CVE-2023-4807](./cve-2023-4807.md) | 9/8/23 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: OpenSSL | [7.8](https://nvd.nist.gov/vuln/detail/CVE-2023-4807) | :mag: Ongoing |
-| [CVE-2023-4911](./cve-2023-4911.md) | 10/3/23 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: GNU C Library | [7.8](https://nvd.nist.gov/vuln/detail/CVE-2023-4911) | :mag: Ongoing |
-| [CVE-2023-5363](./cve-2023-5363.md) | 10/25/23 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: OpenSSL | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-5363) | :mag: Ongoing |
-| [CVE-2023-6246](./cve-2023-6246.md) | 1/31/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: GNU C Library | [7.8](https://nvd.nist.gov/vuln/detail/CVE-2023-6246) | :mag: Ongoing |
-| [CVE-2023-6779](./cve-2023-6779.md) | 1/31/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: GNU C Library | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-6779) | :mag: Ongoing |
-| [CVE-2024-7006](./cve-2024-7006.md) | 8/12/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: Libtiff | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-7006) | :mag: Ongoing |
-| [CVE-2024-1485](./cve-2024-1485.md) | 2/13/24 | 10/29/24 | 4.5.3 | Third-party component: Github | [9.3](https://nvd.nist.gov/vuln/detail/CVE-2024-1485) | :mag: Ongoing |
-| [CVE-2022-40735](./cve-2022-40735.md) | 11/14/22 | 11/7/24 | 4.5.8 | Third-party component: DH Key Exhcnage | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-40735) :mag: Ongoing |
-| [CVE-2024-49767](./cve-2024-49767.md) | 10/25/24 | 11/7/24 | 4.5.8 | Third-party component: Github | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-49767) :mag: Ongoing |
-| [CVE-2018-20225](./cve-2018-20225.md) | 08/16/24 | 11/12/24 | 4.5.8 | Third-party component: MongoDB | [7.8](https://nvd.nist.gov/vuln/detail/CVE-2018-20225) | :mag: Ongoing |
-| [CVE-2024-10963](./cve-2022-40735.md) | 11/7/24 | 11/12/24 | 4.5.8 | Third-party component: PAM | [7.4](https://nvd.nist.gov/vuln/detail/CVE-2022-40735) :mag: Ongoing |
-
-
-
-
-
-| CVE ID | Initial Pub Date | Modified Date | Product Version | Vulnerability Type | CVSS Severity | Status |
-| ----------------------------------------------- | ---------------- | ------------- | --------------- | --------------------------------------- | -------------------------------------------------------------------- | ------------- |
-| [CVE-2005-2541](./cve-2005-2541.md) | 08/16/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: MongoDB | [10.0](https://nvd.nist.gov/vuln/detail/CVE-2005-2541) | :mag: Ongoing |
-| [CVE-2012-2663](./cve-2012-2663.md) | 08/16/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: iPtables | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2012-2663) | :mag: Ongoing |
-| [CVE-2016-20013](./cve-2016-20013.md) | 08/16/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: Ubuntu | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2016-20013) | :mag: Ongoing |
-| [CVE-2017-11164](./cve-2017-11164.md) | 08/16/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: Ubuntu | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2017-11164) | :mag: Ongoing |
-| [CVE-2018-20657](./cve-2018-20657.md) | 08/16/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2018-20657) | :mag: Ongoing |
-| [CVE-2018-20796](./cve-2018-20796.md) | 08/16/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: GNU C Library | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2018-20796) | :mag: Ongoing |
-| [CVE-2018-20839](./cve-2018-20839.md) | 08/16/24 | 10/14/24 | 4.5.3 | Third-party component: MongoDB | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2018-20839) | :mag: Ongoing |
-| [CVE-2019-1010022](./cve-2019-1010022.md) | 08/16/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: GNU Libc | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2019-1010022) | :mag: Ongoing |
-| [CVE-2019-12900](./cve-2019-12900.md) | 08/16/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: BZ2 | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2019-12900) | :mag: Ongoing |
-| [CVE-2019-17543](./cve-2019-17543.md) | 08/16/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: MongoDB | [8.1](https://nvd.nist.gov/vuln/detail/CVE-2019-17543) | :mag: Ongoing |
-| [CVE-2019-19244](./cve-2019-19244.md) | 08/16/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2019-19244) | :mag: Ongoing |
-| [CVE-2019-9192](./cve-2019-9192.md) | 08/16/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: GNU C Library | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2019-9192) | :mag: Ongoing |
-| [CVE-2019-9937](./cve-2019-9937.md) | 08/16/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2019-9937) | :mag: Ongoing |
-| [CVE-2019-9936](./cve-2019-9936.md) | 08/16/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2019-9936) | :mag: Ongoing |
-| [CVE-2020-36325](./cve-2020-36325.md) | 08/16/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: Jansson | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2020-36325) | :mag: Ongoing |
-| [CVE-2021-39537](./cve-2021-39537.md) | 08/16/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: MongoDB | [8.8](https://nvd.nist.gov/vuln/detail/CVE-2021-39537) | :mag: Ongoing |
-| [CVE-2021-42694](./cve-2021-42694.md) | 08/16/24 | 10/14/24 | 4.5.3 | Third-party component: MongoDB | [8.3](https://nvd.nist.gov/vuln/detail/CVE-2021-42694) | :mag: Ongoing |
-| [CVE-2021-46848](./cve-2021-46848.md) | 9/5/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: GNU Libtasn1 | [9.1](https://nvd.nist.gov/vuln/detail/CVE-2021-46848) | :mag: Ongoing |
-| [CVE-2022-41409](./cve-2022-41409.md) | 08/16/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41409) | :mag: Ongoing |
-| [CVE-2022-41723](./cve-2022-41723.md) | 2/28/23 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: CoreDNS | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41723) | :mag: Ongoing |
-| [CVE-2022-41724](./cve-2022-41724.md) | 9/15/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: Go Project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41724) | :mag: Ongoing |
-| [CVE-2022-41725](./cve-2022-41725.md) | 9/15/24 | 10/14/24 | 4.5.3 | Third-party component: Go Project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41725) | :mag: Ongoing |
-| [CVE-2022-4899](./cve-2022-4899.md) | 08/16/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-4899) | :mag: Ongoing |
-| [CVE-2023-0464](./cve-2023-0464.md) | 3/22/23 | 10/14/24 | 4.5.3 | Third-party component: OpenSSL | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-0464) | :mag: Ongoing |
-| [CVE-2023-24534](./cve-2023-24534.md) | 9/15/24 | 10/14/24 | 4.5.3 | Third-party component: Go Project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-24534) | :mag: Ongoing |
-| [CVE-2023-24536](./cve-2023-24536.md) | 9/15/24 | 10/14/24 | 4.5.3 | Third-party component: Go Project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-24536) | :mag: Ongoing |
-| [CVE-2023-26604](./cve-2023-26604.md) | 08/16/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: Ubuntu | [7.8](https://nvd.nist.gov/vuln/detail/CVE-2023-26604) | :mag: Ongoing |
-| [CVE-2023-27534](./cve-2023-27534.md) | 08/16/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: MongoDB | [8.8](https://nvd.nist.gov/vuln/detail/CVE-2023-27534) | :mag: Ongoing |
-| [CVE-2023-29403](./cve-2023-29403.md) | 9/15/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: Go Project | [7.8](https://nvd.nist.gov/vuln/detail/CVE-2023-29403) | :mag: Ongoing |
-| [CVE-2023-29499](./cve-2023-29499.md) | 08/16/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-29499) | :mag: Ongoing |
-| [CVE-2023-32636](./cve-2023-32636.md) | 08/16/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-32636) | :mag: Ongoing |
-| [CVE-2023-37920](./cve-2023-37920.md) | 08/16/24 | 10/29/24 | 4.5.3 | Third-party component: Certifi | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2023-37920) | :mag: Ongoing |
-| [CVE-2023-39325](./cve-2023-39325.md) | 10/11/23 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: Go project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) | :mag: Ongoing |
-| [CVE-2023-4156](./cve-2023-4156.md) | 08/16/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: MongoDB | [7.1](https://nvd.nist.gov/vuln/detail/CVE-2023-4156) | :mag: Ongoing |
-| [CVE-2023-45287](./cve-2023-45287.md) | 9/15/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: Go Project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-45287) | :mag: Ongoing |
-| [CVE-2023-47108](./cve-2023-47108.md) | 11/20/23 | 11/12/24 | 4.5.3 | Third-party component: OpenTelemetry-Go | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-47108) | :mag: Ongoing |
-| [CVE-2024-21626](./cve-2024-21626.md) | 1/3/24 | 10/29/24 | 4.5.3 | Third-party component: Kube-proxy | [8.6](https://nvd.nist.gov/vuln/detail/CVE-2024-21626) | :mag: Ongoing |
-| [CVE-2024-24790](./cve-2024-24790.md) | 8/6/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: Go Project | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-24790) | :mag: Ongoing |
-| [CVE-2024-3651](./cve-2024-3651.md) | 9/13/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: kjd | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-3651) | :mag: Ongoing |
-| [CVE-2024-37371](./cve-2024-37371.md) | 08/30/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: MIT Kerberos | [9.1](https://nvd.nist.gov/vuln/detail/CVE-2024-37371) | :mag: Ongoing |
-| [CVE-2024-37370](./cve-2024-37370.md) | 08/30/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: MIT Kerberos | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-37370) | :mag: Ongoing |
-| [CVE-2024-45490](./cve-2024-45490.md) | 9/5/24 | 10/14/24 | 4.5.3 | Third-party component: Libexpat | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-45490) | :mag: Ongoing |
-| [CVE-2024-45491](./cve-2024-45491.md) | 9/5/24 | 10/14/24 | 4.5.3 | Third-party component: Libexpat | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-45491) | :mag: Ongoing |
-| [CVE-2024-45492](./cve-2024-45492.md) | 9/5/24 | 10/14/24 | 4.5.3 | Third-party component: Libexpat | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-45492) | :mag: Ongoing |
-| [CVE-2024-6232](./cve-2024-6232.md) | 9/5/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: MIT Kerberos | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-6232) | :mag: Ongoing |
-| [CVE-2024-7592](./cve-2024-7592.md) | 9/5/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: CPython | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-7592) | :mag: Ongoing |
-| [GHSA-74fp-r6jw-h4mp](./ghsa-74fp-r6jw-h4mp.md) | 10/25/23 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: Kubernetes API | [7.5](https://github.com/advisories/GHSA-74fp-r6jw-h4mp) | :mag: Ongoing |
-| [CVE-2011-4116](./cve-2011-4116.md) | 1/31/20 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: Perl | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2011-4116) | :mag: Ongoing |
-| [CVE-2018-6829](./cve-2018-6829.md) | 2/7/18 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: Libgcrypt | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2018-6829) | :mag: Ongoing |
-| [CVE-2019-19882](./cve-2019-19882.md) | 12/18/19 | 10/14/24 | 4.5.3 | Third-party component: Shadow | [7.8](https://nvd.nist.gov/vuln/detail/CVE-2019-19882) | :mag: Ongoing |
-| [CVE-2022-27664](./cve-2022-27664.md) | 9/6/22 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: Go Project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-27664) | :mag: Ongoing |
-| [CVE-2022-32190](./cve-2022-32190.md) | 11/6/23 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: Go Project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-32190) | :mag: Ongoing |
-| [CVE-2022-3996](./cve-2022-3996.md) | 12/13/22 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: OpenSSL | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-3996) | :mag: Ongoing |
-| [CVE-2022-41715](./cve-2022-41715.md) | 10/14/22 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: Go Project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41715) | :mag: Ongoing |
-| [CVE-2022-4450](./cve-2022-4450.md) | 2/8/23 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: OpenSSL | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-4450) | :mag: Ongoing |
-| [CVE-2023-0215](./cve-2023-0215.md) | 2/8/23 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: OpenSSL | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-0215) | :mag: Ongoing |
-| [CVE-2023-0216](./cve-2023-0216.md) | 2/8/23 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: OpenSSL | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-0216) | :mag: Ongoing |
-| [CVE-2023-0217](./cve-2023-0217.md) | 2/8/23 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: OpenSSL | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-0217) | :mag: Ongoing |
-| [CVE-2023-0286](./cve-2023-0286.md) | 2/8/23 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: OpenSSL | [7.4](https://nvd.nist.gov/vuln/detail/CVE-2023-0286) | :mag: Ongoing |
-| [CVE-2023-0401](./cve-2023-0401.md) | 2/8/23 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: OpenSSL | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-0401) | :mag: Ongoing |
-| [CVE-2023-31484](./cve-2023-31484.md) | 4/8/23 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: CPAN | [8.1](https://nvd.nist.gov/vuln/detail/CVE-2023-31484) | :mag: Ongoing |
-| [CVE-2023-31486](./cve-2023-31486.md) | 4/8/23 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: CPAN | [8.1](https://nvd.nist.gov/vuln/detail/CVE-2023-31486) | :mag: Ongoing |
-| [CVE-2023-36632](./cve-2023-36632.md) | 6/25/23 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: Python | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-36632) | :mag: Ongoing |
-| [CVE-2023-45853](./cve-2023-45853.md) | 10/13/23 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: MiniZip | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2023-45853) | :mag: Ongoing |
-| [CVE-2023-4807](./cve-2023-4807.md) | 9/8/23 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: OpenSSL | [7.8](https://nvd.nist.gov/vuln/detail/CVE-2023-4807) | :mag: Ongoing |
-| [CVE-2023-4911](./cve-2023-4911.md) | 10/3/23 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: GNU C Library | [7.8](https://nvd.nist.gov/vuln/detail/CVE-2023-4911) | :mag: Ongoing |
-| [CVE-2023-5363](./cve-2023-5363.md) | 10/25/23 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: OpenSSL | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-5363) | :mag: Ongoing |
-| [CVE-2023-6246](./cve-2023-6246.md) | 1/31/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: GNU C Library | [7.8](https://nvd.nist.gov/vuln/detail/CVE-2023-6246) | :mag: Ongoing |
-| [CVE-2023-6779](./cve-2023-6779.md) | 1/31/24 | 11/7/24 | 4.5.3, 4.5.8 | Third-party component: GNU C Library | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-6779) | :mag: Ongoing |
-| [CVE-2024-1485](./cve-2024-1485.md) | 2/13/24 | 10/29/24 | 4.5.3 | Third-party component: Github | [9.3](https://nvd.nist.gov/vuln/detail/CVE-2024-1485) | :mag: Ongoing |
-| [CVE-2022-40735](./cve-2022-40735.md) | 11/14/22 | 11/7/24 | 4.5.8 | Third-party component: DH Key Exhcnage | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-40735) :mag: Ongoing |
-| [CVE-2018-20225](./cve-2018-20225.md) | 08/16/24 | 11/12/24 | 4.5.8 | Third-party component: MongoDB | [7.8](https://nvd.nist.gov/vuln/detail/CVE-2018-20225) | :mag: Ongoing |
-| [CVE-2024-10963](./cve-2022-40735.md) | 11/7/24 | 11/12/24 | 4.5.8 | Third-party component: PAM | [7.4](https://nvd.nist.gov/vuln/detail/CVE-2022-40735) :mag: Ongoing |
-
-
-
diff --git a/docs/docs-content/security-bulletins/reports/reports.mdx b/docs/docs-content/security-bulletins/reports/reports.mdx
new file mode 100644
index 0000000000..34f43f5c75
--- /dev/null
+++ b/docs/docs-content/security-bulletins/reports/reports.mdx
@@ -0,0 +1,50 @@
+---
+sidebar_label: "CVE Reports"
+title: "CVE Reports"
+description: "Security bulletins for Common Vulnerabilities and Exposures (CVEs) related to Palette and Palette VerteX"
+icon: ""
+hide_table_of_contents: true
+sidebar_position: 0
+toc_max_heading_level: 2
+tags: ["security", "cve"]
+---
+
+import CveReportsTable from "@site/src/components/CveReportsTable";
+
+# Security Bulletins
+
+The vulnerabilities reported in this Security Bulletin include vulnerabilities within the Palette VerteX, Palette
+Enterprise, and airgap environments. The reported vulnerabilities also include third-party component vulnerabilities,
+which we have become aware of. These vulnerabilities are discovered via our Bug Bounty program, our security monitoring
+program, or reported to us by our supply chain.
+
+:::info
+
+The CVSS Severity is provided by either the third-party service provider, or NIST CVE. We do not provide the criticality
+score for third-party components. Previous security bulletins are available in the
+[Security Bulletins Archive](../../unlisted/cve-reports.md).
+
+:::
+
+To fix all the vulnerabilities impacting your products, we recommend patching your instances to the latest version
+regarding any third-party components. For vulnerabilities originating in our products, we will provide mitigations and
+workarounds where applicable.
+
+### Status
+
+We use the following statuses to track the progress of each vulnerability. N - 2 means two versions behind the latest
+versions.
+
+| Status | Description |
+| ------- | ------------------------------------------------------------------------------------------------------------------------------- |
+| Open | The vulnerability has been identified and is pending an investigation. |
+| Ongoing | The vulnerability is being investigated. |
+| Fixed | The vulnerability has been addressed in the latest versions of Palette or Vertex. Previous versions (N -2) are being worked on. 
| +| Closed | The vulnerability has been addressed in the latest version and in N - 2 versions. | + +### CVE Reports + +By default, the table is sorted to display descending entries that were recently modified. Click on the CVE ID to view +the full details of the vulnerability. + + diff --git a/docs/docs-content/security-bulletins/security-bulletins.md b/docs/docs-content/security-bulletins/security-bulletins.md index 740e161674..16303124de 100644 --- a/docs/docs-content/security-bulletins/security-bulletins.md +++ b/docs/docs-content/security-bulletins/security-bulletins.md @@ -9,6 +9,8 @@ sidebar_custom_props: tags: ["security", "cve"] --- +import CveReportsTable from "@site/src/components/CveReportsTable"; + We aim to provide you with the most up-to-date information about the security of our products and services. No matter how carefully engineered the services are, from time to time, it may be necessary to notify you of security and privacy events with our services, including the security notifications we receive related to the third-party components we @@ -16,9 +18,10 @@ utilize in our products and services. ## Security Bulletins -We release [security bulletins](./reports/reports.md) on regular basis addressing security vulnerabilities in our -software or related third-party components, describing their remediation when available, and providing links to the -applicable updates for affected software when available. + +We release on a daily and ad-hoc basis addressing security vulnerabilities in our software or +related third-party components, describing their remediation when available, and providing links to the applicable +updates for affected software when available. ## Security Advisories @@ -29,4 +32,4 @@ security bulletin. ## Resources -- [Security Bulletins](./reports/reports.md) +- diff --git a/package-lock.json b/package-lock.json index ffea9acbb0..401f030b4c 100644 --- a/package-lock.json +++ b/package-lock.json 
@@ -21,7 +21,7 @@ "@fortawesome/free-solid-svg-icons": "^6.6.0", "@fortawesome/react-fontawesome": "^0.2.2", "@mdx-js/react": "^3.0.1", - "antd": "^5.6.2", + "antd": "^5.22.2", "axios-retry": "^4.5.0", "babel-plugin-macros": "^3.1.0", "clsx": "^1.2.1", @@ -58,7 +58,7 @@ "@typescript-eslint/parser": "^8.2.0", "babel-jest": "^29.6.2", "dotenv": "^16.3.1", - "eslint": "^8.45.0", + "eslint": "^8.57.0", "eslint-config-prettier": "^9.1.0", "eslint-plugin-import": "^2.27.5", "eslint-plugin-jsx-a11y": "^6.9.0", 
@@ -499,32 +499,59 @@ } }, "node_modules/@ant-design/colors": { - "version": "7.0.0", + "version": "7.1.0", + "resolved": "https://registry.npmjs.org/@ant-design/colors/-/colors-7.1.0.tgz", + "integrity": "sha512-MMoDGWn1y9LdQJQSHiCC20x3uZ3CwQnv9QMz6pCmJOrqdgM9YxsoVVY0wtrdXbmfSgnV0KNk6zi09NAhMR2jvg==", "license": "MIT", "dependencies": { - "@ctrl/tinycolor": "^3.4.0" + "@ctrl/tinycolor": "^3.6.1" } }, "node_modules/@ant-design/cssinjs": { - "version": "1.18.1", + "version": "1.22.0", + "resolved": "https://registry.npmjs.org/@ant-design/cssinjs/-/cssinjs-1.22.0.tgz", + "integrity": "sha512-W9XSFeRPR0mAN3OuxfuS/xhENCYKf+8s+QyNNER0FSWoK9OpISTag6CCweg6lq0hASQ/2Vcza0Z8/kGivCP0Ng==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.11.1", "@emotion/hash": "^0.8.0", "@emotion/unitless": "^0.7.5", "classnames": "^2.3.1", - "csstype": "3.1.2", + "csstype": "^3.1.3", "rc-util": "^5.35.0", - "stylis": "^4.0.13" + "stylis": "^4.3.4" }, "peerDependencies": { "react": ">=16.0.0", "react-dom": ">=16.0.0" } }, - "node_modules/@ant-design/cssinjs/node_modules/csstype": { - "version": "3.1.2", - "license": "MIT" + "node_modules/@ant-design/cssinjs-utils": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/@ant-design/cssinjs-utils/-/cssinjs-utils-1.1.1.tgz", + "integrity": "sha512-2HAiyGGGnM0es40SxdszeQAU5iWp41wBIInq+ONTCKjlSKOrzQfnw4JDtB8IBmqE6tQaEKwmzTP2LGdt5DSwYQ==", + "license": "MIT", + "dependencies": { + "@ant-design/cssinjs": "^1.21.0", + "@babel/runtime": "^7.23.2", + "rc-util": "^5.38.0" + }, + "peerDependencies": { + "react": ">=16.9.0", + "react-dom": ">=16.9.0" + } + }, + "node_modules/@ant-design/fast-color": { + "version": "2.0.6", + "resolved": "https://registry.npmjs.org/@ant-design/fast-color/-/fast-color-2.0.6.tgz", + "integrity": "sha512-y2217gk4NqL35giHl72o6Zzqji9O7vHh9YmhUVkPtAOpoTCH4uWxo/pr4VE8t0+ChEPs0qo4eJRC5Q1eXWo3vA==", + "license": "MIT", + "dependencies": { + "@babel/runtime": "^7.24.7" + }, + "engines": { + "node": ">=8.x" + } 
}, "node_modules/@ant-design/icons": { "version": "5.5.1", @@ -550,7 +577,9 @@ "license": "MIT" }, "node_modules/@ant-design/react-slick": { - "version": "1.0.2", + "version": "1.1.2", + "resolved": "https://registry.npmjs.org/@ant-design/react-slick/-/react-slick-1.1.2.tgz", + "integrity": "sha512-EzlvzE6xQUBrZuuhSAFTdsr4P2bBBHGZwKFemEfq8gIGyIQCxalYfZW/T2ORbtQx5rU69o+WycP3exY/7T1hGA==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.10.4", @@ -7296,6 +7325,8 @@ }, "node_modules/@emotion/hash": { "version": "0.8.0", + "resolved": "https://registry.npmjs.org/@emotion/hash/-/hash-0.8.0.tgz", + "integrity": "sha512-kBJtf7PH6aWwZ6fka3zQ0p6SBYzx4fl1LoZXE2RrnYST9Xljm7WfKJrU4g/Xr3Beg72MLrp1AWNUmuYJTL7Cow==", "license": "MIT" }, "node_modules/@emotion/memoize": { @@ -7349,6 +7380,8 @@ }, "node_modules/@emotion/unitless": { "version": "0.7.5", + "resolved": "https://registry.npmjs.org/@emotion/unitless/-/unitless-0.7.5.tgz", + "integrity": "sha512-OWORNpfjMsSSUBVrRBVGECkhWcULOAJz9ZW8uK9qgxD+87M7jHRcvh/A96XXNhXTLmKcoYSQtBEX7lHMO7YRwg==", "license": "MIT" }, "node_modules/@emotion/use-insertion-effect-with-fallbacks": { 
@@ -9804,14 +9837,28 @@ "version": "1.0.0-next.24", "license": "MIT" }, + "node_modules/@rc-component/async-validator": { + "version": "5.0.4", + "resolved": "https://registry.npmjs.org/@rc-component/async-validator/-/async-validator-5.0.4.tgz", + "integrity": "sha512-qgGdcVIF604M9EqjNF0hbUTz42bz/RDtxWdWuU5EQe3hi7M8ob54B6B35rOsvX5eSvIHIzT9iH1R3n+hk3CGfg==", + "license": "MIT", + "dependencies": { + "@babel/runtime": "^7.24.4" + }, + "engines": { + "node": ">=14.x" + } + }, "node_modules/@rc-component/color-picker": { - "version": "1.4.1", + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/@rc-component/color-picker/-/color-picker-2.0.1.tgz", + "integrity": "sha512-WcZYwAThV/b2GISQ8F+7650r5ZZJ043E57aVBFkQ+kSY4C6wdofXgB0hBx+GPGpIU0Z81eETNoDUJMr7oy/P8Q==", "license": "MIT", "dependencies": { - "@babel/runtime": "^7.10.1", - "@ctrl/tinycolor": "^3.6.0", + "@ant-design/fast-color": "^2.0.6", + "@babel/runtime": "^7.23.6", "classnames": "^2.2.6", - "rc-util": "^5.30.0" + "rc-util": "^5.38.1" }, "peerDependencies": { "react": ">=16.9.0", @@ -9820,6 +9867,8 @@ }, "node_modules/@rc-component/context": { "version": "1.4.0", + "resolved": "https://registry.npmjs.org/@rc-component/context/-/context-1.4.0.tgz", + "integrity": "sha512-kFcNxg9oLRMoL3qki0OMxK+7g5mypjgaaJp/pkOis/6rVxma9nJBF/8kCIuTYHUQNr0ii7MxqE33wirPZLJQ2w==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.10.1", @@ -9832,6 +9881,8 @@ }, "node_modules/@rc-component/mini-decimal": { "version": "1.1.0", + "resolved": "https://registry.npmjs.org/@rc-component/mini-decimal/-/mini-decimal-1.1.0.tgz", + "integrity": "sha512-jS4E7T9Li2GuYwI6PyiVXmxTiM6b07rlD9Ge8uGZSCz3WlzcG5ZK7g5bbuKNeZ9pgUuPK/5guV781ujdVpm4HQ==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.18.0" 
@@ -9858,6 +9909,8 @@ }, "node_modules/@rc-component/portal": { "version": "1.1.2", + "resolved": "https://registry.npmjs.org/@rc-component/portal/-/portal-1.1.2.tgz", + "integrity": "sha512-6f813C0IsasTZms08kfA8kPAGxbbkYToa8ALaiDIGGECU4i9hj8Plgbx0sNJDrey3EtHO30hmdaxtT0138xZcg==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.18.0", @@ -9872,13 +9925,33 @@ "react-dom": ">=16.9.0" } }, + "node_modules/@rc-component/qrcode": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/@rc-component/qrcode/-/qrcode-1.0.0.tgz", + "integrity": "sha512-L+rZ4HXP2sJ1gHMGHjsg9jlYBX/SLN2D6OxP9Zn3qgtpMWtO2vUfxVFwiogHpAIqs54FnALxraUy/BCO1yRIgg==", + "license": "MIT", + "dependencies": { + "@babel/runtime": "^7.24.7", + "classnames": "^2.3.2", + "rc-util": "^5.38.0" + }, + "engines": { + "node": ">=8.x" + }, + "peerDependencies": { + "react": ">=16.9.0", + "react-dom": ">=16.9.0" + } + }, "node_modules/@rc-component/tour": { - "version": "1.11.1", + "version": "1.15.1", + "resolved": "https://registry.npmjs.org/@rc-component/tour/-/tour-1.15.1.tgz", + "integrity": "sha512-Tr2t7J1DKZUpfJuDZWHxyxWpfmj8EZrqSgyMZ+BCdvKZ6r1UDsfU46M/iWAAFBy961Ssfom2kv5f3UcjIL2CmQ==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.18.0", "@rc-component/portal": "^1.0.0-9", - "@rc-component/trigger": "^1.3.6", + "@rc-component/trigger": "^2.0.0", "classnames": "^2.3.2", "rc-util": "^5.24.4" }, @@ -9891,7 +9964,9 @@ } }, "node_modules/@rc-component/trigger": { - "version": "1.18.2", + "version": "2.2.5", + "resolved": "https://registry.npmjs.org/@rc-component/trigger/-/trigger-2.2.5.tgz", + "integrity": "sha512-F1EJ4KjFpGAHAjuKvOyZB/6IZDkVx0bHl0M4fQM5wXcmm7lgTgVSSnR3bXwdmS6jOJGHOqfDxIJW3WUvwMIXhQ==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.23.2", 
@@ -13195,57 +13270,60 @@ } }, "node_modules/antd": { - "version": "5.12.2", + "version": "5.22.2", + "resolved": "https://registry.npmjs.org/antd/-/antd-5.22.2.tgz", + "integrity": "sha512-vihhiJbm9VG3d6boUeD1q2MXMax+qBrXhgqCEC+45v8iGUF6m4Ct+lFiCW4oWaN3EABOsbVA6Svy3Rj/QkQFKw==", "license": "MIT", "dependencies": { - "@ant-design/colors": "^7.0.0", - "@ant-design/cssinjs": "^1.18.1", - "@ant-design/icons": "^5.2.6", - "@ant-design/react-slick": "~1.0.2", - "@babel/runtime": "^7.23.4", + "@ant-design/colors": "^7.1.0", + "@ant-design/cssinjs": "^1.21.1", + "@ant-design/cssinjs-utils": "^1.1.1", + "@ant-design/icons": "^5.5.1", + "@ant-design/react-slick": "~1.1.2", + "@babel/runtime": "^7.25.7", "@ctrl/tinycolor": "^3.6.1", - "@rc-component/color-picker": "~1.4.1", + "@rc-component/color-picker": "~2.0.1", "@rc-component/mutate-observer": "^1.1.0", - "@rc-component/tour": "~1.11.1", - "@rc-component/trigger": "^1.18.2", - "classnames": "^2.3.2", + "@rc-component/qrcode": "~1.0.0", + "@rc-component/tour": "~1.15.1", + "@rc-component/trigger": "^2.2.5", + "classnames": "^2.5.1", "copy-to-clipboard": "^3.3.3", - "dayjs": "^1.11.1", - "qrcode.react": "^3.1.0", - "rc-cascader": "~3.20.0", - "rc-checkbox": "~3.1.0", - "rc-collapse": "~3.7.2", - "rc-dialog": "~9.3.4", - "rc-drawer": "~6.5.2", - "rc-dropdown": "~4.1.0", - "rc-field-form": "~1.41.0", - "rc-image": "~7.5.1", - "rc-input": "~1.3.6", - "rc-input-number": "~8.4.0", - "rc-mentions": "~2.9.1", - "rc-menu": "~9.12.4", - "rc-motion": "^2.9.0", - "rc-notification": "~5.3.0", - "rc-pagination": "~4.0.3", - "rc-picker": "~3.14.6", - "rc-progress": "~3.5.1", - "rc-rate": "~2.12.0", + "dayjs": "^1.11.11", + "rc-cascader": "~3.30.0", + "rc-checkbox": "~3.3.0", + "rc-collapse": "~3.9.0", + "rc-dialog": "~9.6.0", + "rc-drawer": "~7.2.0", + "rc-dropdown": "~4.2.0", + "rc-field-form": "~2.5.1", + "rc-image": "~7.11.0", + "rc-input": "~1.6.3", + "rc-input-number": "~9.3.0", + "rc-mentions": "~2.17.0", + "rc-menu": "~9.16.0", + 
"rc-motion": "^2.9.3", + "rc-notification": "~5.6.2", + "rc-pagination": "~4.3.0", + "rc-picker": "~4.8.1", + "rc-progress": "~4.0.0", + "rc-rate": "~2.13.0", "rc-resize-observer": "^1.4.0", - "rc-segmented": "~2.2.2", - "rc-select": "~14.10.0", - "rc-slider": "~10.5.0", + "rc-segmented": "~2.5.0", + "rc-select": "~14.16.3", + "rc-slider": "~11.1.7", "rc-steps": "~6.0.1", "rc-switch": "~4.1.0", - "rc-table": "~7.36.0", - "rc-tabs": "~12.14.1", - "rc-textarea": "~1.5.3", - "rc-tooltip": "~6.1.2", - "rc-tree": "~5.8.2", - "rc-tree-select": "~5.15.0", - "rc-upload": "~4.3.5", - "rc-util": "^5.38.1", + "rc-table": "~7.48.1", + "rc-tabs": "~15.4.0", + "rc-textarea": "~1.8.2", + "rc-tooltip": "~6.2.1", + "rc-tree": "~5.10.1", + "rc-tree-select": "~5.24.4", + "rc-upload": "~4.8.1", + "rc-util": "^5.43.0", "scroll-into-view-if-needed": "^3.1.0", - "throttle-debounce": "^5.0.0" + "throttle-debounce": "^5.0.2" }, "funding": { "type": "opencollective", @@ -13514,10 +13592,6 @@ "node": ">=0.10.0" } }, - "node_modules/array-tree-filter": { - "version": "2.1.0", - "license": "MIT" - }, "node_modules/array-union": { "version": "2.1.0", "license": "MIT", @@ -13750,10 +13824,6 @@ "node": ">= 0.10" } }, - "node_modules/async-validator": { - "version": "4.2.5", - "license": "MIT" - }, "node_modules/asynckit": { "version": "0.4.0", "dev": true, @@ -15864,7 +15934,9 @@ } }, "node_modules/classnames": { - "version": "2.3.2", + "version": "2.5.1", + "resolved": "https://registry.npmjs.org/classnames/-/classnames-2.5.1.tgz", + "integrity": "sha512-saHYOzhIQs6wy2sVxTM6bUDsQO4F50V9RQ22qBpEdCW+I+/Wmke2HOl6lS6dTpdxVhb88/I6+Hs+438c3lfUow==", "license": "MIT" }, "node_modules/clean-css": { 
@@ -30786,6 +30858,8 @@ }, "node_modules/json2mq": { "version": "0.2.0", + "resolved": "https://registry.npmjs.org/json2mq/-/json2mq-0.2.0.tgz", + "integrity": "sha512-SzoRg7ux5DWTII9J2qkrZrqV1gt+rTaoufMxEzXbS26Uid0NwaJd123HcoB80TgubEppxxIGdNxCx50fEoEWQA==", "license": "MIT", "dependencies": { "string-convert": "^0.2.0" @@ -59666,13 +59740,6 @@ ], "license": "MIT" }, - "node_modules/qrcode.react": { - "version": "3.1.0", - "license": "ISC", - "peerDependencies": { - "react": "^16.8.0 || ^17.0.0 || ^18.0.0" - } - }, "node_modules/qs": { "version": "6.5.3", "dev": true, @@ -59815,15 +59882,16 @@ } }, "node_modules/rc-cascader": { - "version": "3.20.0", + "version": "3.30.0", + "resolved": "https://registry.npmjs.org/rc-cascader/-/rc-cascader-3.30.0.tgz", + "integrity": "sha512-rrzSbk1Bdqbu+pDwiLCLHu72+lwX9BZ28+JKzoi0DWZ4N29QYFeip8Gctl33QVd2Xg3Rf14D3yAOG76ElJw16w==", "license": "MIT", "dependencies": { - "@babel/runtime": "^7.12.5", - "array-tree-filter": "^2.1.0", + "@babel/runtime": "^7.25.7", "classnames": "^2.3.1", - "rc-select": "~14.10.0", - "rc-tree": "~5.8.1", - "rc-util": "^5.37.0" + "rc-select": "~14.16.2", + "rc-tree": "~5.10.1", + "rc-util": "^5.43.0" }, "peerDependencies": { "react": ">=16.9.0", @@ -59831,7 +59899,9 @@ } }, "node_modules/rc-checkbox": { - "version": "3.1.0", + "version": "3.3.0", + "resolved": "https://registry.npmjs.org/rc-checkbox/-/rc-checkbox-3.3.0.tgz", + "integrity": "sha512-Ih3ZaAcoAiFKJjifzwsGiT/f/quIkxJoklW4yKGho14Olulwn8gN7hOBve0/WGDg5o/l/5mL0w7ff7/YGvefVw==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.10.1", @@ -59844,7 +59914,9 @@ } }, "node_modules/rc-collapse": { - "version": "3.7.2", + "version": "3.9.0", + "resolved": "https://registry.npmjs.org/rc-collapse/-/rc-collapse-3.9.0.tgz", + "integrity": "sha512-swDdz4QZ4dFTo4RAUMLL50qP0EY62N2kvmk2We5xYdRwcRn8WcYtuetCJpwpaCbUfUt5+huLpVxhvmnK+PHrkA==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.10.1", 
@@ -59858,7 +59930,9 @@ } }, "node_modules/rc-dialog": { - "version": "9.3.4", + "version": "9.6.0", + "resolved": "https://registry.npmjs.org/rc-dialog/-/rc-dialog-9.6.0.tgz", + "integrity": "sha512-ApoVi9Z8PaCQg6FsUzS8yvBEQy0ZL2PkuvAgrmohPkN3okps5WZ5WQWPc1RNuiOKaAYv8B97ACdsFU5LizzCqg==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.10.1", @@ -59873,14 +59947,16 @@ } }, "node_modules/rc-drawer": { - "version": "6.5.2", + "version": "7.2.0", + "resolved": "https://registry.npmjs.org/rc-drawer/-/rc-drawer-7.2.0.tgz", + "integrity": "sha512-9lOQ7kBekEJRdEpScHvtmEtXnAsy+NGDXiRWc2ZVC7QXAazNVbeT4EraQKYwCME8BJLa8Bxqxvs5swwyOepRwg==", "license": "MIT", "dependencies": { - "@babel/runtime": "^7.10.1", + "@babel/runtime": "^7.23.9", "@rc-component/portal": "^1.1.1", "classnames": "^2.2.6", "rc-motion": "^2.6.1", - "rc-util": "^5.36.0" + "rc-util": "^5.38.1" }, "peerDependencies": { "react": ">=16.9.0", @@ -59888,11 +59964,13 @@ } }, "node_modules/rc-dropdown": { - "version": "4.1.0", + "version": "4.2.0", + "resolved": "https://registry.npmjs.org/rc-dropdown/-/rc-dropdown-4.2.0.tgz", + "integrity": "sha512-odM8Ove+gSh0zU27DUj5cG1gNKg7mLWBYzB5E4nNLrLwBmYEgYP43vHKDGOVZcJSVElQBI0+jTQgjnq0NfLjng==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.18.3", - "@rc-component/trigger": "^1.7.0", + "@rc-component/trigger": "^2.0.0", "classnames": "^2.2.6", "rc-util": "^5.17.0" }, @@ -59902,11 +59980,13 @@ } }, "node_modules/rc-field-form": { - "version": "1.41.0", + "version": "2.5.1", + "resolved": "https://registry.npmjs.org/rc-field-form/-/rc-field-form-2.5.1.tgz", + "integrity": "sha512-33hunXwynQJyeae7LS3hMGTXNeRBjiPyPYgB0824EbmLHiXC1EBGyUwRh6xjLRy9c+en5WARYN0gJz5+JAqwig==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.18.0", - "async-validator": "^4.1.0", + "@rc-component/async-validator": "^5.0.3", "rc-util": "^5.32.2" }, "engines": { 
@@ -59918,13 +59998,15 @@ } }, "node_modules/rc-image": { - "version": "7.5.1", + "version": "7.11.0", + "resolved": "https://registry.npmjs.org/rc-image/-/rc-image-7.11.0.tgz", + "integrity": "sha512-aZkTEZXqeqfPZtnSdNUnKQA0N/3MbgR7nUnZ+/4MfSFWPFHZau4p5r5ShaI0KPEMnNjv4kijSCFq/9wtJpwykw==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.11.2", "@rc-component/portal": "^1.0.2", "classnames": "^2.2.6", - "rc-dialog": "~9.3.4", + "rc-dialog": "~9.6.0", "rc-motion": "^2.6.2", "rc-util": "^5.34.1" }, @@ -59934,7 +60016,9 @@ } }, "node_modules/rc-input": { - "version": "1.3.11", + "version": "1.6.3", + "resolved": "https://registry.npmjs.org/rc-input/-/rc-input-1.6.3.tgz", + "integrity": "sha512-wI4NzuqBS8vvKr8cljsvnTUqItMfG1QbJoxovCgL+DX4eVUcHIjVwharwevIxyy7H/jbLryh+K7ysnJr23aWIA==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.11.1", @@ -59947,14 +60031,16 @@ } }, "node_modules/rc-input-number": { - "version": "8.4.0", + "version": "9.3.0", + "resolved": "https://registry.npmjs.org/rc-input-number/-/rc-input-number-9.3.0.tgz", + "integrity": "sha512-JQ363ywqRyxwgVxpg2z2kja3CehTpYdqR7emJ/6yJjRdbvo+RvfE83fcpBCIJRq3zLp8SakmEXq60qzWyZ7Usw==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.10.1", "@rc-component/mini-decimal": "^1.0.1", "classnames": "^2.2.5", - "rc-input": "~1.3.5", - "rc-util": "^5.28.0" + "rc-input": "~1.6.0", + "rc-util": "^5.40.1" }, "peerDependencies": { "react": ">=16.9.0", 
@@ -59962,15 +60048,17 @@ } }, "node_modules/rc-mentions": { - "version": "2.9.1", + "version": "2.17.0", + "resolved": "https://registry.npmjs.org/rc-mentions/-/rc-mentions-2.17.0.tgz", + "integrity": "sha512-sfHy+qLvc+p8jx8GUsujZWXDOIlIimp6YQz7N5ONQ6bHsa2kyG+BLa5k2wuxgebBbH97is33wxiyq5UkiXRpHA==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.22.5", - "@rc-component/trigger": "^1.5.0", + "@rc-component/trigger": "^2.0.0", "classnames": "^2.2.6", - "rc-input": "~1.3.5", - "rc-menu": "~9.12.0", - "rc-textarea": "~1.5.0", + "rc-input": "~1.6.0", + "rc-menu": "~9.16.0", + "rc-textarea": "~1.8.0", "rc-util": "^5.34.1" }, "peerDependencies": { @@ -59979,11 +60067,13 @@ } }, "node_modules/rc-menu": { - "version": "9.12.4", + "version": "9.16.0", + "resolved": "https://registry.npmjs.org/rc-menu/-/rc-menu-9.16.0.tgz", + "integrity": "sha512-vAL0yqPkmXWk3+YKRkmIR8TYj3RVdEt3ptG2jCJXWNAvQbT0VJJdRyHZ7kG/l1JsZlB+VJq/VcYOo69VR4oD+w==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.10.1", - "@rc-component/trigger": "^1.17.0", + "@rc-component/trigger": "^2.0.0", "classnames": "2.x", "rc-motion": "^2.4.3", "rc-overflow": "^1.3.1", @@ -59995,12 +60085,14 @@ } }, "node_modules/rc-motion": { - "version": "2.9.0", + "version": "2.9.3", + "resolved": "https://registry.npmjs.org/rc-motion/-/rc-motion-2.9.3.tgz", + "integrity": "sha512-rkW47ABVkic7WEB0EKJqzySpvDqwl60/tdkY7hWP7dYnh5pm0SzJpo54oW3TDUGXV5wfxXFmMkxrzRRbotQ0+w==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.11.1", "classnames": "^2.2.1", - "rc-util": "^5.21.0" + "rc-util": "^5.43.0" }, "peerDependencies": { "react": ">=16.9.0", 
@@ -60008,7 +60100,9 @@ } }, "node_modules/rc-notification": { - "version": "5.3.0", + "version": "5.6.2", + "resolved": "https://registry.npmjs.org/rc-notification/-/rc-notification-5.6.2.tgz", + "integrity": "sha512-Id4IYMoii3zzrG0lB0gD6dPgJx4Iu95Xu0BQrhHIbp7ZnAZbLqdqQ73aIWH0d0UFcElxwaKjnzNovTjo7kXz7g==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.10.1", @@ -60026,6 +60120,8 @@ }, "node_modules/rc-overflow": { "version": "1.3.2", + "resolved": "https://registry.npmjs.org/rc-overflow/-/rc-overflow-1.3.2.tgz", + "integrity": "sha512-nsUm78jkYAoPygDAcGZeC2VwIg/IBGSodtOY3pMof4W3M9qRJgqaDYm03ZayHlde3I6ipliAxbN0RUcGf5KOzw==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.11.1", @@ -60039,7 +60135,9 @@ } }, "node_modules/rc-pagination": { - "version": "4.0.3", + "version": "4.3.0", + "resolved": "https://registry.npmjs.org/rc-pagination/-/rc-pagination-4.3.0.tgz", + "integrity": "sha512-UubEWA0ShnroQ1tDa291Fzw6kj0iOeF26IsUObxYTpimgj4/qPCWVFl18RLZE+0Up1IZg0IK4pMn6nB3mjvB7g==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.10.1", @@ -60052,13 +60150,17 @@ } }, "node_modules/rc-picker": { - "version": "3.14.6", + "version": "4.8.2", + "resolved": "https://registry.npmjs.org/rc-picker/-/rc-picker-4.8.2.tgz", + "integrity": "sha512-I6Nn4ngkRskSD//rsXDvjlEQ8CzX9kPQrUIb7+qTY49erJaa3/oKJWmi6JIxo/A7gy59phNmPTdhKosAa/NrQQ==", "license": "MIT", "dependencies": { - "@babel/runtime": "^7.10.1", - "@rc-component/trigger": "^1.5.0", + "@babel/runtime": "^7.24.7", + "@rc-component/trigger": "^2.0.0", "classnames": "^2.2.1", - "rc-util": "^5.30.0" + "rc-overflow": "^1.3.2", + "rc-resize-observer": "^1.4.0", + "rc-util": "^5.43.0" }, "engines": { "node": ">=8.x" 
@@ -60087,7 +60189,9 @@ } }, "node_modules/rc-progress": { - "version": "3.5.1", + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/rc-progress/-/rc-progress-4.0.0.tgz", + "integrity": "sha512-oofVMMafOCokIUIBnZLNcOZFsABaUw8PPrf1/y0ZBvKZNpOiu5h4AO9vv11Sw0p4Hb3D0yGWuEattcQGtNJ/aw==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.10.1", @@ -60100,7 +60204,9 @@ } }, "node_modules/rc-rate": { - "version": "2.12.0", + "version": "2.13.0", + "resolved": "https://registry.npmjs.org/rc-rate/-/rc-rate-2.13.0.tgz", + "integrity": "sha512-oxvx1Q5k5wD30sjN5tqAyWTvJfLNNJn7Oq3IeS4HxWfAiC4BOXMITNAsw7u/fzdtO4MS8Ki8uRLOzcnEuoQiAw==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.10.1", @@ -60117,6 +60223,8 @@ }, "node_modules/rc-resize-observer": { "version": "1.4.0", + "resolved": "https://registry.npmjs.org/rc-resize-observer/-/rc-resize-observer-1.4.0.tgz", + "integrity": "sha512-PnMVyRid9JLxFavTjeDXEXo65HCRqbmLBw9xX9gfC4BZiSzbLXKzW3jPz+J0P71pLbD5tBMTT+mkstV5gD0c9Q==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.20.7", @@ -60130,7 +60238,9 @@ } }, "node_modules/rc-segmented": { - "version": "2.2.2", + "version": "2.5.0", + "resolved": "https://registry.npmjs.org/rc-segmented/-/rc-segmented-2.5.0.tgz", + "integrity": "sha512-B28Fe3J9iUFOhFJET3RoXAPFJ2u47QvLSYcZWC4tFYNGPEjug5LAxEasZlA/PpAxhdOPqGWsGbSj7ftneukJnw==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.11.1", @@ -60144,11 +60254,13 @@ } }, "node_modules/rc-select": { - "version": "14.10.0", + "version": "14.16.3", + "resolved": "https://registry.npmjs.org/rc-select/-/rc-select-14.16.3.tgz", + "integrity": "sha512-51+j6s3fJJJXB7E+B6W1hM4Tjzv1B/Decooz9ilgegDBt3ZAth1b/xMwYCTrT5BbG2e53XACQsyDib2+3Ro1fg==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.10.1", - "@rc-component/trigger": "^1.5.0", + "@rc-component/trigger": "^2.1.1", "classnames": "2.x", "rc-motion": "^2.0.1", "rc-overflow": "^1.3.1", 
@@ -60164,12 +60276,14 @@ } }, "node_modules/rc-slider": { - "version": "10.5.0", + "version": "11.1.7", + "resolved": "https://registry.npmjs.org/rc-slider/-/rc-slider-11.1.7.tgz", + "integrity": "sha512-ytYbZei81TX7otdC0QvoYD72XSlxvTihNth5OeZ6PMXyEDq/vHdWFulQmfDGyXK1NwKwSlKgpvINOa88uT5g2A==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.10.1", "classnames": "^2.2.5", - "rc-util": "^5.27.0" + "rc-util": "^5.36.0" }, "engines": { "node": ">=8.x" @@ -60209,15 +60323,17 @@ } }, "node_modules/rc-table": { - "version": "7.36.0", + "version": "7.48.1", + "resolved": "https://registry.npmjs.org/rc-table/-/rc-table-7.48.1.tgz", + "integrity": "sha512-Z4mDKjWg+xz/Ezdw6ivWcbqRpaJ0QfCORRoRrlrw65KSGZLK8OcTdacH22/fyGb8L4It/0/9qcMm8VrVAk/WBw==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.10.1", "@rc-component/context": "^1.4.0", "classnames": "^2.2.5", "rc-resize-observer": "^1.1.0", - "rc-util": "^5.37.0", - "rc-virtual-list": "^3.11.1" + "rc-util": "^5.41.0", + "rc-virtual-list": "^3.14.2" }, "engines": { "node": ">=8.x" @@ -60228,13 +60344,15 @@ } }, "node_modules/rc-tabs": { - "version": "12.14.1", + "version": "15.4.0", + "resolved": "https://registry.npmjs.org/rc-tabs/-/rc-tabs-15.4.0.tgz", + "integrity": "sha512-llKuyiAVqmXm2z7OrmhX5cNb2ueZaL8ZyA2P4R+6/72NYYcbEgOXibwHiQCFY2RiN3swXl53SIABi2CumUS02g==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.11.2", "classnames": "2.x", - "rc-dropdown": "~4.1.0", - "rc-menu": "~9.12.0", + "rc-dropdown": "~4.2.0", + "rc-menu": "~9.16.0", "rc-motion": "^2.6.2", "rc-resize-observer": "^1.0.0", "rc-util": "^5.34.1" 
@@ -60248,12 +60366,14 @@ } }, "node_modules/rc-textarea": { - "version": "1.5.3", + "version": "1.8.2", + "resolved": "https://registry.npmjs.org/rc-textarea/-/rc-textarea-1.8.2.tgz", + "integrity": "sha512-UFAezAqltyR00a8Lf0IPAyTd29Jj9ee8wt8DqXyDMal7r/Cg/nDt3e1OOv3Th4W6mKaZijjgwuPXhAfVNTN8sw==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.10.1", "classnames": "^2.2.1", - "rc-input": "~1.3.5", + "rc-input": "~1.6.0", "rc-resize-observer": "^1.0.0", "rc-util": "^5.27.0" }, @@ -60263,11 +60383,13 @@ } }, "node_modules/rc-tooltip": { - "version": "6.1.2", + "version": "6.2.1", + "resolved": "https://registry.npmjs.org/rc-tooltip/-/rc-tooltip-6.2.1.tgz", + "integrity": "sha512-rws0duD/3sHHsD905Nex7FvoUGy2UBQRhTkKxeEvr2FB+r21HsOxcDJI0TzyO8NHhnAA8ILr8pfbSBg5Jj5KBg==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.11.2", - "@rc-component/trigger": "^1.18.0", + "@rc-component/trigger": "^2.0.0", "classnames": "^2.3.1" }, "peerDependencies": { @@ -60276,7 +60398,9 @@ } }, "node_modules/rc-tree": { - "version": "5.8.2", + "version": "5.10.1", + "resolved": "https://registry.npmjs.org/rc-tree/-/rc-tree-5.10.1.tgz", + "integrity": "sha512-FPXb3tT/u39mgjr6JNlHaUTYfHkVGW56XaGDahDpEFLGsnPxGcVLNTjcqoQb/GNbSCycl7tD7EvIymwOTP0+Yw==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.10.1", @@ -60294,14 +60418,16 @@ } }, "node_modules/rc-tree-select": { - "version": "5.15.0", + "version": "5.24.5", + "resolved": "https://registry.npmjs.org/rc-tree-select/-/rc-tree-select-5.24.5.tgz", + "integrity": "sha512-PnyR8LZJWaiEFw0SHRqo4MNQWyyZsyMs8eNmo68uXZWjxc7QqeWcjPPoONN0rc90c3HZqGF9z+Roz+GLzY5GXA==", "license": "MIT", "dependencies": { - "@babel/runtime": "^7.10.1", + "@babel/runtime": "^7.25.7", "classnames": "2.x", - "rc-select": "~14.10.0", - "rc-tree": "~5.8.1", - "rc-util": "^5.16.1" + "rc-select": "~14.16.2", + "rc-tree": "~5.10.1", + "rc-util": "^5.43.0" }, "peerDependencies": { "react": "*", 
@@ -60309,7 +60435,9 @@ } }, "node_modules/rc-upload": { - "version": "4.3.5", + "version": "4.8.1", + "resolved": "https://registry.npmjs.org/rc-upload/-/rc-upload-4.8.1.tgz", + "integrity": "sha512-toEAhwl4hjLAI1u8/CgKWt30BR06ulPa4iGQSMvSXoHzO88gPCslxqV/mnn4gJU7PDoltGIC9Eh+wkeudqgHyw==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.18.3", @@ -60322,7 +60450,9 @@ } }, "node_modules/rc-util": { - "version": "5.38.1", + "version": "5.43.0", + "resolved": "https://registry.npmjs.org/rc-util/-/rc-util-5.43.0.tgz", + "integrity": "sha512-AzC7KKOXFqAdIBqdGWepL9Xn7cm3vnAmjlHqUnoQaTMZYhM4VlXGLkkHHxj/BZ7Td0+SOPKB4RGPboBVKT9htw==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.18.3", @@ -60338,7 +60468,9 @@ "license": "MIT" }, "node_modules/rc-virtual-list": { - "version": "3.11.3", + "version": "3.15.0", + "resolved": "https://registry.npmjs.org/rc-virtual-list/-/rc-virtual-list-3.15.0.tgz", + "integrity": "sha512-dF2YQztqrU3ijAeWOqscTshCEr7vpimzSqAVjO1AyAmaqcHulaXpnGR0ptK5PXfxTUy48VkJOiglMIxlkYGs0w==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.20.0", @@ -60350,8 +60482,8 @@ "node": ">=8.x" }, "peerDependencies": { - "react": "*", - "react-dom": "*" + "react": ">=16.9.0", + "react-dom": ">=16.9.0" } }, "node_modules/rc/node_modules/strip-json-comments": { @@ -61802,6 +61934,8 @@ }, "node_modules/resize-observer-polyfill": { "version": "1.5.1", + "resolved": "https://registry.npmjs.org/resize-observer-polyfill/-/resize-observer-polyfill-1.5.1.tgz", + "integrity": "sha512-LwZrotdHOo12nQuZlHEmtuXdqGoOD0OhaxopaNFxWzInpEgaLWoVuAMbTzixuosCx2nEG58ngzW3vxdWoxIgdg==", "license": "MIT" }, "node_modules/resolve": { @@ -63976,6 +64110,8 @@ }, "node_modules/string-convert": { "version": "0.2.1", + "resolved": "https://registry.npmjs.org/string-convert/-/string-convert-0.2.1.tgz", + "integrity": "sha512-u/1tdPl4yQnPBjnVrmdLo9gtuLvELKsAoRapekWggdiQNvvvum+jYF329d84NAa660KQw7pB2n36KrIKVoXa3A==", "license": "MIT" }, "node_modules/string-length": { 
@@ -64340,7 +64476,9 @@ } }, "node_modules/stylis": { - "version": "4.3.0", + "version": "4.3.4", + "resolved": "https://registry.npmjs.org/stylis/-/stylis-4.3.4.tgz", + "integrity": "sha512-osIBl6BGUmSfDkyH2mB7EFvCJntXDrLhKjHTRj/rK6xLH0yuPrHULDRQzKokSOD4VoorhtKpfcfW1GAntu8now==", "license": "MIT" }, "node_modules/stylus": { @@ -65329,7 +65467,9 @@ } }, "node_modules/throttle-debounce": { - "version": "5.0.0", + "version": "5.0.2", + "resolved": "https://registry.npmjs.org/throttle-debounce/-/throttle-debounce-5.0.2.tgz", + "integrity": "sha512-B71/4oyj61iNH0KeCamLuE2rmKuTO5byTOSVwECM5FA7TiAiAW+UqTKZ9ERueC4qvgSttUhdmq1mXC3kJqGX7A==", "license": "MIT", "engines": { "node": ">=12.22" diff --git a/package.json b/package.json index a77746ab09..1318822019 100644 --- a/package.json +++ b/package.json @@ -5,8 +5,9 @@ "scripts": { "docusaurus": "docusaurus", "start": "docusaurus start --host 0.0.0.0 --port 9000", - "build": "npm run generate-api-docs && npm run generate-partials && docusaurus build", + "build": "npm run generate-api-docs && npm run cves && npm run generate-partials && docusaurus build", "swizzle": "docusaurus swizzle", + "cves": "node utils/cves/index.js", "deploy": "docusaurus deploy", "clear": "docusaurus clear", "serve": "docusaurus serve", @@ -19,7 +20,7 @@ "clean-api-docs": "docusaurus clean-api-docs palette && docusaurus clean-api-docs emc", "run-api-parser": "node utils/api-parser/index.js", "generate-partials": "./scripts/generate-partials.sh", - "lint": "eslint . --ext .js,.ts,.jsx,.tsx", + "lint": "eslint . -c .eslintrc.js --ext .js,.ts,.jsx,.tsx", "lint:fix": "npm run lint -- --fix", "format": "prettier --write \"**/*.{js,jsx,json,ts,tsx,md,mdx,css}\"", "format-check": "prettier . --check" @@ -47,7 +48,7 @@ "@fortawesome/free-solid-svg-icons": "^6.6.0", "@fortawesome/react-fontawesome": "^0.2.2", "@mdx-js/react": "^3.0.1", - "antd": "^5.6.2", + "antd": "^5.22.2", "axios-retry": "^4.5.0", "babel-plugin-macros": "^3.1.0", "clsx": "^1.2.1", 
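Review bot: The `build` script now chains `npm run cves` ahead of `generate-partials`, so a failure in `utils/cves/index.js` (whatever it fetches or needs, which this diff does not show) fails the whole docs build, and package.json gives no hint of what that script requires or how to build without it. JSON cannot carry a comment, so document the script alongside the other generators (README or the script's own header): what it reads, which environment variables gate it, and whether it fails closed or writes an empty table when its source is unreachable. If a stale CVE table is acceptable for preview builds, prefer an explicit opt-out that the script honours over a shell-level `|| true`; a quietly missing bulletin table is a worse outcome for a security page than a red build. The `lint` change to `eslint . -c .eslintrc.js` in the next hunk is unrelated to this feature and would be easier to review on its own.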
@@ -84,7 +85,7 @@
 "@typescript-eslint/parser": "^8.2.0",
 "babel-jest": "^29.6.2",
 "dotenv": "^16.3.1",
- "eslint": "^8.45.0",
+ "eslint": "^8.57.0",
 "eslint-config-prettier": "^9.1.0",
 "eslint-plugin-import": "^2.27.5",
 "eslint-plugin-jsx-a11y": "^6.9.0",
diff --git a/redirects.js b/redirects.js
index 0552dd650d..c24a4c3619 100644
--- a/redirects.js
+++ b/redirects.js
@@ -666,6 +666,91 @@ let redirects = [ from: "/user-management/project-association/", to: "/user-management/palette-rbac/assign-a-role/", }, + { + from: [ + "/security-bulletins/reports/cve-2005-2541", + "/security-bulletins/reports/cve-2012-2663", + "/security-bulletins/reports/cve-2015-20107", + "/security-bulletins/reports/cve-2015-8855", + "/security-bulletins/reports/cve-2016-1585", + "/security-bulletins/reports/cve-2016-20013", + "/security-bulletins/reports/cve-2017-11164", + "/security-bulletins/reports/cve-2018-20225", + "/security-bulletins/reports/cve-2018-20657", + "/security-bulletins/reports/cve-2018-20796", + "/security-bulletins/reports/cve-2018-20839", + "/security-bulletins/reports/cve-2019-1010022", + "/security-bulletins/reports/cve-2019-12900", + "/security-bulletins/reports/cve-2019-17543", + "/security-bulletins/reports/cve-2019-19244", + "/security-bulletins/reports/cve-2019-9192", + "/security-bulletins/reports/cve-2019-9674", + "/security-bulletins/reports/cve-2019-9923", + "/security-bulletins/reports/cve-2019-9936", + "/security-bulletins/reports/cve-2019-9937", + "/security-bulletins/reports/cve-2020-35512", + "/security-bulletins/reports/cve-2020-36325", + "/security-bulletins/reports/cve-2021-3737", + "/security-bulletins/reports/cve-2021-39537", + "/security-bulletins/reports/cve-2021-42694", + "/security-bulletins/reports/cve-2021-46848", + "/security-bulletins/reports/cve-2022-0391", + "/security-bulletins/reports/cve-2022-23990", + "/security-bulletins/reports/cve-2022-25883", + "/security-bulletins/reports/cve-2022-28357", + "/security-bulletins/reports/cve-2022-28948", + "/security-bulletins/reports/cve-2022-41409", + "/security-bulletins/reports/cve-2022-41723", + "/security-bulletins/reports/cve-2022-41724", + "/security-bulletins/reports/cve-2022-41725", + "/security-bulletins/reports/cve-2022-45061", + "/security-bulletins/reports/cve-2022-48560", + "/security-bulletins/reports/cve-2022-48565", + 
"/security-bulletins/reports/cve-2022-4899", + "/security-bulletins/reports/cve-2023-0464", + "/security-bulletins/reports/cve-2023-24329", + "/security-bulletins/reports/cve-2023-24534", + "/security-bulletins/reports/cve-2023-24536", + "/security-bulletins/reports/cve-2023-24537", + "/security-bulletins/reports/cve-2023-24538", + "/security-bulletins/reports/cve-2023-24539", + "/security-bulletins/reports/cve-2023-24540", + "/security-bulletins/reports/cve-2023-26604", + "/security-bulletins/reports/cve-2023-27534", + "/security-bulletins/reports/cve-2023-29400", + "/security-bulletins/reports/cve-2023-29403", + "/security-bulletins/reports/cve-2023-29499", + "/security-bulletins/reports/cve-2023-32636", + "/security-bulletins/reports/cve-2023-37920", + "/security-bulletins/reports/cve-2023-39325", + "/security-bulletins/reports/cve-2023-4156", + "/security-bulletins/reports/cve-2023-44487", + "/security-bulletins/reports/cve-2023-45142", + "/security-bulletins/reports/cve-2023-45287", + "/security-bulletins/reports/cve-2023-47108", + "/security-bulletins/reports/cve-2023-49569", + "/security-bulletins/reports/cve-2023-52356", + "/security-bulletins/reports/cve-2024-0743", + "/security-bulletins/reports/cve-2024-0760", + "/security-bulletins/reports/cve-2024-1737", + "/security-bulletins/reports/cve-2024-1975", + "/security-bulletins/reports/cve-2024-21626", + "/security-bulletins/reports/cve-2024-24790", + "/security-bulletins/reports/cve-2024-32002", + "/security-bulletins/reports/cve-2024-35325", + "/security-bulletins/reports/cve-2024-3651", + "/security-bulletins/reports/cve-2024-37370", + "/security-bulletins/reports/cve-2024-37371", + "/security-bulletins/reports/cve-2024-38428", + "/security-bulletins/reports/cve-2024-45490", + "/security-bulletins/reports/cve-2024-45491", + "/security-bulletins/reports/cve-2024-45492", + "/security-bulletins/reports/cve-2024-6197", + "/security-bulletins/reports/cve-2024-6232", + 
"/security-bulletins/reports/cve-2024-7592", + ], + to: "/security-bulletins/reports/", + }, ]; if (packRedirects.length > 0) { diff --git a/src/components/CveReportsTable/CveReportTable.module.scss b/src/components/CveReportsTable/CveReportTable.module.scss new file mode 100644 index 0000000000..c83c25192c --- /dev/null +++ b/src/components/CveReportsTable/CveReportTable.module.scss @@ -0,0 +1,35 @@ +.wrapper { + display: flex; + flex-direction: column; + align-items: center; + justify-content: center; + + .tabPane { + padding-top: 15px; + font-size: 16px; + width: 100%; + // Karl's workaround for reducing the jank issue where the tabs disappear when refreshing the page. + // The spinner is displayed while the page is loading, and the entire table is hidden until the page is fully loaded. + min-height: 300px; + } +} + +.tableContainer { + display: block; + + @media (max-width: 768px) { + display: none; + } +} + +.unsupportedMessage { + display: none; + + @media (max-width: 768px) { + display: block; + text-align: center; + padding: 20px; + font-size: 1.2em; + color: #555; + } +} diff --git a/src/components/CveReportsTable/CveReportsTable.tsx b/src/components/CveReportsTable/CveReportsTable.tsx new file mode 100644 index 0000000000..324a92a862 --- /dev/null +++ b/src/components/CveReportsTable/CveReportsTable.tsx 
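Review bot: The eighty legacy `cve-*` slugs are listed by hand with no comment saying where they come from, so the next person regenerating reports cannot tell whether the list is complete or when it can be retired; the enclosing `redirects` array starts outside the hunk. A one-line comment above the entry would fix that, e.g. `// Legacy report URLs from before bulletins were generated per advisory uid; all collapse to the reports index.`. If the redirect plugin in use supports a prefix- or function-based rule for `/security-bulletins/reports/cve-*`, that would be less fragile than a static list, but this diff does not show the plugin configuration so I cannot confirm it.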
@@ -0,0 +1,273 @@ +import React, { useState, useEffect, useMemo } from "react"; +import { Tabs, ConfigProvider, Table, theme, Spin } from "antd"; +import { useColorMode } from "@docusaurus/theme-common"; +import useIsBrowser from "@docusaurus/useIsBrowser"; +import Link from "@docusaurus/Link"; +import type { ColumnsType } from "antd/es/table"; +import Admonition from "@theme/Admonition"; +import styles from "./CveReportTable.module.scss"; +import semver from "semver"; + +interface CveData { + palette: Cve[]; + paletteAirgap: Cve[]; + vertex: Cve[]; + vertexAirgap: Cve[]; +} + +interface Cve { + metadata: { + uid: string; + cve: string; + summary: string; + cvssScore: number; + nistSeverity: string; + trivySeverity: string; + grypeSeverity: string; + cvePublishedTimestamp: string; + cveLastModifiedTimestamp: string; + advCreatedTimestamp: string; + advLastModifiedTimestamp: string; + }; + spec: { + assessment: { + thirdParty: { + isDependentOnThirdParty: boolean; + }; + }; + impact: { + impactedVersions: string[]; + }; + }; + status: { + status: string; + }; +} + +interface MinimizedCve { + metadata: { + uid: string; + cve: string; + cvssScore: number; + cvePublishedTimestamp: string; + cveLastModifiedTimestamp: string; + }; + spec: { + assessment: { + thirdParty: { + isDependentOnThirdParty: boolean; + }; + }; + impact: { + impactedVersions: string[]; + }; + }; + status: { + status: string; + }; +} + +type CveDataUnion = + | CveData + | { + palette: MinimizedCve[]; + paletteAirgap: MinimizedCve[]; + vertex: MinimizedCve[]; + vertexAirgap: MinimizedCve[]; + }; + +export default function CveReportsTable() { + const [data, setData] = useState(null); + const [loading, setLoading] = useState(true); + const isBrowser = useIsBrowser(); + const [activeTabKey, setActiveTabKey] = useState("palette"); + const { colorMode } = useColorMode(); + const { defaultAlgorithm, darkAlgorithm } = theme; + + useEffect(() => { + if (isBrowser) { + const hash = 
window.location.hash?.replace("#", "") || "palette"; + setActiveTabKey(hash); + } + }, [isBrowser]); + + useEffect(() => { + const minimizeData = (entry: Cve): MinimizedCve => ({ + metadata: { + uid: entry.metadata.uid, + cve: entry.metadata.cve, + cvssScore: entry.metadata.cvssScore, + cvePublishedTimestamp: entry.metadata.cvePublishedTimestamp, + cveLastModifiedTimestamp: entry.metadata.cveLastModifiedTimestamp, + }, + spec: { + assessment: { + thirdParty: { isDependentOnThirdParty: entry.spec.assessment.thirdParty.isDependentOnThirdParty }, + }, + impact: { impactedVersions: entry.spec.impact.impactedVersions }, + }, + status: { status: entry.status.status }, + }); + + const loadData = async () => { + try { + const response = (await import("../../../.docusaurus/security-bulletins/default/data.json")).default; // eslint-disable-line @typescript-eslint/no-unsafe-member-access + const responseData = response as CveData; + + const reducedData: CveDataUnion = { + palette: responseData.palette.map(minimizeData), + paletteAirgap: responseData.paletteAirgap.map(minimizeData), + vertex: responseData.vertex.map(minimizeData), + vertexAirgap: responseData.vertexAirgap.map(minimizeData), + }; + setData(reducedData); + } catch (error) { + console.error("Error loading data:", error); + } finally { + setLoading(false); + } + }; + + loadData().catch((error) => console.error("Error loading data:", error)); + }, []); + + useEffect(() => { + if (isBrowser) { + window.location.hash = activeTabKey; + } + }, [activeTabKey, isBrowser]); + + const columns: ColumnsType = useMemo( + () => [ + { + title: "CVE ID", + dataIndex: ["metadata", "cve"], + key: "cve", + sorter: (a, b) => a.metadata.cve.localeCompare(b.metadata.cve), + render: (cve: string, record) => ( + + {cve} + + ), + }, + { + title: "Initial Pub Date", + dataIndex: ["metadata", "cvePublishedTimestamp"], + key: "publishedDateTime", + sorter: (a, b) => + new Date(a.metadata.cvePublishedTimestamp).getTime() - new 
Date(b.metadata.cvePublishedTimestamp).getTime(), + render: (text: string) => new Date(text).toLocaleDateString(), + }, + { + title: "Modified Date", + dataIndex: ["metadata", "cveLastModifiedTimestamp"], + key: "modifiedDateTime", + sorter: (a, b) => + new Date(a.metadata.cveLastModifiedTimestamp).getTime() - + new Date(b.metadata.cveLastModifiedTimestamp).getTime(), + render: (text: string) => new Date(text).toLocaleDateString(), + defaultSortOrder: "descend", + }, + { + title: "Product Version", + dataIndex: ["spec", "impact", "impactedVersions"], + key: "productVersion", + sorter: (a, b) => { + const versionsA = a.spec.impact.impactedVersions.sort(semver.compare).reverse(); + const versionsB = b.spec.impact.impactedVersions.sort(semver.compare).reverse(); + return semver.compare(versionsB[0] || "0.0.0", versionsA[0] || "0.0.0"); + }, + render: (impactedVersions: string[]) => { + const sortedVersions = impactedVersions.sort(semver.compare).reverse().slice(0, 3); + return sortedVersions.join(", ") + (impactedVersions.length > 3 ? ", ..." : ""); + }, + }, + { + title: "Third Party Vulnerability", + dataIndex: ["spec", "assessment", "thirdParty", "isDependentOnThirdParty"], + key: "vulnerabilityType", + sorter: (a, b) => + a.spec.assessment.thirdParty.isDependentOnThirdParty === b.spec.assessment.thirdParty.isDependentOnThirdParty + ? 0 + : 1, + render: (record) => (record ? "Yes" : "No"), + }, + { + title: "CVSS Severity", + dataIndex: ["metadata", "cvssScore"], + key: "baseScore", + sorter: (a, b) => a.metadata.cvssScore - b.metadata.cvssScore, + render: (baseScore: number, record) => ( + {baseScore} + ), + }, + { + title: "Status", + key: "status", + sorter: (a, b) => a.status.status.localeCompare(b.status.status), + render: (record: MinimizedCve) => { + const status = record.status.status; + return status === "Open" || status === "Ongoing" ? 🔍 {status} : ✅ {status}; + }, + }, + ], + [] + ); + + const renderCveTable = (cveList: MinimizedCve[]) => ( +
+ record.metadata.uid} + pagination={{ + pageSizeOptions: ["25", "50", "100", "500", "1000"], + defaultPageSize: 100, + showSizeChanger: true, + }} + scroll={{ y: 800 }} + bordered={true} + tableLayout="fixed" + sticky={true} + /> + + ); + + const tabs = useMemo( + () => [ + { label: "Palette Enterprise", key: "palette", children: renderCveTable(data?.palette || []) }, + { label: "Palette Enterprise Airgap", key: "paletteAirgap", children: renderCveTable(data?.paletteAirgap || []) }, + { label: "VerteX", key: "vertex", children: renderCveTable(data?.vertex || []) }, + { label: "VerteX Airgap", key: "vertexAirgap", children: renderCveTable(data?.vertexAirgap || []) }, + ], + [data] + ); + + if (loading) { + return ( + + ); + } + + return ( +
+ +
+ + The current screen size is not supported. Use a larger display to access the CVE table. + +
+
+ setActiveTabKey(key)} + items={tabs} + destroyInactiveTabPane={false} + type="card" + /> +
+
+
+ ); +} diff --git a/src/components/CveReportsTable/index.ts b/src/components/CveReportsTable/index.ts new file mode 100644 index 0000000000..0cfd2630e3 --- /dev/null +++ b/src/components/CveReportsTable/index.ts @@ -0,0 +1,3 @@ +import CveReportsTable from "./CveReportsTable"; + +export default CveReportsTable; diff --git a/utils/cves/index.js b/utils/cves/index.js new file mode 100644 index 0000000000..43d6b10281 --- /dev/null +++ b/utils/cves/index.js 
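Review bot: The `Product Version` sorter and renderer call `impactedVersions.sort(semver.compare).reverse()` directly on the record, which mutates the table data in place on every sort and render, and `semver.compare` throws on any non-semver string, which would take the whole table down for one bad value. Copy before sorting and use the reverse comparator, `const versionsA = [...a.spec.impact.impactedVersions].sort(semver.rcompare);` (same for `versionsB` and `sortedVersions`), or pre-sort once in `minimizeData`, and consider a `semver.valid` filter if the API can return non-semver values. The `Third Party Vulnerability` sorter returns only 0 or 1, which is not a consistent comparator; `Number(a.spec.assessment.thirdParty.isDependentOnThirdParty) - Number(b.spec.assessment.thirdParty.isDependentOnThirdParty)` gives a stable ordering. The initial-tab effect also accepts any `window.location.hash` as `activeTabKey`, so an unknown fragment leaves no tab selected and is then written back to the URL by the second effect; check the value against the four tab keys before calling `setActiveTabKey`.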
@@ -0,0 +1,283 @@ +const { api, callRateLimitAPI } = require("./requests"); +const { existsSync, mkdirSync } = require("node:fs"); +const { logger } = require("@docusaurus/logger"); +const fs = require("fs").promises; +const path = require("path"); +const { formatDateCveDetails } = require("../helpers/date"); +const { escapeMDXSpecialChars } = require("../helpers/string"); +const { generateMarkdownTable } = require("../helpers/affected-table"); +const { generateRevisionHistory } = require("../helpers/revision-history"); + +async function getSecurityBulletins(payload) { + try { + return await callRateLimitAPI(() => api.post(`https://dso.teams.spectrocloud.com/v1/advisories`, payload)); + } catch (error) { + logger.error(error); + logger.error("Error:", error.response ? error.response.data || error.response.status : error.message); + } +} + +async function generateCVEs() { + let GlobalCVEData = {}; + + const securityBulletins = new Map(); + const dirname = path.join(".docusaurus", "security-bulletins", "default"); + const filename = path.join(dirname, "data.json"); + + if (process.env.DISABLE_SECURITY_INTEGRATIONS === "true") { + logger.info("Security integrations are disabled. Skipping generation of security bulletins."); + if (!existsSync(dirname) || !existsSync(filename)) { + // Write the security bulletins data to a JSON file + mkdirSync(dirname, { recursive: true }); + await fs.writeFile(filename, JSON.stringify({}, null, 2)); + } + return; + } + + if (existsSync(dirname) && existsSync(filename)) { + logger.info("Security bulletins JSON file already exists. 
Skipping fetching."); + GlobalCVEData = JSON.parse(await fs.readFile(filename, "utf-8")); + } else { + logger.info("Fetching security bulletins..."); + + try { + const palette = await getSecurityBulletins({ + filters: [ + { + field: "metadata.nistSeverity", + operator: "in", + options: ["CRITICAL", "HIGH"], + }, + { + field: "spec.impact.impactedProducts.palette", + operator: "ex", + }, + { + field: "spec.impact.impactedDeployments.connected", + operator: "ex", + }, + ], + }); + const paletteAirgap = await getSecurityBulletins({ + filters: [ + { + field: "metadata.nistSeverity", + operator: "in", + options: ["CRITICAL", "HIGH"], + }, + { + field: "spec.impact.impactedProducts.palette", + operator: "ex", + }, + { + field: "spec.impact.impactedDeployments.airgap", + operator: "ex", + }, + ], + }); + const vertex = await getSecurityBulletins({ + filters: [ + { + field: "metadata.nistSeverity", + operator: "in", + options: ["CRITICAL", "HIGH"], + }, + { + field: "spec.impact.impactedProducts.vertex", + operator: "ex", + }, + { + field: "spec.impact.impactedDeployments.connected", + operator: "ex", + }, + ], + }); + const vertexAirgap = await getSecurityBulletins({ + filters: [ + { + field: "metadata.nistSeverity", + operator: "in", + options: ["CRITICAL", "HIGH"], + }, + { + field: "spec.impact.impactedProducts.vertex", + operator: "ex", + }, + { + field: "spec.impact.impactedDeployments.airgap", + operator: "ex", + }, + ], + }); + + securityBulletins.set("palette", palette); + securityBulletins.set("paletteAirgap", paletteAirgap); + securityBulletins.set("vertex", vertex); + securityBulletins.set("vertexAirgap", vertexAirgap); + + // const plainObject = Object.fromEntries(securityBulletins); + const plainObject = Object.fromEntries( + Array.from(securityBulletins.entries()).map(([key, value]) => [key, value.data]) + ); + GlobalCVEData = plainObject; + + // Write the security bulletins data to a JSON file + mkdirSync(dirname, { recursive: true }); + await 
fs.writeFile(filename, JSON.stringify(GlobalCVEData, null, 2)); + + logger.info("Finished fetching security bulletins data."); + } catch (error) { + logger.error(error); + logger.error("Error:", error.response ? error.response.status : error.message); + } + } + + await generateMarkdownForCVEs(GlobalCVEData); +} + +async function generateMarkdownForCVEs(GlobalCVEData) { + const allCVEs = Object.values(GlobalCVEData).reduce((acc, curr) => acc.concat(curr), []); + + // To generate the Impact Product & Versions table we need to track all the instances of the same CVE + // The following hashmap will store the data for each CVE and aggregate the impact data for each product + const cveImpactMap = {}; + + for (const item of allCVEs) { + // Let's add the CVE to the map if it doesn't exist + // We can take all of the values from the first instance of the CVE + // Future instances will update the values if they are true + if (!cveImpactMap[item.metadata.cve]) { + cveImpactMap[item.metadata.cve] = { + versions: item.spec.impact.impactedVersions, + impactsPaletteEnterprise: item.spec.impact.impactedProducts.palette, + impactsPaletteEnterpriseAirgap: item.spec.impact.impactedDeployments.airgap, + impactsVerteX: item.spec.impact.impactedProducts.vertex, + impactsVerteXAirgap: item.spec.impact.impactedDeployments.airgap, + }; + } + + // If the CVE already exists in the map, we need to update the values + // But only if the value is true. If the value is false, we don't need to update it. 
+ if (cveImpactMap[item.metadata.cve]) { + cveImpactMap[item.metadata.cve].versions = [ + ...cveImpactMap[item.metadata.cve].versions, + ...item.spec.impact.impactedVersions, + ]; + + if (item.spec.impact.impactedProducts.palette) { + cveImpactMap[item.metadata.cve].impactsPaletteEnterprise = true; + } + + if (item.spec.impact.impactedDeployments.airgap) { + cveImpactMap[item.metadata.cve].impactsPaletteEnterpriseAirgap = true; + } + + if (item.spec.impact.impactedProducts.vertex) { + cveImpactMap[item.metadata.cve].impactsVerteX = true; + } + + if (item.spec.impact.impactedDeployments.airgap) { + cveImpactMap[item.metadata.cve].impactsVerteXAirgap = true; + } + } + } + + const markdownPromises = allCVEs.map((item) => + createCveMarkdown(item, cveImpactMap[item.metadata.cve], "docs/docs-content/security-bulletins/reports/") + ); + + const results = await Promise.all(markdownPromises); + + const failedFiles = results.filter((result) => !result.success); + + if (failedFiles.length > 0) { + logger.error("Failed to generate the following markdown files:"); + failedFiles.forEach((failure) => { + logger.error(`File: ${failure.file}, Error: ${failure.error.message}`); + }); + } + + logger.success("All security bulletin markdown files generated."); +} + +function createCveMarkdown(item, cveImpactData, location) { + const upperCaseCve = item.metadata.cve.toUpperCase(); + const revisions = item.spec.revision; + const uid = item.metadata.uid.toLowerCase(); + + // Generate a table of impacted products + let table = generateMarkdownTable(cveImpactData); + let revisionHistory = generateRevisionHistory(revisions); + + const content = `--- +sidebar_label: "${upperCaseCve}" +title: "${upperCaseCve}" +description: "Lifecycle of ${upperCaseCve}" +sidebar_class_name: "hide-from-sidebar" +hide_table_of_contents: false +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +## CVE Details + +[${upperCaseCve}](https://nvd.nist.gov/vuln/detail/${upperCaseCve}) + +## Initial 
Publication + +${formatDateCveDetails(item.metadata.advCreatedTimestamp)} + +## Last Update + +${formatDateCveDetails(item.metadata.advLastModifiedTimestamp)} + +${item.spec.assessment?.thirdParty?.dependentPackage != "" ? `## Third Party Dependency \n\n${item.spec.assessment.thirdParty.dependentPackage}` : "This CVE does not have a third party dependency."} + + +## NIST CVE Summary + +${escapeMDXSpecialChars(item.metadata.summary)} + +## CVE Severity + +${item.metadata.cvssScore} + +## Our Official Summary + +${item.spec.assessment.justification ? escapeMDXSpecialChars(item.spec.assessment.justification) : "Investigation is ongoing to determine how this vulnerability affects our products."} + +## Status + +${item.status.status} + +## Affected Products & Versions + +${item.spec.impact.isImpacting ? table : "This CVE is non-impacting as the impacting symbol and/or function is not used in the product"} + + +## Revision History + +${revisionHistory ? revisionHistory : "No revision history available."} +`; + + const filePath = path.join(location, `${uid}.md`); + + // Return a promise and include the CVE or file path in the error log + return fs + .writeFile(filePath, content) + .then(() => ({ + success: true, + file: filePath, + })) + .catch((err) => { + console.error(`Error writing file for ${upperCaseCve} at ${filePath}:`, err); + return { + success: false, + file: filePath, + error: err, + }; + }); +} + +// Call the main function to generate CVEs +generateCVEs(); diff --git a/utils/cves/requests.js b/utils/cves/requests.js new file mode 100644 index 0000000000..1d240728ef --- /dev/null +++ b/utils/cves/requests.js 
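Review bot: In `generateMarkdownForCVEs` both airgap flags are derived from `impactedDeployments.airgap` alone, so a CVE that only impacts VerteX airgap is also marked `impactsPaletteEnterpriseAirgap` (and vice versa) in the generated table; each flag should be the product flag AND the deployment flag, `impactsPaletteEnterpriseAirgap: item.spec.impact.impactedProducts.palette && item.spec.impact.impactedDeployments.airgap,` and `impactsVerteXAirgap: item.spec.impact.impactedProducts.vertex && item.spec.impact.impactedDeployments.airgap,`, with the same conjunctions in the update branch below. In `createCveMarkdown` the check `dependentPackage != ""` is true for `undefined`, so a missing field renders a `## Third Party Dependency` heading followed by the literal text `undefined`; test truthiness instead, and pass the value through `escapeMDXSpecialChars` as `summary` and `justification` already are, since the generated `.md` files are compiled as MDX. `logger.error(error)` on a failed request prints the whole axios error, which can include the request `config.headers` and therefore the `Authorization` value; log `error.message` and `error.response?.status` instead so the token never reaches build logs. `generateCVEs()` at the bottom is neither awaited nor caught, so a rejection surfaces only as an unhandled-rejection warning rather than a failed build.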
@@ -0,0 +1,52 @@
+const axios = require("axios");
+const axiosRetry = require("axios-retry").default;
+const { pRateLimit } = require("p-ratelimit");
+require("dotenv").config();
+
+const SECURITY_BULLETIN_URL = "https://dso.teams.spectrocloud.com";
+
+// Ensure that the authentication token is available in the environment
+const authToken = process.env.DSO_AUTH_TOKEN;
+if (!authToken) {
+ throw new Error("DSO_AUTH_TOKEN must be set in the environment to use this plugin.");
+}
+
+const api = axios.create({
+ baseURL: SECURITY_BULLETIN_URL,
+ timeout: 120000, // 2 minutes timeout
+ headers: {
+ "Content-Type": "application/json",
+ Authorization: "Basic " + authToken, // Use the environment variable for auth token
+ },
+});
+
+// Set up rate limiting using pRateLimit
+const limit = pRateLimit({
+ interval: 2000, // 2 seconds
+ rate: 10, // 10 API calls per interval
+ concurrency: 1, // no more than 1 running at once
+});
+
+axiosRetry(api, {
+ retries: 3, // Retry up to 3 times
+ retryDelay: axiosRetry.exponentialDelay, // Exponential backoff starting with 1 second
+ retryCondition(error) {
+ // Retry based on status codes
+ switch (error.response?.status) {
+ case 500:
+ case 404:
+ case 501:
+ case 429:
+ return true;
+ default:
+ return false;
+ }
+ },
+});
+
+// Function to handle API calls with rate limiting
+function callRateLimitAPI(delayedApiCall) {
+ return limit(delayedApiCall);
+}
+
+module.exports = { api, callRateLimitAPI };
diff --git a/utils/helpers/affected-table.js b/utils/helpers/affected-table.js
new file mode 100644
index 0000000000..da23a3d27b
--- /dev/null
+++ b/utils/helpers/affected-table.js
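Review bot: The `DSO_AUTH_TOKEN` check runs at module load, and `utils/cves/index.js` requires this module before it reads `DISABLE_SECURITY_INTEGRATIONS`, so the "integrations disabled" path — and with it `npm run build` for anyone without the token — still throws `DSO_AUTH_TOKEN must be set`. Move the check into a function the caller invokes only when a request is actually made, or read the disable flag here before throwing. `retryCondition` also retries on 404 and 501, which are not transient, so a missing endpoint costs three extra backoff rounds; keep 429 and the transient 5xx statuses, add the no-`error.response` network-error case, and drop 404/501. The header is built as a raw `Basic` value, so the variable must already hold the base64 `user:password` form; a comment such as `// DSO_AUTH_TOKEN is the pre-encoded base64 credential, not a plain password` would prevent the obvious misconfiguration.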
@@ -0,0 +1,48 @@
+const semver = require("semver");
+
+function generateMarkdownTable(cveImpactMap) {
+ if (!cveImpactMap || typeof cveImpactMap !== "object") {
+ throw new Error("Invalid input: cveImpactMap must be an object.");
+ }
+
+ const impactData = {
+ "Palette Enterprise": cveImpactMap.impactsPaletteEnterprise,
+ "Palette Enterprise Airgap": cveImpactMap.impactsPaletteEnterpriseAirgap,
+ VerteX: cveImpactMap.impactsVerteX,
+ "VerteX Airgap": cveImpactMap.impactsVerteXAirgap,
+ };
+
+ const allProductsFalse = Object.values(impactData).every((value) => value === false);
+ if (allProductsFalse) {
+ return "Investigation is ongoing to determine how this vulnerability affects our products";
+ }
+
+ const anyProductTrue = Object.values(impactData).some((value) => value === true);
+ if (anyProductTrue && (!cveImpactMap.versions || cveImpactMap.versions.length === 0)) {
+ throw new Error("Error: Data inconsistency - Products impacted but no versions provided.");
+ }
+
+ // Create the header row with the specified order
+ const header = `| Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |\n`;
+ const separator = `| - | -------- | -------- | -------- | -------- |\n`;
+
+ // const uniqueVersions = Array.from(new Set(cveImpactMap.versions)).sort((a, b) => b.localeCompare(a));
+ const uniqueVersions = Array.from(new Set(cveImpactMap.versions)).sort(semver.rcompare);
+
+ const rows = uniqueVersions
+ .map((version) => {
+ const row = [
+ `| ${version}`,
+ impactData["Palette Enterprise"] ? "Impacted" : "No Impact",
+ impactData["Palette Enterprise Airgap"] ? "Impacted" : "No Impact",
+ impactData["VerteX"] ? "Impacted" : "No Impact",
+ impactData["VerteX Airgap"] ? "Impacted" : "No Impact",
+ ].join(" | ");
+ return row + " |";
+ })
+ .join("\n");
+
+ return header + separator + rows;
+}
+
+module.exports = { generateMarkdownTable };
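Review bot: The `allProductsFalse` and `anyProductTrue` checks compare with `=== false` and `=== true`, so if any of the four flags is `undefined` (a field absent from the API payload) neither branch fires and the function silently emits a table of `No Impact` rows instead of the investigation message or the consistency error; coerce first, e.g. `const flags = Object.values(impactData).map(Boolean);` and test `flags.every((v) => !v)` / `flags.some(Boolean)`. `semver.rcompare` throws on a value that is not valid semver, which aborts the whole markdown run for one malformed version string; consider filtering with `semver.valid` or catching and falling back to a plain string sort. A `|` inside a version value would also break the table row, though that is unlikely for semver input.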
diff --git a/utils/helpers/affected-table.test.js b/utils/helpers/affected-table.test.js new file mode 100644 index 0000000000..5cda941769 --- /dev/null +++ b/utils/helpers/affected-table.test.js @@ -0,0 +1,47 @@ +const { generateMarkdownTable } = require("./affected-table"); + +describe("generateMarkdownTable", () => { + it("should generate a markdown table for two products with mixed impact", () => { + const cveImpactMap = { + versions: ["4.4.20", "4.5.3"], + impactsPaletteEnterprise: true, + impactsPaletteEnterpriseAirgap: false, + impactsVerteX: false, + impactsVerteXAirgap: false, + }; + + const expectedTable = `| Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap | +|-|--------|--------|--------|--------| +| 4.5.3 | Impacted | No Impact | No Impact | No Impact | +| 4.4.20 | Impacted | No Impact | No Impact | No Impact |`; + + expect(generateMarkdownTable(cveImpactMap).replace(/\s+/g, "")).toBe(expectedTable.replace(/\s+/g, "")); + }); + + it("should return investigation message when all products are not impacted", () => { + const cveImpactMap = { + versions: ["4.4.20", "4.5.3"], + impactsPaletteEnterprise: false, + impactsPaletteEnterpriseAirgap: false, + impactsVerteX: false, + impactsVerteXAirgap: false, + }; + + const expectedMessage = "Investigation is ongoing to determine how this vulnerability affects our products"; + expect(generateMarkdownTable(cveImpactMap)).toBe(expectedMessage); + }); + + it("should throw an error when products are impacted but no versions are provided", () => { + const cveImpactMap = { + versions: [], + impactsPaletteEnterprise: true, + impactsPaletteEnterpriseAirgap: false, + impactsVerteX: false, + impactsVerteXAirgap: false, + }; + + expect(() => generateMarkdownTable(cveImpactMap)).toThrow( + "Error: Data inconsistency - Products impacted but no versions provided." + ); + }); +}); diff --git a/utils/helpers/date.js b/utils/helpers/date.js new file mode 100644 index 0000000000..d49b8dcb84 
--- /dev/null
+++ b/utils/helpers/date.js
@@ -0,0 +1,23 @@
+function getTodayFormattedDate() {
+ const options = { timeZone: "America/Los_Angeles", year: "numeric", month: "2-digit", day: "2-digit" };
+ const formattedDate = new Date().toLocaleDateString("en-CA", options);
+ return formattedDate;
+}
+
+function formatDateCveDetails(isoString) {
+ const date = new Date(isoString);
+
+ // Check if the date is valid
+ if (isNaN(date.getTime())) {
+ console.warn(`Invalid date string: ${isoString}`);
+ return "N/A"; // or an appropriate placeholder for invalid dates
+ }
+
+ const month = String(date.getUTCMonth() + 1).padStart(2, "0"); // Pad month to 2 digits
+ const day = String(date.getUTCDate()).padStart(2, "0"); // Pad day to 2 digits
+ const year = date.getUTCFullYear();
+
+ return `${month}/${day}/${year}`;
+}
+
+module.exports = { getTodayFormattedDate, formatDateCveDetails };
diff --git a/utils/helpers/dates.test.js b/utils/helpers/dates.test.js
new file mode 100644
index 0000000000..d06e062284
--- /dev/null
+++ b/utils/helpers/dates.test.js
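Review bot: `formatDateCveDetails` formats with the UTC getters while `getTodayFormattedDate` uses `America/Los_Angeles`, and neither function documents this, so an advisory timestamp late in the UTC day can show a different calendar date from the "today" string rendered beside it. Add JSDoc to both, e.g. `/** Format an ISO-8601 timestamp as MM/DD/YYYY on the UTC calendar; returns "N/A" for unparsable input. */` on `formatDateCveDetails` and `/** Today's date as YYYY-MM-DD in the America/Los_Angeles time zone. */` on `getTodayFormattedDate`, so callers know which zone they are getting.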
@@ -0,0 +1,51 @@ +const { getTodayFormattedDate, formatDateCveDetails } = require("./date"); + +describe("getTodayFormattedDate", () => { + it("should return today's date formatted as YYYY-MM-DD in America/Los_Angeles timezone", () => { + const options = { timeZone: "America/Los_Angeles", year: "numeric", month: "2-digit", day: "2-digit" }; + const expectedDate = new Date().toLocaleDateString("en-CA", options); + + expect(getTodayFormattedDate()).toBe(expectedDate); + }); + + it("should return the date in YYYY-MM-DD format", () => { + const formattedDate = getTodayFormattedDate(); + expect(formattedDate).toMatch(/^\d{4}-\d{2}-\d{2}$/); // Check for correct format + }); +}); + +describe("formatDateCveDetails", () => { + it("should format ISO string date to MM/DD/YYYY with zero-padded month and day", () => { + const isoString = "2023-09-05T00:00:00Z"; + const formattedDate = formatDateCveDetails(isoString); + + expect(formattedDate).toBe("09/05/2023"); + }); + + it("should handle leap years correctly", () => { + const isoString = "2024-02-29T00:00:00Z"; + const formattedDate = formatDateCveDetails(isoString); + + expect(formattedDate).toBe("02/29/2024"); + }); + + it("should return the correct date even with different time zones in the input", () => { + const isoString = "2023-09-20T15:00:00Z"; // Time zone is UTC but should still give the same day in UTC + const formattedDate = formatDateCveDetails(isoString); + + expect(formattedDate).toBe("09/20/2023"); + }); + + it("should return 'N/A' for an invalid date string", () => { + const invalidDate = "invalid-date"; + const formattedDate = formatDateCveDetails(invalidDate); + + expect(formattedDate).toBe("N/A"); + }); + + it("should return 'N/A' for undefined input", () => { + const formattedDate = formatDateCveDetails(undefined); + + expect(formattedDate).toBe("N/A"); + }); +}); diff --git a/utils/helpers/revision-history.js b/utils/helpers/revision-history.js new file mode 100644 index 0000000000..29f9a36647 
--- /dev/null
+++ b/utils/helpers/revision-history.js
@@ -0,0 +1,104 @@
+const { formatDateCveDetails } = require("./date");
+
+/**
+ * Generates a markdown table for revision history, sorted by newest entries first
+ * @param {Array} revisions - An array of revision objects
+ * @returns {string} - The markdown table as a string
+ */
+function generateRevisionHistory(revisions) {
+ const headers = ["Date", "Revision"];
+ const headerRow = `| ${headers.join(" | ")} |`;
+ const separatorRow = `| ${headers.map(() => "---").join(" | ")} |`;
+
+ // Sort revisions by timestamp in descending order, only if revisions array is not empty
+ const sortedRevisions = revisions.length
+ ? [...revisions].sort((a, b) => new Date(b.revisionTimestamp) - new Date(a.revisionTimestamp))
+ : [];
+
+ const rows = sortedRevisions.reduce((acc, { revisionTimestamp, revisedField, revisedFrom, revisedTo }) => {
+ const description = getItemDescription(revisedField, revisedFrom, revisedTo);
+
+ if (!description) return acc;
+
+ const formattedDate = formatDateCveDetails(revisionTimestamp);
+ acc.push(`| ${formattedDate} | ${description} |`);
+ return acc;
+ }, []);
+
+ return `${headerRow}\n${separatorRow}\n${rows.join("\n")}`;
+}
+
+/**
+ * Generates a description for a revision item based on field, from, and to values
+ * @param {string} revisedField - The field that was revised
+ * @param {string} revisedFrom - The previous value of the field
+ * @param {string} revisedTo - The new value of the field
+ * @returns {string} - A human-readable description of the revision
+ */
+function getItemDescription(revisedField, revisedFrom, revisedTo) {
+ let itemDescription = "";
+
+ revisedField = revisedField.replace(/(\r\n|\n|\r)/gm, "");
+ revisedFrom = revisedFrom.replace(/(\r\n|\n|\r)/gm, "");
+ revisedTo = revisedTo.replace(/(\r\n|\n|\r)/gm, "");
+
+ switch (revisedField) {
+ case "spec.assessment.justification":
+ itemDescription = getJustificationDescription(revisedFrom, revisedTo);
+ break;
+
+ case "metadata.nistSeverity":
+ itemDescription = getSeverityDescription(revisedFrom, revisedTo);
+ break;
+
+ case "spec.impact.impactedVersions":
+ itemDescription = getImpactedVersionsDescription(revisedFrom, revisedTo);
+ break;
+
+ case "status.status":
+ itemDescription = revisedFrom !== revisedTo ? `Status changed from ${revisedFrom} to ${revisedTo}` : "";
+ break;
+
+ case "spec.impact.isImpacting":
+ itemDescription =
+ revisedFrom === "false" && revisedTo === "true"
+ ? "Advisory is now impacting."
+ : revisedFrom === "true" && revisedTo === "false"
+ ? "Advisory is no longer impacting."
+ : "";
+ break;
+
+ default:
+ return ""; // Return early if no matching case
+ }
+
+ return itemDescription;
+}
+
+function getJustificationDescription(revisedFrom, revisedTo) {
+ if (!revisedFrom && revisedTo) return "Official summary added";
+ if (revisedFrom && !revisedTo) return "Official summary removed";
+ if (revisedFrom && revisedTo) return `Official summary revised: ${revisedTo}`;
+ return "";
+}
+
+function getSeverityDescription(revisedFrom, revisedTo) {
+ if (revisedFrom === "UNKNOWN") return `Advisory assigned with ${revisedTo} severity`;
+ if (revisedFrom !== revisedTo) return `Advisory severity revised to ${revisedTo} from ${revisedFrom}`;
+ return "";
+}
+
+function getImpactedVersionsDescription(revisedFrom, revisedTo) {
+ const formattedFrom = formatArray(revisedFrom);
+ const formattedTo = formatArray(revisedTo);
+
+ return revisedFrom === "[]"
+ ? `Added impacted versions: ${formattedTo}`
+ : `Impacted versions changed from ${formattedFrom} to ${formattedTo}`;
+}
+
+function formatArray(value) {
+ return value.replace(/\s+/g, ", ").replace(/^\[|\]$/g, "");
+}
+
+module.exports = { generateRevisionHistory };
diff --git a/utils/helpers/revision-history.test.js b/utils/helpers/revision-history.test.js
new file mode 100644
index 0000000000..396cf48a4c
--- /dev/null
+++ b/utils/helpers/revision-history.test.js
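Review bot: `generateRevisionHistory` interpolates `description` — which for `spec.assessment.justification` is the raw `revisedTo` text — straight into a markdown table cell, so a `|` in a summary splits the row, and `{`, `<` or backticks reach the MDX compiler unescaped, where `{...}` and `<tag>` are evaluated as expressions/JSX at docs build time instead of being shown as text. The escaping helper this same commit adds in string.js is not used here; import it with `const { escapeMDXSpecialChars } = require("./string");` and, at the row push, write `${escapeMDXSpecialChars(description).replace(/\|/g, "\\|")}` in place of `${description}`. The advisory text presumably originates from an external feed, so it should be treated as untrusted input to the site build. Separately, `getItemDescription` calls `.replace` on `revisedField`, `revisedFrom` and `revisedTo` with no guard, so one record with a missing field throws a TypeError and aborts the whole table; normalising with `String(revisedFrom ?? "")` (and likewise for the other two) before the replace would degrade gracefully.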
@@ -0,0 +1,186 @@
+const { generateRevisionHistory } = require("./revision-history");
+
+describe("generateRevisionHistory", () => {
+ it("should generate history for justification field changes", () => {
+ const revisionHistory = [
+ {
+ revisionTimestamp: "2024-10-16T05:50:00.194Z",
+ revisedField: "spec.assessment.justification",
+ revisedFrom: "",
+ revisedTo: "Summary text added",
+ },
+ {
+ revisionTimestamp: "2024-10-17T05:50:00.194Z",
+ revisedField: "spec.assessment.justification",
+ revisedFrom: "Summary text added",
+ revisedTo: "Revised summary text",
+ },
+ {
+ revisionTimestamp: "2024-10-18T05:50:00.194Z",
+ revisedField: "spec.assessment.justification",
+ revisedFrom: "Revised summary text",
+ revisedTo: "",
+ },
+ ];
+
+ const expectedOutput = [
+ "| Date | Revision |",
+ "| --- | --- |",
+ "| 10/18/2024 | Official summary removed |",
+ "| 10/17/2024 | Official summary revised: Revised summary text |",
+ "| 10/16/2024 | Official summary added |",
+ ].join("\n");
+
+ expect(generateRevisionHistory(revisionHistory)).toBe(expectedOutput);
+ });
+
+ it("should generate history for NIST severity changes", () => {
+ const revisionHistory = [
+ {
+ revisionTimestamp: "2024-10-16T05:50:00.194Z",
+ revisedField: "metadata.nistSeverity",
+ revisedFrom: "UNKNOWN",
+ revisedTo: "CRITICAL",
+ },
+ {
+ revisionTimestamp: "2024-10-17T05:50:00.194Z",
+ revisedField: "metadata.nistSeverity",
+ revisedFrom: "CRITICAL",
+ revisedTo: "HIGH",
+ },
+ ];
+
+ const expectedOutput = [
+ "| Date | Revision |",
+ "| --- | --- |",
+ "| 10/17/2024 | Advisory severity revised to HIGH from CRITICAL |",
+ "| 10/16/2024 | Advisory assigned with CRITICAL severity |",
+ ].join("\n");
+
+ expect(generateRevisionHistory(revisionHistory)).toBe(expectedOutput);
+ });
+
+ it("should generate history for impacted versions changes", () => {
+ const revisionHistory = [
+ {
+ revisionTimestamp: "2024-10-16T05:50:00.194Z",
+ revisedField: "spec.impact.impactedVersions",
+ revisedFrom: "[]", revisedTo: "[4.4.20]",
+ },
+ {
+ revisionTimestamp: "2024-10-17T05:50:00.194Z",
+ revisedField: "spec.impact.impactedVersions",
+ revisedFrom: "[4.4.20]",
+ revisedTo: "[4.4.20 4.5.3]",
+ },
+ ];
+
+ const expectedOutput = [
+ "| Date | Revision |",
+ "| --- | --- |",
+ "| 10/17/2024 | Impacted versions changed from 4.4.20 to 4.4.20, 4.5.3 |",
+ "| 10/16/2024 | Added impacted versions: 4.4.20 |",
+ ].join("\n");
+
+ expect(generateRevisionHistory(revisionHistory)).toBe(expectedOutput);
+ });
+
+ it("should generate history for status changes", () => {
+ const revisionHistory = [
+ {
+ revisionTimestamp: "2024-10-16T05:50:00.194Z",
+ revisedField: "status.status",
+ revisedFrom: "OPEN",
+ revisedTo: "CLOSED",
+ },
+ ];
+
+ const expectedOutput = [
+ "| Date | Revision |",
+ "| --- | --- |",
+ "| 10/16/2024 | Status changed from OPEN to CLOSED |",
+ ].join("\n");
+
+ expect(generateRevisionHistory(revisionHistory)).toBe(expectedOutput);
+ });
+
+ it("should generate history for isImpacting changes", () => {
+ const revisionHistory = [
+ {
+ revisionTimestamp: "2024-10-16T05:50:00.194Z",
+ revisedField: "spec.impact.isImpacting",
+ revisedFrom: "false",
+ revisedTo: "true",
+ },
+ {
+ revisionTimestamp: "2024-10-17T05:50:00.194Z",
+ revisedField: "spec.impact.isImpacting",
+ revisedFrom: "true",
+ revisedTo: "false",
+ },
+ ];
+
+ const expectedOutput = [
+ "| Date | Revision |",
+ "| --- | --- |",
+ "| 10/17/2024 | Advisory is no longer impacting. |",
+ "| 10/16/2024 | Advisory is now impacting. |",
+ ].join("\n");
+
+ expect(generateRevisionHistory(revisionHistory)).toBe(expectedOutput);
+ });
+
+ it("should sort revisions with newest entries at the top", () => {
+ const revisionHistory = [
+ {
+ revisionTimestamp: "2024-10-15T05:50:00.194Z",
+ revisedField: "spec.assessment.justification",
+ revisedFrom: "",
+ revisedTo: "Initial summary",
+ },
+ {
+ revisionTimestamp: "2024-10-17T05:50:00.194Z",
+ revisedField: "spec.assessment.justification",
+ revisedFrom: "Initial summary",
+ revisedTo: "Updated summary",
+ },
+ {
+ revisionTimestamp: "2024-10-16T05:50:00.194Z",
+ revisedField: "spec.assessment.justification",
+ revisedFrom: "Updated summary",
+ revisedTo: "Final summary",
+ },
+ ];
+
+ const expectedOutput = [
+ "| Date | Revision |",
+ "| --- | --- |",
+ "| 10/17/2024 | Official summary revised: Updated summary |",
+ "| 10/16/2024 | Official summary revised: Final summary |",
+ "| 10/15/2024 | Official summary added |",
+ ].join("\n");
+
+ expect(generateRevisionHistory(revisionHistory)).toBe(expectedOutput);
+ });
+
+ it("newlines are removed from description", () => {
+ const revisionHistory = [
+ {
+ revisionTimestamp: "2024-10-15T05:50:00.194Z",
+ revisedField: "spec.assessment.justification",
+ revisedFrom: "Investigation is ongoing to determine how this vulnerability impacts our products.\n",
+ revisedTo:
+ "This vulnerability in pam_access allows hostname spoofing to bypass restrictions intended for specific local TTYs or services This enables attackers with minimal effort to exploit gaps in security policies that rely on access.conf configurations. \n\nThis is reported on a few of the third party images which do not use pam_access. So risk of exploitation is low. Impact of exploit is also low, since these containers present a minimal attack surface.\n",
+ },
+ ];
+
+ const expectedOutput = [
+ "| Date | Revision |",
+ "| --- | --- |",
+ "| 10/15/2024 | Official summary revised: This vulnerability in pam_access allows hostname spoofing to bypass restrictions intended for specific local TTYs or services This enables attackers with minimal effort to exploit gaps in security policies that rely on access.conf configurations. This is reported on a few of the third party images which do not use pam_access. So risk of exploitation is low. Impact of exploit is also low, since these containers present a minimal attack surface. |",
+ ].join("\n");
+
+ expect(generateRevisionHistory(revisionHistory)).toBe(expectedOutput);
+ });
+});
diff --git a/utils/helpers/string.js b/utils/helpers/string.js
new file mode 100644
index 0000000000..dbbe068ba5
--- /dev/null
+++ b/utils/helpers/string.js
@@ -0,0 +1,16 @@
+function escapeMDXSpecialChars(str) {
+ if (typeof str !== "string") {
+ return "";
+ }
+
+ // Escape special MDX characters by adding a backslash in front of them
+ return str
+ .replace(/\\/g, "\\\\") // Escape backslash
+ .replace(/{/g, "\\{") // Escape opening curly brace
+ .replace(/}/g, "\\}") // Escape closing curly brace
+ .replace(/`/g, "\\`") // Escape backticks
+ .replace(//g, "\\>"); // Escape greater-than sign
+}
+
+module.exports = { escapeMDXSpecialChars };
diff --git a/utils/helpers/string.test.js b/utils/helpers/string.test.js
new file mode 100644
index 0000000000..f2e54ee3b1
--- /dev/null
+++ b/utils/helpers/string.test.js
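Review bot: No test covers the empty-revisions path that `generateRevisionHistory` special-cases, a `revisedField` the switch does not recognise, or a summary containing `|` or MDX syntax. Adding `expect(generateRevisionHistory([])).toBe("| Date | Revision |\n| --- | --- |\n");` would pin the current output — including the trailing newline that `rows.join("\n")` on an empty array leaves behind, which a caller may not expect — and a record with `revisedField: "spec.other"` should assert that only the header and separator rows are emitted. A justification such as `"a | b <b>c</b>"` would document whether this helper is expected to escape table and MDX syntax itself or leave that to its caller, which the current tests leave unspecified.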
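Review bot: The final step of the chain, `.replace(//g, "\\>")`, is not valid JavaScript as it appears in this hunk: `//` opens a line comment that swallows the rest of the line and leaves the call unterminated, and the header promises 16 added lines while 15 are shown, so the `<`-escaping step and the regex bodies for `<` and `>` look to have been lost in rendering rather than in the commit. The companion test expects both `\\<` and `\\>`, so please confirm the committed file reads `.replace(/</g, "\\<") // Escape less-than sign` followed by `.replace(/>/g, "\\>"); // Escape greater-than sign`. A JSDoc header would also help callers, e.g. a comment stating that the function backslash-escapes `\`, `{`, `}`, backticks, `<` and `>` so text renders literally in MDX, returns `""` for any non-string, and does not escape the `|` that markdown tables use. Note the non-string branch silently turns a number such as `123` into `""`, which the test pins; if numeric fields can reach it, coercing with `String(str)` may be the more useful contract.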
@@ -0,0 +1,57 @@
+const { escapeMDXSpecialChars } = require("./string");
+
+describe("escapeMDXSpecialChars", () => {
+ it("should escape all special MDX characters", () => {
+ const input = "\\ { } ` < >";
+ const expectedOutput = "\\\\ \\{ \\} \\` \\< \\>";
+
+ expect(escapeMDXSpecialChars(input)).toBe(expectedOutput);
+ });
+
+ it("should handle strings without special characters", () => {
+ const input = "Hello World";
+ const expectedOutput = "Hello World";
+
+ expect(escapeMDXSpecialChars(input)).toBe(expectedOutput);
+ });
+
+ it("should return an empty string if input is not a string", () => {
+ expect(escapeMDXSpecialChars(null)).toBe("");
+ expect(escapeMDXSpecialChars(123)).toBe("");
+ expect(escapeMDXSpecialChars({})).toBe("");
+ expect(escapeMDXSpecialChars([])).toBe("");
+ expect(escapeMDXSpecialChars(undefined)).toBe("");
+ });
+
+ it("should escape only MDX special characters and leave others intact", () => {
+ const input = "Hello {world} is a `test` \\ string!";
+ const expectedOutput = "Hello \\{world\\} \\ is a \\`test\\` \\\\ string!";
+
+ expect(escapeMDXSpecialChars(input)).toBe(expectedOutput);
+ });
+
+ it("should handle a string with only backslashes correctly", () => {
+ const input = "\\\\";
+ const expectedOutput = "\\\\\\\\";
+
+ expect(escapeMDXSpecialChars(input)).toBe(expectedOutput);
+ });
+
+ it("should escape MDX special characters when they appear multiple times", () => {
+ const input = "{}{}<<>>``";
+ const expectedOutput = "\\{\\}\\{\\}\\<\\<\\>\\>\\`\\`";
+
+ expect(escapeMDXSpecialChars(input)).toBe(expectedOutput);
+ });
+
+ it("should handle an empty string input", () => {
+ expect(escapeMDXSpecialChars("")).toBe("");
+ });
+
+ it("should not modify numeric characters or punctuation marks other than MDX special characters", () => {
+ const input = "12345 ,.!? ";
+ const expectedOutput = "12345 ,.!? ";
+
+ expect(escapeMDXSpecialChars(input)).toBe(expectedOutput);
+ });
+});
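Review bot: In "should escape only MDX special characters and leave others intact", the expected string carries a stray `\\ ` (one backslash plus a space at runtime) between `\\}` and `is a` that the input `"Hello {world} is a ..."` does not contain, so as shown here the assertion cannot pass: `escapeMDXSpecialChars` only prefixes characters that are already present and never inserts a backslash on its own. Either the input or the expected value was mangled in rendering, or the test is wrong; for that input the correct expectation drops the stray sequence and reads `"Hello \\{world\\} is a \\` + "`" + `test\\` + "`" + ` \\\\ string!"` in the same escaped-source notation the other cases use. It would also be worth one case showing that `|` is passed through untouched, since callers building markdown tables need to know that it is not covered by this helper.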