Total: 347 CVE

| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-41319 | 1 Ethyca | 1 Fides | 2024-11-21 | 8.8 High | 
| Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides webserver API allows custom integrations to be uploaded as a ZIP file. This ZIP file must contain YAML files, but Fides can be configured to also accept the inclusion of custom Python code in it. The custom code is executed in a restricted, sandboxed environment, but the sandbox can be bypassed to execute any arbitrary code. The vulnerability allows the execution of arbitrary code on the target system within the context of the webserver Python process owner on the webserver container, which by default is `root`, and allows that access to be leveraged to attack underlying infrastructure and integrated systems. This vulnerability affects Fides versions `2.11.0` through `2.19.0`. Exploitation is limited to API clients with the `CONNECTOR_TEMPLATE_REGISTER` authorization scope. In the Fides Admin UI this scope is restricted to highly privileged users, specifically root users and users with the owner role. Exploitation is only possible if the security configuration parameter `allow_custom_connector_functions` is enabled by the user deploying the Fides webserver container, either in `fides.toml` or by setting the env var `FIDES__SECURITY__ALLOW_CUSTOM_CONNECTOR_FUNCTIONS=True`. By default this configuration parameter is disabled. The vulnerability has been patched in Fides version `2.19.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. Users unable to upgrade should ensure that `allow_custom_connector_functions` in `fides.toml` and the `FIDES__SECURITY__ALLOW_CUSTOM_CONNECTOR_FUNCTIONS` env var are both either unset or explicitly set to `False`. | ||||
| CVE-2023-3089 | 1 Redhat | 18 Acm, Amq Streams, Container Native Virtualization and 15 more | 2024-11-21 | 7 High | 
| A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-validated. | ||||
| CVE-2023-34984 | 1 Fortinet | 1 Fortiweb | 2024-11-21 | 7.1 High | 
| A protection mechanism failure in Fortinet FortiWeb 7.2.0 through 7.2.1, 7.0.0 through 7.0.6, 6.4.0 through 6.4.3, 6.3.6 through 6.3.23 allows an attacker to execute unauthorized code or commands via specially crafted HTTP requests. | ||||
| CVE-2023-34427 | 1 Intel | 2 Realsense 450 Fa, Realsense 450 Fa Firmware | 2024-11-21 | 5.3 Medium | 
| Protection mechanism failure in some Intel(R) RealSense(TM) ID software for Intel(R) RealSense(TM) 450 FA in version 0.25.0 may allow an authenticated user to potentially enable escalation of privilege via local access. | ||||
| CVE-2023-32644 | 1 Intel | 10 Killer, Killer Wi-fi 6 Ax1650, Killer Wi-fi 6e Ax1675 and 7 more | 2024-11-21 | 4.3 Medium | 
| Protection mechanism failure for some Intel(R) PROSet/Wireless and Intel(R) Killer(TM) Wi-Fi software before version 22.240 may allow an unauthenticated user to potentially enable denial of service via adjacent access. | ||||
| CVE-2023-32493 | 1 Dell | 1 Powerscale Onefs | 2024-11-21 | 7.3 High | 
| Dell PowerScale OneFS, 9.5.0.x, contains a protection mechanism bypass vulnerability. An unprivileged, remote attacker could potentially exploit this vulnerability, leading to denial of service, information disclosure and remote execution. | ||||
| CVE-2023-31273 | 1 Intel | 1 Data Center Manager | 2024-11-21 | 10 Critical | 
| Protection mechanism failure in some Intel DCM software before version 5.2 may allow an unauthenticated user to potentially enable escalation of privilege via network access. | ||||
| CVE-2023-27383 | 1 Intel | 5 Advisor, Inspector, Mpi Library and 2 more | 2024-11-21 | 6.8 Medium | 
| Protection mechanism failure in some Intel(R) oneAPI HPC Toolkit 2023.1 and Intel(R) MPI Library software before version 2021.9 may allow a privileged user to potentially enable escalation of privilege via adjacent access. | ||||
| CVE-2023-25945 | 1 Intel | 1 One Boot Flash Update | 2024-11-21 | 6.7 Medium | 
| Protection mechanism failure in some Intel(R) OFU software before version 14.1.31 may allow an authenticated user to potentially enable escalation of privilege via local access. | ||||
| CVE-2023-25080 | 1 Intel | 1 Openvino | 2024-11-21 | 5.3 Medium | 
| Protection mechanism failure in some Intel(R) Distribution of OpenVINO toolkit software before version 2023.0.0 may allow an authenticated user to potentially enable information disclosure via local access. | ||||
| CVE-2022-43406 | 2 Jenkins, Redhat | 3 Groovy Libraries, Ocp Tools, Openshift | 2024-11-21 | 9.9 Critical | 
| A sandbox bypass vulnerability in Jenkins Pipeline: Deprecated Groovy Libraries Plugin 583.vf3b_454e43966 and earlier allows attackers with permission to define untrusted Pipeline libraries and to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. | ||||
| CVE-2022-43405 | 2 Jenkins, Redhat | 3 Groovy Libraries, Ocp Tools, Openshift | 2024-11-21 | 9.9 Critical | 
| A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Libraries Plugin 612.v84da_9c54906d and earlier allows attackers with permission to define untrusted Pipeline libraries and to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. | ||||
| CVE-2022-43404 | 2 Jenkins, Redhat | 3 Script Security, Ocp Tools, Openshift | 2024-11-21 | 9.9 Critical | 
| A sandbox bypass vulnerability involving crafted constructor bodies and calls to sandbox-generated synthetic constructors in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. | ||||
| CVE-2022-43403 | 2 Jenkins, Redhat | 3 Script Security, Ocp Tools, Openshift | 2024-11-21 | 9.9 Critical | 
| A sandbox bypass vulnerability involving casting an array-like value to an array type in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. | ||||
| CVE-2022-43402 | 2 Jenkins, Redhat | 3 Pipeline\, Ocp Tools, Openshift | 2024-11-21 | 9.9 Critical | 
| A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime in Jenkins Pipeline: Groovy Plugin 2802.v5ea_628154b_c2 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. | ||||
| CVE-2022-43401 | 2 Jenkins, Redhat | 3 Script Security, Ocp Tools, Openshift | 2024-11-21 | 9.9 Critical | 
| A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. | ||||
| CVE-2022-41984 | 1 Intel | 4 Arc A750, Arc A750 Firmware, Arc A770 and 1 more | 2024-11-21 | 4.4 Medium | 
| Protection mechanism failure for some Intel(R) Arc(TM) graphics cards A770 and A750 Limited Edition sold between October of 2022 and December of 2022 may allow a privileged user to potentially enable denial of service via local access. | ||||
| CVE-2022-34175 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 7.5 High | 
| Jenkins 2.335 through 2.355 (both inclusive) allows attackers in some cases to bypass a protection mechanism, thereby directly accessing some view fragments containing sensitive information, bypassing any permission checks in the corresponding view. | ||||
| CVE-2022-31479 | 2 Carrier, Hidglobal | 28 Lenels2 Lnl-4420, Lenels2 Lnl-4420 Firmware, Lenels2 Lnl-x2210 and 25 more | 2024-11-21 | 9.6 Critical | 
| An unauthenticated attacker can update the hostname with a specially crafted name that will allow for shell commands to be executed during the core collection process. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.302 for the LP series and 1.296 for the EP series. An attacker with this level of access on the device can monitor all communications sent to and from this device, modify onboard relays, change configuration files, or cause the device to become unstable. The injected commands only get executed during start up or when unsafe calls regarding the hostname are used. This allows the attacker to gain remote access to the device and can make their persistence permanent by modifying the filesystem. | ||||
| CVE-2022-30945 | 2 Jenkins, Redhat | 2 Pipeline\, Openshift | 2024-11-21 | 8.5 High | 
| Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath of Jenkins and Jenkins plugins in sandboxed pipelines. | ||||