Attackers can exploit a weakness in the connector template upload feature to upload a malicious zip bomb file, resulting in resource exhaustion and service unavailability for all users of the Fides webserver. The Fides webserver is vulnerable to a type of Denial of Service (DoS) attack. There is no known workaround to remediate this vulnerability without upgrading.įides is an open-source privacy engineering platform for managing data privacy requests and privacy regulations. Users are advised to upgrade to this version or later to secure their systems against this threat. The vulnerability has been patched in Fides version `2.16.0`. Exploitation is limited to users with elevated privileges with the `CONNECTOR_TEMPLATE_REGISTER` scope, which includes root users and users with the owner role. This vulnerability affects Fides versions `2.11.0` through `2.15.1`. Attackers can exploit this vulnerability to upload zip files containing malicious SVG bombs (similar to a billion laughs attack), causing resource exhaustion in Admin UI browser tabs and creating a persistent denial of service of the 'new connector' page (`datastore-connection/new`). Affected products and versions are as follows: WRC-1167GHBK-S v1.03 and earlier, WRC-1167GEBK-S v1.03 and earlier, WRC-1167FEBK-S v1.04 and earlier, WRC-1167GHBK3-A v1.24 and earlier, and WRC-1167FEBK-A v1.18 and earlier.įides is an open-source privacy engineering platform for managing data privacy requests and privacy regulations. OS command injection vulnerability in ELECOM wireless LAN routers allows a network-adjacent authenticated attacker to execute an arbitrary OS command with a root privilege by sending a specially crafted request. There is no known workaround outside of upgrading to Apptainer 1.2.1.
A security fix has been included in Apptainer 1.2.1.
Version 1.2.0-rc.2 introduced an ineffective privilege drop when requesting container network setup, therefore subsequent functions are called with root privileges, the attack surface is rather limited for users but an attacker could possibly craft a starter config to delete any directory on the host filesystems. An app may be able to gain root privileges.Īpptainer is an open source container platform. This issue is fixed in macOS Monterey 12.6.8, iOS 16.6 and iPadOS 16.6, macOS Big Sur 11.7.9, macOS Ventura 13.5, watchOS 9.6. A path handling issue was addressed with improved validation.
0 kommentar(er)
