Alban Crequy

**Name of the Vulnerable Software and Affected Versions** Kubernetes versions prior to v1.14.0 **Description** The issue arises from improper validation of URL redirection in the Kubernetes API server, allowing an attacker-controlled Kubelet to redirect API server requests to arbitrary hosts. This can lead to API servers following the redirect as a GET request with client-certificate credentials for authenticating to the Kubelet. **Recommendations** For versions prior to v1.14.0, update to version v1.14.0 or later to resolve the issue. As a temporary workaround, consider restricting access to streaming endpoints to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** D-Bus versions 1.3.0 through 1.6.x before 1.6.24 D-Bus versions 1.8.x before 1.8.8 **Description** The issue allows local users to cause a denial of service by queuing the maximum number of file descriptors, preventing new connections and causing connection drops. Additionally, it can cause a denial of service via multiple messages that combine to exceed the allowed number of file descriptors for a single sendmsg call. Exploitation of the vulnerabilities may lead to disruption of confidentiality, integrity, and availability of protected information and can be performed remotely. **Recommendations** For D-Bus versions 1.3.0 through 1.6.x before 1.6.24, update to version 1.6.24 or later to resolve the issue. For D-Bus versions 1.8.x before 1.8.8, update to version 1.8.8 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `sendmsg` call to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** D-Bus versions prior to 1.6.24 D-Bus versions 1.8.x prior to 1.8.8 dbus-1 versions (affected versions not specified) dbus-1-32bit versions (affected versions not specified) dbus-1-x11 versions (affected versions not specified) dbus-1-devel-doc versions (affected versions not specified) dbus-1-devel versions (affected versions not specified) **Description** The issue allows local users to cause a denial of service (CPU consumption) via a large number of method calls, potentially leading to disruption of protected information. This can be exploited locally. The `bus connections check reply` function in `config-parser.c` is specifically vulnerable. **Recommendations** For D-Bus versions prior to 1.6.24, update to version 1.6.24 or later. For D-Bus versions 1.8.x prior to 1.8.8, update to version 1.8.8 or later. For dbus-1, dbus-1-32bit, dbus-1-x11, dbus-1-devel-doc, and dbus-1-devel, at the moment, there is no information about a newer version that contains a fix for this vulnerability.