Doran Moppert

**Nome do software vulnerável e versões afetadas** argocd (versões afetadas não especificadas) **Descrição** Foi identificada uma falha no argocd que permite que qualquer usuário sem privilégios implante o argocd em seu namespace. Com a conta de serviço criada `argocd-argocd-server`, o usuário sem privilégios pode ler todos os recursos do cluster, incluindo todos os segredos, o que pode possibilitar a escalada de privilégios. A maior ameaça decorrente desse problema é à confidencialidade dos dados. **Recomendações** No momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade.

**Nome do software vulnerável e versões afetadas** Versões do rhacm anteriores à 2.0.5 Versões do rhacm anteriores à 2.1.0 **Descrição** Foi identificada uma falha no provisionamento das APIs de serviços internos, que foram configuradas incorretamente utilizando um certificado de teste do repositório de código-fonte. Isso faz com que todas as instalações utilizem os mesmos certificados. Se um invasor puder observar o tráfego de rede interno de um cluster, ele poderá usar a chave privada para decodificar solicitações de API que deveriam ser protegidas por sessões TLS, obtendo potencialmente informações que, de outra forma, não conseguiria. Esses certificados não são usados para autenticação de serviço, portanto, não há possibilidade de suplantar identidade ou realizar ataques MITM ativos. **Recomendações** Para versões anteriores à 2.0.5, atualize para a versão 2.0.5 ou posterior para resolver o problema. Para versões anteriores à 2.1.0, atualize para a versão 2.1.0 ou posterior para resolver o problema.

**Nome do software vulnerável e versões afetadas** nbdkit versões 1.12.7, 1.14.1, 1.15.1 **Descrição** Foi descoberta uma vulnerabilidade de negação de serviço no nbdkit. Um invasor poderia se conectar ao serviço nbdkit, fazendo com que ele realizasse uma grande quantidade de trabalho na inicialização de plug-ins de back-end simplesmente ao abrir uma conexão com o serviço. Isso poderia causar consumo de recursos e degradação do serviço no nbdkit, dependendo dos plug-ins configurados no lado do servidor. **Recomendações** Para a versão 1.12.7, atualize para uma versão que corrija este problema. Para a versão 1.14.1, atualize para uma versão que corrija este problema. Para a versão 1.15.1, atualize para uma versão que corrija este problema. Como solução temporária, considere restringir o acesso ao serviço nbdkit para minimizar o risco de exploração.

Name of the Vulnerable Software and Affected Versions: oVirt Metrics (affected versions not specified) Description: The issue concerns sensitive passwords used in the deployment and configuration of oVirt Metrics. These passwords are insufficiently protected and could be disclosed in log files if playbooks are run with the -v option or in playbooks stored on Metrics or Bastion hosts. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** fence-agents versions prior to 4.3.4 **Description** A flaw in fence-agents can cause the fence rhevm component to exit with an exception when non-ASCII characters are used in certain fields of a guest VM, such as comments. This issue can lead to denial of service in cluster environments, preventing automated recovery. The vulnerability is related to encoding errors and can be exploited by a remote attacker to cause a denial of service. **Recommendations** For versions prior to 4.3.4, update to version 4.3.4 or later to resolve the issue. As a temporary workaround, consider avoiding the use of non-ASCII characters in guest VM comments and other fields to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** libvirt versions 4.x.x through 4.10.0 libvirt versions 5.x.x through 5.4.0 **Description** The issue is related to the `virConnectGetDomainCapabilities()` function in the libvirt API, which accepts an `emulatorbin` argument. This argument can be used to specify a program for domain emulation. Since version 1.2.19, libvirt executes the specified program to probe domain capabilities. A problem arises because read-only clients can provide an arbitrary path for the `emulatorbin` argument, potentially causing libvirtd to execute a crafted executable with its own privileges. This is due to errors in access control. **Recommendations** For libvirt versions 4.x.x through 4.10.0, update to version 4.10.1 or later. For libvirt versions 5.x.x through 5.4.0, update to version 5.4.1 or later. As a temporary workaround, consider restricting access to the `virConnectGetDomainCapabilities()` function until a patch is available. Avoid using the `emulatorbin` argument in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** libvirtd versions 4.x.x through 4.10.0 libvirtd versions 5.x.x through 5.4.0 **Description** The issue is related to insufficient access control in the `virDomainManagedSaveDefineXML()` API, allowing readonly clients to modify managed save state files. If a managed save was created by a privileged user, a local attacker could modify this file to execute an arbitrary program when the domain is resumed. This could potentially allow an attacker to change arbitrary files by sending a specially crafted request. **Recommendations** For libvirtd versions 4.x.x through 4.10.0, update to version 4.10.1 or later. For libvirtd versions 5.x.x through 5.4.0, update to version 5.4.1 or later. As a temporary workaround, consider restricting access to the `virDomainManagedSaveDefineXML()` API until a patch is available.

**Name of the Vulnerable Software and Affected Versions** gnome-shell versions 3.15.91 and later **Description** The gnome-shell lock screen does not properly restrict all contextual actions, allowing an attacker with physical access to a locked workstation to invoke certain keyboard shortcuts and potentially other actions. **Recommendations** For gnome-shell versions 3.15.91 and later, consider disabling the lock screen feature until a patch is available to prevent potential exploitation. Restrict physical access to workstations to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** sssd versions 1.13.0 through 1.99.99 (since 2.0.0 is the first version not affected, it implies versions before 2.0.0 are vulnerable) **Description** The issue concerns improper restriction of access to the infopipe based on the `allowed uids` configuration parameter. This could lead to the disclosure of sensitive information stored in the user directory to local attackers. **Recommendations** For sssd versions 1.13.0 through 1.99.99, update to version 2.0.0 or later to properly restrict access to the infopipe according to the `allowed uids` configuration parameter.

**Name of the Vulnerable Software and Affected Versions** vdsm versions prior to 4.20.37 **Description** The issue allows an attacker to cause a denial of service condition by uploading a specially crafted image, which could consume unbounded amounts of memory or CPU time, potentially impacting other users of the host. **Recommendations** For versions prior to 4.20.37, update to version 4.20.37 or later to resolve the issue. As a temporary workaround, consider restricting the upload of images to trusted sources until the update is applied.

**Name of the Vulnerable Software and Affected Versions** ovirt-engine versions prior to 4.2.2 **Description** The issue allows for information exposure through log files. When the engine-backup command is run with certain options, such as `--provision*db`, the database `username` and `password` are logged in cleartext. This could lead to database passwords being leaked if the provisioning log is shared. **Recommendations** For versions prior to 4.2.2, update to version 4.2.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the provisioning log to minimize the risk of exploitation. Avoid sharing the provisioning log until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** ovirt-ansible-roles versions prior to 1.0.6 **Description** The issue is due to a missing no log directive in the 'Add oVirt Provider to ManageIQ/CloudForms' playbook, which results in the inadvertent disclosure of admin passwords in the provisioning log. This could lead to privilege escalation in environments where logs are shared with other parties. **Recommendations** For versions prior to 1.0.6, update to version 1.0.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the provisioning log to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** oVirt Engine versions prior to 4.2.3 **Description** The web console login form in oVirt Engine returned different errors for non-existent users and invalid passwords. This allowed an attacker to discover the names of valid user accounts by exploiting the difference in error responses. **Recommendations** For versions prior to 4.2.3, update to version 4.2.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** oVirt Engine versions prior to 4.2.2.5 oVirt Engine versions prior to 4.1.11.2 **Description** The issue allows exposure of Power Management credentials, including cleartext passwords, to Host Administrators. A Host Administrator could exploit this to gain access to the power management systems of hosts they control. **Recommendations** For versions prior to 4.2.2.5, update to version 4.2.2.5 or later. For versions prior to 4.1.11.2, update to version 4.1.11.2 or later.

**Name of the Vulnerable Software and Affected Versions** setup versions prior to 2.11.4-1.fc28 **Description** The issue is related to errors in authorization. It violates security assumptions made by pam shells and some daemons, which allow access based on a user's shell being listed in /etc/shells. Under some circumstances, users who had their shell changed to /sbin/nologin could still access the system. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. **Recommendations** For versions prior to 2.11.4-1.fc28, update to version 2.11.4-1.fc28 or later to resolve the issue. As a temporary workaround, consider restricting access to the pam shells module until a patch is available. Avoid using the /sbin/nologin and /usr/sbin/nologin shells in /etc/shells to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** oVirt versions 4.1.x through 4.1.8 **Description** A vulnerability was discovered where the combination of Enable Discard and Wipe After Delete flags for VM disks could cause a disk to be incompletely zeroed when removed from a VM. This could potentially reveal sensitive data to privileged users of another VM if the same storage blocks are later allocated to a new disk. **Recommendations** For oVirt versions 4.1.x through 4.1.8, update to version 4.1.9 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** perl-Image-Info (affected versions not specified) **Description** The issue concerns external entity expansion (XXE) not being disabled when parsing an SVG file. This could allow an attacker to craft a malicious SVG file, potentially leading to denial of service or information disclosure when processed by an application using the affected software. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** openjpeg (affected versions not specified) **Description** A heap-based buffer overflow flaw was found in the patch for a previous issue. A crafted j2k image could cause the application to crash, or potentially execute arbitrary code. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** libarchive version 3.2.1 **Description** The issue is related to the mtree bidder in libarchive, which does not properly track line sizes when extending the read-ahead. This allows remote attackers to cause a denial of service, resulting in a crash, by providing a crafted file. The crash is triggered by an invalid read in either the `detect form` or `bid entry` function in libarchive/archive read support format mtree.c. **Recommendations** For libarchive version 3.2.1, consider restricting the use of the mtree bidder until a patch is available. As a temporary workaround, avoid using the `detect form` or `bid entry` functions in libarchive/archive read support format mtree.c to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** libarchive version 3.2.1 **Description** The issue is related to a stack-based buffer overflow in the safe fprintf function, located in tar/util.c. This overflow can be triggered by remote attackers who send a crafted non-printable multibyte character in a filename, potentially causing a denial of service. **Recommendations** For libarchive version 3.2.1, consider updating to a newer version that contains a fix for this issue, as using a crafted filename can cause a denial of service due to the buffer overflow in the safe fprintf function. At the moment, there is no information about a newer version that contains a fix for this vulnerability.