Adam Korczynski

**Name of the Vulnerable Software and Affected Versions** Apache Avro Java SDK versions up to and including 1.11.2 Confluence Data Center versions from 7.17.0 to 8.7.1 Confluence Data Center versions from 8.7.0 to 8.7.1 Confluence Server versions from 7.17.0 to 8.5.4 LTS Bamboo Data Center and Server versions 9.2.1, 9.3.0, and 9.4.0 **Description** When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system. This issue affects Java applications using Apache Avro Java SDK. An unauthenticated attacker can expose assets in the environment susceptible to exploitation, with no impact to confidentiality, no impact to integrity, high impact to availability, and requires no user interaction. **Recommendations** For Apache Avro Java SDK versions up to and including 1.11.2, update to apache-avro version 1.11.3. For Confluence Data Center versions from 7.17.0 to 8.7.1, upgrade to the latest version, or to one of the specified supported fixed versions: 8.8.0, 8.7.2, 8.6.2, 8.5.4 LTS, 8.5.5 LTS, 8.5.6 LTS, 7.19.17 LTS, 7.19.18 LTS, 7.19.19 LTS. For Confluence Server versions from 7.17.0 to 8.5.4 LTS, upgrade to the latest 8.5.x LTS version, or to one of the specified supported fixed versions: 8.5.5 LTS, 8.5.6 LTS, 7.19.17 LTS, 7.19.18 LTS, 7.19.19 LTS. For Bamboo Data Center and Server versions 9.2.1, 9.3.0, and 9.4.0, upgrade to the latest version, or to one of the specified supported fixed versions: 9.2.8, 9.3.6, 9.4.2.

**Name of the Vulnerable Software and Affected Versions** notation versions prior to v1.0.0-rc.6 **Description** An attacker who has compromised a registry and added a high number of signatures to an artifact can cause denial of service of services on the machine, if a user runs `notation verify` command on the same machine. This issue can be exploited by making the registry serve an infinite number of signatures for the artifact. The `maxSignatureAttempts` in `notation verify` enables this endless data attack. **Recommendations** For notation versions prior to v1.0.0-rc.6, upgrade the notation packages to v1.0.0-rc.6 or above. As a temporary workaround, consider restricting container registries to a set of secure and trusted container registries until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** notation versions prior to v1.0.0-rc.6 **Description** An attacker who has compromised a registry can cause users to verify the wrong artifact. This issue allows an attacker to lead a user into verifying the wrong artifact if they control or compromise a registry. **Recommendations** For versions prior to v1.0.0-rc.6, upgrade the notation-go library to v1.0.0-rc.6 or above. As a temporary workaround for users unable to upgrade, restrict container registries to a set of secure and trusted container registries.

**Name of the Vulnerable Software and Affected Versions** notation-go versions prior to 1.0.0-rc.3 **Description** The issue causes excessive memory consumption when verifying signatures, leading to application crashes and impacting availability. Users can review their trust policy file for the identity string containing `=#` and ensure only trusted certificates are in their trust stores with `authenticity` validation set to `enforce`. **Recommendations** For versions prior to 1.0.0-rc.3, upgrade to version 1.0.0-rc.3 or above. As a temporary workaround, review your trust policy file and check if the identity string contains `=#`. Meanwhile, only put trusted certificates in your trust stores referenced by your trust policy files, and make sure the `authenticity` validation is set to `enforce`.

**Name of the Vulnerable Software and Affected Versions** containerd versions 1.6.17 and earlier, containerd versions 1.5.17 and earlier **Description** The issue is related to the import of OCI images in containerd, where there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file could cause a denial of service. **Recommendations** Update to containerd version 1.6.18 or later to resolve the issue. Update to containerd version 1.5.18 or later to resolve the issue. As a temporary workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.

**Name of the Vulnerable Software and Affected Versions** golang.org/x/text/language (affected versions not specified) **Description** The issue is related to the ParseAcceptLanguage function, which can be exploited to cause a denial of service by crafting a specific Accept-Language header. This header can cause the function to take significant time to parse, leading to a denial of service. The problem is due to the quadratic time complexity of the BCP 47 tag parser, which is exposed to untrusted user input. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. **Recommendations** For golang.org/x/text/language, consider limiting the total complexity of tags passed into ParseAcceptLanguage by limiting the number of dashes in the string to 1000 as a temporary workaround until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** Programs that compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases, the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After the fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Reader (affected versions not specified) **Description** The issue is related to the Reader.Read function not setting a limit on the maximum size of file headers. A maliciously crafted archive could cause Reader.Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After the fix, Reader.Read limits the maximum size of header blocks to 1 MiB. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Argo CD versions 0.4.0 through 2.2.10 Argo CD versions 2.3.0 through 2.3.5 Argo CD versions 2.4.0 through 2.4.4 **Description** The issue is related to an improper certificate validation bug in Argo CD, which could cause it to trust a malicious OpenID Connect (OIDC) provider. This bug affects connections to OIDC providers and can be exploited by an attacker to conduct spoofing attacks. The vulnerability is related to the skipping of certificate verification when communicating with the OIDC provider, which opens Argo CD to various risks, such as a machine-in-the-middle attack. **Recommendations** For Argo CD versions 0.4.0 through 2.2.10, update to version 2.2.11 or later. For Argo CD versions 2.3.0 through 2.3.5, update to version 2.3.6 or later. For Argo CD versions 2.4.0 through 2.4.4, update to version 2.4.5 or later. As a temporary workaround for users of an external OIDC provider, consider setting the `oidc.config.rootCA` field in the `argocd-cm` ConfigMap to force certificate validation when the API server handles login flows.

**Name of the Vulnerable Software and Affected Versions** Argo CD versions 2.3.0 through 2.3.5 Argo CD versions 2.4.0 through 2.4.4 **Description** The issue is a cross-site scripting (XSS) bug that could allow an attacker to inject arbitrary JavaScript in the "/auth/callback" page in a victim's browser. This vulnerability only affects Argo CD instances with single sign-on (SSO) enabled. The exploit requires the attacker to have access to the API server's encryption key, a method to add a cookie to the victim's browser, and the ability to convince the victim to visit a malicious "/auth/callback" link. The vulnerability is classified as low severity because access to the API server's encryption key already grants a high level of access. **Recommendations** For Argo CD versions 2.3.0 through 2.3.5, update to version 2.3.6 to resolve the issue. For Argo CD versions 2.4.0 through 2.4.4, update to version 2.4.5 to resolve the issue. As a temporary workaround, consider disabling SSO until a patch is applied. Restrict access to the "/auth/callback" page to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** KubeEdge versions prior to 1.11.1 KubeEdge versions prior to 1.10.2 KubeEdge versions prior to 1.9.4 **Description** KubeEdge is an open source system for extending native containerized application orchestration capabilities to hosts at Edge. Several endpoints in the Cloud AdmissionController, including "/devicemodels", "/rules", "/ruleendpoints", and "/offlinemigration", may be susceptible to a DoS attack if an HTTP request containing a very large Body is sent to it. The consequence of the exhaustion is that the Cloud AdmissionController will be in denial of service. Only an authenticated user can cause this issue. **Recommendations** Update to KubeEdge version 1.11.1 or later to resolve the issue. Update to KubeEdge version 1.10.2 or later to resolve the issue. Update to KubeEdge version 1.9.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable endpoints in the Cloud AdmissionController until a patch is available. Avoid sending HTTP requests with very large Bodies to the Cloud AdmissionController until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** KubeEdge versions prior to 1.11.1 KubeEdge versions prior to 1.10.2 KubeEdge versions prior to 1.9.4 **Description** The Cloud Stream server and the Edge Stream server read the entire message into memory without imposing a limit on the size of this message. An attacker can exploit this by sending a large message to exhaust memory and cause a denial of service. The Cloud Stream server and the Edge Stream server are under denial of service attack in this case. The consequence of the exhaustion is that the CloudCore and EdgeCore will be in a denial of service. Only an authenticated user can cause this issue. It will be affected only when users enable `cloudStream` module in the config file `cloudcore.yaml` and enable `edgeStream` module in the config file `edgecore.yaml`. **Recommendations** For versions prior to 1.11.1, update to version 1.11.1 or later. For versions prior to 1.10.2, update to version 1.10.2 or later. For versions prior to 1.9.4, update to version 1.9.4 or later. As a temporary workaround, disable the `cloudStream` module in the config file `cloudcore.yaml` and disable the `edgeStream` module in the config file `edgecore.yaml`, then restart the cloudcore and edgecore processes.

**Name of the Vulnerable Software and Affected Versions** KubeEdge versions prior to 1.11.1 KubeEdge versions prior to 1.10.2 KubeEdge versions prior to 1.9.4 **Description** The CloudCore Router in KubeEdge does not impose a limit on the size of responses to requests made by the REST handler, allowing an attacker to make a request that will return an HTTP response with a large body and cause a denial of service. This can occur when the `router` module is enabled in the config file `cloudcore.yaml`. Only an authenticated user of the cloud can make an attack. The consequence of the exhaustion is that CloudCore will be in a denial of service. **Recommendations** For versions prior to 1.11.1, update to version 1.11.1 or later. For versions prior to 1.10.2, update to version 1.10.2 or later. For versions prior to 1.9.4, update to version 1.9.4 or later. As a temporary workaround, disable the `router` module in the config file `cloudcore.yaml` by setting `enable` to `false`.

**Name of the Vulnerable Software and Affected Versions** KubeEdge versions prior to 1.11.1 KubeEdge versions prior to 1.10.2 KubeEdge versions prior to 1.9.4 **Description** EdgeCore may be susceptible to a DoS attack on CloudHub if an attacker sends a well-crafted HTTP request to "/edge.crt". If the request has a very large body, it can crash the HTTP service through a memory exhaustion vector. The request body is being read into memory, and a body larger than the available memory can lead to a successful attack. Only authorized users can perform this attack, as the request must pass through authorization. The consequence of the exhaustion is that CloudHub will be in denial of service. This issue affects KubeEdge only when the CloudHub module is enabled in the file `cloudcore.yaml`. **Recommendations** For versions prior to 1.11.1, update to version 1.11.1 or later. For versions prior to 1.10.2, update to version 1.10.2 or later. For versions prior to 1.9.4, update to version 1.9.4 or later. As a temporary workaround, disable the CloudHub switch in the config file `cloudcore.yaml`.

**Name of the Vulnerable Software and Affected Versions** KubeEdge versions prior to 1.11.1 KubeEdge versions prior to 1.10.2 KubeEdge versions prior to 1.9.4 **Description** The ServiceBus server on the edge side may be susceptible to a DoS attack if an HTTP request containing a very large Body is sent to it. It is possible for the node to be exhausted of memory, causing a denial of service for other services on the node, such as other containers. This issue can be exploited by malicious apps that have access to send HTTP requests to localhost, but only when the `ServiceBus` module is enabled in the config file `edgecore.yaml`. **Recommendations** For versions prior to 1.11.1, update to version 1.11.1 or later. For versions prior to 1.10.2, update to version 1.10.2 or later. For versions prior to 1.9.4, update to version 1.9.4 or later. As a temporary workaround, disable the `ServiceBus` module in the config file `edgecore.yaml`.

**Name of the Vulnerable Software and Affected Versions** KubeEdge versions prior to 1.11.1 KubeEdge versions prior to 1.10.2 KubeEdge versions prior to 1.9.4 **Description** A large response received by the viaduct WSClient can cause a denial of service (DoS) from memory exhaustion. The entire body of the response is being read into memory, which could allow an attacker to send a request that returns a response with a large body. The consequence of the exhaustion is that the process which invokes a WSClient will be in a denial of service. This issue affects users who are authenticated to the edge side and connect to `cloudhub` from the edge side through WebSocket protocol. **Recommendations** For versions prior to 1.11.1, update to version 1.11.1 or later. For versions prior to 1.10.2, update to version 1.10.2 or later. For versions prior to 1.9.4, update to version 1.9.4 or later. As a temporary workaround, consider restricting access to the `cloudhub` through WebSocket protocol to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** KubeEdge versions prior to 1.11.0 KubeEdge versions prior to 1.10.1 KubeEdge versions prior to 1.9.3 **Description** A malicious message can crash CloudCore by triggering a nil-pointer dereference in the UDS Server. The attack is limited to the local host network and requires an attacker to be an authenticated user of the Cloud. This issue only affects users who have turned on the unixsocket switch in the config file cloudcore.yaml. **Recommendations** For versions prior to 1.11.0, update to version 1.11.0 to resolve the issue. For versions prior to 1.10.1, update to version 1.10.1 to resolve the issue. For versions prior to 1.9.3, update to version 1.9.3 to resolve the issue. As a temporary workaround, consider disabling the unixsocket switch of CloudHub in the config file cloudcore.yaml.

**Name of the Vulnerable Software and Affected Versions** KubeEdge versions prior to 1.11.0 KubeEdge versions prior to 1.10.1 KubeEdge versions prior to 1.9.3 **Description** A malicious message response from KubeEdge can crash the CSI Driver controller server by triggering a nil-pointer dereference panic, resulting in a denial of service. This issue affects KubeEdge, which extends native containerized application orchestration and device management to hosts at the Edge. An attacker would need to be an authenticated user of the Cloud and launch the `csidriver` to potentially exploit this issue. **Recommendations** For versions prior to 1.11.0, update to version 1.11.0 to resolve the issue. For versions prior to 1.10.1, update to version 1.10.1 to resolve the issue. For versions prior to 1.9.3, update to version 1.9.3 to resolve the issue. As a temporary workaround, consider restricting access to the CSI Driver controller server until a patch is applied. At the moment, there are no other workarounds available.

**Name of the Vulnerable Software and Affected Versions** Argo CD versions 1.3.0 through 2.4.0 Argo CD versions 2.1.0 through 2.1.15 Argo CD versions 2.2.0 through 2.2.9 Argo CD versions 2.3.0 through 2.3.4 **Description** The issue is related to a symlink following bug in Argo CD, allowing a malicious user with repository write access to leak sensitive YAML files from Argo CD's repo-server. A malicious Argo CD user with write access for a repository which is (or may be) used in a Helm-type Application may commit a symlink which points to an out-of-bounds file. If the target file is a valid YAML file, the attacker can read the contents of that file. Sensitive files which could be leaked include manifest files from other Applications' source repositories (potentially decrypted files, if you are using a decryption plugin) or any YAML-formatted secrets which have been mounted as files on the repo-server. **Recommendations** For versions 1.3.0 through 2.1.15, update to version 2.1.16 or later. For versions 2.2.0 through 2.2.9, update to version 2.2.10 or later. For versions 2.3.0 through 2.3.4, update to version 2.3.5 or later. For versions 2.4.0 and earlier, update to version 2.4.1 or later. As a temporary workaround, consider disabling the Helm config management tool if you are using a version >=v2.3.0 and do not have any Helm-type Applications. Avoid mounting YAML-formatted secrets as files on the repo-server. Limit who has push access to manifest repositories. Limit who is allowed to configure new source repositories.

**Name of the Vulnerable Software and Affected Versions** Argo CD versions 1.0.0 through 2.4.0 Argo CD versions 2.1.0 through 2.1.15 Argo CD versions 2.2.0 through 2.2.9 Argo CD versions 2.3.0 through 2.3.4 **Description** Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The issue is related to a cross-site scripting (XSS) bug, allowing a malicious user to inject a `javascript:` link in the UI. When clicked by a victim user, the script will execute with the victim's permissions, up to and including admin. This could enable the creation, modification, and deletion of Kubernetes resources. **Recommendations** For versions prior to 2.1.16, upgrade to version 2.1.16 or later. For versions prior to 2.2.10, upgrade to version 2.2.10 or later. For versions prior to 2.3.5, upgrade to version 2.3.5 or later. For versions prior to 2.4.1, upgrade to version 2.4.1 or later. As a temporary workaround, consider avoiding clicking external links presented in the UI and carefully limiting who has permissions to edit resource manifests.