Avinash Hanwate

**Name of the Vulnerable Software and Affected Versions** Red Hat Advanced Cluster Security (RHACS) (affected versions not specified) **Description** A flaw was found in the Red Hat Advanced Cluster Security (RHACS) portal. When rendering a table view in the portal, for example, on any of the "/main/configmanagement/*" endpoints, the front-end generates a DOM table-element (id="pdf-table"). This information is then populated with unsanitized data using `innerHTML`. An attacker with some control over the data rendered can trigger a cross-site scripting (XSS) vulnerability. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Foreman versions 6.13 through 6.15 Foreman with Gunicorn versions prior to 22.0 **Description** An authentication bypass issue has been identified in Foreman when deployed with External Authentication, due to the puppet-foreman configuration. This issue arises from Apache's mod proxy not properly unsetting headers because of restrictions on underscores in HTTP headers, allowing authentication through a malformed header. The flaw impacts all active Satellite deployments and could potentially enable unauthorized users to gain administrative access. Over 4,000 results are found on ZoomEye, indicating a significant number of potentially affected devices. **Recommendations** For Foreman versions 6.13 through 6.15, update to a version that includes the fix for this issue. For Foreman with Gunicorn versions prior to 22.0, update Gunicorn to version 22.0 or later. As a temporary workaround, consider restricting access to the `puppet-foreman` configuration to minimize the risk of exploitation. Restrict access to the vulnerable `mod proxy` module to minimize the risk of exploitation. Avoid using malformed headers in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Fence Agents Remediation operator (affected versions not specified) **Description** A flaw was found in the Fence Agents Remediation operator, allowing a Remote Code Execution (RCE) primitive by supplying an arbitrary command to execute in the `--ssh-path`/`--telnet-path` arguments. This can lead to a privilege escalation, first as the service account running the operator, then to another service account with cluster-admin privileges. A low-privilege user, such as a user with developer access, can create a specially crafted FenceAgentsRemediation for a fence agent supporting `--ssh-path`/`--telnet-path` arguments to execute arbitrary commands on the operator's pod. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NetworkManager (affected versions not specified) **Description** A flaw was found in NetworkManager, allowing a malicious user to inject a malformed LLDP packet when the system is running NetworkManager with DEBUG logs enabled and an interface configured with LLDP enabled. This could cause NetworkManager to crash, leading to a denial of service. The issue is related to an uncontrolled resource consumption, which can be exploited by a remote attacker to cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: cockpit (affected versions not specified) Description: A flaw was found in the cockpit package, allowing an authenticated user to kill any process when enabling the pam env's `user readenv` option. This leads to a denial of service (DoS) attack. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Pulpcore versions 3.0 and later Gunicorn versions prior to 22.0 **Description** An authentication bypass issue has been identified due to Apache's mod proxy not properly unsetting headers because of restrictions on underscores in HTTP headers, allowing authentication through a malformed header. This flaw impacts all active Satellite deployments (6.13, 6.14, and 6.15) which are using Pulpcore version 3.0+ and could potentially enable unauthorized users to gain administrative access. **Recommendations** For Pulpcore versions 3.0 and later, update Gunicorn to version 22.0 or later to resolve the issue. For Gunicorn versions prior to 22.0, consider disabling the use of Apache's mod proxy until a patch is available. As a temporary workaround, restrict access to the vulnerable configuration to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PackageKitd (affected versions not specified) **Description** A use-after-free flaw was found in PackageKitd. In some conditions, the order of cleanup mechanics for a transaction could be impacted, resulting in memory access on previously freed memory regions. Once freed, a memory region can be reused for other allocations, and any previously stored data in this memory region is considered lost. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apache server (affected versions not specified) **Description** A flaw was found in the mod proxy cluster in the Apache server, which may allow a malicious user to add a script in the `alias` parameter in the URL to trigger a stored cross-site scripting (XSS) vulnerability. By adding a script to the `alias` parameter on the URL, it adds a new virtual host and adds the script to the cluster-manager page. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Quay (affected versions not specified) **Description** A flaw was found in Quay, where clickjacking allows an attacker to trick a user into clicking on a button or link on another page. The config-editor page is vulnerable to clickjacking, which could allow an attacker to trick an administrator user into clicking on buttons on the config-editor panel, possibly reconfiguring some parts of the Quay instance. Clickjacking is a technique used by attackers to trick users into clicking on something different from what they intend, by using multiple transparent or opaque layers. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Quay (affected versions not specified) **Description** A flaw was found in Quay, allowing cross-site request forgery (CSRF) attacks to force a user to perform unwanted actions in an application. The config-editor page, used to configure the Quay instance, is vulnerable to CSRF. By coercing the victim's browser into sending an attacker-controlled request from another domain, it is possible to reconfigure the Quay instance, including adding users with admin privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** openshift-logging LokiStack (affected versions not specified) **Description** A flaw was found in openshift-logging LokiStack, where the key used for caching is just the token, which is too broad. This issue allows a user with a token valid for one action to execute other actions as long as the authorization allowing the original action is still cached. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** openstack-neutron (affected versions not specified) **Description** An uncontrolled resource consumption flaw was found in openstack-neutron, allowing a remote authenticated user to query a list of security groups for an invalid project. This issue creates resources that are unconstrained by the user's quota, potentially leading to a denial of service if a malicious user submits a significant number of requests. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Quay registry (affected versions not specified) **Description** A flaw was found in the Quay registry where image labels created through Quay undergo validation in the UI and backend using a regex, but the same validation is not performed when the label comes from an image. This allows an attacker to publish a malicious image to a public registry containing a script that can be executed via Cross-site scripting (XSS). **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** coreDNS (affected versions not specified) **Description** A flaw was found in coreDNS, allowing a malicious user to redirect traffic intended for external top-level domains (TLD) to a pod they control by creating projects and namespaces that match the TLD. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** coreDNS (affected versions not specified) **Description** A flaw was found in coreDNS, allowing a malicious user to reroute internal calls to some internal services that were accessed by the FQDN in a format of `<service>.<namespace>.svc`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ovirt-engine (affected versions not specified) **Description** The issue is related to the ovirt-engine management tool for virtual infrastructure, which fails to protect its web page structure when handling the `error description` parameter. This allows a remote attacker to conduct cross-site scripting attacks. The vulnerability is triggered by the failure to sanitize the entry for the `error description` parameter on the Windows Service Accounts home pages. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenShift Container Platform (affected versions not specified) **Description** A user with permissions to create or modify Routes can craft a payload that inserts a malformed entry into one of the cluster router's HAProxy configuration files. This malformed entry can match any arbitrary hostname, or all hostnames in the cluster, and direct traffic to an arbitrary application within the cluster, including one under attacker control. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Red Hat Advanced Cluster Management for Kubernetes (affected versions not specified) **Description** A flaw was found in the search-api container when a query in the search filter gets parsed by the backend. This issue allows an attacker to craft specific strings containing special characters that lead to crashing the pod, affecting system availability while restarting. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CODESYS V2 PLCWinNT and Runtime Toolkit 32 versions prior to V2.4.7.57 **Description** The issue concerns password protection not being enabled by default. In cases where no password is set at the controller, there is no information or prompt to enable password protection at login. **Recommendations** For versions prior to V2.4.7.57, update to version V2.4.7.57 or later to enable password protection by default. As a temporary workaround, consider manually enabling password protection for the controller to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Red Hat Advanced Cluster Security for Kubernetes (affected versions not specified) **Description** A flaw was found in the Red Hat Advanced Cluster Security for Kubernetes, related to insufficient protection of service data in the GraphQL API. This issue allows authenticated users to retrieve Notifiers from the GraphQL API, revealing secrets that can escalate their privileges. The flaw is associated with the inadequate sanitization of Notifier secrets in the GraphQL API. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.