Bzimport

**Name of the Vulnerable Software and Affected Versions** abrt-dbus (affected versions not specified) **Description** A race condition exists in the `ChownProblemDir` method of the abrt-dbus D-Bus service. The `ChownProblemDir` method opens the dump directory using `DD OPEN READONLY` and executes `dd chown()` to change the ownership of all files to the user ID of the caller. This process can succeed even when post-create event handlers maintain a write lock, enabling an attacker to obtain filesystem-level control of the dump directory while privileged event scripts are still active. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

ACM/MCE assisted-service writes raw referenced pull-secret contents into `InfraEnv.status.conditions[].message` when pull-secret validation fails. A namespace principal with the stock `view` ClusterRole cannot directly read Secrets, but can read `InfraEnv` objects and recover the referenced Secret's `.dockerconfigjson` data from status. This bypasses the Kubernetes/OpenShift RBAC separation between read-only namespace viewers and Secret readers. In the reproduced proof, the same ServiceAccount was denied `get` and `list` on Secrets, but recovered synthetic pull-secret `username`, `password`, `email`, and base64 `auth` fields through `InfraEnv.status`.

**Name of the Vulnerable Software and Affected Versions** Keycloak (affected versions not specified) **Description** An access control flaw exists in the OpenID Connect (OIDC) token introspection endpoint. This issue allows a confidential client with valid credentials to bypass audience restrictions and retrieve sensitive token claims intended for other resource servers, which compromises the confidentiality of lightweight access tokens. The flaw can be exploited remotely by any confidential client within the realm. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** gnutls versions prior to 3.8.13-1.1 **Description** A flaw exists where permitted name constraints are incorrectly ignored when previous Certificate Authorities (CAs) only have excluded name constraints. A remote attacker can exploit this to bypass critical name constraint checks during certificate validation, which may lead to the acceptance of invalid certificates and enable spoofing or man-in-the-middle attacks. **Recommendations** Update to version 3.8.13-1.1.

Name of the Vulnerable Software and Affected Versions Keycloak (affected versions not specified) Description A flaw exists in Keycloak where the SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This allows an unauthenticated attacker to forge authorization codes, potentially leading to the creation of admin-capable access tokens and privilege escalation. Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Undertow (affected versions not specified) **Description** A flaw exists in Undertow where the software incorrectly processes HTTP requests containing leading spaces in the first header line, violating HTTP standards. This can be exploited to perform request smuggling, potentially allowing a remote attacker to bypass security mechanisms, access restricted information, or manipulate web caches, leading to unauthorized actions or data exposure. Request smuggling involves crafting malicious requests that are misinterpreted by the server, allowing an attacker to control how requests are processed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Red Hat Satellite Katello Plugin (affected versions not specified) **Description** A flaw exists in the Katello plugin for Red Hat Satellite due to improper sanitization of user-provided input. This allows a remote attacker to inject arbitrary SQL commands into the `sort by` parameter of the `/api/hosts/bootc images` API endpoint. This can lead to a Denial of Service (DoS) by triggering database errors, and potentially enable Boolean-based Blind SQL injection, which could allow an attacker to extract sensitive information from the database. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Red Hat Developer Hub (Backstage) Orchestrator Plugin (affected versions not specified) **Description** A security flaw exists due to insufficient input validation in GraphQL query handling. An authenticated user can inject specially crafted input into API requests, disrupting backend query processing. This can cause the Backstage application to crash and restart, resulting in a Denial of Service (DoS) and temporary loss of access for legitimate users. The affected API requests involve GraphQL queries. The `input` within these queries is not properly validated. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Keylime versions 7.12.0 and later **Description** A flaw exists in Keylime where the registrar does not enforce client-side Transport Layer Security (TLS) authentication. This allows unauthenticated clients with network access to perform administrative operations. These operations include listing agents, retrieving public Trusted Platform Module (TPM) data, and deleting agents by connecting without presenting a client certificate. **Recommendations** Versions 7.12.0 and later require client-side TLS authentication to be enforced to prevent unauthorized administrative operations.

**Name of the Vulnerable Software and Affected Versions** GNU Binutils (affected versions not specified) **Description** A flaw exists in GNU Binutils that involves a heap-based buffer overflow. Specifically, an out-of-bounds read within the bfd linker can allow an attacker to access sensitive information. An attacker can trigger this issue by convincing a user to process a specially crafted XCOFF object file, potentially leading to information disclosure or an application-level denial of service. The XCOFF object file is a specially designed file that exploits the vulnerability. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libssh (affected versions not specified) **Description** The software contains an issue related to improper sanitation of paths received from SCP servers. This could potentially lead to security consequences. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QEMU (affected versions not specified) **Description** An error in QEMU’s KVM Xen guest support allows a malicious guest to cause out-of-bounds heap accesses within the QEMU process. This is triggered through the emulated Xen physdev hypercall interface and can lead to a denial of service or potential memory corruption. The issue is an off-by-one error in the `KVM Xen` component. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libsoup (affected versions not specified) **Description** A flaw exists in libsoup, an HTTP library used in GNOME-based systems. Improper validation of HTTP Range headers when processing specially crafted requests can lead to out-of-bounds read access to server memory in certain configurations. Exploitation requires a vulnerable configuration and access to a server utilizing the embedded SoupServer component. The vulnerable function is `handle partial get()`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: ai-inference-server (affected versions not specified) Description: A flaw was found in the authentication enforcement mechanism of a model inference API. The issue affects the "/v1/*" endpoints, where API key validation is expected but not properly enforced, particularly in the "POST /invocations" endpoint. This results in an authentication bypass, allowing unauthorized users to access protected endpoints and potentially exposing sensitive functionality or allowing unintended access to backend resources. Recommendations: As a temporary workaround, consider disabling the "POST /invocations" endpoint until a patch is available. Restrict access to the "/v1/*" endpoints to minimize the risk of exploitation. Avoid using the ai-inference-server until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions 1.19.x through 1.19.8 MediaWiki versions 1.20.x through 1.20.7 MediaWiki versions 1.21.x through 1.21.2 **Description** A cross-site scripting issue exists due to insufficient validation of user input. This allows remote attackers to inject arbitrary web script or HTML via the `to` parameter to "index.php". **Recommendations** For MediaWiki versions 1.19.x through 1.19.8, update to version 1.19.9 or later. For MediaWiki versions 1.20.x through 1.20.7, update to version 1.20.8 or later. For MediaWiki versions 1.21.x through 1.21.2, update to version 1.21.3 or later.

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions 1.19.x through 1.19.7 MediaWiki versions 1.20.x through 1.20.6 MediaWiki versions 1.21.x through 1.21.1 **Description** The issue allows remote attackers to conduct cross-site scripting (XSS) attacks. This is achieved via the `siprop` parameter in a query action to "wiki/api.php". The problem arises when there is an even number of "." (period) characters in a string, which is not properly detected by the MediaWiki API. **Recommendations** For MediaWiki versions 1.19.x through 1.19.7, update to version 1.19.8 or later. For MediaWiki versions 1.20.x through 1.20.6, update to version 1.20.7 or later. For MediaWiki versions 1.21.x through 1.21.1, update to version 1.21.2 or later.

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions 1.14.0 through 1.15.0 **Description** A cross-site scripting issue exists in the Special:Block implementation, specifically in the getContribsLink function within SpecialBlockip.php. This allows remote attackers to inject arbitrary web script or HTML via the `ip` parameter. **Recommendations** For MediaWiki versions 1.14.0 through 1.15.0, consider updating to a version where this issue is resolved, as no specific fix is provided for these versions. As a temporary workaround, restrict access to the Special:Block implementation to minimize the risk of exploitation. Avoid using the `ip` parameter in the affected function until the issue is resolved.