Ian Carroll

Name of the Vulnerable Software and Affected Versions: FlyCASS CASS and KCM systems (affected versions not specified) Description: The issue is related to a flaw in SQL query filtering in FlyCASS CASS and KCM systems, making them vulnerable to attack by outside attackers with no authentication. This allows unauthenticated attackers to potentially inject SQL queries. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** dormakaba Saflok system versions prior to November 2023 software update Saflok MT versions prior to November 2023 software update Confidant series versions prior to November 2023 software update Quantum series versions prior to November 2023 software update RT series versions prior to November 2023 software update Saffire series versions prior to November 2023 software update **Description** The issue allows an attacker to unlock arbitrary doors at a property via forged keycards, if the attacker has obtained one active or expired keycard for the specific property. This occurs because the key derivation function relies only on a `UID`. **Recommendations** For dormakaba Saflok system versions prior to November 2023 software update, update to the November 2023 software update or later. For Saflok MT versions prior to November 2023 software update, update to the November 2023 software update or later. For Confidant series versions prior to November 2023 software update, update to the November 2023 software update or later. For Quantum series versions prior to November 2023 software update, update to the November 2023 software update or later. For RT series versions prior to November 2023 software update, update to the November 2023 software update or later. For Saffire series versions prior to November 2023 software update, update to the November 2023 software update or later.

**Name of the Vulnerable Software and Affected Versions** Certifi versions prior to 2023.07.22 **Description** The issue is related to the recognition of "e-Tugra" root certificates by Certifi, a collection of Root Certificates for validating SSL certificates. e-Tugra's root certificates were subject to an investigation due to reported security issues. The problem is associated with insufficient authentication data verification, which could allow a remote attacker to implement a "man-in-the-middle" attack. **Recommendations** For Certifi versions prior to 2023.07.22, update to version 2023.07.22 or later, which removes the "e-Tugra" root certificates from the root store. As a temporary workaround, consider disabling the use of "e-Tugra" root certificates until the update is applied.

Name of the Vulnerable Software and Affected Versions: Redash versions 10.0 and prior Description: Redash is a package for data visualization and sharing. The implementation of URL-loading data sources like JSON, CSV, or Excel in versions 10.0 and prior is vulnerable to advanced methods of Server Side Request Forgery (SSRF). These vulnerabilities are only exploitable on installations where a URL-loading data source is enabled. The `master` and `release/10.x.x` branches address this by applying the Advocate library for making http requests instead of the requests library directly. Recommendations: To resolve the issue, users should upgrade to version 10.0.1 to receive the patch. As a temporary workaround, one can disable the vulnerable data sources entirely by adding an environment variable to the configuration. One can also switch any data source of certain types to be `View Only` for all groups on the Settings > Groups > Data Sources screen. For users unable to update, an admin may modify Redash's configuration through environment variables to mitigate this issue. Depending on the version of Redash, an admin may also need to run a CLI command to re-encrypt some fields in the database. For existing installations, one will need to ensure that explicit values are set for the `REDASH COOKIE SECRET` and `REDASH SECRET KEY` variables.

**Name of the Vulnerable Software and Affected Versions** Redash versions 10.0.0 and prior **Description** Redash is a package for data visualization and sharing. If an admin sets up Redash without explicitly specifying the `REDASH COOKIE SECRET` or `REDASH SECRET KEY` environment variables, a default value is used for both that is the same across all installations. In such cases, the instance is vulnerable to attackers being able to forge sessions using the known default value. This issue only affects installations where the `REDASH COOKIE SECRET` or `REDASH SECRET KEY` environment variables have not been explicitly set. Users of the official Redash cloud images, Redash's Digital Ocean marketplace droplets, or the scripts in the `getredash/setup` repository are not affected, as these instances automatically generate unique secret keys during installation. One can verify whether their instance is affected by checking the value of the `REDASH COOKIE SECRET` environment variable. If it is `c292a0a3aa32397cdb050e233733900f`, they should follow the steps to secure the instance. **Recommendations** To secure the instance, follow the steps outlined in the GitHub Security Advisory if the `REDASH COOKIE SECRET` environment variable is `c292a0a3aa32397cdb050e233733900f`. As a temporary workaround, consider regenerating the `REDASH COOKIE SECRET` and `REDASH SECRET KEY` environment variables with unique values to prevent session forgery. Restrict access to the Redash instance until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Apache Airflow version 2.0.0 **Description** The issue is related to Improper Access Control on the Configurations Endpoint for the Stable API of Apache Airflow. This allows users with Viewer or User role to obtain Airflow Configurations, including sensitive information, even when the `[webserver] expose config` is set to `False` in `airflow.cfg`. This vulnerability enabled a privilege escalation attack. **Recommendations** For Apache Airflow version 2.0.0, consider restricting access to the Configurations Endpoint to prevent unauthorized users from obtaining sensitive information until a patch is available. As a temporary workaround, review and adjust the `[webserver] expose config` setting in `airflow.cfg` to ensure it is properly configured to restrict access to sensitive configurations.

**Name of the Vulnerable Software and Affected Versions** Apache Airflow version 2.0.0 **Description** The issue concerns the lineage endpoint of the deprecated Experimental API in Apache Airflow, which was not protected by authentication. This allowed unauthenticated users to access the endpoint. The attacker needs to be aware of certain parameters to pass to the endpoint, and even then, they can only obtain some metadata about a DAG and a Task. This is considered a low-severity issue. **Recommendations** For Apache Airflow version 2.0.0, consider disabling access to the lineage endpoint of the deprecated Experimental API until a patch is available. Restricting access to this endpoint can minimize the risk of exploitation. Additionally, be cautious when using the endpoint, as it may allow unauthorized access to certain metadata. At the moment, there is no information about a newer version that contains a fix for this vulnerability.