Imre Rad

**Name of the Vulnerable Software and Affected Versions** Kubernetes kubelet versions through 1.28.11 Kubernetes kubelet versions from 1.29.0 through 1.29.6 Kubernetes kubelet versions from 1.30.0 through 1.30.2 **Description** The issue allows arbitrary command execution via specially crafted gitRepo volumes. This can be leveraged by an attacker to execute commands outside of the container's boundary, potentially leading to a container escape. The vulnerability is related to the hooks folder in the target repository. It is estimated that over 3 million results are affected, and the issue has been identified in various Kubernetes versions. **Recommendations** For Kubernetes kubelet versions through 1.28.11, update to version 1.28.12 to resolve the issue. For Kubernetes kubelet versions from 1.29.0 through 1.29.6, update to version 1.29.7 to resolve the issue. For Kubernetes kubelet versions from 1.30.0 through 1.30.2, update to version 1.30.3 to resolve the issue. As a temporary workaround, consider disabling the use of gitRepo volumes until a patch is available. Restrict access to the hooks folder in the target repository to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: GitHub Enterprise Server versions prior to 3.13.0 GitHub Enterprise Server version 3.9.15 GitHub Enterprise Server version 3.10.12 GitHub Enterprise Server version 3.11.10 GitHub Enterprise Server version 3.12.4 Description: An authentication bypass vulnerability was present in the GitHub Enterprise Server when utilizing SAML single sign-on authentication with the optional encrypted assertions feature. This vulnerability allowed an attacker to forge a SAML response to provision and/or gain access to a user with site administrator privileges. Exploitation of this vulnerability would allow unauthorized access to the instance without requiring prior authentication. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited. Recommendations: For GitHub Enterprise Server versions prior to 3.13.0, update to version 3.13.0 or later. For GitHub Enterprise Server version 3.9.15, no additional action is required as this version already contains the fix. For GitHub Enterprise Server version 3.10.12, no additional action is required as this version already contains the fix. For GitHub Enterprise Server version 3.11.10, no additional action is required as this version already contains the fix. For GitHub Enterprise Server version 3.12.4, no additional action is required as this version already contains the fix. As a temporary workaround, consider disabling the SAML single sign-on authentication with encrypted assertions feature until a patch is available. Restrict access to the SAML authentication module to minimize the risk of exploitation. Avoid using the encrypted assertions feature in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** GitHub Enterprise Server versions prior to 3.8.13 GitHub Enterprise Server versions prior to 3.9.8 GitHub Enterprise Server versions prior to 3.10.5 GitHub Enterprise Server versions prior to 3.11.3 **Description** The issue is related to insufficient input validation in the Management Console of GitHub Enterprise Server, allowing an attacker with access to a Management Console user account with the editor role to escalate privileges through a command injection vulnerability. This could enable a remote attacker to execute arbitrary commands and elevate their privileges. **Recommendations** For versions prior to 3.8.13, update to version 3.8.13 or later. For versions prior to 3.9.8, update to version 3.9.8 or later. For versions prior to 3.10.5, update to version 3.10.5 or later. For versions prior to 3.11.3, update to version 3.11.3 or later.

**Name of the Vulnerable Software and Affected Versions** GitHub Enterprise Server versions 3.8 through 3.8.11 GitHub Enterprise Server versions 3.9 through 3.9.6 GitHub Enterprise Server versions 3.10 through 3.10.3 GitHub Enterprise Server versions 3.11 through 3.11.0 **Description** An insufficient entropy issue was identified in GitHub Enterprise Server that allowed an attacker to brute force a user invitation to the Management Console. To exploit this, an attacker would need knowledge that a user invitation was pending. This issue was reported via the GitHub Bug Bounty program. **Recommendations** For GitHub Enterprise Server versions 3.8 through 3.8.11, update to version 3.8.12. For GitHub Enterprise Server versions 3.9 through 3.9.6, update to version 3.9.7. For GitHub Enterprise Server versions 3.10 through 3.10.3, update to version 3.10.4. For GitHub Enterprise Server versions 3.11 through 3.11.0, update to version 3.11.1.

**Name of the Vulnerable Software and Affected Versions** GitHub Enterprise Server versions 3.8.0 through 3.8.11 GitHub Enterprise Server versions 3.9.0 through 3.9.5 GitHub Enterprise Server versions 3.10.0 through 3.10.2 **Description** The issue is related to improper privilege management, allowing users with authorized access to the management console and an editor role to escalate their privileges. This is achieved by making requests to the endpoint used for bootstrapping the instance. **Recommendations** For GitHub Enterprise Server versions 3.8.0 through 3.8.11, update to version 3.8.12. For GitHub Enterprise Server versions 3.9.0 through 3.9.5, update to version 3.9.6. For GitHub Enterprise Server versions 3.10.0 through 3.10.2, update to version 3.10.3. As a temporary workaround, consider restricting access to the endpoint used for bootstrapping the instance until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Microsoft Windows Support Diagnostic Tool (MSDT) (affected versions not specified) **Description** The issue is caused by a buffer overflow in memory, allowing an attacker to execute arbitrary code. This can be exploited by remote attackers, affecting the system. The vulnerability is being actively exploited in the wild. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Windows (affected versions not specified) **Description** The issue is related to insufficient access restrictions in the Diagnostics Hub Standard Collector Service of Microsoft Windows operating systems. This can allow an attacker to elevate their privileges. An elevation-of-privilege vulnerability exists, enabling attackers to impact the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Microsoft Windows (affected versions not specified) Description: The issue is related to insufficient access restrictions in the Diagnostics Hub Standard Collector Service of Microsoft Windows operating systems. This can allow an attacker to elevate their privileges. An elevation-of-privilege vulnerability exists, enabling attackers to impact the system. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Windows (affected versions not specified) **Description** The issue is related to insufficient access restrictions in the Diagnostics Hub Standard Collector Service of Microsoft Windows operating systems. This can be exploited to elevate privileges, allowing an attacker to affect the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Go versions prior to 1.14.12 Go versions prior to 1.15.5 **Description** The issue allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive. This can occur when running commands that build untrusted code, such as go get on a malicious package. The problem is caused by the injection of malicious flags through a #cgo directive, enabling argument injection. **Recommendations** For Go versions prior to 1.14.12, update to version 1.14.12 or later to resolve the issue. For Go versions prior to 1.15.5, update to version 1.15.5 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `#cgo` directive until a patch is applied. Avoid using malicious gcc flags specified via a `#cgo` directive in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Windows Update Orchestrator Service (affected versions not specified) **Description** The issue is related to an elevation of privilege vulnerability that exists when the Windows Update Orchestrator Service improperly handles file operations. This vulnerability can be exploited by an attacker to elevate their privileges and potentially execute arbitrary code using a specially crafted application. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Android versions 4.0.4 **Description** A directory traversal issue exists in the Android debug bridge, allowing physically proximate attackers with a direct connection to the target device to write to arbitrary system-owned files by using a .. (dot dot) in the tar archive headers. **Recommendations** For Android version 4.0.4, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Windows Modules Installer Service (affected versions not specified) **Description** The issue is related to the improper disclosure of file information by the Windows Modules Installer Service, which can allow an attacker to gain unauthorized access to protected data using a specially crafted application. This can potentially lead to the disclosure of sensitive information and affect the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** icedtea-web versions 1.7.2 and earlier icedtea-web versions 1.8.2 and earlier **Description** The issue is related to insufficient authentication of data, allowing an attacker to inject executable code into a JAR file without compromising signature verification. This flaw can be exploited by a remote attacker to inject arbitrary code into a trusted JAR, which would be executed inside the sandbox. **Recommendations** For icedtea-web versions 1.7.2 and earlier, update to a version later than 1.7.2 to resolve the issue. For icedtea-web versions 1.8.2 and earlier, update to a version later than 1.8.2 to resolve the issue. As a temporary workaround, consider restricting the execution of code inside the sandbox to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** IcedTea-Web versions 1.7.2 and 1.8.2 **Description** The issue is related to the improper sanitization of paths from `jar/` elements in JNLP files. This could allow an attacker to trick a victim into running a specially crafted application, potentially leading to the upload of arbitrary files to arbitrary locations on the user's system. The vulnerability can be exploited by a remote attacker using a specially crafted application to write arbitrary files to the device's file system. **Recommendations** For IcedTea-Web versions 1.7.2 and 1.8.2, consider disabling the processing of JNLP files until a patch is available to prevent the exploitation of this issue. Restrict access to the `jar/` elements in JNLP files to minimize the risk of arbitrary file uploads. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** icedtea-web versions 1.7.2 and earlier icedtea-web versions 1.8.2 and earlier **Description** The issue is related to a zip-slip attack during auto-extraction of a JAR file, which could allow an attacker to write files to arbitrary locations. This could potentially be used to replace the main running application and possibly break out of the sandbox. The vulnerability is also associated with incorrect restriction of the directory path name with limited access, allowing a remote attacker to write arbitrary files to the device's file system using a specially crafted file in formats such as .tar, .jar, .war, .cpio, .apk, .rar, or .7z. **Recommendations** For icedtea-web versions 1.7.2 and earlier, update to a version later than 1.7.2 to resolve the issue. For icedtea-web versions 1.8.2 and earlier, update to a version later than 1.8.2 to resolve the issue. As a temporary workaround, consider disabling the auto-extraction of JAR files until a patch is available. Restrict access to the directory with limited access to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GNU patch versions prior to 2.7.7 **Description** The issue is related to the `do ed script` function in the GNU Patch utility, which fails to neutralize special elements used in operating system commands. This can be exploited by opening a crafted patch file containing an ed style diff payload with shell metacharacters, potentially allowing an attacker to access confidential information and execute arbitrary commands. **Recommendations** For GNU patch versions prior to 2.7.7, update to version 2.7.7 or later to resolve the issue. As a temporary workaround, consider avoiding the use of crafted patch files that contain ed style diff payloads with shell metacharacters until a patch is available.

**Name of the Vulnerable Software and Affected Versions** WampServer versions prior to 3.1.9 **Description** The issue concerns an incomplete synchronizer pattern implementation, which was intended as a remediation measure. This incompleteness leads to a CSRF issue in the add vhost.php file, allowing an attacker to add or delete vhosts without the owner's consent. **Recommendations** For versions prior to 3.1.9, update to version 3.1.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the add vhost.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** shellinabox versions prior to 2.20 **Description** The issue is related to an implementation flaw in the HTTP request parsing logic. By sending a crafted `multipart/form-data` HTTP request, an attacker could exploit this to force the service into an infinite loop, exhausting available CPU resources and taking the service down. **Recommendations** For versions prior to 2.20, update to version 2.20 or later to resolve the issue. As a temporary workaround, consider restricting access to the service to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** knc versions prior to 1.11-1 **Description** The issue concerns a denial of service (memory exhaustion) that can be exploited remotely without authentication, potentially affecting other services running on the targeted host. This is due to a problem in the read packet function. **Recommendations** For versions prior to 1.11-1, update to version 1.11-1 or later to resolve the issue.