John Walker

Researcher from ZeroPath
Rank #9931 of 53,633 · Total CVSS 27.8
Vulnerabilities: 3 (High: 2, Critical: 1)
PT-2022-1850 · CVSS 9.0 · 2022-03-15 · Cri-O · Cri-O · CVE-2022-0811
**Name of the Vulnerable Software and Affected Versions**

- CRI-O versions 1.19 through 1.23.1
- CRI-O versions prior to 1.19.6
- CRI-O versions prior to 1.20.7
- CRI-O versions prior to 1.21.6
- CRI-O versions prior to 1.22.3
- CRI-O versions prior to 1.23.2
- CRI-O version 1.24.0 and earlier

**Description**

A flaw was found in CRI-O in the way it set kernel options (sysctls) for a pod, allowing anyone with rights to deploy a pod on a Kubernetes cluster that uses the CRI-O runtime to achieve a container escape and arbitrary code execution as root on the cluster node. The issue stems from a lack of proper validation of kernel parameters, which an attacker can exploit to bypass safeguards and set arbitrary kernel parameters on the host. This can lead to container escape and arbitrary code execution as root on any node in the cluster.

**Recommendations**

- For CRI-O versions 1.19 through 1.23.1, update to version 1.23.2 or later.
- For CRI-O versions prior to 1.19.6, update to version 1.19.6 or later.
- For CRI-O versions prior to 1.20.7, update to version 1.20.7 or later.
- For CRI-O versions prior to 1.21.6, update to version 1.21.6 or later.
- For CRI-O versions prior to 1.22.3, update to version 1.22.3 or later.
- For CRI-O versions prior to 1.23.2, update to version 1.23.2 or later.
- For CRI-O version 1.24.0 and earlier, update to a version later than 1.24.0.

As a temporary workaround, consider setting `manage_ns_lifecycle` to `false`, which causes the sysctls to be configured by the OCI runtime, or creating an admission webhook that denies pods specifying a `+` in the sysctl value of a pod.
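The admission-webhook workaround above, as an added example that is not part of the advisory or of CRI-O itself: a Go validation routine that parses a Pod manifest and denies any pod whose sysctl value contains a `+`. The `pod` struct, the function names and the sample manifest are assumptions made for this illustration, not Kubernetes API types.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)
// Minimal slice of the Pod schema: only the fields the check reads.
type pod struct {
	Spec struct {
		SecurityContext struct {
			Sysctls []struct {
				Name  string `json:"name"`
				Value string `json:"value"`
			} `json:"sysctls"`
		} `json:"securityContext"`
	} `json:"spec"`
}

// OffendingSysctls parses a Pod manifest (JSON) and returns every sysctl whose
// value contains "+", the character the advisory's workaround webhook denies.
func OffendingSysctls(manifest []byte) ([]string, error) {
	var p pod
	if err := json.Unmarshal(manifest, &p); err != nil {
		return nil, fmt.Errorf("invalid pod manifest: %w", err)
	}
	var bad []string
	for _, s := range p.Spec.SecurityContext.Sysctls {
		if strings.Contains(s.Value, "+") {
			bad = append(bad, s.Name+"="+s.Value)
		}
	}
	return bad, nil
}

// ValidatePod returns (allowed, message), the two values an admission webhook
// would copy into its AdmissionResponse. Unparsable input is denied, not ignored.
func ValidatePod(manifest []byte) (bool, string) {
	bad, err := OffendingSysctls(manifest)
	if err != nil {
		return false, err.Error()
	}
	if len(bad) > 0 {
		return false, "sysctl values must not contain '+': " + strings.Join(bad, ", ")
	}
	return true, ""
}
// Constructed sample manifest: one benign sysctl and one carrying a "+".
var SamplePod = []byte(`{"apiVersion":"v1","kind":"Pod","spec":{"securityContext":{"sysctls":[
 {"name":"net.ipv4.ip_unprivileged_port_start","value":"1024"},{"name":"kernel.shm_rmid_forced","value":"1+0"}]}}}`)
```

A real webhook would run `ValidatePod` on the object in the incoming AdmissionReview and return the message as the denial reason; pods without any `sysctls` entry pass unchanged.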