Sagi Tzadik

**Name of the Vulnerable Software and Affected Versions** Azure Entra ID (affected versions not specified) **Description** An issue exists in Azure Entra ID where external initialization of trusted variables or data stores can allow an unauthorized attacker to elevate privileges locally. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GitHub Enterprise Server versions prior to 3.14.25 GitHub Enterprise Server versions prior to 3.15.20 GitHub Enterprise Server versions prior to 3.16.16 GitHub Enterprise Server versions prior to 3.17.13 GitHub Enterprise Server versions prior to 3.18.8 GitHub Enterprise Server versions prior to 3.19.4 GitHub Enterprise Server versions prior to 3.20.0 **Description** An improper neutralization of special elements allows an authenticated attacker with push access to a repository to achieve remote code execution on the instance. During a `git push` operation, user-supplied push option values are not properly sanitized before being included in internal service headers. Specifically, the `babeld` proxy embeds these options into the `X-Stat` header without sanitizing semicolons (`;`), which serve as delimiter characters. This allows an attacker to inject and override internal metadata fields, such as `rails env`, `custom hooks dir`, and `repo pre receive hooks`, bypassing sandboxing and executing arbitrary commands via pre-receive hooks as the git service user. On GitHub Enterprise Server, this can lead to full server compromise, including access to all hosted repositories and internal secrets. On the cloud platform, the issue allowed remote code execution on shared storage nodes, potentially exposing millions of public and private repositories through cross-tenant exposure. Forensic investigations found no evidence of real-world exploitation prior to the patch. **Recommendations** Upgrade to version 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.8, 3.19.4, 3.20.0 or newer. As a temporary workaround, avoid running `git push` operations, especially those using the `-o` flag or custom push options, until the system is upgraded.

**Name of the Vulnerable Software and Affected Versions** ingress-nginx versions prior to v1.11.5 ingress-nginx versions v1.12.0-beta.0 through v1.12.1 **Description** A security issue exists in ingress-nginx where the `mirror-target` and `mirror-host` Ingress annotations can be exploited to inject arbitrary configuration into nginx. Successful exploitation can lead to arbitrary code execution within the context of the ingress-nginx controller and potential disclosure of Secrets accessible to the controller. In a default installation, the controller has access to all Secrets cluster-wide. The issue stems from unsanitized mirror annotations. **Recommendations** Upgrade to ingress-nginx version 1.11.5 or later. Upgrade to ingress-nginx version 1.12.1 or later.

**Name of the Vulnerable Software and Affected Versions** ingress-nginx versions prior to 1.11.5 ingress-nginx versions 1.12.0-beta.0 through 1.12.0 **Description** A security issue exists where the `auth-tls-match-cn` Ingress annotation can be used to inject configuration into nginx. This may allow a remote attacker to execute arbitrary code within the context of the ingress-nginx controller and disclose Secrets accessible to the controller. In default installations, the controller typically has access to all Secrets cluster-wide. **Recommendations** Update to version 1.11.5 or later. Update to version 1.12.1 or later. As a temporary workaround, restrict or avoid using the `auth-tls-match-cn` annotation.

**Name of the Vulnerable Software and Affected Versions** ingress-nginx versions prior to v1.11.5 ingress-nginx versions from v1.12.0-beta.0 through v1.12.1 **Description** A security issue exists in ingress-nginx where the `auth-url` Ingress annotation can be exploited to inject configuration into nginx. Successful exploitation can lead to arbitrary code execution within the context of the ingress-nginx controller and potential disclosure of Secrets accessible to the controller. In a default installation, the controller has access to all Secrets within the cluster. The issue is due to insufficient input validation. **Recommendations** Update to a version of ingress-nginx greater than or equal to v1.11.5. Update to a version of ingress-nginx greater than or equal to v1.12.1.

**Name of the Vulnerable Software and Affected Versions** Ingress-nginx versions prior to 1.12.1, from 1.12.0-beta.0 before 1.12.1 **Description** Ingress-nginx is vulnerable to a critical remote code execution (RCE) vulnerability (CVE-2025-1974) with a CVSS score of 9.8. This flaw allows unauthenticated attackers with access to the pod network to execute arbitrary code within the ingress-nginx controller. Successful exploitation could lead to full cluster takeover and exposure of sensitive secrets. The vulnerability stems from improper isolation or compartmentalization within the controller. A proof-of-concept (PoC) exploit is publicly available. This vulnerability is actively being exploited. The Admission Controller, listening on port 8443, is a key component affected by this issue. **Recommendations** Upgrade Ingress-nginx to version 1.12.1 or later. Restrict network access to the Admission Controller, specifically port 8443. Implement network segmentation, strong authentication, and authorization policies for services on port 8443. Regularly audit and patch vulnerabilities. Remove any server-snippet annotations from your ingress configurations.

**Name of the Vulnerable Software and Affected Versions** Redis versions 5.7.0 through 5.8.0 Redict versions 7.3.2+ds-1ubuntu0.1 Valkey versions prior to 8.1.1+dfsg1-3+deb13u1 **Description** Redis and Redict are vulnerable to a Lua scripting interface issue that could allow an authenticated attacker to trigger a use-after-free condition, potentially leading to remote code execution. Valkey is vulnerable to multiple security issues in its Lua scripting interface that could result in arbitrary code execution or denial of service. **Recommendations** Upgrade Redis to version 5.7.0.15-1~deb12u6 for bookworm or 5.8.0.2-3+deb13u1 for trixie. Upgrade Redict to version 7.3.2+ds-1ubuntu0.1. Upgrade Valkey to version 8.1.1+dfsg1-3+deb13u1.

**Name of the Vulnerable Software and Affected Versions** Ubuntu kernels (affected versions not specified) **Description** The issue is related to a local privilege escalation vulnerability in Ubuntu kernels, specifically in the overlayfs `ovl copy up meta inode data` function, which skips permission checks when calling `ovl do setxattr`. This allows an attacker to execute arbitrary code or cause a denial of service. The vulnerability has been exploited in real-world incidents to achieve easy root access. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ubuntu kernels carrying both c914c0e27eb0 and "UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs" **Description** The issue is related to the overlayfs file system in Ubuntu kernels, where an unprivileged user may set privileged extended attributes on mounted files without proper security checks, potentially leading to arbitrary code execution or denial of service. This is due to a missing authorization check in the overlayfs file system. **Recommendations** As a temporary workaround, consider disabling the overlayfs file system until a patch is available. Restrict access to the mounted files to minimize the risk of exploitation. Avoid using privileged extended attributes on the mounted files until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft ODBC and OLE DB (affected versions not specified) **Description** The issue exists due to insufficient input validation in the Windows operating system's ODBC and OLE DB drivers. Exploitation of this issue may allow a remote attacker to execute arbitrary code. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft ODBC and OLE DB (affected versions not specified) **Description** The issue exists due to insufficient input validation in the Windows operating system's ODBC and OLE DB drivers. Exploitation of this issue may allow an attacker to execute arbitrary code. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Excel (affected versions not specified) **Description** The issue is related to an information disclosure vulnerability in Microsoft Excel. It is associated with a buffer overflow in memory, which can allow an attacker to gain unauthorized access to protected information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Office (affected versions not specified) **Description** The issue is related to an information disclosure vulnerability in Microsoft Office. It is caused by a lack of protection for sensitive data. Exploitation of this issue may allow an attacker to disclose protected information and affect the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Office (affected versions not specified) **Description** The issue is related to incorrect code generation management in Microsoft Office, which can be exploited by attackers to execute arbitrary code using a specially crafted file. This allows remote attackers to execute arbitrary code. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Windows DNS Server versions 2013 through 2019 **Description** A remote code execution issue exists in Windows Domain Name System servers when they fail to properly handle requests. This can be exploited by a remote attacker using a specially crafted DNS request, allowing them to execute arbitrary code. The vulnerability is also known as 'Windows DNS Server Remote Code Execution Vulnerability' and has been present for 17 years, affecting Windows DNS Servers from 2013 to 2019 editions. It is a 'wormable' bug, enabling attackers to launch malware attacks that can spread from one vulnerable computer to another without human interaction. **Recommendations** For Microsoft Windows DNS Server versions 2013 through 2019, apply the patch provided by Microsoft to fix the vulnerability. At the moment, there is no information about other newer versions that contain a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** LearnPress Wordpress plugin versions prior to and including 3.2.6.7 **Description** The issue is related to SQL Injection. There is no information provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** For versions prior to and including 3.2.6.7, update to a version later than 3.2.6.7 to resolve the issue.