Yarden Porat

**Name of the Vulnerable Software and Affected Versions** MuPDF version 1.27.0 **Description** An integer overflow exists in the 'pdf-image.c' file within MuPDF version 1.27.0. A specially crafted PDF document can trigger an integer overflow within the `pdf load image imp` function. This can lead to a heap out-of-bounds write, potentially enabling arbitrary code execution. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CrewAI (affected versions not specified) **Description** CrewAI contains a server-side request forgery condition that allows for the acquisition of content from internal and cloud services. This is facilitated by Retrieval-Augmented Generation (RAG) search tools that do not properly validate URLs provided during runtime. The issue allows an attacker to potentially access resources that should not be publicly accessible. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CrewAI (affected versions not specified) **Description** The software contains a flaw where the JSON loader tool reads files without proper path validation. This allows unauthorized access to files on the server. The issue involves an arbitrary local file read. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CrewAI versions (affected versions not specified) **Description** The CodeInterpreter tool within CrewAI reverts to SandboxPython when Docker is unreachable. This fallback can allow for Remote Code Execution (RCE) through the ability to call arbitrary C functions. The tool utilizes the `SandboxPython` environment, and the issue arises when it cannot connect to Docker, potentially enabling malicious code execution. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CrewAI (affected versions not specified) **Description** CrewAI does not adequately verify the continued operation of Docker during runtime. If Docker is not running, the software reverts to a sandbox configuration that permits Remote Code Execution (RCE) exploitation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Vault versions prior to 1.20.2 Vault Enterprise versions prior to 1.20.2 Vault Enterprise version 1.19.8 Vault Enterprise version 1.18.13 Vault Enterprise version 1.16.24 **Description** The LDAP authentication method in Vault and Vault Enterprise may not have correctly enforced multi-factor authentication (MFA) when `username as alias` was set to true and a user had multiple Common Names (CNs) that were equal but contained leading or trailing spaces. **Recommendations** Upgrade to Vault Community Edition version 1.20.2 or later. Upgrade to Vault Enterprise version 1.20.2 or later. Upgrade to Vault Enterprise version 1.19.8. Upgrade to Vault Enterprise version 1.18.13. Upgrade to Vault Enterprise version 1.16.24.

**Name of the Vulnerable Software and Affected Versions** Vault versions prior to 1.20.1 Vault Enterprise versions prior to 1.20.1, 1.19.7, 1.18.12, and 1.16.23 **Description** Vault and Vault Enterprise’s login MFA rate limits could be bypassed, and TOTP tokens could be reused. **Recommendations** Update Vault to version 1.20.1 or later. Update Vault Enterprise to version 1.20.1, 1.19.7, 1.18.12, or 1.16.23 or later.

**Name of the Vulnerable Software and Affected Versions** Vault versions prior to 1.20.1 Vault Enterprise versions prior to 1.20.1, 1.19.7, 1.18.12, and 1.16.23 **Description** The user lockout feature in Vault and Vault Enterprise could be bypassed for Userpass and LDAP authentication methods. **Recommendations** Update to Vault Community Edition version 1.20.1 or later. Update to Vault Enterprise version 1.20.1, 1.19.7, 1.18.12, or 1.16.23 or later.

**Name of the Vulnerable Software and Affected Versions** Vault Community Edition versions prior to 1.20.0 Vault Enterprise versions prior to 1.20.0 Vault Enterprise version 1.19.6 Vault Enterprise version 1.18.11 Vault Enterprise version 1.16.22 **Description** A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s token privileges to Vault’s root policy. **Recommendations** Update Vault Community Edition to version 1.20.0 or later. Update Vault Enterprise to version 1.20.0 or later. Update Vault Enterprise to version 1.19.6 or later. Update Vault Enterprise to version 1.18.11 or later. Update Vault Enterprise to version 1.16.22 or later.

**Name of the Vulnerable Software and Affected Versions** HashiCorp Vault versions prior to 1.20.1 HashiCorp Vault versions 1.19.7 and earlier HashiCorp Vault versions 1.18.12 and earlier HashiCorp Vault versions 1.16.23 and earlier HashiCorp Vault versions 0.8.0 through 1.16.22 HashiCorp Vault versions 1.17.x HashiCorp Vault versions 1.18.x HashiCorp Vault versions 1.19.x HashiCorp Vault versions 1.20.0 **Description** A privileged Vault operator within the root namespace, possessing write permission to the `{{sys/audit}}` endpoint, may achieve code execution on the underlying host if a plugin directory is configured within Vault’s configuration. The vulnerability allows for remote code execution (RCE) via misconfigured plugin directories. **Recommendations** HashiCorp Vault versions prior to 1.20.1: Upgrade to version 1.20.1 or later. HashiCorp Vault versions 1.19.7 and earlier: Upgrade to version 1.19.7 or later. HashiCorp Vault versions 1.18.12 and earlier: Upgrade to version 1.18.12 or later. HashiCorp Vault versions 1.16.23 and earlier: Upgrade to version 1.16.23 or later. HashiCorp Vault versions 0.8.0 through 1.16.22: Upgrade to version 1.20.1 or later. HashiCorp Vault versions 1.17.x: Upgrade to version 1.20.1 or later. HashiCorp Vault versions 1.18.x: Upgrade to version 1.20.1 or later. HashiCorp Vault versions 1.19.x: Upgrade to version 1.20.1 or later. HashiCorp Vault versions 1.20.0: Upgrade to version 1.20.1 or later.

**Name of the Vulnerable Software and Affected Versions** Vault versions prior to 1.20.1 Vault Enterprise versions prior to 1.20.1 Vault Enterprise version 1.19.7 Vault Enterprise version 1.18.12 Vault Enterprise version 1.16.23 **Description** The Time-based One-Time Password (TOTP) Secrets Engine in Vault and Vault Enterprise is susceptible to code reuse within its validity period due to an issue with the code validation endpoint. **Recommendations** Update Vault to version 1.20.1 or later. Update Vault Enterprise to version 1.20.1 or later. Update Vault Enterprise to version 1.19.7 or later. Update Vault Enterprise to version 1.18.12 or later. Update Vault Enterprise to version 1.16.23 or later.

**Name of the Vulnerable Software and Affected Versions** Vault versions prior to 1.20.1 Vault Enterprise versions prior to 1.20.1 Vault Enterprise versions prior to 1.19.7 Vault Enterprise versions prior to 1.18.12 Vault Enterprise versions prior to 1.16.23 **Description** The TLS certificate auth method in Vault and Vault Enterprise did not correctly validate client certificates when configured with a non-CA certificate as a trusted certificate. This allowed an attacker to potentially craft a malicious certificate to impersonate another user. **Recommendations** Update Vault to version 1.20.1 or later. Update Vault Enterprise to version 1.20.1 or later. Update Vault Enterprise to version 1.19.7 or later. Update Vault Enterprise to version 1.18.12 or later. Update Vault Enterprise to version 1.16.23 or later.

**Name of the Vulnerable Software and Affected Versions** Vault versions prior to 1.20.1 Vault Enterprise versions prior to 1.20.1 Vault Enterprise version 1.19.7 Vault Enterprise version 1.18.12 Vault Enterprise version 1.16.23 **Description** A timing side channel in the userpass authentication method allowed an attacker to differentiate between existing and non-existing users, potentially enabling the enumeration of valid usernames. **Recommendations** Update Vault to version 1.20.1 or later. Update Vault Enterprise to version 1.20.1 or later. Update Vault Enterprise to version 1.19.7 or later. Update Vault Enterprise to version 1.18.12 or later. Update Vault Enterprise to version 1.16.23 or later.

**Name of the Vulnerable Software and Affected Versions** Conjur OSS versions 1.19.5 through 1.22.0 Secrets Manager, Self-Hosted versions 13.1 through 13.6 **Description** Conjur provides secrets management and application identity for infrastructure. A malformed regular expression allows an attacker manipulating headers signed by AWS to redirect the authentication validation request sent by Secrets Manager, Self-Hosted to a malicious server. This redirection could bypass the IAM Authenticator, granting the attacker permissions granted to the client whose request was manipulated. **Recommendations** Conjur OSS version 1.22.1 or later Secrets Manager, Self-Hosted version 13.5.1 or later Secrets Manager, Self-Hosted version 13.6.1 or later

**Name of the Vulnerable Software and Affected Versions** CyberArk Secrets Manager, Self-Hosted versions prior to 13.5.1 and 13.6.1 Conjur OSS versions prior to 1.22.1 **Description** An attacker with access to a misconfigured network device routing traffic from Secrets Manager to AWS can redirect authentication requests to a malicious server under their control. CyberArk believes that very few installations are susceptible to active exploitation. **Recommendations** Update CyberArk Secrets Manager, Self-Hosted to version 13.5.1 or 13.6.1. Update Conjur OSS to version 1.22.1.

**Name of the Vulnerable Software and Affected Versions** Conjur Secrets Manager, Self-Hosted versions prior to 13.5.1 and 13.6.1 Conjur OSS versions prior to 1.22.1 **Description** Conjur provides secrets management and application identity for infrastructure. An authenticated attacker who is able to load policy can use the policy YAML parser to reference files on the Secrets Manager, Self-Hosted server. These references may be used for reconnaissance to understand the folder structure of the Secrets Manager/Conjur server or to have the YAML parser include files on the server in the YAML that is processed when the policy loads. **Recommendations** Upgrade Conjur Secrets Manager, Self-Hosted to version 13.5.1 or 13.6.1. Upgrade Conjur OSS to version 1.22.1.

**Name of the Vulnerable Software and Affected Versions** Conjur Secrets Manager, Self-Hosted versions prior to 13.5.1 and 13.6.1 Conjur OSS versions prior to 1.22.1 **Description** Conjur provides secrets management and application identity for infrastructure. Missing validations in Secrets Manager, Self-Hosted allows authenticated attackers to inject resources into the database and bypass permission checks. **Recommendations** Update Conjur Secrets Manager, Self-Hosted to version 13.5.1 or 13.6.1. Update Conjur OSS to version 1.22.1.

**Name of the Vulnerable Software and Affected Versions** Conjur OSS versions 1.19.5 through 1.21.1 Secrets Manager, Self-Hosted versions 13.1 through 13.4.1 **Description** Conjur provides secrets management and application identity for infrastructure. An authenticated attacker who can inject secrets or templates into the Secrets Manager, Self-Hosted database could exploit an exposed API endpoint to execute arbitrary Ruby code within the Secrets Manager process. This issue affects both Secrets Manager, Self-Hosted and Conjur OSS. **Recommendations** Update Conjur OSS to version 1.21.2 or later. Update Secrets Manager, Self-Hosted to version 13.5 or later.