Open Source Security Mailing List

Discussion of security flaws, concepts, and practices in the Open Source community

List Archives

Latest Posts

[kubernetes] CVE-2025-0426: Node Denial of Service via kubelet Checkpoint API Craig Ingram (Feb 13)
Hello Kubernetes Community,

A security issue was discovered in Kubernetes where a large number of
container checkpoint requests made to the unauthenticated kubelet read-only
HTTP endpoint may cause a Node Denial of Service by filling the Node's
disk.

This issue has been rated Medium (6.2)
(CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H>),
and...

CVE-2024-46910: Apache Atlas: An authenticated user can perform XSS and potentially impersonate another user Madhan Neethiraj (Feb 12)
Severity: important

Affected versions:

- Apache Atlas 2.0.0 through 2.3.0

Description:

An authenticated user can perform XSS and potentially impersonate another user.

This issue affects Apache Atlas versions 2.3.0 and earlier.

Users are recommended to upgrade to version 2.4.0, which fixes the issue.

Credit:

basavaraj () seciqtech com (finder)

References:

https://atlas.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-46910

CVE-2024-32838: Apache Fineract: SQL injection vulnerabilities in offices API endpoint Arnout Engelen (Feb 12)
Severity: important

Affected versions:

- Apache Fineract 1.4 through 1.9

Description:

SQL Injection vulnerability in various API endpoints - offices, dashboards, etc. Apache Fineract versions 1.9 and
before have a vulnerability that allows an authenticated attacker to inject malicious data into some of the REST API
endpoints' query parameter.
Users are recommended to upgrade to version 1.10.1, which fixes this issue.

A SQL Validator...

Re: CVE-2024-12797: OpenSSL: RFC7250 handshakes with unauthenticated servers don't abort as expected sjw (Feb 11)
I assume a minor typo in the official advisory:

*should upgrade to OpenSSL 3.3.3.

Could you fix it on https://openssl-library.org/news/secadv/20250211.txt?

Thanks!

CVE-2024-12797: OpenSSL: RFC7250 handshakes with unauthenticated servers don't abort as expected Tomas Mraz (Feb 11)
OpenSSL Security Advisory [11th February 2025]
==============================================

RFC7250 handshakes with unauthenticated servers don't abort as expected (CVE-2024-12797)
========================================================================================

Severity: High

Issue summary: Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a
server may fail to notice that the server was not authenticated, because...

CVE-2025-26467: Apache Cassandra: User with MODIFY permission on ALL KEYSPACES can escalate privileges to superuser via unsafe actions (4.0.16 only) Paulo Motta (Feb 11)
Severity: moderate

Affected versions:

- Apache Cassandra 4.0.16

Description:

Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. A user with MODIFY permission ON ALL
KEYSPACES can escalate privileges to superuser within a targeted Cassandra cluster via unsafe actions to a system
resource. Operators granting data MODIFY permission on all keyspaces on affected versions should review data access
rules for potential...

Re: CVE-2025-23015: Apache Cassandra: User with MODIFY permission on ALL KEYSPACES can escalate privileges to superuser via unsafe actions Paulo Motta (Feb 11)
A performance regression was detected in the security releases 3.0.31
[1] and 3.11.18 [2]. Users affected by this vulnerability are
recommended to upgrade to versions 3.0.32 and 3.11.19 instead.

Remaining versions are unaffected.

[1] - https://lists.apache.org/thread/yprngr9cmp9c43m1c56thv1v0v6y5ywq
[2] - https://lists.apache.org/thread/hc9shwlm1kmxdxosbh3qo2xooqoo3sc6

FELIX-6751: CVE-2025-25247: Apache Felix Webconsole: XSS in services console Carsten Ziegeler (Feb 09)
Severity: moderate

Affected versions:

- Apache Felix Webconsole Version 4.x through 4.9.8
- Apache Felix Webconsole Version 5.x through 5.0.8

Description:

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Felix
Webconsole.

This issue affects Apache Felix Webconsole 4.x up to 4.9.8 and 5.x up to 5.0.8.

Users are recommended to upgrade to version 4.9.10 or 5.0.10 or higher,...

WebKitGTK and WPE WebKit Security Advisory WSA-2025-0001 Adrian Perez de Castro (Feb 09)
------------------------------------------------------------------------
WebKitGTK and WPE WebKit Security Advisory WSA-2025-0001
------------------------------------------------------------------------

Date reported : February 09, 2025
Advisory ID : WSA-2025-0001
WebKitGTK Advisory URL : https://webkitgtk.org/security/WSA-2025-0001.html
WPE WebKit Advisory URL :...

CVE-2025-25069: Apache Kvrocks: Cross-Protocol Scripting Vulnerability Mingyang Liu (Feb 07)
Severity: Moderate

Affected versions:

- Apache Kvrocks through 2.11.0

Description:

A Cross-Protocol Scripting vulnerability is found in Apache Kvrocks.

Since Kvrocks didn't detect if "Host:" or "POST" appears in RESP requests,
a valid HTTP request can also be sent to Kvrocks as a valid RESP request
and trigger some database operations, which can be dangerous when
it is chained with SSRF.

It is similar...

Re: pam_pkcs11: Possible Authentication Bypass in Error Situations (CVE-2025-24531) Jacob Bachmeyer (Feb 07)
I have pruned the entire quote down to that paragraph because that is
the root cause of this and other issues.  A similar issue occurred two
weeks ago with pam-u2f (CVE-2025-23013) and the same problem of utility
modules returning PAM_SUCCESS despite not actually authenticating anything.

These problems are going to keep happening as long as utility modules
continue to misuse PAM_SUCCESS.

There might be a possible workaround of adding a new...

Re: AMD Microcode Signature Verification Vulnerability Jacob Bachmeyer (Feb 06)
That resolves the issue for the VM owner, but still does not address the
more interesting question:  is there a way on current AMD processors to
perform calculations that cannot be upset by tampered microcode?  (There
*was* a subset of instructions on the AMD K8 like that.)

If you are correct that the /actual signing key/ used depends on the
microcode version, then (logically) the signing key *must* be somewhere
in the microcode.  If...

Re: AMD Microcode Signature Verification Vulnerability trinity pointard (Feb 06)
Attestations are cryptographically signed by the CPU, and meant to be sent
elsewhere and verified remotely. The key used to sign (VCEK) is dependent on
the microcode version, so it shouldn't be possible to forge new-looking
signatures with old microcodes (I would hope this holds should someone be able to
decrypt a microcode, though I couldn't find information on that subject).

Re: pam_pkcs11: Possible Authentication Bypass in Error Situations (CVE-2025-24531) Douglas R. Reno (Feb 06)
Hello Matthias!

I wanted to chime in here on behalf of my official capacity at Linux
From Scratch. We don't carry the pam_pkcs11 module, so I don't think
our users are affected by this particular vulnerability either.

Douglas Reno
Linux From Scratch

Fwd: libtasn1-4.20.0 released [fixes CVE-2024-12133] Alan Coopersmith (Feb 06)
At the very bottom of the message below, you will find that this release
includes a fix for:

- Fix CVE-2024-12133: Potential DoS in handling of numerous SEQUENCE OF or SET OF elements

The CVE record is not yet published, but a writeup appears to be available at:
https://gitlab.com/gnutls/libtasn1/-/blob/master/doc/security/CVE-2024-12133.md?ref_type=heads

It says:

==================================================================...
