Cluster Administrator Privilege Escalation in GKE Autopilot
Escaping to the Node Virtual Machine
Two issues, first an XSS requiring two injection points to bypass the web-application firewall and a cache poisoning attack making it possible for the XSS to be stored.
The vulnerability here is a straightforward case of reading a size from the attacker and using it in a memcpy into a fixed-size destination buffer on the stack.
Two Facebook Canvas issues enabling an attacker application to get privileged first-party API keys by pretending to be Instagram or another first-party application.
Abusing an otherwise secure call to shell_exec allows users to control part of the sed commands, leading to code execution. One thing of note is that this is the FreeBSD version of sed, which differs from the more common GNU version in that it doesn't include the commands to directly execute commands…
Permissive parsing strikes again: MySQLjs would accept objects as values for a parameterized query, with a somewhat surprising default behaviour. The key issue, though, is that MySQLjs exposes an interface that looks exactly like prepared statements but actually crafts the query on the client side rather than using server-side prepared statements.
The core problem is an integer truncation due to a difference in the size of the long primitive type between Windows and Linux systems. On Linux and BSD systems, sizeof(long) will return 8, but on Windows this value is 4…
This is one of those cases where assumptions about state are made that can be violated. In nft_fwd_dup_netdev_offload, when offloading a dup or fwd rule to hardware, the num_actions value is used to index the actions array and is then incremented…
Off-by-one issue in computing the bits_required value. This computation was performed with a while loop, right-shifting the value by 1 until it is zero; the number of shifts is the number of bits needed.
There is an out-of-bounds access that arises from a difference between parsing the Huffman tables and using the Huffman tables. While parsing the table, the function ensures that each identifier can only be between 0 and 3…
I want to say the root of this issue is from trying to determine by name whether an identifier is a commit hash or a branch name. While git allows the creation of branches consisting of 40 hex characters, GitHub will reject the branch…
We touched on a similar issue last week in Zabbix, where the ability to access the setup process after it was complete could lead to compromising the system. In this situation no extra trickery was necessary, as it appears to have been a bad conditional allowing re-entry to the setup functionality.
Multiple bugs in Carbon Black and vRealize Operations Manager: authentication bypass through proxy trickery, server-side request forgery, credential leaking, and ultimately RCE.
A secure boot bypass by finding an issue before the boot image has been verified.