Cluster Administrator Privilege Escalation in GKE Autopilot
Escaping to the Node Virtual Machine
Two issues: first, an XSS that needs two injection points to get past the web-application firewall, and second, a cache-poisoning attack that lets the otherwise reflected XSS be served from the cache, effectively making it stored.
The vulnerability here is a straightforward case of reading a size from the attacker and using it as the length of a memcpy into a fixed-size destination buffer on the stack, without first comparing it against the size of that buffer.
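The pattern described above, as an added example (hypothetical code, not the vulnerable target's own): a message carries a 32-bit length prefix, the unsafe handler hands that length straight to memcpy, and the fixed handler bounds it by both the destination capacity and the bytes actually present in the message. The message format and sample messages are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define DEST_SIZE 64

/* Read a 32-bit little-endian length prefix (assumed wire format). */
static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the attacker-supplied length is used as the memcpy size
 * with no comparison against sizeof(dest). Any n > 64 writes past the end of
 * the stack buffer; any n > msg_len - 4 also reads past the message. */
int handle_message_vulnerable(const uint8_t *msg, size_t msg_len) {
    uint8_t dest[DEST_SIZE];
    if (msg_len < 4) return -1;
    uint32_t n = read_le32(msg);
    memcpy(dest, msg + 4, n);           /* n unchecked: stack overflow */
    return (int)n;
}

/* Fixed pattern: reject the length before copying. Both checks are needed,
 * one for the destination capacity and one for the source length. */
int handle_message_fixed(const uint8_t *msg, size_t msg_len,
                         uint8_t *out, size_t out_cap) {
    if (msg_len < 4) return -1;
    uint32_t n = read_le32(msg);
    if (n > out_cap) return -1;         /* would overflow the destination */
    if (n > msg_len - 4) return -1;     /* would read beyond the message */
    memcpy(out, msg + 4, n);
    return (int)n;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t good_msg[] = { 5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t bad_msg[]  = { 0x00, 0x10, 0x00, 0x00, 'x' }; /* claims 4096 bytes */

/* Runs the fixed handler on both messages; 0 means it behaved as expected. */
int demo(void) {
    uint8_t out[DEST_SIZE];
    int a = handle_message_fixed(good_msg, sizeof good_msg, out, sizeof out); /* 5  */
    int b = handle_message_fixed(bad_msg, sizeof bad_msg, out, sizeof out);   /* -1 */
    return (a == 5 && b == -1 && memcmp(out, "hello", 5) == 0) ? 0 : 1;
}
```

Only the fixed handler is ever called with `bad_msg`; feeding it to the vulnerable one is exactly the crash the entry describes.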
Two Facebook Canvas issues enabling an attacker application to get privileged first-party API keys by pretending to be Instagram or another first-party application.
Abusing an otherwise secure call to shell_exec allows users to control part of the sed commands, leading to code execution. One thing of note is that this is the FreeBSD version of sed, which differs from the more common GNU version in that it doesn't include the commands to directly execute commands…
Permissive parsing strikes again: MySQLjs would accept objects as values for a parameterized query, with a somewhat surprising default behaviour (an object is expanded into `key = value` pairs, so a JSON body such as `{"password": 1}` turns `password = ?` into `password = \`password\` = 1`, which is true for every row). The key issue, though, is that MySQLjs exposes an interface that looks exactly like prepared statements but actually builds the query string on the client side rather than using server-side prepared statements.
The core problem is an integer truncation due to a difference in the size of the long primitive type between Windows and Linux systems. On Linux and BSD systems, sizeof(long) will return 8, but on Windows this value is 4…
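An added example of the truncation (not the affected project's code): a 64-bit size is stored into a `long` before a bounds check. To behave the same wherever it is compiled, the example emulates the Linux/BSD `long` with `int64_t` and the Windows `long` with `int32_t`; the capacity and the request value are constructed.

```c
#include <stdint.h>
#include <stddef.h>

#define BUF_CAP 256

/* Fixed-width stand-ins for `long` on each platform (LP64 vs LLP64), so the
 * example is portable; on real Windows builds `long` itself is 32-bit. */
typedef int64_t long_lp64;   /* Linux/BSD long */
typedef int32_t long_llp64;  /* Windows long   */

/* Bounds check written the way the hypothetical original did it: the received
 * 64-bit size is assigned to a long and then compared. Returns 1 if accepted. */
int accepts_lp64(uint64_t requested) {
    long_lp64 n = (long_lp64)requested;      /* no truncation on LP64 */
    if (n < 0 || n > BUF_CAP) return 0;
    return 1;
}

int accepts_llp64(uint64_t requested) {
    long_llp64 n = (long_llp64)requested;    /* high 32 bits discarded here */
    if (n < 0 || n > BUF_CAP) return 0;
    return 1;  /* the later copy still uses the full 64-bit `requested` */
}

/* Size the copy would actually be given after the (passed) check. */
uint64_t copy_length_after_check(uint64_t requested) {
    return requested;
}

/* Correct form: compare in the width of the value you actually received. */
int accepts_fixed(uint64_t requested) {
    return requested <= BUF_CAP;
}
```

A request of `0x100000010` (4 GiB + 16) is rejected on LP64 and by the fixed check, but on LLP64 it truncates to 16, passes the check, and the copy then proceeds with the original 64-bit length.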
This is one of those cases where assumptions about state are made that can be violated. In nft_fwd_dup_netdev_offload, when offloading a dup or fwd rule to hardware, the num_actions value is used to index the actions array and then incremented…
Off-by-one issue in computing the bits_required value. The computation was performed with a while loop, right-shifting the value by 1 until it is zero; the number of shifts is the number of bits needed.
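An added example (not the affected project's code) of how this kind of loop goes wrong by one. The page does not say which direction the miscount ran, so the example shows the common variant where the shift sits in the loop condition and the most significant bit is never counted, next to the correct form and an independent check that a unit test can run over a range of values.

```c
#include <stdint.h>

/* Correct: shift right until the value is zero and count the shifts.
 * 0 -> 0, 1 -> 1, 255 -> 8, 256 -> 9. */
unsigned bits_required(uint64_t v) {
    unsigned bits = 0;
    while (v != 0) {
        v >>= 1;
        bits++;
    }
    return bits;
}

/* Off-by-one variant: shifting inside the condition means the iteration that
 * consumes the top bit is never counted. 1 -> 0, 256 -> 8. */
unsigned bits_required_buggy(uint64_t v) {
    unsigned bits = 0;
    while (v >>= 1)
        bits++;
    return bits;
}

/* Independent check: `bits` is enough for v iff v < 2^bits
 * (guarding the shift, which is undefined for bits >= 64). */
int bits_sufficient(uint64_t v, unsigned bits) {
    if (bits >= 64) return 1;
    return v < (1ULL << bits);
}

/* How many values in [0, limit] the buggy routine under-sizes. */
unsigned count_undersized(uint64_t limit) {
    unsigned bad = 0;
    for (uint64_t v = 0; v <= limit; v++)
        if (!bits_sufficient(v, bits_required_buggy(v)))
            bad++;
    return bad;
}

/* Same sweep for the correct routine; expected to be 0. */
unsigned count_undersized_correct(uint64_t limit) {
    unsigned bad = 0;
    for (uint64_t v = 0; v <= limit; v++)
        if (!bits_sufficient(v, bits_required(v)))
            bad++;
    return bad;
}
```

The check function is the part worth keeping: whichever loop shape a project uses, asserting `v < (1 << bits)` across a range catches either direction of the off-by-one, including the case where the value is a count of entries and the caller really needs bits for `count - 1`.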