Description
parent
95899eee43
commit
b0a9be9d08
|
@ -5,9 +5,10 @@ info:
|
||||||
author: 0xceeb
|
author: 0xceeb
|
||||||
severity: medium
|
severity: medium
|
||||||
tags: cve,cve2019,debug
|
tags: cve,cve2019,debug
|
||||||
|
description: The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. The go pprof endpoint is exposed over the Kubelet's healthz port. This debugging endpoint can potentially leak sensitive information such as internal Kubelet memory addresses and configuration, or for limited denial of service. Versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10 are affected. The issue is of medium severity, but not exposed by the default configuration.
|
||||||
# https://medium.com/bugbountywriteup/my-first-bug-bounty-21d3203ffdb0
|
reference:
|
||||||
# http://mmcloughlin.com/posts/your-pprof-is-showing
|
- https://medium.com/bugbountywriteup/my-first-bug-bounty-21d3203ffdb0
|
||||||
|
- http://mmcloughlin.com/posts/your-pprof-is-showing
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
|
|
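Review bot: the new `description:` in this hunk says the same thing twice ("The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. The go pprof endpoint is exposed over the Kubelet's healthz port."); collapse the two opening sentences into one so the field reads cleanly in scanner output. The `reference:` list is an improvement over the former `#` comment lines, but both entries are third-party write-ups (a Medium bug-bounty post and a blog post on exposed pprof); since the tags mark this as a CVE, add the upstream Kubernetes advisory or issue for the CVE as the first reference so the fixed versions quoted in the description (1.15.0, 1.14.4, 1.13.8, 1.12.10) are traceable to the vendor. Also worth confirming that the indentation of the `- https://...` items under `reference:` is preserved by the editor, since the side-by-side rendering here drops leading whitespace.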
@ -3,6 +3,11 @@ info:
|
||||||
author: bing0o
|
author: bing0o
|
||||||
name: Grafana unauthenticated API
|
name: Grafana unauthenticated API
|
||||||
severity: medium
|
severity: medium
|
||||||
|
description: In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana.
|
||||||
|
reference: |
|
||||||
|
- https://grafana.com/blog/2019/08/29/grafana-5.4.5-and-6.3.4-released-with-important-security-fix/
|
||||||
|
- https://community.grafana.com/t/grafana-5-4-5-and-6-3-4-security-update/20569 Vendor Advisory
|
||||||
|
- https://community.grafana.com/t/release-notes-v6-3-x/19202
|
||||||
tags: cve,cve2019,grafana
|
tags: cve,cve2019,grafana
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
|
|
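Review bot: `reference: |` in this hunk declares a YAML literal block scalar, so the three `- https://...` lines below it become one multi-line string rather than a list of references, which differs from the `reference:` sequence used in the other templates in this commit and will not be parsed as URLs; drop the `|` so it reads `reference:` followed by the list items. In the second entry, the text `Vendor Advisory` is appended to the URL on the same line (`- https://community.grafana.com/t/grafana-5-4-5-and-6-3-4-security-update/20569 Vendor Advisory`), which corrupts the link; remove the label or move it into a `#` comment. The description's "makes it possible to run a denial of service attack" could also state which part of the API is unauthenticated so a reader can judge exposure, but that is a nice-to-have.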
@ -3,6 +3,8 @@ info:
|
||||||
name: Harbor Enables Privilege Escalation From Zero to admin
|
name: Harbor Enables Privilege Escalation From Zero to admin
|
||||||
author: pikpikcu
|
author: pikpikcu
|
||||||
severity: critical
|
severity: critical
|
||||||
|
description: |
|
||||||
|
core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API, when Harbor is setup with DB as authentication backend and allow user to do self-registration. Fixed version: v1.7.6 v1.8.3. v.1.9.0. Workaround without applying the fix: configure Harbor to use non-DB authentication backend such as LDAP.
|
||||||
issues: https://github.com/goharbor/harbor/issues/8951
|
issues: https://github.com/goharbor/harbor/issues/8951
|
||||||
reference: https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097/
|
reference: https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097/
|
||||||
tags: cve,cve2019,intrusive,harbor
|
tags: cve,cve2019,intrusive,harbor
|
||||||
|
|
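Review bot: this hunk adds an `issues:` key alongside `reference:`, while the other two templates in this commit carry all links under `reference:`; fold the GitHub issue URL into `reference:` as a second list item and make `reference:` a sequence rather than a bare scalar, so the three templates share one shape. The `description: |` block scalar is fine but the text inside it has inconsistent punctuation in "Fixed version: v1.7.6 v1.8.3. v.1.9.0." and the grammar of "allow user to do self-registration"; tidy it to "Fixed versions: v1.7.6, v1.8.3, v1.9.0" and "allows self-registration". Since the `intrusive` tag is set and the description concerns creating an account via `POST /api/users`, the description should say explicitly that a positive result means the target was modified, so operators know to clean up after a scan.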