
Drafts


CVE-2024-48899
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 3 months, 2 weeks ago by @fricklerhandwerk Activity log
  • Created automatic suggestion
  • @fricklerhandwerk removed
    3 packages
    • pkgs.moodle-dl 2.2.2.4
    • pkgs.moodle-dl 2.3.12
    • pkgs.texlivePackages.moodle 1.0
  • @fricklerhandwerk accepted as draft
Moodle: IDOR when accessing list of course badges

A vulnerability was found in Moodle. Additional checks are required to ensure users can only fetch the list of course badges for courses that they are intended to have access to.

moodle <4.4.4

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP
Notify package maintainers: 1
CVE-2024-10492
updated 3 months, 2 weeks ago by @fricklerhandwerk Activity log
  • Created automatic suggestion
  • @ANONYMOUS dismissed
  • @ANONYMOUS marked as untriaged
  • @ANONYMOUS removed
    2 packages
    • pkgs.python311Packages.python-keycloak 4.0.0
    • pkgs.python312Packages.python-keycloak 4.0.0
  • @ANONYMOUS accepted as draft
  • @fricklerhandwerk removed package pkgs.terraform-providers.keycloak 4.4.0
Keycloak-quarkus-server: keycloak path traversal

A vulnerability was found in Keycloak. A user with high privileges could read sensitive information from a Vault file that is not within the expected context. This attacker must have previous high access to the Keycloak server in order to perform resource creation, for example, an LDAP provider configuration and set up a Vault read file, which will only inform whether that file exists or not.

keycloak <26.0.6
rhbk/keycloak-rhel9 *
rhbk/keycloak-rhel9-operator *
rhbk/keycloak-operator-bundle *
org.keycloak/keycloak-quarkus-server

pkgs.keycloak

Identity and access management for modern applications and services
Notify package maintainers: 3
CVE-2024-9632
7.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 3 months, 3 weeks ago by @Erethon Activity log
  • Created automatic suggestion
  • @Erethon accepted as draft
  • @Erethon removed package pkgs.tigervnc 1.14.0
Xorg-x11-server: tigervnc: heap-based buffer overflow privilege escalation vulnerability

A flaw was found in the X.org server. Due to improperly tracked allocation size in _XkbSetCompatMap, a local attacker may be able to trigger a buffer overflow condition via a specially crafted payload, leading to denial of service or local privilege escalation in distributions where the X.org server is run with root privileges.

tigervnc *
xorg-x11-server *
xorg-x11-server-Xwayland *