Advisory Week


Week 46, 2024
Apple Security Advisory
 
visionOS 2.1.1 - Apple Security Content
iOS 18.1.1 and iPadOS 18.1.1 - Apple Security Content
iOS 17.7.2 and iPadOS 17.7.2 - Apple Security Content
macOS Sequoia 15.1.1 - Apple Security Content
Safari 18.1.1 - Apple Security Content
National Cyber Awareness System
 
CISA Releases Insights from Red Team Assessment of a U.S. Critical Infrastructure Sector Organization
CISA Releases Seven Industrial Control Systems Advisories
CISA Adds Three Known Exploited Vulnerabilities to Catalog
2024 CWE Top 25 Most Dangerous Software Weaknesses
CISA Adds Two Known Exploited Vulnerabilities to Catalog
USDA Releases Success Story Detailing the Implementation of Phishing-Resistant Multi-Factor Authentication
Apple Releases Security Updates for Multiple Products
CISA and Partners Release Update to BianLian Ransomware Cybersecurity Advisory
CISA Releases One Industrial Control Systems Advisory
CISA Adds Three Known Exploited Vulnerabilities to Catalog
Adobe Security Bulletins and Advisories
 
Security Update Available for Adobe InDesign | APSB24-91
Oracle Security Alerts
 
Oracle Security Alert for CVE-2024-21287 - 18 November 2024
Ubuntu Security Notices
 
Python regressions: USN-7015-6
Linux kernel (Low Latency) vulnerabilities: USN-7120-3 / USN-7089-7
ZBar vulnerabilities: USN-7118-1
Ruby vulnerabilities: USN-7091-2
Linux kernel vulnerabilities: USN-7120-2 / USN-7121-1 / USN-7120-1
Linux kernel (Azure) vulnerabilities: USN-7121-2 / USN-7123-1
Linux kernel vulnerability: USN-7122-1
Linux kernel (IoT) vulnerabilities: USN-7119-1
needrestart and Module::ScanDeps vulnerabilities: USN-7117-1
Waitress vulnerabilities: USN-7115-1
Python vulnerabilities: USN-7015-5
Python vulnerability: USN-7116-1
GLib vulnerability: USN-7114-1
curl vulnerability: USN-7104-1
WebKitGTK vulnerabilities: USN-7113-1
AsyncSSH vulnerabilities: USN-7108-1
Red Hat Security Advisory
 
Important: ACS 4.5 enhancement update: RHSA-2024:10186
Important: Red Hat Advanced Cluster Management 2.8.8 bug fixes and container updates: RHSA-2024:10183
Important: Multicluster Engine for Kubernetes 2.3.8 bug fixes and container updates: RHSA-2024:10179
Important: Red Hat build of Keycloak 26.0.6 Update: RHSA-2024:10178
Important: Red Hat build of Keycloak 26.0.6 Images Update: RHSA-2024:10177
Important: Red Hat build of Keycloak 24.0.9 Update: RHSA-2024:10176
Important: Red Hat build of Keycloak 24.0.9 Images Update: RHSA-2024:10175
Moderate: RHOSP 17.1.4 (openstack-tripleo-common and python-tripleoclient) security update: RHSA-2024:9990 / RHSA-2024:9991
Moderate: RHOSP 17.1.4 (python-sqlparse) security update: RHSA-2024:9984 / RHSA-2024:9986
Moderate: RHOSP 17.1.4 (python-webob) security update: RHSA-2024:9983 / RHSA-2024:9989
Important: RHOSP 17.1.4 (openstack-ironic) security update: RHSA-2024:9982
Moderate: RHOSP 17.1.4 (openstack-tripleo-heat-templates) security update: RHSA-2024:9978
Moderate: RHOSP 17.1.4 (python-zipp) security update: RHSA-2024:9977
Important: RHOSP 17.1.4 (python-werkzeug) security update: RHSA-2024:9976 / RHSA-2024:9975
Moderate: RHOSP 17.1.4 (python-requests) security update: RHSA-2024:9988
Moderate: RHOSP 17.1.4 (python-urllib3) security update: RHSA-2024:9985
Low: Updated service-interconnect rhel9 container images for 1.4 LTS: RHSA-2024:10135
Moderate: rhc-worker-script security update: RHSA-2024:10133
Important: tigervnc security update: RHSA-2024:10090 / RHSA-2024:9901 / RHSA-2024:9820 / RHSA-2024:9819 / RHSA-2024:9818 / RHSA-2024:9816
Important: OpenShift Container Platform 4.14.41 packages and security update: RHSA-2024:9623
Important: OpenShift Container Platform 4.14.41 bug fix and security update: RHSA-2024:9620
Important: OpenShift Container Platform 4.16.23 packages and security update: RHSA-2024:9618
Moderate: OpenShift Container Platform 4.16.23 bug fix and security update: RHSA-2024:9615
Critical: Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available (RHBQ 3.8.6.SP2): RHSA-2024:10035
Important: OpenShift Container Platform 4.17.5 security update: RHSA-2024:9613
Moderate: OpenShift Container Platform 4.17.5 security update: RHSA-2024:9610
Important: OpenShift API for Data Protection (OADP) 1.3.4 security and bug fix update: RHSA-2024:9960
Moderate: edk2 security update: RHSA-2024:9956 / RHSA-2024:9946 / RHSA-2024:9930 / RHSA-2024:9921
Moderate: kernel security update: RHSA-2024:9942
Moderate: haproxy security update: RHSA-2024:9945
Moderate: kernel-rt security update: RHSA-2024:9943
Moderate: pam security update: RHSA-2024:9941
Moderate: buildah security update: RHSA-2024:9926
Moderate: python3.12-urllib3 security update: RHSA-2024:9923
Moderate: python3.11-urllib3 security update: RHSA-2024:9922
Moderate: gnome-shell security update: RHSA-2024:9915
Moderate: qemu-kvm security update: RHSA-2024:9912
Moderate: Red Hat Ansible Automation Platform 2.5 Product Release Update: RHSA-2024:9894
Moderate: libvpx security update: RHSA-2024:9827
Important: squid:4 security update: RHSA-2024:9815 / RHSA-2024:9814 / RHSA-2024:9813
Moderate: Secondary Scheduler Operator for Red Hat OpenShift 1.2.2 for RHEL 9: RHSA-2024:8219
PHP Advisories
 
6 Vulnerabilities Fixed in PHP 8.1.31
6 Vulnerabilities Fixed in PHP 8.3.14
6 Vulnerabilities Fixed in PHP 8.2.26
Atlassian Security Advisories
 
Security Bulletin - November 19 2024
Microsoft Security
 
Microsoft November 2024 Security Update Guide
CVE-2024-49054 Microsoft Edge (Chromium-based) Spoofing Vulnerability
Google Security Advisories
 
Android Security Bulletin—September 2018 | Android Open Source Project
Android Security Bulletin—July 2018 | Android Open Source Project
Github Security Advisories
 
[GHSA-pqhp-25j4-6hq9] smol-toml has a Denial of Service via malicious TOML document using deeply nested inline tables
[GHSA-v5h2-q2w4-gpcx] Sentry improper error handling leaks Application Integration Client Secret
[GHSA-8w49-h785-mj3c] Tornado has an HTTP cookie parsing DoS vulnerability
[GHSA-m52v-24p8-654f] SurrealDB has an Uncaught Exception Sorting Tables by Random Order
[GHSA-jc55-246c-r88f] SurrealDB has an Uncaught Exception Handling Nonexistent Role
[GHSA-h4f5-h82v-5w4r] SurrealDB has an Uncaught Exception in Function Generating Random Time
[GHSA-49cc-xrjf-9qf7] SFTPGo allows administrators to restrict command execution from the EventManager
[GHSA-rmxg-6qqf-x8mr] GeoNode Server Side Request forgery
[GHSA-5cph-wvm9-45gj] Flowise OverrideConfig security vulnerability
[GHSA-hj3w-wrh4-44vp] LLama Factory Remote OS Command Injection Vulnerability
[GHSA-jh6x-7xfg-9cq2] Searching Opencast may cause a denial of service
[GHSA-gjcc-jvgw-wvwj] Litestar allows unbounded resource consumption (DoS vulnerability)
[GHSA-r4pg-vg54-wxx4] cert-manager has a potential slowdown / DoS when parsing specially crafted PEM inputs
[GHSA-9c5p-35gj-jqp4] Rancher Helm Applications may have sensitive values leaked
[GHSA-ffp2-8p2h-4m5j] Password Pusher rate limiter can be bypassed by forging proxy headers
[GHSA-7225-m954-23v7] ASA-2024-010: cosmossdk.io/math: Mismatched bit-length validation in sdk.Int and sdk.Dec can lead to panic
[GHSA-j5hq-5jcr-xwx7] github.com/rancher/steve's users can issue watch commands for arbitrary resources
[GHSA-5jfw-gq64-q45f] HTML Cleaner allows crafted scripts in special contexts like svg or math to pass through
[GHSA-hrxh-9w67-g4cv] Rclone has Improper Permission and Ownership Handling on Symlink Targets with --links and --metadata
[GHSA-p7f6-8mcm-fwv3] Statamic CMS has a Path Traversal in Asset Upload
[GHSA-g85v-wf27-67xc] Harden-Runner has a command injection weakness in `setup.ts` and `arc-runner.ts`
[GHSA-8495-4g3g-x7pr] aiohttp allows request smuggling due to incorrect parsing of chunk extensions
[GHSA-27mf-ghqm-j3j8] aiohttp has a memory leak when middleware is enabled when requesting a resource with a non-allowed method
[GHSA-vggm-3478-vm5m] Graylog concurrent PDF report rendering can leak other users' reports
[GHSA-7cc9-j4mv-vcjp] XXE in PHPSpreadsheet's XLSX reader
[GHSA-jw4x-v69f-hh5w] XmlScanner bypass leads to XXE
[GHSA-m26c-fcgh-cp6h] cobbler allows anyone to connect to cobbler XML-RPC server with known password and make changes
Drupal Security Advisories
 
Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-008
Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-007
Drupal core - Less critical - Gadget chain - SA-CORE-2024-006
Drupal core - Critical - Cross Site Scripting - SA-CORE-2024-005
Drupal core - Moderately critical - Access bypass - SA-CORE-2024-004
Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2024-003
Spring Security Advisories
 
CVE-2024-38827 - Medium - CVE-2024-38827: Spring Security Authorization Bypass for Case Sensitive Comparisons
CVE-2024-38829 - Low - CVE-2024-38829: Spring LDAP sensitive data exposure for case-sensitive comparisons
CISA Known Exploited Vulnerabilities
 
Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability CVE-2024-9474
Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability CVE-2024-0012
Progress Kemp LoadMaster OS Command Injection Vulnerability CVE-2024-1212
VMware vCenter Server Privilege Escalation Vulnerability CVE-2024-38813
VMware vCenter Server Heap-Based Buffer Overflow Vulnerability CVE-2024-38812
Oracle Agile Product Lifecycle Management (PLM) Incorrect Authorization Vulnerability CVE-2024-21287
Apple Multiple Products Cross-Site Scripting (XSS) Vulnerability CVE-2024-44309
Apple Multiple Products Code Execution Vulnerability CVE-2024-44308

The known exploited vulnerabilities list contains vulnerabilities that are known to be actively exploited. They may not be new or recently discovered. Vulnerabilities listed here were added to this list in the past week.