cosign verify-attestation used with the –type flag will report a false positive verification when:
There is at least one attestation with a valid signature
There are NO attestations of the type being verified (–type defaults to “custom”)
This can h…
PolicyController will report a false positive, resulting in an admission when it should not be admitted when:
There is at least one attestation with a valid signature
There are NO attestations of the type being verified (–type defaults to “custom”)
…
The GitHub Security Lab discovered sixteen ways to exploit a cross-site scripting vulnerability in nbconvert. When using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML which may lead to cr…
graphql-go (aka GraphQL for Go) through 0.8.0 has infinite recursion in the type definition parser.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-37315
https://github.com/graphql-go/graphql/issues/637
https://github.com/advisories/GHSA-h3qm-jrr…
In Eclipse Californium versions 2.0.0 to 2.7.2 and 3.0.0-3.5.0 a DTLS resumption handshake falls back to a DTLS full handshake on a parameter mismatch without using a HelloVerifyRequest. Especially, if used with certificate based cipher suites, that re…
A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.
Reference…
Jenkins Git client plugin 3.11.0 and earlier does not perform SSH host key verification when connecting to Git repositories via SSH, enabling man-in-the-middle attacks. Git client plugin 3.11.1 provides strategies for performing host key verification f…
A cross-site request forgery (CSRF) vulnerability in Jenkins Git Plugin 4.11.3 and earlier allows attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.
Re…
Jenkins Deployer Framework Plugin 85.v1d1888e8c021 and earlier does not restrict the application path of the applications when configuring a deployment, allowing attackers with Item/Configure permission to upload arbitrary files from the Jenkins contro…
Jenkins Compuware ISPW Operations Plugin 1.0.8 and earlier does not restrict execution of a controller/agent message to agents, allowing attackers able to control agent processes to retrieve Java system properties.
References
https://nvd.nist.gov/vuln…
