Log

AVG-2251 created at 03 Aug 2021 20:13:20
Packages
+ gitlab
Issues
+ CVE-2021-22236
+ CVE-2021-22237
+ CVE-2021-22239
Status
+ Vulnerable
Severity
+ Unknown
Affected
+ 14.1.1-1
Fixed
Ticket
Advisory qualified
+ Yes
References
+ https://about.gitlab.com/releases/2021/08/03/security-release-gitlab-14-1-2-released/
Notes
+ The advisory contains 14 more security issues for which a CVE ID has been request, but has not been assigned yet.
CVE-2021-22237 created at 03 Aug 2021 20:13:20
AVG-2250 edited at 03 Aug 2021 16:24:59
Severity
- Unknown
+ Medium
CVE-2021-36156 edited at 03 Aug 2021 16:24:59
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Directory traversal
Description
+ An issue was discovered in Grafana Loki through 2.2.1. The header value X-Scope-OrgID is used to construct file paths for rules files, and if crafted to conduct directory traversal such as a ../../sensitive/path/in/deployment pathname, then Loki will attempt to parse a rules file at that location and include some of the contents in the error message.
References
+ https://github.com/grafana/loki/pull/4020
+ https://github.com/grafana/loki/commit/2fd633cded9a97c8c6b29160549a157678d1fa2f
Notes
AVG-2250 created at 03 Aug 2021 16:23:24
Packages
+ loki
Issues
+ CVE-2021-36156
Status
+ Vulnerable
Severity
+ Unknown
Affected
+ 2.2.1-3
Fixed
Ticket
Advisory qualified
+ Yes
References
Notes
CVE-2021-36156 created at 03 Aug 2021 16:23:24
AVG-2249 edited at 03 Aug 2021 16:00:22
Affected
- 77.0.4054.277-1
+ 78.0.4093.112-1
AVG-2203 edited at 03 Aug 2021 16:00:17
Status
- Vulnerable
+ Fixed
Fixed
+ 78.0.4093.112-1
CVE-2021-22149 edited at 03 Aug 2021 15:59:23
Severity
- Unknown
+ High
Remote
- Unknown
+ Remote
Type
- Unknown
+ Access restriction bypass
Description
+ A flaw in Elastic App Search in Elastic Enterprise Search versions prior to 7.14.0 was discovered where API keys were missing authorization via an alternate route. Using this vulnerability, an authenticated attacker could utilize API keys belonging to higher privileged users.
References
+ https://discuss.elastic.co/t/elastic-stack-7-14-0-security-update/280344
CVE-2021-22148 edited at 03 Aug 2021 15:58:25
Severity
- Unknown
+ High
Remote
- Unknown
+ Remote
Type
- Unknown
+ Access restriction bypass
Description
+ A flaw in Elastic App Search in Elastic Enterprise Search versions prior to 7.14.0 was discovered where API keys were not bound to the same engines as their creator. This could lead to a less privileged user gaining access to unauthorized engines.
References
+ https://discuss.elastic.co/t/elastic-stack-7-14-0-security-update/280344
CVE-2021-22147 edited at 03 Aug 2021 15:57:30
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Information disclosure
Description
+ A flaw was discovered in Elasticsearch versions 7.11.0 to 7.13.4 where document and field level security was not applied to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view.
References
+ https://discuss.elastic.co/t/elastic-stack-7-14-0-security-update/280344
AVG-1884 edited at 03 Aug 2021 15:56:49
Issues
CVE-2021-22140
+ CVE-2021-22147
+ CVE-2021-22148
+ CVE-2021-22149
CVE-2021-22147 created at 03 Aug 2021 15:56:49
Severity
+ Unknown
Remote
+ Unknown
Type
+ Unknown
Description
References
Notes
AVG-1884 edited at 03 Aug 2021 15:56:49
Issues
CVE-2021-22140
+ CVE-2021-22147
+ CVE-2021-22148
+ CVE-2021-22149
CVE-2021-22148 created at 03 Aug 2021 15:56:49
Severity
+ Unknown
Remote
+ Unknown
Type
+ Unknown
Description
References
Notes