rpm package
opensuse/velociraptor&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/velociraptor&distro=openSUSE%20Tumbleweed
Vulnerabilities (85)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-44270 | — | < 0.7.0.4.git142.862ef23-1.1 | 0.7.0.4.git142.862ef23-1.1 | Sep 29, 2023 | An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be inc | ||
| CVE-2022-25883 | — | < 0.7.0.4.git74.3426c0a-9.1 | 0.7.0.4.git74.3426c0a-9.1 | Jun 21, 2023 | Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range. | ||
| CVE-2023-1732 | — | < 0.7.0.4.git142.862ef23-1.1 | 0.7.0.4.git142.862ef23-1.1 | May 10, 2023 | When sampling randomness for a shared secret, the implementation of Kyber and FrodoKEM, did not check whether crypto/rand.Read() returns an error. In rare deployment cases (error thrown by the Read() function), this could lead to a predictable shared secret. The tkn20 and blindr | ||
| CVE-2023-0290 | — | < 0.6.7.5~git78.2bef6fc-2.1 | 0.6.7.5~git78.2bef6fc-2.1 | Jan 18, 2023 | Rapid7 Velociraptor did not properly sanitize the client ID parameter to the CreateCollection API, allowing a directory traversal in where the collection task could be written. It was possible to provide a client id of "../clients/server" to schedule the collection for the server | ||
| CVE-2023-0242 | — | < 0.6.7.5~git78.2bef6fc-2.1 | 0.6.7.5~git78.2bef6fc-2.1 | Jan 18, 2023 | Rapid7 Velociraptor allows users to be created with different privileges on the server. Administrators are generally allowed to run any command on the server including writing arbitrary files. However, lower privilege users are generally forbidden from writing or modifying files |
- CVE-2023-44270Sep 29, 2023affected < 0.7.0.4.git142.862ef23-1.1fixed 0.7.0.4.git142.862ef23-1.1
An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be inc
- CVE-2022-25883Jun 21, 2023affected < 0.7.0.4.git74.3426c0a-9.1fixed 0.7.0.4.git74.3426c0a-9.1
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
- CVE-2023-1732May 10, 2023affected < 0.7.0.4.git142.862ef23-1.1fixed 0.7.0.4.git142.862ef23-1.1
When sampling randomness for a shared secret, the implementation of Kyber and FrodoKEM, did not check whether crypto/rand.Read() returns an error. In rare deployment cases (error thrown by the Read() function), this could lead to a predictable shared secret. The tkn20 and blindr
- CVE-2023-0290Jan 18, 2023affected < 0.6.7.5~git78.2bef6fc-2.1fixed 0.6.7.5~git78.2bef6fc-2.1
Rapid7 Velociraptor did not properly sanitize the client ID parameter to the CreateCollection API, allowing a directory traversal in where the collection task could be written. It was possible to provide a client id of "../clients/server" to schedule the collection for the server
- CVE-2023-0242Jan 18, 2023affected < 0.6.7.5~git78.2bef6fc-2.1fixed 0.6.7.5~git78.2bef6fc-2.1
Rapid7 Velociraptor allows users to be created with different privileges on the server. Administrators are generally allowed to run any command on the server including writing arbitrary files. However, lower privilege users are generally forbidden from writing or modifying files
Page 5 of 5