2024-46 - Apple, Adobe, Oracle, Canonical, Red Hat, PHP, Atlassian, Microsoft, Google, GitHub 🗂️

2024 » Published on November 25, 2024

What's AdvisoryWeek?

AdvisoryWeek is a once weekly email that rounds up the latest security advisories published in the past week.

Can't find a way to get security emails from your favorite vendors? Not all vendors provide email notifications, you can use AdvisoryWeek to make sure you get important security advisories and bulletins.
Security FOMO? Don't fret, AdvisoryWeek tracks security advisories from major vendors like Microsoft, Adobe, Apple, Oracle, and many more.
Too much noise? AdvisoryWeek is one email per week, with organized links to each vendor security advisory.

Advisory Week

Week 46, 2024

Apple Security Advisory

visionOS 2.1.1 - Apple Security Content

iOS 18.1.1 and iPadOS 18.1.1 - Apple Security Content

iOS 17.7.2 and iPadOS 17.7.2 - Apple Security Content

macOS Sequoia 15.1.1 - Apple Security Content

Safari 18.1.1 - Apple Security Content

National Cyber Awareness System

CISA Releases Insights from Red Team Assessment of a U.S. Critical Infrastructure Sector Organization

CISA Releases Seven Industrial Control Systems Advisories

CISA Adds Three Known Exploited Vulnerabilities to Catalog

2024 CWE Top 25 Most Dangerous Software Weaknesses

CISA Adds Two Known Exploited Vulnerabilities to Catalog

USDA Releases Success Story Detailing the Implementation of Phishing-Resistant Multi-Factor Authentication

Apple Releases Security Updates for Multiple Products

CISA and Partners Release Update to BianLian Ransomware Cybersecurity Advisory

CISA Releases One Industrial Control Systems Advisory

CISA Adds Three Known Exploited Vulnerabilities to Catalog

Adobe Security Bulletins and Advisories

Security Update Available for Adobe InDesign | APSB24-91

Oracle Security Alerts

Oracle Security Alert for CVE-2024-21287 - 18 November 2024

Ubuntu Security Notices

Python regressions: USN-7015-6

Linux kernel (Low Latency) vulnerabilities: USN-7120-3 / USN-7089-7

ZBar vulnerabilities: USN-7118-1

Ruby vulnerabilities: USN-7091-2

Linux kernel vulnerabilities: USN-7120-2 / USN-7121-1 / USN-7120-1

Linux kernel (Azure) vulnerabilities: USN-7121-2 / USN-7123-1

Linux kernel vulnerability: USN-7122-1

Linux kernel (IoT) vulnerabilities: USN-7119-1

needrestart and Module::ScanDeps vulnerabilities: USN-7117-1

Waitress vulnerabilities: USN-7115-1

Python vulnerabilities: USN-7015-5

Python vulnerability: USN-7116-1

GLib vulnerability: USN-7114-1

curl vulnerability: USN-7104-1

WebKitGTK vulnerabilities: USN-7113-1

AsyncSSH vulnerabilities: USN-7108-1

Red Hat Security Advisory

Important: ACS 4.5 enhancement update: RHSA-2024:10186

Important: Red Hat Advanced Cluster Management 2.8.8 bug fixes and container updates: RHSA-2024:10183

Important: Multicluster Engine for Kubernetes 2.3.8 bug fixes and container updates: RHSA-2024:10179

Important: Red Hat build of Keycloak 26.0.6 Update: RHSA-2024:10178

Important: Red Hat build of Keycloak 26.0.6 Images Update: RHSA-2024:10177

Important: Red Hat build of Keycloak 24.0.9 Update: RHSA-2024:10176

Important: Red Hat build of Keycloak 24.0.9 Images Update: RHSA-2024:10175

Moderate: RHOSP 17.1.4 (openstack-tripleo-common and python-tripleoclient) security update: RHSA-2024:9990 / RHSA-2024:9991

Moderate: RHOSP 17.1.4 (python-sqlparse) security update: RHSA-2024:9984 / RHSA-2024:9986

Moderate: RHOSP 17.1.4 (python-webob) security update: RHSA-2024:9983 / RHSA-2024:9989

Important: RHOSP 17.1.4 (openstack-ironic) security update: RHSA-2024:9982

Moderate: RHOSP 17.1.4 (openstack-tripleo-heat-templates) security update: RHSA-2024:9978

Moderate: RHOSP 17.1.4 (python-zipp) security update: RHSA-2024:9977

Important: RHOSP 17.1.4 (python-werkzeug) security update: RHSA-2024:9976 / RHSA-2024:9975

Moderate: RHOSP 17.1.4 (python-requests) security update: RHSA-2024:9988

Moderate: RHOSP 17.1.4 (python-urllib3) security update: RHSA-2024:9985

Low: Updated service-interconnect rhel9 container images for 1.4 LTS: RHSA-2024:10135

Moderate: rhc-worker-script security update: RHSA-2024:10133

Important: tigervnc security update: RHSA-2024:10090 / RHSA-2024:9901 / RHSA-2024:9820 / RHSA-2024:9819 / RHSA-2024:9818 / RHSA-2024:9816

Important: OpenShift Container Platform 4.14.41 packages and security update: RHSA-2024:9623

Important: OpenShift Container Platform 4.14.41 bug fix and security update: RHSA-2024:9620

Important: OpenShift Container Platform 4.16.23 packages and security update: RHSA-2024:9618

Moderate: OpenShift Container Platform 4.16.23 bug fix and security update: RHSA-2024:9615

Critical: Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available (RHBQ 3.8.6.SP2): RHSA-2024:10035

Important: OpenShift Container Platform 4.17.5 security update: RHSA-2024:9613

Moderate: OpenShift Container Platform 4.17.5 security update: RHSA-2024:9610

Important: OpenShift API for Data Protection (OADP) 1.3.4 security and bug fix update: RHSA-2024:9960

Moderate: edk2 security update: RHSA-2024:9956 / RHSA-2024:9946 / RHSA-2024:9930 / RHSA-2024:9921

Moderate: kernel security update: RHSA-2024:9942

Moderate: haproxy security update: RHSA-2024:9945

Moderate: kernel-rt security update: RHSA-2024:9943

Moderate: pam security update: RHSA-2024:9941

Moderate: buildah security update: RHSA-2024:9926

Moderate: python3.12-urllib3 security update: RHSA-2024:9923

Moderate: python3.11-urllib3 security update: RHSA-2024:9922

Moderate: gnome-shell security update: RHSA-2024:9915

Moderate: qemu-kvm security update: RHSA-2024:9912

Moderate: Red Hat Ansible Automation Platform 2.5 Product Release Update: RHSA-2024:9894

Moderate: libvpx security update: RHSA-2024:9827

Important: squid:4 security update: RHSA-2024:9815 / RHSA-2024:9814 / RHSA-2024:9813

Moderate: Secondary Scheduler Operator for Red Hat OpenShift 1.2.2 for RHEL 9: RHSA-2024:8219

PHP Advisories

6 Vulnerabilities Fixed in PHP 8.1.31

6 Vulnerabilities Fixed in PHP 8.3.14

6 Vulnerabilities Fixed in PHP 8.2.26

Atlassian Security Advisories

Security Bulletin - November 19 2024

Microsoft Security

Microsoft November 2024 Security Update Guide

CVE-2024-49054 Microsoft Edge (Chromium-based) Spoofing Vulnerability

Google Security Advisories

Android Security Bulletin—September 2018 | Android Open Source Project

Android Security Bulletin—July 2018 | Android Open Source Project

Github Security Advisories

[GHSA-pqhp-25j4-6hq9] smol-toml has a Denial of Service via malicious TOML document using deeply nested inline tables

[GHSA-v5h2-q2w4-gpcx] Sentry improper error handling leaks Application Integration Client Secret

[GHSA-8w49-h785-mj3c] Tornado has an HTTP cookie parsing DoS vulnerability

[GHSA-m52v-24p8-654f] SurrealDB has an Uncaught Exception Sorting Tables by Random Order

[GHSA-jc55-246c-r88f] SurrealDB has an Uncaught Exception Handling Nonexistent Role

[GHSA-h4f5-h82v-5w4r] SurrealDB has an Uncaught Exception in Function Generating Random Time

[GHSA-49cc-xrjf-9qf7] SFTPGo allows administrators to restrict command execution from the EventManager

[GHSA-rmxg-6qqf-x8mr] GeoNode Server Side Request forgery

[GHSA-5cph-wvm9-45gj] Flowise OverrideConfig security vulnerability

[GHSA-hj3w-wrh4-44vp] LLama Factory Remote OS Command Injection Vulnerability

[GHSA-jh6x-7xfg-9cq2] Searching Opencast may cause a denial of service

[GHSA-gjcc-jvgw-wvwj] Litestar allows unbounded resource consumption (DoS vulnerability)

[GHSA-r4pg-vg54-wxx4] cert-manager ha a potential slowdown / DoS when parsing specially crafted PEM inputs

[GHSA-9c5p-35gj-jqp4] Rancher Helm Applications may have sensitive values leaked

[GHSA-ffp2-8p2h-4m5j] Password Pusher rate limiter can be bypassed by forging proxy headers

[GHSA-7225-m954-23v7] ASA-2024-010: cosmossdk.io/math: Mismatched bit-length validation in sdk.Int and sdk.Dec can lead to panic

[GHSA-j5hq-5jcr-xwx7] github.com/rancher/steve's users can issue watch commands for arbitrary resources

[GHSA-5jfw-gq64-q45f] HTML Cleaner allows crafted scripts in special contexts like svg or math to pass through

[GHSA-hrxh-9w67-g4cv] Rclone has Improper Permission and Ownership Handling on Symlink Targets with --links and --metadata

[GHSA-p7f6-8mcm-fwv3] Statamic CMS has a Path Traversal in Asset Upload

[GHSA-g85v-wf27-67xc] Harden-Runner has a command injection weaknesses in `setup.ts` and `arc-runner.ts`

[GHSA-8495-4g3g-x7pr] aiohttp allows request smuggling due to incorrect parsing of chunk extensions

[GHSA-27mf-ghqm-j3j8] aiohttp has a memory leak when middleware is enabled when requesting a resource with a non-allowed method

[GHSA-vggm-3478-vm5m] Graylog concurrent PDF report rendering can leak other users' reports

[GHSA-7cc9-j4mv-vcjp] XXE in PHPSpreadsheet's XLSX reader

[GHSA-jw4x-v69f-hh5w] XmlScanner bypass leads to XXE

[GHSA-m26c-fcgh-cp6h] cobbler allows anyone to connect to cobbler XML-RPC server with known password and make changes

Drupal Security Advisories

Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-008

Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-007

Drupal core - Less critical - Gadget chain - SA-CORE-2024-006

Drupal core - Critical - Cross Site Scripting - SA-CORE-2024-005

Drupal core - Moderately critical - Access bypass - SA-CORE-2024-004

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2024-003

Spring Security Advisories

CVE-2024-38827 - Medium - CVE-2024-38827: Spring Security Authorization Bypass for Case Sensitive Comparisons

CVE-2024-38829 - Low - CVE-2024-38829: Spring LDAP Spring LDAP sensitive data exposure for case-sensitive comparisons

CISA Known Exploted Vulnerabilities

Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability CVE-2024-9474

Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability CVE-2024-0012

Progress Kemp LoadMaster OS Command Injection Vulnerability CVE-2024-1212

VMware vCenter Server Privilege Escalation Vulnerability CVE-2024-38813

VMware vCenter Server Heap-Based Buffer Overflow Vulnerability CVE-2024-38812

Oracle Agile Product Lifecycle Management (PLM) Incorrect Authorization Vulnerability CVE-2024-21287

Apple Multiple Products Cross-Site Scripting (XSS) Vulnerability CVE-2024-44309

Apple Multiple Products Code Execution Vulnerability CVE-2024-44308

The known exploited vulnerabilities list contains vulnerabilities that are known to be activly exploited. They may not be new or recently discovered. Vulnerabilities listed here were added to this list in the past week.