Уязвимость демона firewalld программного средства для создания систем контейнерной изоляции Moby, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Уязвимость пакетного менеджера для Kubernetes Helm, связанная с использованием неинициализированного ресурса, позволяющая нарушителю вызвать отказ в обслуживании

Уязвимость пакетного менеджера для Kubernetes Helm, связанная с распределением ресурсов без ограничений и регулирования, позволяющая нарушителю вызвать отказ в обслуживании

The Kubernetes API server component in versions prior to 1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via successful API requests.

Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. In versions 28.2.0 through 28.3.2, when the firewalld service is reloaded it removes all iptables rules including those created by Docker. While Docker should automatically recreate these rules, versions before 28.3.3 fail to recreate the specific rules that block external access to containers. This means that after a firewalld reload, containers with ports published to localhost (like 127.0.0.1:8080) become accessible from remote machines that have network routing to the Docker bridge, even though they should only be accessible from the host itself. The vulnerability only affects explicitly published ports - unpublished ports remain protected. This issue is fixed in version 28.3.3.

Helm is a package manager for Charts for Kubernetes. Prior to version 3.18.5, when parsing Chart.yaml and index.yaml files, an improper validation of type error can lead to a panic. This issue has been resolved in Helm 3.18.5. A workaround involves ensuring YAML files are formatted as Helm expects prior to processing them with Helm.

Helm is a package manager for Charts for Kubernetes. Prior to version 3.18.5, it is possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and have an out of memory (OOM) termination. This issue has been resolved in Helm 3.18.5. A workaround involves ensuring all Helm charts that are being loaded into Helm do not have any reference of $ref pointing to /dev/zero.

A flaw was found in CIRCL's implementation of the FourQ elliptic curve. This vulnerability allows an attacker to compromise session security via low-order point injection and incorrect point validation during Diffie-Hellman key exchange.

CIRCL-Fourq: Missing and wrong validation can lead to incorrect results

Kubernetes API Server DoS Via API Requests

Helm Charts with Specific JSON Schema Values Can Cause Memory Exhaustion

Helm May Panic Due To Incorrect YAML Content

mapstructure May Leak Sensitive Information in Logs When Processing Malformed Data

Moby firewalld reload makes published container ports accessible from remote hosts