#redis

Red Hat Security Advisory 2024-3321-03 - An update for pcp is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

### Summary By default, the Redis database server is not password-protected. Consequently, an attacker with access to the Redis server can gain read/write access to the data in Redis. The attacker can also modify the "mfst" (manifest) key to cause ArgoCD to execute any deployment, potentially leveraging ArgoCD's high privileges to take over the cluster. Updating the "cacheEntryHash" in the manifest JSON is necessary, but since it doesn't use a private key for signing its integrity, a simple script can generate a new FNV64a hash matching the new manifest values. The repo-server, unable to verify if its cache is compromised, will read the altered "mfst" key and initiate an update process for the injected deployment. It's also possible to edit the "app|resources-tree" key, causing the ArgoCD server to load any Kubernetes resource into the live manifest section of the app preview. This could lead to an information leak. The fact that the cache in Redis is neither signed nor validated, co...

TrojanSpy.Win64.EMOTET.A malware suffers from a code execution vulnerability.

Backdoor.Win32.AsyncRat malware suffers from a code execution vulnerability.

Panel.SmokeLoader malware suffers from cross site request forgery, and cross site scripting vulnerabilities.

Panel.SmokeLoader malware suffers from a cross site scripting vulnerability.

Panel Amadey.d.c malware suffers from cross site scripting vulnerabilities.

By Uzair Amir Remember Minesweeper? It's not just a game - it's a hidden training ground for work skills! Sharpen your decision-making, focus, and strategic thinking with every click. This is a post from HackRead.com Read the original post: A Mind at Play: Rediscovering Minesweeper in the Professional Arena

### Impact Any instance of Apollo Router 1.44.0 or 1.45.0 that is using Distributed Query Plan Caching is impacted. These versions were released on 2024-04-12 and 2024-04-22 respectively. The affected versions of Apollo Router contain a bug that could lead to unexpected operations being executed, which can result in unintended data or effects. This only affects Router instances configured to use distributed query plan caching. Router versions other than the ones listed above, and all Router deployments that are not using distributed query plan caching, are unaffected by this defect. If you are using the affected versions, you can check your router’s configuration YAML to verify if you are impacted: ```yaml supergraph: query_planning: cache: # Look for this config below redis: urls: ["redis://..."] ``` A full reference on the[ Distributed Query Plan Caching feature is available here.](https://www.apollographql.com/docs/router/configuration/distributed-cachi...

### Summary Attackers with commit access to the default branch of a repo using Renovate could manipulate helmv3 registryAliases to execute arbitrary commands. ### Details Since [#26848](https://github.com/renovatebot/renovate/pull/26848), `registryAliases` has become mergeable. This means that the helmv3 manager started honoring its value and uses a `helm repo add <key> <parameters>` command for each defined alias. See source code: https://github.com/renovatebot/renovate/blob/23f3df6216375cb5bcfe027b0faee304f877f891/lib/modules/manager/helmv3/artifacts.ts#L80 The key was not quoted, leading to the ability to use variable references (`$FOO`) in it and have them printed by Renovate on the pull request, or even running any shell commands. ### PoC Inside a repository where Renovate runs, add a Helm chart with an outdated dependency, for example: test-chart/Chart.yaml: ``` apiVersion: v2 name: redis version: 1.0.0 dependencies: - name: redis version: 18.13.10 repository: oc...