SB2023120163 - Fedora 40 update for golang-cloud-google, golang-cloud-google-bigquery, golang-cloud-google-compute, golang-cloud-google-compute-metadata, golang-cloud-google-datacatalog, golang-cloud-google-datastore, golang-cloud-google-firestore, golang-cloud-google-i
Published: December 1, 2023
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Improper access control (CVE-ID: CVE-2023-47037)
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote authenticated user who is authorized to view a DAG can modify some DAG run detail values when submitting notes.
Note that the fix for this issue was reported as included in version 2.7.1; however, the vendor did not actually apply it to that release.
2) Improper access control (CVE-ID: CVE-2023-40712)
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to improper access restrictions. A remote user with access to the task or DAG in the UI can unmask the secret configuration values of the task.
3) Inclusion of functionality from untrusted control sphere (CVE-ID: CVE-2023-41267)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability is caused by an error in the software documentation, which instructed users to install a pip package whose name was not claimed on the package index. An attacker could register that name and publish a malicious package under it, potentially compromising any system on which the documented installation steps were followed.
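The third issue is a package-name squatting risk: an installation step names a package that nobody owns, so whoever registers the name controls what gets installed. A practical pre-install check is to refuse requirements that are not pinned by version and hash and whose names have not been reviewed. The following Python script is an added example written for this bulletin, not code from the bulletin or from any of the projects named here; the sample requirements text, the allowlist contents and the sha256 value are constructed placeholders.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample requirements file (not taken from the bulletin or any project).
# The sha256 value is a placeholder, not a real artifact hash.
SAMPLE_REQUIREMENTS = """\
# pinned and hash-locked: acceptable
requests==2.31.0 --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
# pinned but no hash: warn
apache-airflow==2.7.2
# unpinned and not on the reviewed allowlist: reject
some-plugin-mentioned-in-docs
"""

# Assumed: names a team has reviewed and knows to be legitimately claimed.
ALLOWLIST = {"requests", "apache-airflow"}

NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")
HASH_RE = re.compile(r"--hash=(sha256|sha384|sha512):[0-9a-fA-F]+")


@dataclass
class Finding:
    line_no: int
    name: str
    level: str  # "ok", "warn" or "reject"
    reason: str


def normalize(name: str) -> str:
    # pip treats names case-insensitively and '_' and '-' as equivalent.
    return name.lower().replace("_", "-")


def check_requirements(text: str, allowlist: set[str]) -> list[Finding]:
    """Classify each requirement line; unknown names are rejected outright."""
    findings: list[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank line, comment, or a pip option such as -r / --index-url
        m = NAME_RE.match(line)
        if not m:
            findings.append(Finding(n, line, "reject", "unparseable requirement"))
            continue
        name = normalize(m.group(1))
        if name not in allowlist:
            # This is the squatting case: a name nobody on the team has verified.
            findings.append(Finding(n, name, "reject", "package name not on reviewed allowlist"))
            continue
        if "==" not in line:
            findings.append(Finding(n, name, "reject", "version not pinned with =="))
            continue
        if not HASH_RE.search(line):
            findings.append(Finding(n, name, "warn", "pinned but no --hash; a different artifact could be served"))
            continue
        findings.append(Finding(n, name, "ok", "pinned and hash-locked"))
    return findings


def has_rejects(findings: list[Finding]) -> bool:
    return any(f.level == "reject" for f in findings)


if __name__ == "__main__":
    results = check_requirements(SAMPLE_REQUIREMENTS, ALLOWLIST)
    for f in results:
        print(f"line {f.line_no}: {f.level:6} {f.name}: {f.reason}")
    raise SystemExit(1 if has_rejects(results) else 0)
```

Run as a gate before `pip install -r`: a non-zero exit means at least one requirement names a package the team has not reviewed or is not version-pinned, which is exactly the situation the documentation error above created.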
Remediation
Install the update from the vendor's website.