Knowage is a professional open source suite for modern business analytics over traditional sources and big data systems. The endpoint `/knowage/restful-services/dossier/importTemplateFile` allows authenticated users to download templates hosted on the server. However, starting in the 6.x.x branch and prior to version 8.1.8, the application does not sanitize the `templateName` parameter, allowing an attacker to place `../` in it, escape the directory where templates are normally stored, and download any file from the system. This vulnerability allows a low-privileged attacker to exfiltrate sensitive configuration files. The issue has been patched in Knowage version 8.1.8.

The file endpoints under `packages/backend/src/routers` in Lightdash before 0.510.3 are insecure: they allow `..` directory traversal and do not ensure that an intended file extension (`.csv` or `.png`) is used.

AWS Cloud Development Kit (AWS CDK) is an open-source software development framework to define cloud infrastructure in code and provision it through AWS CloudFormation. In the packages `aws-cdk-lib` 2.0.0 until 2.80.0 and 1.57.0 until 1.202.0, the `eks.Cluster` and `eks.FargateCluster` constructs create two roles, `CreationRole` and the default `MastersRole`, that have an overly permissive trust policy.
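Both the Knowage and the Lightdash issues above are the same bug class: a user-supplied file name is joined onto a server directory without checking that the result stays inside it (and, for Lightdash, without checking the extension). The following is an added example, not code from either project, showing the naive join next to a hardened resolver. The base directory `/opt/app/templates` and the `.csv`/`.png` allowlist are assumptions for the demo; the real layouts are not described on the page.

```typescript
import * as path from "path";

// Assumed base directory for the example; neither project's real layout is on the page.
export const TEMPLATE_DIR = "/opt/app/templates";

export class UnsafePathError extends Error {}

// Vulnerable pattern: join the user-controlled name straight onto the base directory.
// path.join normalizes "../" segments, so the result can point anywhere on disk.
export function resolveNaively(baseDir: string, userName: string): string {
  return path.join(baseDir, userName);
}

// Hardened resolver: canonicalize, then require the result to sit strictly below
// the base directory and to carry an allow-listed extension.
export function resolveSafely(
  baseDir: string,
  userName: string,
  allowedExt: readonly string[],
): string {
  if (userName.includes("\0")) {
    throw new UnsafePathError("NUL byte in file name");
  }
  const base = path.resolve(baseDir);
  const target = path.resolve(base, userName); // absolute user input replaces base here
  if (target === base) {
    throw new UnsafePathError("no file name given");
  }
  // Compare against base plus a separator so "/opt/app/templates-old/x" is rejected.
  if (!target.startsWith(base + path.sep)) {
    throw new UnsafePathError(`path escapes ${baseDir}: ${userName}`);
  }
  const ext = path.extname(target).toLowerCase();
  if (!allowedExt.includes(ext)) {
    throw new UnsafePathError(`extension ${ext || "(none)"} not allowed`);
  }
  return target;
}

// Verdict helper used by the demo: "ok" when the name passes every check.
export function classify(userName: string): "ok" | "rejected" {
  try {
    resolveSafely(TEMPLATE_DIR, userName, [".csv", ".png"]);
    return "ok";
  } catch (e) {
    if (e instanceof UnsafePathError) return "rejected";
    throw e;
  }
}

// Constructed sample inputs, including the classic traversal payload.
for (const name of ["report.csv", "../../../etc/passwd", "/etc/passwd", "config.xml"]) {
  console.log(name.padEnd(22), "naive:", resolveNaively(TEMPLATE_DIR, name).padEnd(30), "hardened:", classify(name));
}
```

The check is done on the resolved absolute path rather than by searching the raw string for `..`, which also catches absolute paths and encoded variants that decode before the join; the extension check runs after resolution so a name such as `x.csv/../secret` cannot pass on its suffix alone.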
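The CDK advisory says only that the two EKS roles had an "overly permissive trust policy"; the page does not show the policy itself. As an added example (not CDK's code, and not a reproduction of the actual affected policy), here is a small audit function over an IAM trust-policy document that flags the common over-broad shapes: an anonymous `*` principal, an `AWS: "*"` principal, or an unconditioned account-root principal, which lets every IAM identity in that account call `sts:AssumeRole`. The sample policies and the account ID `123456789012` are constructed for the demo.

```typescript
// Minimal shape of an IAM trust (assume-role) policy document for this example.
type PrincipalBlock = { AWS?: string | string[]; Service?: string | string[]; Federated?: string | string[] };
type Principal = "*" | PrincipalBlock;

export interface Statement {
  Effect: "Allow" | "Deny";
  Principal: Principal;
  Action: string | string[];
  Condition?: Record<string, unknown>;
}

export interface TrustPolicy {
  Version: string;
  Statement: Statement[];
}

const asList = (v: string | string[] | undefined): string[] =>
  v === undefined ? [] : Array.isArray(v) ? v : [v];

// Returns one finding per statement that grants AssumeRole to too broad a set of
// principals. The heuristics are this example's own, not CDK's or AWS's.
export function auditTrustPolicy(doc: TrustPolicy): string[] {
  const findings: string[] = [];
  doc.Statement.forEach((st, i) => {
    if (st.Effect !== "Allow") return;
    const actions = asList(st.Action);
    const grantsAssume = actions.some((a) => a === "*" || a === "sts:*" || /^sts:AssumeRole/i.test(a));
    if (!grantsAssume) return;
    const hasCondition = st.Condition !== undefined && Object.keys(st.Condition).length > 0;
    if (st.Principal === "*") {
      findings.push(`statement ${i}: anonymous principal "*" may assume the role`);
      return;
    }
    for (const p of asList(st.Principal.AWS)) {
      if (p === "*") {
        findings.push(`statement ${i}: any AWS principal may assume the role`);
      } else if (/^arn:aws:iam::\d{12}:root$/.test(p) && !hasCondition) {
        // Account root as principal delegates to every identity in that account
        // unless a Condition (e.g. on aws:PrincipalArn) narrows it.
        findings.push(`statement ${i}: every IAM principal in account ${p.split(":")[4]} may assume the role (no Condition)`);
      }
    }
  });
  return findings;
}

// Constructed sample: whole-account trust with no condition.
export const broadPolicy: TrustPolicy = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Principal: { AWS: "arn:aws:iam::123456789012:root" }, Action: "sts:AssumeRole" }],
};

// Constructed sample: trust scoped to the single role that actually needs it.
export const narrowPolicy: TrustPolicy = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Principal: { AWS: "arn:aws:iam::123456789012:role/cluster-creation-admin" },
    Action: "sts:AssumeRole",
  }],
};

for (const [name, doc] of [["broad", broadPolicy], ["narrow", narrowPolicy]] as const) {
  console.log(name, auditTrustPolicy(doc));
}
```

The same function can be pointed at the synthesized CloudFormation template of a CDK app (the `AssumeRolePolicyDocument` of each `AWS::IAM::Role`) to catch this class of finding before deployment; upgrading to a fixed `aws-cdk-lib` remains the actual remediation for the roles named above.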