New CVE's - Security Bulletin

content/docs/09.5-security/20-security-bulletins/10-cve-reports.md

@@ -31,6 +31,352 @@ _Are there any links users can visit to find out more?_
 
 -->
 
+## September 01, 2023 - CVE-2023-22809 Sudo Vulnerability - 7.8 CVSS
+
+
+The sudo program version 1.9.12p2 and earlier mishandles extra arguments passed in the user-provided environment variables `SUDO_EDITOR`, `VISUAL`, and `EDITOR` when the `sudoedit` command is executed. 
+
+The mishandling allows a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain the `--` argument that defeats a protection mechanism. For example, an attacker may issue the following command `EDITOR='vim -- /path/to/extra/file` value.
+
+<br />
+
+### Impact
+
+
+This vulnerability affects the following Palette components:
+
+- Self-hosted Palette instances with versions older than 4.0.0
+
+
+- Private Cloud Gateways instances with versions older than 4.0.0
+
+
+- Clusters deployed with Palette versions older than 4.0.0
+
+<br />
+
+### Patches
+
+For self-hosted Palette environments, upgrade to Palette version 4.0.0 or greater. Upgrading Palette will automatically update the Operating System (OS).
+
+<br />
+
+### Workarounds
+
+For clusters and Private Cloud Gateways, patch the OS. You can use the on-demand or scheduled features to apply the OS security patches. Refer to the [OS Patching](/clusters/cluster-management/os-patching) documentation for more information.
+
+<br />
+
+### References
+
+- [CVE-2023-22809](https://nvd.nist.gov/vuln/detail/cve-2023-22809)
+
+<br />
+
+
+
+## September 01, 2023 - CVE-2023-38408 OpenSSH Vulnerability - 9.8 CVSS
+
+
+The PKCS#11 feature in the OpenSSH ssh-agent before version 9.3p2 has an insufficiently trustworthy search path. This may lead to remote code execution if an agent is forwarded to an attacker-controlled system. Code in the folder **/usr/lib** may be unsafe to load into the ssh-agent. This issue exists because of an incomplete fix for [CVE-2016-10009](https://nvd.nist.gov/vuln/detail/cve-2016-10009).
+
+<br />
+
+### Impact
+
+This vulnerability affects the following Palette components:
+
+- Self-hosted Palette instances with versions older than 4.0.0
+
+
+- Private Cloud Gateways instances with versions older than 4.0.0
+
+
+- Clusters deployed with Palette versions older than 4.0.0
+
+<br />
+
+### Patches
+
+- For self-hosted Palette environments, upgrade to Palette version 4.0.0 or greater. Upgrading Palette will automatically update the Operating System (OS).
+
+<br />
+
+### Workarounds
+
+- For clusters and Private Cloud Gateways, patch the OS. You can use the on-demand or scheduled features to apply the OS security patches. Refer to the [OS Patching](/clusters/cluster-management/os-patching) documentation for more information.
+
+<br />
+
+### References
+
+- [CVE-2023-38408](https://nvd.nist.gov/vuln/detail/CVE-2023-38408)
+
+
+##  September 01, 2023 - CVE-2023-29400 - HTML Template Vulnerability Security Advisory - 7.3 CVSS
+
+
+When using Go templates with actions in unquoted HTML attributes, such as `attr={{.}}`, unexpected output may occur due to HTML normalization rules if invoked with an empty input. This may allow the injection of arbitrary attributes into tags.
+
+<br />
+
+### Impact
+
+
+No impact. We use the Go package [html/template](https://pkg.go.dev/html/template) and our HTML templates are static. Our templates do not contain characters mentioned in the CVE.  We also do not accept or parse any provided user data
+
+
+<br />
+
+<br />
+
+### Patches
+
+Not applicable.
+
+<br />
+
+### Workarounds
+
+Not applicable.
+
+<br />
+
+### References
+
+- [CVE-2023-29400](https://nvd.nist.gov/vuln/detail/CVE-2023-29400)
+
+
+- [GO-2023-1753](https://pkg.go.dev/vuln/GO-2023-1753)
+
+## September 01, 2023 - CVE-2023-24539 - HTML Template Vulnerability Security Advisory - 7.3 CVSS
+
+Angle brackets `<>` are not considered dangerous characters when inserted into Cascading Style Sheets (CSS) contexts. Go templates containing multiple actions separated by a `/` character can result in unexpectedly closing the CSS context and allowing for the injection of unexpected HTML if executed with untrusted input.
+
+<br />
+
+### Impact
+
+No impact. We use the Go package [html/template](https://pkg.go.dev/html/template) and our HTML templates are static. We also do not accept or parse any provided user data.
+
+<br />
+
+
+<br />
+
+### Patches
+
+Not applicable.
+
+<br />
+
+
+### Workarounds
+
+Not applicable.
+
+<br />
+
+
+### References
+
+- [CVE-2023-24539](https://nvd.nist.gov/vuln/detail/CVE-2023-24539)
+
+
+- [GO-2023-1751](https://pkg.go.dev/vuln/GO-2023-1751)
+
+
+## September 01, 2023 - CVE-2023-24538 - HTML Template Vulnerability - Security Advisory - 9.8 CVSS
+
+Go templates do not consider backticks as a Javascript string delimiter and, as a result, do not escape them as expected. Backticks have been used since ES6 for JS template literals. If a Go template contains an action within a literal Javascript template, the action's contents can be used to terminate the literal and potentially inject arbitrary Javascript code into the Go template.
+
+Go template actions are disallowed from being used inside of them, for example, `"var a = {{.}}"` since there is no safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With this fix, `Template.Parse()` returns an error when it encounters templates containing actions with literal JavaScript. The ErrorCode has a value of 12. This ErrorCode is currently unexported but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the `GODEBUG flag jstmpllitinterp=1` with the caveat that backticks will now be escaped.
+
+<br />
+
+### Impact
+
+No impact. We use the Go package [html/template](https://pkg.go.dev/html/template) and our HTML templates are static. We also do not accept or parse any provided user data.
+
+<br />
+
+### Affected Products
+
+Not applicable.
+
+<br />
+
+### Patches
+
+Not applicable.
+
+<br />
+
+### Workarounds
+
+Not applicable.
+
+<br />
+
+
+### References
+
+- [CVE-2023-24538](https://nvd.nist.gov/vuln/detail/CVE-2023-24538)
+
+
+- [GO-2023-1703](https://pkg.go.dev/vuln/GO-2023-1703)
+
+
+## September 01, 2023 - CVE-2023-29404 - CGO LDFLAGS Vulnerability Security Advisory - 9.8 CVSS
+
+
+The `go` command can execute any code during the build process when using cgo. This can happen when using `go get` command on a malicious module or any other command that builds untrusted code. It can also be triggered by linker flags specified through the `#cgo LDFLAGS` directive. The non-optional flags in LDFLAGS sanitization allow disallowed flags to be used with gc and gccgo compilers.
+
+<br />
+
+### Impact
+
+No impact. This is not a runtime issue and we do not compile untrusted code.
+
+<br />
+
+### Affected Products
+
+Not applicable.
+
+<br />
+
+### Patches
+
+Not applicable.
+
+<br />
+
+
+### Workarounds
+
+Not applicable.
+
+<br />
+
+### References
+
+- [CVE-2023-29402](https://nvd.nist.gov/vuln/detail/CVE-2023-29402)
+
+
+- [GO-2023-1841](https://pkg.go.dev/vuln/GO-2023-1841)
+
+
+## September 01, 2023 - CVE-2023-29402 - Go Modules Vulnerability Security Advisory - 9.8 CVSS
+
+
+The go command may generate unexpected code at build time when using cgo. Using unexpected code with cgo can cause unexpected behavior in Go programs. This may occur when an untrusted module contains directories with newline characters in their names. Go modules retrieved using the command `go get` are unaffected. Modules retrieved using the legacy module retrieve method with the environment variables `GOPATH` and `GO111MODULE=off` may be affected.
+
+<br />
+
+### Impact
+
+No impact. This is not a runtime issue and we do not compile untrusted code.
+
+<br />
+
+### Affected Products
+
+Not applicable.
+
+<br />
+
+### Patches
+
+Not applicable.
+
+<br />
+
+### Workarounds
+
+Not applicable.
+
+<br />
+
+### References
+
+- [CVE-2023-29402](https://nvd.nist.gov/vuln/detail/CVE-2023-29402)
+
+
+- [GO-2023-1839](https://pkg.go.dev/vuln/GO-2023-1839)
+
+
+## September 01, 2023 - CVE-2023-29402 - Go get Vulnerability Security Advisory - 9.8 CVSS
+
+The go command may execute arbitrary code at build time when using cgo. The arbitrary code execution may occur when the command `go get` is issued on a malicious module or when using any other command that builds untrusted code. This can be triggered by linker flags specified via a `#cgo LDFLAGS directive`. Flags containing embedded spaces are mishandled, and disallowed flags are smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects the gccgo compiler.
+
+<br />
+
+### Impact
+
+No impact. This is not a runtime issue and we do not compile untrusted code.
+
+<br />
+
+### Affected Products
+
+Not applicable.
+
+<br />
+
+### Patches
+
+Not applicable.
+
+<br />
+
+### Workarounds
+
+Not applicable.
+
+<br />
+
+
+### References
+
+- [CVE-2023-29402](https://nvd.nist.gov/vuln/detail/CVE-2023-29402)
+
+
+- [GO-2023-1842](https://pkg.go.dev/vuln/GO-2023-1842)
+
+
+
+## September 01, 2023 - CVE-2023-24540 - HTML Template Security Advisory - 9.8 CVSS
+
+
+Not all valid JavaScript whitespace characters are considered to be whitespace. JavaScript templates containing whitespace characters outside of the character set `\t\n\f\r\u0020\u2028\u2029` may not be properly sanitized during execution.
+
+<br />
+
+### Impact
+
+No impact - We use the Go package [html/template](https://pkg.go.dev/html/template) but our HTML templates are static. We also do not accept or parse any provided user data.
+
+<br />
+
+### Patches
+
+Not applicable.
+
+<br />
+
+### Workarounds
+
+Not applicable.
+
+### References
+
+- [CVE-2023-24540](https://nvd.nist.gov/vuln/detail/CVE-2023-24540)
+
+
+- [GO-2023-1752](https://pkg.go.dev/vuln/GO-2023-1752)
+
+
 
 
 ## March 20, 2023 - CVE-2023-22809 Sudo Vulnerability in Palette - 7.8 CVSS
@@ -94,8 +440,4 @@ Update cluster profiles using the vSphere CSI pack to version v2.6 or greater. A
 
 #### References
 
-- [CVE-2022-1292](https://nvd.nist.gov/vuln/detail/CVE-2022-1292)
-
-
-<br />
-<br />
+- [CVE-2022-1292](https://nvd.nist.gov/vuln/detail/CVE-2022-1292)

content/docs/09.5-security/20-security-bulletins/20-index.md

@@ -12,6 +12,33 @@ The following is an index of all Palette-related CVEs and their disclosure year.
 
 # 2023
 
+- [September 01, 2023 - CVE-2023-22809 Sudo Vulnerability - 7.8 CVSS](/security/security-bulletins/cve-reports#september01,2023-cve-2023-22809sudovulnerability-7.8cvss)
+
+
+- [September 01, 2023 - CVE-2023-38408 OpenSSH Vulnerability - 9.8 CVSS](/security/security-bulletins/cve-reports#september01,2023-cve-2023-38408opensshvulnerability-9.8cvss)
+
+
+- [September 01, 2023 - CVE-2023-29400 - HTML Template Vulnerability Security Advisory](/security/security-bulletins/cve-reports#september01,2023-cve-2023-29400-htmltemplatevulnerabilitysecurityadvisory-7.3cvss)
+
+
+- [September 01, 2023 - CVE-2023-24539 - HTML Template Vulnerability Security Advisory - 7.3 CVSS](/security/security-bulletins/cve-reports#september01,2023-cve-2023-24539-htmltemplatevulnerabilitysecurityadvisory-7.3cvss)
+
+
+- [September 01, 2023 - CVE-2023-24538 - HTML Template Vulnerability - Security Advisory - 9.8 CVSS](/security/security-bulletins/cve-reports#september01,2023-cve-2023-24538-htmltemplatevulnerability-securityadvisory-9.8cvss)
+
+
+- [September 01, 2023 - CVE-2023-29404 - CGO LDFLAGS Vulnerability Security Advisory - 9.8 CVSS](/security/security-bulletins/cve-reports#september01,2023-cve-2023-29404-cgoldflagsvulnerabilitysecurityadvisory-9.8cvss)
+
+
+- [September 01, 2023 - CVE-2023-29402 - Go Modules Vulnerability Security Advisory - 9.8 CVSS](/security/security-bulletins/cve-reports#september01,2023-cve-2023-29402-gomodulesvulnerabilitysecurityadvisory-9.8cvss)
+
+
+- [eptember 01, 2023 - CVE-2023-29402 - Go get Vulnerability Security Advisory - 9.8 CVSS](/security/security-bulletins/cve-reports#september01,2023-cve-2023-29402-gogetvulnerabilitysecurityadvisory-9.8cvss)
+
+
+- [September 01, 2023 - CVE-2023-24540 - HTML Template Security Advisory - 9.8 CVSS](/security/security-bulletins/cve-reports#september01,2023-cve-2023-24540-htmltemplatesecurityadvisory-9.8cvss)
+
+
 - [March 20, 2023 - CVE-2023-22809 Sudo Vulnerability in Palette - 7.8 CVSS](/security/security-bulletins/cve-reports#march20,2023-cve-2023-22809sudovulnerabilityinpalette-7.8cvss)