r0binak

7 exploits Active since Oct 2023
CVE-2024-3094 NOMISEC CRITICAL WORKING POC
xz <5.6.0 - Code Injection
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
14 stars
CVSS 10.0
CVE-2024-0132 NOMISEC CRITICAL WORKING POC
NVIDIA Container Toolkit < 1.16.2 - Time-of-check Time-of-use Race Condition
NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with default configuration where a specifically crafted container image may gain access to the host file system. This does not impact use cases where CDI is used. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.
6 stars
CVSS 9.0
CVE-2023-5044 NOMISEC HIGH WORKING POC
ingress-nginx < 1.9.0 - Code Injection via nginx.ingress.kubernetes.io/permanent-redirect Annotation
Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation.
4 stars
CVSS 7.6
CVE-2025-23266 NOMISEC CRITICAL WORKING POC
NVIDIA Container Toolkit < 1.17.8 - Untrusted Search Path via Container Initialization Hooks
NVIDIA Container Toolkit for all platforms contains a vulnerability in some hooks used to initialize the container, where an attacker could execute arbitrary code with elevated permissions. A successful exploit of this vulnerability might lead to escalation of privileges, data tampering, information disclosure, and denial of service.
1 stars
CVSS 9.0
CVE-2024-7646 NOMISEC HIGH WORKING POC
Kubernetes ingress-nginx - Unauthenticated Command Injection via Ingress Annotation Bypass
A security issue was discovered in ingress-nginx where an actor with permission to create Ingress objects (in the `networking.k8s.io` or `extensions` API group) can bypass annotation validation to inject arbitrary commands and obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.
CVSS 8.8
CVE-2023-5043 NOMISEC HIGH WORKING POC
ingress-nginx < 1.9.0 - OS Command Injection via Annotation
Ingress nginx annotation injection causes arbitrary command execution.
CVSS 7.6
CVE-2024-0132 EXPLOITDB CRITICAL text WORKING POC
NVIDIA Container Toolkit < 1.16.2 - Time-of-check Time-of-use Race Condition
NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with default configuration where a specifically crafted container image may gain access to the host file system. This does not impact use cases where CDI is used. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.
CVSS 9.0