PatchDay Alert
Daily Digest · 2 min read · 5 CVEs · Issue 15 · By PatchDay Alert

A 9.9 SSRF-to-cred-theft in FireFighter's Jira bot, plus PgBouncer pre-auth overflow

FireFighter's unauthenticated Jira bot endpoint hands attackers your AWS IAM creds on IMDSv1 clusters (CVE-2026-42864, CVSS 9.9). Also: a pre-auth buffer overflow in PgBouncer SCRAM handling (CVE-2026-6665, CVSS 8.1), a Go checksum bypass that poisons builds (CVE-2026-42501, CVSS 7.5), and a Linux kernel rxrpc privesc (CVE-2026-43500, CVSS 7.8).

Patch now: 1 · Within 24h: 1 · This week: 3 · Exploited: 0

Tags: PgBouncer · Linux · FireFighter · Cloud · Linux Kernel · Go · Golang · HireFlow

Nothing is on fire in the wild today, but one of these is ugly on paper. FireFighter's Jira bot has a wide-open, unauthenticated SSRF (CVE-2026-42864, CVSS 9.9) that lets anyone with network access steal AWS IAM creds from unprotected EC2/EKS metadata endpoints. If you run FireFighter anywhere near a cloud workload, patch before lunch.


Today's CVEs

Sorted by urgency

02 · CVE-2026-42864

CVSS 9.9 (NVD) · Patch now · CRITICAL
Tags: FireFighter · Cloud

FireFighter's Jira bot endpoint is wide open: no authentication despite what the docstring claims. An unauthenticated attacker who can reach the ingress can make the pod fetch any URL they choose, then read the response back as a Jira attachment. On EC2/EKS clusters that haven't enforced IMDSv2, this is a straight path to stealing the pod's AWS IAM credentials.

Included because
CVSS 9.9; unauthenticated; internet-facing; SSRF to credential theft; no exploit complexity
Affected estate
FireFighter incident management app versions prior to 0.0.54 deployed behind any reachable ingress, especially on AWS EC2/EKS.
How to check
Check your FireFighter deployment's image tag or pip package version. Confirm whether IMDSv2 is enforced on underlying EC2 instances (`aws ec2 describe-instances --query 'Reservations[].Instances[].MetadataOptions'`).
Action
Upgrade FireFighter to 0.0.54. Enforce IMDSv2 on all EC2 instances as a defense-in-depth measure.
Urgency
Patch immediately
Why it matters
An unauthenticated SSRF lets anyone steal AWS credentials from the pod's IAM role, giving them whatever permissions that role has in your account.
Source
FireFighter GitHub advisory
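The IMDSv2 check above only dumps MetadataOptions; the script below (an added example, not FireFighter's or AWS's code) turns that output into a list of instances where a pod-side SSRF could still read role credentials, with the remediation command for each. It assumes a slightly different `--query` that keeps the instance id next to its metadata options, and the sample JSON is constructed.

```python
"""Flag EC2 instances whose metadata endpoint still answers IMDSv1.
Added example, not FireFighter's code. Assumes the JSON came from this
query (mine), which keeps the instance id next to its MetadataOptions:
  aws ec2 describe-instances --query 'Reservations[].Instances[].{Id:InstanceId,Meta:MetadataOptions}'
"""
import json
from typing import List

# Constructed sample output: one enforced, one open, one with IMDS disabled.
SAMPLE = json.dumps([
    {"Id": "i-0aaa111", "Meta": {"HttpTokens": "required", "HttpEndpoint": "enabled",
                                 "HttpPutResponseHopLimit": 1}},
    {"Id": "i-0bbb222", "Meta": {"HttpTokens": "optional", "HttpEndpoint": "enabled",
                                 "HttpPutResponseHopLimit": 2}},
    {"Id": "i-0ccc333", "Meta": {"HttpTokens": "optional", "HttpEndpoint": "disabled",
                                 "HttpPutResponseHopLimit": 1}},
])

def audit_imds(describe_output: str) -> List[dict]:
    """Return one finding per instance where a pod-side SSRF could read
    credentials: endpoint enabled and HttpTokens not 'required', so a plain
    GET to the metadata IP still succeeds. The hop limit is recorded because,
    once IMDSv2 is required, a limit of 1 also stops pods behind the node's
    network namespace from obtaining a token (per AWS guidance)."""
    findings = []
    for inst in json.loads(describe_output):
        meta = inst.get("Meta") or {}
        if meta.get("HttpEndpoint") != "enabled":
            continue  # endpoint off: nothing for an SSRF to reach
        if meta.get("HttpTokens") == "required":
            continue  # IMDSv2 enforced: a token-less GET is refused
        findings.append({
            "instance": inst["Id"],
            "hop_limit": meta.get("HttpPutResponseHopLimit", 1),
            # Real AWS CLI command; apply per flagged instance.
            "fix": "aws ec2 modify-instance-metadata-options --instance-id "
                   f"{inst['Id']} --http-tokens required --http-endpoint enabled",
        })
    return findings

if __name__ == "__main__":
    for f in audit_imds(SAMPLE):
        print(f"{f['instance']}: IMDSv1 allowed (hop limit {f['hop_limit']})\n  {f['fix']}")
```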


03 · CVE-2026-43500

CVSS 7.8 (MSRC) · EPSS 0.01% · Patch this week · HIGH
Tags: Linux Kernel · Linux

A bug in the Linux kernel's rxrpc subsystem fails to properly unshare DATA and RESPONSE packets when paged fragments are present. A local attacker could exploit this to escalate privileges. You need local access to trigger it, which lowers the real-world risk for most environments.

Included because
CVSS 7.8; local privilege escalation; kernel-level bug
Affected estate
Azure Linux 3.0 hosts running kernel 6.6.138.1-1.
How to check
Run `uname -r` on Azure Linux hosts. If it shows 6.6.138.1-1, you're affected.
Action
Update the kernel via `tdnf update kernel` and schedule a reboot.
Urgency
Patch this week
Why it matters
Local privilege escalation in the kernel lets any user with shell access become root.
Source
Azure Linux CVE advisory


04 · CVE-2026-42501

CVSS 7.5 (MSRC) · EPSS 0.01% · Patch this week · HIGH
Tags: Go · Golang · Linux

A malicious Go module proxy can serve modules that bypass the checksum database verification in `cmd/go`. This means a compromised or rogue proxy could slip tampered code into your Go builds without the checksum mismatch being caught. If you build Go code in CI/CD pipelines or on dev machines that pull from untrusted proxies, you're at risk of supply chain compromise.

Included because
CVSS 7.5; supply chain risk; affects build infrastructure; no auth required by proxy
Affected estate
Azure Linux 3.0 hosts with golang 1.25.9-1 or 1.26.2-1 installed, especially CI/CD build agents.
How to check
Run `go version` on build hosts. Check `tdnf list installed golang` for the exact package version.
Action
Update golang via `tdnf update golang` on all build hosts and CI runners.
Urgency
Patch this week
Why it matters
A bypassed checksum database means a rogue module proxy can inject tampered dependencies into your builds undetected.
Source
Azure Linux CVE advisory


05 · CVE-2026-38568

CVSS 8.1 (NVD) · Patch within 24h · HIGH
Tags: HireFlow

HireFlow v1.2 has no object-level authorization on candidate and interview endpoints. Any authenticated user can read every other user's candidate profiles and interview notes just by incrementing the integer ID in the URL. This is a full horizontal privilege escalation: one valid account gives access to the entire dataset.

Included because
CVSS 8.1; low attack complexity; authenticated but trivially exploitable; sensitive HR data exposure
Affected estate
HireFlow v1.2 instances, particularly those accessible to multiple users or exposed to the internet.
How to check
Check your HireFlow deployment version. Test by logging in as a low-privilege user and accessing /candidate/1 or /interview/1 for a record you don't own.
Action
Upgrade HireFlow to a fixed version. If unavailable, add authorization middleware or restrict network access immediately.
Urgency
Patch within 24 hours
Why it matters
Any authenticated user can read every candidate profile and interview note in the system, which is a full data breach of HR/recruiting records.
Source
NVD
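The "authorization middleware" the Action line calls for is an object-level check that runs before any handler sees a record. The block below is an added example, not HireFlow's code: a framework-free model of the missing check for `/candidate/<id>` (an interview table guarded the same way would cover `/interview/<id>`), with the v1.2 pattern beside the guarded version and a regression check you can run against your own deployment. Roles, the `Forbidden` exception and the sample data are assumptions.

```python
"""Object-level authorization for integer-id routes such as /candidate/<id>.
Added example, not HireFlow's code: a framework-free model of the check that
v1.2 lacks, written as a reusable guard. Roles and sample data are assumed."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional

@dataclass(frozen=True)
class User:
    id: int
    role: str  # assumed roles: "recruiter" (owns records) or "admin"

# Constructed sample data: each record carries the id of its owning user.
CANDIDATES: Dict[int, dict] = {1: {"owner": 10, "name": "A. Sample"},
                               2: {"owner": 11, "name": "B. Sample"}}

class Forbidden(Exception):
    """Map to HTTP 404 so the response does not reveal which ids exist."""

def get_candidate_vulnerable(user: User, cid: int) -> Optional[dict]:
    """The v1.2 pattern: caller is authenticated, but any id is served."""
    return CANDIDATES.get(cid)

def authorize(table: Dict[int, dict]) -> Callable:
    """Guard: load the record, then check the caller may see it before the
    handler runs. Missing and foreign ids fail identically."""
    def wrap(handler: Callable) -> Callable:
        def guarded(user: User, rid: int) -> dict:
            rec = table.get(rid)
            if rec is None or (rec["owner"] != user.id and user.role != "admin"):
                raise Forbidden(f"user {user.id} may not read record {rid}")
            return handler(user, rec)
        return guarded
    return wrap

@authorize(CANDIDATES)
def get_candidate(user: User, rec: dict) -> dict:
    return rec  # handler only ever sees a record the caller may read

def count_foreign_records(fetch: Callable, user: User, ids: Iterable[int]) -> int:
    """Regression check for your own deployment: walk a range of ids as one
    user and count records owned by someone else. Expect 0 after the fix."""
    leaked = 0
    for rid in ids:
        try:
            rec = fetch(user, rid)
        except Forbidden:
            continue
        if rec is not None and rec["owner"] != user.id:
            leaked += 1
    return leaked
```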
