Vulnerabilities (CVE)

Filtered by vendor Palantir Subscribe
Total 33 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-22833 1 Palantir 1 Foundry 2024-11-21 N/A 7.6 HIGH
Palantir Foundry deployments running Lime2 versions between 2.519.0 and 2.532.0 were vulnerable a bug that allowed authenticated users within a Foundry organization to bypass discretionary or mandatory access controls under certain circumstances.
CVE-2022-48308 1 Palantir 1 Sls-logging 2024-11-21 N/A 6.3 MEDIUM
It was discovered that the sls-logging was not verifying hostnames in TLS certificates due to a misuse of the javax.net.ssl.SSLSocketFactory API. A malicious attacker in a privileged network position could abuse this to perform a man-in-the-middle attack. A successful man-in-the-middle attack would allow them to intercept, read, or modify network communications to and from the affected service.
CVE-2022-48307 1 Palantir 1 Magritte-ftp 2024-11-21 N/A 6.3 MEDIUM
It was discovered that the Magritte-ftp was not verifying hostnames in TLS certificates due to a misuse of the javax.net.ssl.SSLSocketFactory API. A malicious attacker in a privileged network position could abuse this to perform a man-in-the-middle attack. A successful man-in-the-middle attack would allow them to intercept, read, or modify network communications to and from the affected service. In the case of a successful man in the middle attack on magritte-ftp, an attacker would be able to read and modify network traffic such as authentication tokens or raw data entering a Palantir Foundry stack.
CVE-2022-48306 1 Palantir 1 Gotham Chat Irc 2024-11-21 N/A 5.7 MEDIUM
Improper Validation of Certificate with Host Mismatch vulnerability in Gotham Chat IRC helper of Palantir Gotham allows A malicious attacker in a privileged network position could abuse this to perform a man-in-the-middle attack. A successful man-in-the-middle attack would allow them to intercept, read, or modify network communications to and from the affected service. This issue affects: Palantir Palantir Gotham Chat IRC helper versions prior to 30221005.210011.9242.
CVE-2022-27897 1 Palantir 1 Gotham 2024-11-21 N/A 5.3 MEDIUM
Palantir Gotham versions prior to 3.22.11.2 included an unauthenticated endpoint that would load portions of maliciously crafted zip files to memory. An attacker could repeatedly upload a malicious zip file, which would allow them to exhaust memory resources on the dispatch server.
CVE-2022-27896 1 Palantir 1 Foundry Code-workbooks 2024-11-21 N/A 4.2 MEDIUM
Information Exposure Through Log Files vulnerability discovered in Foundry Code-Workbooks where the endpoint backing that console was generating service log records of any Python code being run. These service logs included the Foundry token that represents the Code-Workbooks Python console. Upgrade to Code-Workbooks version 4.461.0. This issue affects Palantir Foundry Code-Workbooks version 4.144 to version 4.460.0 and is resolved in 4.461.0.
CVE-2022-27895 1 Palantir 1 Foundry Build2 2024-11-21 N/A 4.2 MEDIUM
Information Exposure Through Log Files vulnerability discovered in Foundry when logs were captured using an underlying library known as Build2. This issue was present in versions earlier than 1.785.0. Upgrade to Build2 version 1.785.0 or greater.
CVE-2022-27894 1 Palantir 1 Foundry Blobster 2024-11-21 N/A 4.8 MEDIUM
The Foundry Blobster service was found to have a cross-site scripting (XSS) vulnerability that could have allowed an attacker with access to Foundry to launch attacks against other users. This vulnerability is resolved in Blobster 3.228.0.
CVE-2022-27892 1 Palantir 1 Gotham 2024-11-21 N/A 5.3 MEDIUM
Palantir Gotham versions prior to 3.22.11.2 included an unauthenticated endpoint that would have allowed an attacker to exhaust the memory of the Gotham dispatch service.
CVE-2022-27891 1 Palantir 1 Gotham 2024-11-21 N/A 5.3 MEDIUM
Palantir Gotham included an unauthenticated endpoint that listed all active usernames on the stack with an active session. The affected services have been patched and automatically deployed to all Apollo-managed Gotham instances. It is highly recommended that customers upgrade all affected services to the latest version. This issue affects: Palantir Gotham versions prior to 103.30221005.0.
CVE-2022-27890 1 Palantir 1 Atlasdb 2024-11-21 N/A 6.3 MEDIUM
It was discovered that the sls-logging was not verifying hostnames in TLS certificates due to a misuse of the javax.net.ssl.SSLSocketFactory API. A malicious attacker in a privileged network position could abuse this to perform a man-in-the-middle attack. A successful man-in-the-middle attack would allow them to intercept, read, or modify network communications to and from the affected service. In the case of AtlasDB, the vulnerability was mitigated by other network controls such as two-way TLS when deployed as part of a Palantir platform. Palantir still recommends upgrading to a non-vulnerable version out of an abundance of caution.
CVE-2022-27889 1 Palantir 1 Foundry Multipass 2024-11-21 6.4 MEDIUM 5.3 MEDIUM
The Multipass service was found to have code paths that could be abused to cause a denial of service for authentication or authorization operations. A malicious attacker could perform an application-level denial of service attack, potentially causing authentication and/or authorization operations to fail for the duration of the attack. This could lead to performance degradation or login failures for customer Palantir Foundry environments. This vulnerability is resolved in Multipass 3.647.0. This issue affects: Palantir Foundry Multipass versions prior to 3.647.0.
CVE-2022-27888 1 Palantir 1 Foundry Issues 2024-11-21 2.1 LOW 5.5 MEDIUM
Foundry Issues service versions 2.244.0 to 2.249.0 was found to be logging in a manner that captured sensitive information (session tokens). This issue was fixed in 2.249.1.