High

Alex Pettifer Miłosz Gaczkowski
6 Feb 2024

eLinkSmart - Unlocking Bluetooth LE padlocks with polite requests

A critical security analysis of eLinkSmart Bluetooth padlocks revealed multiple severe vulnerabilities. The locks have hardcoded encryption keys, an insecure web API with SQL injection flaws, and weak authentication controls. These vulnerabilities allow attackers to unlock any lock within Bluetooth range and access sensitive user information.

2 Feb 2024

runc working directory breakout (CVE-2024-21626)

A critical vulnerability in runc (CVE-2024-21626) allows attackers to break out of container filesystems by exploiting a file descriptor leak. The flaw enables setting a container's working directory to the host filesystem, potentially granting unauthorized access to host systems in Kubernetes and containerized environments. Attackers can leverage this vulnerability to access host filesystems, execute malicious code, and potentially compromise multi-tenant Kubernetes clusters.