CES 2021: All of the business tech news you need to know
via TechRepublic
Don't miss TechRepublic's CES 2021 coverage, which includes product announcements from Lenovo, Samsung, LG, and Dell about PCs, laptops, software, robots, monitors, and TVs.
Google Boots 164 Apps from Play Marketplace for Shady Ad Practices
via Threat Post
The tech giant removes 164 more offending Android apps after banning software showing this type of behavior from the store last year.
How next-gen cloud SIEM tools can offer critical visibility to companies for effective threat hunting
via TechRepublic
Virtual workforces face escalated threats due to their remote access from various networks. Learn how security information and event management tools can help in the battle.
Apple Kills macOS Feature Allowing Apps to Bypass Firewalls
via Threat Post
Security researchers lambasted the controversial macOS Big Sur feature for exposing users' sensitive data.
Successful Malware Incidents Rise as Attackers Shift Tactics
via Dark Reading
As employees moved to working from home and on mobile devices, attackers followed them and focused on weekend attacks, a security firm says.
CVE-2021-22168
via National Vulnerability Database
A regular expression denial of service issue has been discovered in the NuGet API affecting all versions of GitLab starting from version 12.8.
CVE-2021-22166
via National Vulnerability Database
An attacker could cause a Prometheus denial of service in GitLab 13.7+ by sending an HTTP request with a malformed method.
CVE-2021-22167
via National Vulnerability Database
An issue has been discovered in GitLab affecting all versions starting from 12.1. Incorrect headers in a specific project page allow an attacker to gain temporary read access to the private repository.
CVE-2020-26414
via National Vulnerability Database
An issue has been discovered in GitLab affecting all versions starting from 12.4. The regex used for package names is written in a way that makes execution time grow quadratically with the length of the malicious input string.
CVE-2021-22171
via National Vulnerability Database
Insufficient validation of authentication parameters in GitLab Pages for GitLab 11.5+ allows an attacker to steal a victim's API token if they click on a maliciously crafted link.
CVE-2021-20189
via National Vulnerability Database
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2020-24640
via National Vulnerability Database
There is a vulnerability caused by insufficient input validation that allows for arbitrary command execution in a containerized environment within AirWave Glass before 1.3.3. Successful exploitation can lead to complete compromise of the underlying host operating system.
CVE-2021-21244
via National Vulnerability Database
OneDev is an all-in-one DevOps platform. In OneDev before version 4.0.3, there is a vulnerability that enabled pre-auth server-side template injection via Bean validation message tampering. Full details are in the referenced GHSA. This issue was fixed in 4.0.3 by disabling validation interpolation completely.
CVE-2021-21243
via National Vulnerability Database
OneDev is an all-in-one DevOps platform. In OneDev before version 4.0.3, a Kubernetes REST endpoint exposes two methods that deserialize untrusted data from the request body. These endpoints do not enforce any authentication or authorization checks. This issue may lead to pre-auth RCE. This issue was fixed in 4.0.3 by not using deserialization on the KubernetesResource side.
CVE-2020-24639
via National Vulnerability Database
There is a vulnerability caused by unsafe Java deserialization that allows for arbitrary command execution in a containerized environment within AirWave Glass before 1.3.3. Successful exploitation can lead to complete compromise of the underlying host operating system.
CVE-2020-24641
via National Vulnerability Database
In Aruba AirWave Glass before 1.3.3, there is a Server-Side Request Forgery vulnerability through an unauthenticated endpoint that, if successfully exploited, can result in disclosure of sensitive information. This can be used to perform an authentication bypass and ultimately gain administrative access to the web administrative interface.
CVE-2020-24638
via National Vulnerability Database
Multiple authenticated remote command executions are possible in AirWave Glass before 1.3.3 via the glassadmin CLI. These allow a user with glassadmin privileges to execute arbitrary code as root on the underlying host operating system.
Microsoft Implements Windows Zerologon Flaw "Enforcement Mode"
via Threat Post
Starting Feb. 9, Microsoft will enable Domain Controller "enforcement mode" by default to address CVE-2020-1472.
Tractors, Pod Ice Cream and Lipstick Awarded CES 2021 Worst in Show
via Threat Post
Alternate title: CES 2021 Gadgets: Worst in Privacy and Security Awards
Expert panel awards dubious honors to the 2021 Consumer Electronics Show's biggest flops, including security and privacy failures.
CVE-2021-21250
via National Vulnerability Database
OneDev is an all-in-one DevOps platform. In OneDev before version 4.0.3, there is a critical vulnerability which may lead to arbitrary file read. When a BuildSpec is provided in XML format, the spec is processed by XmlBuildSpecMigrator.migrate(buildSpecString), which processes the XML document without preventing the expansion of external entities. These entities can be configured to read arbitrary files from the file system and dump their contents into the final XML document to be migrated. If the files are dumped into properties included in the YAML file, it will be possible for an attacker to read them. If not, it is possible for an attacker to exfiltrate the contents of these files out of band. This issue was addressed in 4.0.3 by ignoring ENTITY instructions in the XML file.
CVE-2021-21245
via National Vulnerability Database
OneDev is an all-in-one DevOps platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user-controlled data (`request.getInputStream()`) to a user-specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary file upload, which can be used to upload a web shell to the OneDev server. This issue is addressed in 4.0.3 by only allowing uploaded files to be placed in the attachments folder. The web shell issue is not possible because OneDev never executes files in the attachments folder.