π U.S. Intelligence Community Warns About China Collecting Healthcare Data π
π Read
via "Digital Guardian".
China's voracious collection of U.S. healthcare data, including DNA, can pose a national security risk, not to mention harm the privacy of Americans.π Read
via "Digital Guardian".
Digital Guardian
U.S. Intelligence Community Warns About China Collecting Healthcare Data
China's voracious collection of U.S. healthcare data, including DNA, can pose a national security risk, not to mention harm the privacy of Americans.
βΌ CVE-2020-7775 βΌ
π Read
via "National Vulnerability Database".
This affects all versions of package freediskspace. The vulnerability arises out of improper neutralization of arguments in line 71 of freediskspace.js.π Read
via "National Vulnerability Database".
βΌ CVE-2020-1910 βΌ
π Read
via "National Vulnerability Database".
A missing bounds check in WhatsApp for Android prior to v2.21.1.13 and WhatsApp Business for Android prior to v2.21.1.13 could have allowed out-of-bounds read and write if a user applied specific image filters to a specially crafted image and sent the resulting image.π Read
via "National Vulnerability Database".
βΌ CVE-2021-21292 βΌ
π Read
via "National Vulnerability Database".
Traccar is an open source GPS tracking system. In Traccar before version 4.12 there is an unquoted Windows binary path vulnerability. Only Windows versions are impacted. Attacker needs write access to the filesystem on the host machine. If Java path includes a space, then attacker can lift their privilege to the same as Traccar service (system). This is fixed in version 4.12.π Read
via "National Vulnerability Database".
βΌ CVE-2020-14255 βΌ
π Read
via "National Vulnerability Database".
HCL Digital Experience 9.5 containers include vulnerabilities that could expose sensitive data to unauthorized parties via crafted requests. These affect containers only. These do not affect traditional on-premise installations.π Read
via "National Vulnerability Database".
βΌ CVE-2021-21289 βΌ
π Read
via "National Vulnerability Database".
Mechanize is an open-source ruby library that makes automated web interaction easy. In Mechanize from version 2.0.0 and before version 2.7.7 there is a command injection vulnerability. Affected versions of mechanize allow for OS commands to be injected using several classes' methods which implicitly use Ruby's Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls: Mechanize::CookieJar#load, Mechanize::CookieJar#save_as, Mechanize#download, Mechanize::Download#save, Mechanize::File#save, and Mechanize::FileResponse#read_body. This is fixed in version 2.7.7.π Read
via "National Vulnerability Database".
βΌ CVE-2021-23271 βΌ
π Read
via "National Vulnerability Database".
The TIBCO EBX Web Server component of TIBCO Software Inc.'s TIBCO EBX contains a vulnerability that theoretically allows a low privileged attacker with network access to execute a Stored Cross Site Scripting (XSS) attack on the affected system. Affected releases are TIBCO Software Inc.'s TIBCO EBX: versions 5.9.12 and below.π Read
via "National Vulnerability Database".
βΌ CVE-2020-28498 βΌ
π Read
via "National Vulnerability Database".
All versions of package elliptic are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.π Read
via "National Vulnerability Database".
βΌ CVE-2021-25912 βΌ
π Read
via "National Vulnerability Database".
Prototype pollution vulnerability in 'dotty' versions 0.0.1 through 0.1.0 allows attackers to cause a denial of service and may lead to remote code execution.π Read
via "National Vulnerability Database".
βΌ CVE-2021-21291 βΌ
π Read
via "National Vulnerability Database".
OAuth2 Proxy is an open-source reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others) to validate accounts by email, domain or group. In OAuth2 Proxy before version 7.0.0, for users that use the whitelist domain feature, a domain that ended in a similar way to the intended domain could have been allowed as a redirect. For example, if a whitelist domain was configured for ".example.com", the intention is that subdomains of example.com are allowed. Instead, "example.com" and "badexample.com" could also match. This is fixed in version 7.0.0 onwards. As a workaround, one can disable the whitelist domain feature and run separate OAuth2 Proxy instances for each subdomain.π Read
via "National Vulnerability Database".
βΌ CVE-2020-14221 βΌ
π Read
via "National Vulnerability Database".
HCL Digital Experience 8.5, 9.0, and 9.5 exposes information about the server to unauthorized users.π Read
via "National Vulnerability Database".
βΌ CVE-2021-20199 βΌ
π Read
via "National Vulnerability Database".
Rootless containers run with Podman, receive all traffic with a source IP address of 127.0.0.1 (including from remote hosts). This impacts containerized applications that trust localhost (127.0.01) connections by default and do not require authentication. This issue affects Podman 1.8.0 onwards.π Read
via "National Vulnerability Database".
π΄ Average Ransom Payments Declined Last Quarter π΄
π Read
via "Dark Reading".
More victims appear to be realizing that paying a ransom doesn't guarantee stolen data will be purged.π Read
via "Dark Reading".
Dark Reading
Average Ransom Payments Declined Last Quarter
More victims appear to be realizing that paying a ransom doesn't guarantee stolen data will be purged.
β TrickBot Continues Resurgence with Port-Scanning Module β
π Read
via "Threat Post".
The infamous malware has incorporated the legitimate Masscan tool, which looks for open TCP/IP ports with lightning-fast results.π Read
via "Threat Post".
Threat Post
TrickBot Continues Resurgence with Port-Scanning Module
The infamous malware has incorporated the legitimate Masscan tool, which looks for open TCP/IP ports with lightning-fast results.
βΌ CVE-2020-29662 βΌ
π Read
via "National Vulnerability Database".
In Harbor 2.0 before 2.0.5 and 2.1.x before 2.1.2 the catalogΓ’β¬β’s registry API is exposed on an unauthenticated path.π Read
via "National Vulnerability Database".
βΌ CVE-2020-8734 βΌ
π Read
via "National Vulnerability Database".
Improper input validation in the firmware for Intel(R) Server Board M10JNP2SB before version 7.210 may allow a privileged user to potentially enable escalation of privilege via local access.π Read
via "National Vulnerability Database".
βΌ CVE-2021-21294 βΌ
π Read
via "National Vulnerability Database".
Http4s (http4s-blaze-server) is a minimal, idiomatic Scala interface for HTTP services. Http4s before versions 0.21.17, 0.22.0-M2, and 1.0.0-M14 have a vulnerability which can lead to a denial-of-service. Blaze-core, a library underlying http4s-blaze-server, accepts connections unboundedly on its selector pool. This has the net effect of amplifying degradation in services that are unable to handle their current request load, since incoming connections are still accepted and added to an unbounded queue. Each connection allocates a socket handle, which drains a scarce OS resource. This can also confound higher level circuit breakers which work based on detecting failed connections. http4s provides a general "MaxActiveRequests" middleware mechanism for limiting open connections, but it is enforced inside the Blaze accept loop, after the connection is accepted and the socket opened. Thus, the limit only prevents the number of connections which can be simultaneously processed, not the number of connections which can be held open. In 0.21.17, 0.22.0-M2, and 1.0.0-M14, a new "maxConnections" property, with a default value of 1024, has been added to the `BlazeServerBuilder`. Setting the value to a negative number restores unbounded behavior, but is strongly disrecommended. The NIO2 backend does not respect `maxConnections`. Its use is now deprecated in http4s-0.21, and the option is removed altogether starting in http4s-0.22. There are several possible workarounds described in the refrenced GitHub Advisory GHSA-xhv5-w9c5-2r2w.π Read
via "National Vulnerability Database".
βΌ CVE-2020-8672 βΌ
π Read
via "National Vulnerability Database".
Out of bound read in BIOS firmware for 8th, 9th Generation Intel(R) Core(TM), Intel(R) Celeron(R) Processor 4000 Series Processors may allow an unauthenticated user to potentially enable elevation of privilege or denial of service via local access.π Read
via "National Vulnerability Database".
βΌ CVE-2020-24490 βΌ
π Read
via "National Vulnerability Database".
Improper buffer restrictions in BlueZ may allow an unauthenticated user to potentially enable denial of service via adjacent access. This affects all Linux kernel versions that support BlueZ.π Read
via "National Vulnerability Database".
βΌ CVE-2021-3395 βΌ
π Read
via "National Vulnerability Database".
A cross-site scripting (XSS) vulnerability in Pryaniki 6.44.3 allows remote authenticated users to upload an arbitrary file. The JavaScript code will execute when someone visits the attachment.π Read
via "National Vulnerability Database".
βΌ CVE-2021-21293 βΌ
π Read
via "National Vulnerability Database".
blaze is a Scala library for building asynchronous pipelines, with a focus on network IO. All servers running blaze-core before version 0.14.15 are affected by a vulnerability in which unbounded connection acceptance leads to file handle exhaustion. Blaze, accepts connections unconditionally on a dedicated thread pool. This has the net effect of amplifying degradation in services that are unable to handle their current request load, since incoming connections are still accepted and added to an unbounded queue. Each connection allocates a socket handle, which drains a scarce OS resource. This can also confound higher level circuit breakers which work based on detecting failed connections. The vast majority of affected users are using it as part of http4s-blaze-server <= 0.21.16. http4s provides a mechanism for limiting open connections, but is enforced inside the Blaze accept loop, after the connection is accepted and the socket opened. Thus, the limit only prevents the number of connections which can be simultaneously processed, not the number of connections which can be held open. The issue is fixed in version 0.14.15 for "NIO1SocketServerGroup". A "maxConnections" parameter is added, with a default value of 512. Concurrent connections beyond this limit are rejected. To run unbounded, which is not recommended, set a negative number. The "NIO2SocketServerGroup" has no such setting and is now deprecated. There are several possible workarounds described in the refrenced GitHub Advisory GHSA-xmw9-q7x9-j5qc.π Read
via "National Vulnerability Database".