Friday Five 4/1
via "Digital Guardian".
Hacked satellites, how technology enables data protection, and the fastest ransomware - catch up on the infosec news of the week with the Friday Five!
What You Need to Know About PCI DSS 4.0's New Requirements
via "Dark Reading".
The goal for PCI DSS v4.0 is to "address emerging threats and technologies and enable innovative methods to combat new threats" to customer payment information, the PCI Security Standards Council says.
CVE-2022-22404
via "National Vulnerability Database".
IBM App Connect Enterprise Certified Container Dashboard UI (IBM App Connect Enterprise Certified Container 1.5, 2.0, 2.1, 3.0, and 3.1) may be vulnerable to denial of service due to excessive rate limiting.
CVE-2022-22332
via "National Vulnerability Database".
IBM Sterling Partner Engagement Manager 6.2.0 could allow an attacker to impersonate another user due to a missing revocation mechanism for JWT tokens. IBM X-Force ID: 219131.
CVE-2022-21235
via "National Vulnerability Database".
The package github.com/masterminds/vcs before 1.13.3 is vulnerable to Command Injection via argument injection. When hg is executed, argument strings are passed to hg in a way that allows additional flags to be set, and those additional flags can be used to perform a command injection.
CVE-2022-22328
via "National Vulnerability Database".
IBM Sterling Partner Engagement Manager 6.2.0 could allow a malicious user to elevate their privileges and perform unintended operations on another user's data. IBM X-Force ID: 218871.
CVE-2022-22331
via "National Vulnerability Database".
IBM Sterling Partner Engagement Manager 6.2.0 could allow a remote authenticated attacker to obtain sensitive information or modify user details caused by an insecure direct object reference (IDOR) vulnerability. IBM X-Force ID: 219130.
CVE-2022-22327
via "National Vulnerability Database".
IBM UrbanCode Deploy (UCD) 7.0.5, 7.1.0, 7.1.1, and 7.1.2 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 218859.
NSA Employee Indicted for Sending Classified Data Outside the Agency
via "Dark Reading".
Even the NSA has a malicious insider problem. The employee used his personal emails to send classified data to unauthorized outsiders on 13 different occasions.
CVE-2022-21223
via "National Vulnerability Database".
The package cocoapods-downloader before 1.6.2 is vulnerable to Command Injection via hg argument injection. When calling the download function (when using hg), the URL (and/or revision, tag, or branch) is passed to the hg clone command in a way that allows additional flags to be set, and those additional flags can be used to perform a command injection.
CVE-2022-24440
via "National Vulnerability Database".
The package cocoapods-downloader before 1.6.0, and from 1.6.2 before 1.6.3, is vulnerable to Command Injection via git argument injection. When calling the Pod::Downloader.preprocess_options function and using git, both the git and branch parameters are passed to the git ls-remote subcommand in a way that allows additional flags to be set, and those additional flags can be used to perform a command injection.
CVE-2022-1207
via "National Vulnerability Database".
Out-of-bounds read in GitHub repository radareorg/radare2 prior to 5.6.8. This vulnerability allows attackers to read sensitive information from outside the allocated buffer boundary.
CVE-2022-23158
via "National Vulnerability Database".
Wyse Device Agent versions 14.6.1.4 and below contain a sensitive data exposure vulnerability. A local authenticated user with standard privileges could potentially exploit this vulnerability by providing incorrect port information and get connected to a valid WMS server.
CVE-2022-23157
via "National Vulnerability Database".
Wyse Device Agent versions 14.6.1.4 and below contain a sensitive data exposure vulnerability. An authenticated malicious user could potentially exploit this vulnerability in order to view sensitive information from the WMS Server.
CVE-2022-24426
via "National Vulnerability Database".
Dell Command | Update, Dell Update, and Alienware Update versions prior to 4.5 contain a Local Privilege Escalation Vulnerability in the Advanced Driver Restore component. A local malicious user could potentially exploit this vulnerability, leading to privilege escalation.
CVE-2022-26562
via "National Vulnerability Database".
An issue in provider/libserver/ECKrbAuth.cpp of Kopano-Core v11.0.2.51 allows attackers to authenticate even if the user account or password has expired.
CVE-2022-23156
via "National Vulnerability Database".
Wyse Device Agent versions 14.6.1.4 and below contain an Improper Authentication vulnerability. A malicious user could potentially exploit this vulnerability by providing invalid input in order to obtain a connection to the WMS server.
CVE-2022-23155
via "National Vulnerability Database".
Dell Wyse Management Suite versions 2.0 through 3.5.2 contain an unrestricted file upload vulnerability. A malicious user with admin privileges can exploit this vulnerability in order to execute arbitrary code on the system.
CVE-2022-24066
via "National Vulnerability Database".
The package simple-git before 3.5.0 is vulnerable to Command Injection due to an incomplete fix of [CVE-2022-24433](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199), which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover.
Apple's Zero-Day Woes Continue
via "Dark Reading".
Two new bugs in macOS and iOS disclosed this week add to the growing list of zero-days the company has rushed to patch over the past year.
CVE-2022-22963
via "National Vulnerability Database".
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL expression as a routing expression, which may result in remote code execution and access to local resources.