βΌ CVE-2022-24844 βΌ
π Read
via "National Vulnerability Database".
Gin-vue-admin is a backstage management system based on vue and gin, which separates the front and rear of the full stack. The problem occurs in the following code in server/service/system/sys_auto_code_pgsql.go, which means that PostgreSQL must be used as the database for this vulnerability to occur. Users must: Require JWT loginΓΒ―ΓΒΌΓ’β¬Β° and be using PostgreSQL to be affected. This issue has been resolved in version 2.5.1. There are no known workarounds.π Read
via "National Vulnerability Database".
βΌ CVE-2022-24818 βΌ
π Read
via "National Vulnerability Database".
GeoTools is an open source Java library that provides tools for geospatial data. The GeoTools library has a number of data sources that can perform unchecked JNDI lookups, which in turn can be used to perform class deserialization and result in arbitrary code execution. Similar to the Log4J case, the vulnerability can be triggered if the JNDI names are user-provided, but requires admin-level login to be triggered. The lookups are now restricted in GeoTools 26.4, GeoTools 25.6, and GeoTools 24.6. Users unable to upgrade should ensure that any downstream application should not allow usage of remotely provided JNDI strings.π Read
via "National Vulnerability Database".
βΌ CVE-2022-24816 βΌ
π Read
via "National Vulnerability Database".
JAI-EXT is an open-source project which aims to extend the Java Advanced Imaging (JAI) API. Programs allowing Jiffle script to be provided via network request can lead to a Remote Code Execution as the Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects the downstream GeoServer project. Version 1.2.22 will contain a patch that disables the ability to inject malicious code into the resulting script. Users unable to upgrade may negate the ability to compile Jiffle scripts from the final application, by removing janino-x.y.z.jar from the classpath.π Read
via "National Vulnerability Database".
π΄ Secure Systems Need Hardware-Enhanced Tools, Intel Says π΄
π Read
via "Dark Reading".
A new Intel study finds that while adoption of hardware-assisted security is still low, there is a lot of interest in how it can secure system layers such as the operating system and hypervisor.π Read
via "Dark Reading".
Darkreading
Secure Systems Need Hardware-Enhanced Tools, Intel Says
A new Intel study finds that while adoption of hardware-assisted security is still low, there is a lot of interest in how it can secure system layers such as the operating system and hypervisor.
βΌ CVE-2022-24845 βΌ
π Read
via "National Vulnerability Database".
Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In affected versions, the return of `<iface>.returns_int128()` is not validated to fall within the bounds of `int128`. This issue can result in a misinterpretation of the integer value and lead to incorrect behavior. As of v0.3.0, `<iface>.returns_int128()` is validated in simple expressions, but not complex expressions. Users are advised to upgrade. There is no known workaround for this issue.π Read
via "National Vulnerability Database".
βΌ CVE-2021-43154 βΌ
π Read
via "National Vulnerability Database".
Cross Site Scripting (XSS) vulnerability exists in CMS Made Simple 2.2.15 via the Name field in an Add Category action in moduleinterface.php.π Read
via "National Vulnerability Database".
βΌ CVE-2022-24847 βΌ
π Read
via "National Vulnerability Database".
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The GeoServer security mechanism can perform an unchecked JNDI lookup, which in turn can be used to perform class deserialization and result in arbitrary code execution. The same can happen while configuring data stores with data sources located in JNDI, or while setting up the disk quota mechanism. In order to perform any of the above changes, the attack needs to have obtained admin rights and use either the GeoServer GUI, or its REST API. The lookups are going to be restricted in GeoServer 2.21.0, 2.20.4, 1.19.6. Users unable to upgrade should restrict access to the `geoserver/web` and `geoserver/rest` via a firewall and ensure that the GeoWebCache is not remotely accessible.π Read
via "National Vulnerability Database".
βΌ CVE-2022-24843 βΌ
π Read
via "National Vulnerability Database".
Gin-vue-admin is a backstage management system based on vue and gin, which separates the front and rear of the full stack. Gin-vue-admin 2.50 has arbitrary file read vulnerability due to a lack of parameter validation. This has been resolved in version 2.5.1. There are no known workarounds for this issue.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1350 βΌ
π Read
via "National Vulnerability Database".
A vulnerability classified as problematic was found in Ghostscript 9.55.0. This vulnerability affects the function chunk_free_object of the file gsmchunk.c. The manipulation with a malicious file leads to a memory corruption. The attack can be initiated remotely but requires user interaction. The exploit has been disclosed to the public as a POC and may be used. It is recommended to apply the patches to fix this issue.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1279 βΌ
π Read
via "National Vulnerability Database".
A vulnerability in the encryption implementation of EBICS messages in the open source librairy ebics-java/ebics-java-client allows an attacker sniffing network traffic to decrypt EBICS payloads. This issue affects: ebics-java/ebics-java-client versions prior to 1.2.π Read
via "National Vulnerability Database".
π2
β US cryptocurrency coder gets 5 years for North Korea sanctions busting β
π Read
via "Naked Security".
Cryptocurrency expert didn't take "No" for an answer when the US authorities said he couldn't pursue cryptocoin opps in North Korea.π Read
via "Naked Security".
Naked Security
US cryptocurrency coder gets 5 years for North Korea sanctions busting
Cryptocurrency expert didnβt take βNoβ for an answer when the US authorities said he couldnβt pursue cryptocoin opps in North Korea.
π€1
β S3 Ep78: Darkweb hydra, Ruby, quantum computing, and a robot revolution [Podcast] β
π Read
via "Naked Security".
Latest episode - listen now!π Read
via "Naked Security".
Naked Security
S3 Ep78: Darkweb hydra, Ruby, quantum computing, and a robot revolution [Podcast]
Latest episode β listen now!
π1
βΌ CVE-2022-27445 βΌ
π Read
via "National Vulnerability Database".
MariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/sql_window.cc.π Read
via "National Vulnerability Database".
βΌ CVE-2021-43289 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker who has compromised a GoCD agent can upload a malicious file into an arbitrary directory of a GoCD server, but does not control the filename.π Read
via "National Vulnerability Database".
βΌ CVE-2022-27451 βΌ
π Read
via "National Vulnerability Database".
MariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/field_conv.cc.π Read
via "National Vulnerability Database".
π1
βΌ CVE-2022-27452 βΌ
π Read
via "National Vulnerability Database".
MariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/item_cmpfunc.cc.π Read
via "National Vulnerability Database".
βΌ CVE-2022-27446 βΌ
π Read
via "National Vulnerability Database".
MariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/item_cmpfunc.h.π Read
via "National Vulnerability Database".
βΌ CVE-2022-27457 βΌ
π Read
via "National Vulnerability Database".
MariaDB Server v10.6.3 and below was discovered to contain an use-after-free in the component my_mb_wc_latin1 at /strings/ctype-latin1.c.π Read
via "National Vulnerability Database".
βΌ CVE-2022-26507 βΌ
π Read
via "National Vulnerability Database".
** UNSUPPORTED WHEN ASSIGNED ** A heap-based buffer overflow exists in XML Decompression DecodeTreeBlock in AT&T Labs Xmill 0.7. A crafted input file can lead to remote code execution. This is not the same as any of: CVE-2021-21810, CVE-2021-21811, CVE-2021-21812, CVE-2021-21815, CVE-2021-21825, CVE-2021-21826, CVE-2021-21828, CVE-2021-21829, or CVE-2021-21830. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.π Read
via "National Vulnerability Database".
βΌ CVE-2021-43287 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in ThoughtWorks GoCD before 21.3.0. The business continuity add-on, which is enabled by default, leaks all secrets known to the GoCD server to unauthenticated attackers.π Read
via "National Vulnerability Database".
βΌ CVE-2022-27448 βΌ
π Read
via "National Vulnerability Database".
There is an Assertion failure in MariaDB Server v10.9 and below via 'node->pcur->rel_pos == BTR_PCUR_ON' at /row/row0mysql.cc.π Read
via "National Vulnerability Database".