Microsoft Launches Purview Platform to Govern, Protect, and Manage Sensitive Data
via "Dark Reading".
The rebranded Microsoft Purview platform integrates Microsoft 365 Compliance and Azure Purview, and adds new capabilities and products to help manage data no matter where it resides.
CVE-2022-24858
via "National Vulnerability Database".
next-auth v3 users before version 3.29.2 are impacted. next-auth version 4 users before version 4.3.2 are also impacted. Upgrading to 3.29.2 or 4.3.2 will patch this vulnerability. If you are not able to upgrade for any reason, you can add a configuration to your callbacks option. If you already have a `redirect` callback, make sure that you match the incoming `url` origin against the `baseUrl`.
CVE-2021-3100
via "National Vulnerability Database".
The Apache Log4j hotpatch package before log4j-cve-2021-44228-hotpatch-1.1-12 didn't mimic the permissions of the JVM being patched, allowing it to escalate privileges.
CVE-2022-0071
via "National Vulnerability Database".
Incomplete fix for CVE-2021-3101. Hotdog, prior to v1.0.2, did not mimic the resource limits, device restrictions, or syscall filters of the target JVM process. This would allow a container to exhaust the resources of the host, modify devices, or make syscalls that would otherwise be blocked.
CVE-2021-3101
via "National Vulnerability Database".
Hotdog, prior to v1.0.1, did not mimic the capabilities or the SELinux label of the target JVM process. This would allow a container to gain full privileges on the host, bypassing restrictions set on the container.
CVE-2022-0070
via "National Vulnerability Database".
Incomplete fix for CVE-2021-3100. The Apache Log4j hotpatch package starting with log4j-cve-2021-44228-hotpatch-1.1-16 will now explicitly mimic the Linux capabilities and cgroups of the target Java process that the hotpatch is applied to.
CVE-2022-24860
via "National Vulnerability Database".
Databasir is a team-oriented relational database model document management platform. Databasir 1.01 has a Use of Hard-coded Cryptographic Key vulnerability. An attacker can use the hard-coded key to generate login credentials of any user and log in to the service background located at different IP addresses.
CVE-2022-24826
via "National Vulnerability Database".
On Windows, if Git LFS operates on a malicious repository with a `..exe` file as well as a file named `git.exe`, and `git.exe` is not found in `PATH`, the `..exe` program will be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems. Similarly, if the malicious repository contains files named `..exe` and `cygpath.exe`, and `cygpath.exe` is not found in `PATH`, the `..exe` program will be executed when certain Git LFS commands are run. More generally, if the current working directory contains any file with a base name of `.` and a file extension from `PATHEXT` (except `.bat` and `.cmd`), and also contains another file with the same base name as a program Git LFS intends to execute (such as `git`, `cygpath`, or `uname`) and any file extension from `PATHEXT` (including `.bat` and `.cmd`), then, on Windows, when Git LFS attempts to execute the intended program the `..exe`, `..com`, etc., file will be executed instead, but only if the intended program is not found in any directory listed in `PATH`. The vulnerability occurs because when Git LFS detects that the program it intends to run does not exist in any directory listed in `PATH` then Git LFS passes an empty string as the executable file path to the Go `os/exec` package, which contains a bug such that, on Windows, it prepends the name of the current working directory (i.e., `.`) to the empty string without adding a path separator, and as a result searches in that directory for a file with the base name `.` combined with any file extension from `PATHEXT`, executing the first one it finds.
(The reason `..bat` and `..cmd` files are not executed in the same manner is that, although the Go `os/exec` package tries to execute them just as it does a `..exe` file, the Microsoft Win32 API `CreateProcess()` family of functions have an undocumented feature in that they apparently recognize when a caller is attempting to execute a batch script file and instead run the `cmd.exe` command interpreter, passing the full set of command line arguments as parameters. These are unchanged from the command line arguments set by Git LFS, and as such, the intended program's name is the first, resulting in a command line like `cmd.exe /c git`, which then fails.) Git LFS has resolved this vulnerability by always reporting an error when a program is not found in any directory listed in `PATH` rather than passing an empty string to the Go `os/exec` package in this case. The bug in the Go `os/exec` package has been reported to the Go project and is expected to be patched after this security advisory is published. The problem was introduced in version 2.12.1 and is patched in version 3.1.3. Users of affected versions should upgrade to version 3.1.3. There are currently no known workarounds at this time.
CVE-2022-27629
via "National Vulnerability Database".
Cross-site request forgery (CSRF) vulnerability in 'MicroPayments - Paid Author Subscriptions, Content, Downloads, Membership' versions prior to 1.9.6 allows a remote unauthenticated attacker to hijack the authentication of an administrator and perform unintended operations via unspecified vectors.
Google: 2021 was a Banner Year for Exploited 0-Day Bugs
via "Threat Post".
Last year, Google Project Zero tracked a record 58 exploited-in-the-wild zero-day security holes.
Fortress Tackles Supply Chain Security, One Asset at a Time
via "Dark Reading".
Fortress Information Security will expand its Asset to Vendor Library to include hardware bill of materials and software bill of materials information.
UK government employees receive "billions" of malicious emails per year - report
via "The Daily Swig".
Phishing, malware, and spam are popular techniques deployed by attackers.
From Passive Recovery to Active Readiness
via "Dark Reading".
This is the shift that companies need to make after a cyberattack.
CVE-2022-1254
via "National Vulnerability Database".
A URL redirection vulnerability in Skyhigh SWG in main releases 10.x prior to 10.2.9, 9.x prior to 9.2.20, 8.x prior to 8.2.27, and 7.x prior to 7.8.2.31, and controlled release 11.x prior to 11.1.3 allows a remote attacker to redirect a user to a malicious website controlled by the attacker. This is possible because SWG incorrectly creates an HTTP redirect response when a user clicks a carefully constructed URL. Following the redirect response, the new request is still filtered by the SWG policy.
CVE-2022-25344
via "National Vulnerability Database".
An XSS issue was discovered on Kyocera d-COLOR MF3555 2XD_S000.002.271 devices. The Web Application doesn't properly check parameters, sent in a /dvcset/sysset/set.cgi POST request via the arg01.Hostname field, before saving them on the server. In addition, the malicious JavaScript content is then reflected back to the end user and executed by the web browser.
CVE-2022-25343
via "National Vulnerability Database".
An issue was discovered on Kyocera d-COLOR MF3555 2XD_S000.002.271 devices. The Web Application is affected by Denial of Service. An unauthenticated attacker, who can send POST requests to the /download/set.cgi page by manipulating the failhtmfile variable, is able to cause interruption of the service provided by the Web Application.
CVE-2022-25342
via "National Vulnerability Database".
An issue was discovered on Kyocera d-COLOR MF3555 2XD_S000.002.271 devices. The Web Application is affected by Broken Access Control. It does not properly validate requests for access to data and functionality under the /mngset/authset path. By not verifying permissions for access to resources, it allows a potential attacker to view pages that are not allowed.
Beanstalk cryptocurrency heist: scammer votes himself all the money
via "Naked Security".
Voting safeguards based on community collateral don't work if one person can use a momentary loan to "become" 75% of the community.
Backward-Compatible Post-Quantum Communications Is a Matter of National Security
via "Dark Reading".
When a quantum computer can decipher the asymmetric encryption protecting our vital systems, Q-Day will arrive.
Most Email Security Approaches Fail to Block Common Threats
via "Threat Post".
A full 89 percent of organizations experienced one or more successful email breaches during the previous 12 months, translating into big-time costs.
Critical cryptographic Java security blunder patched - update now!
via "Naked Security".
Either know the private key and use it scrupulously in your digital signature calculation.... or just send a bunch of zeros instead.