‼ CVE-2022-29166 ‼
📖 Read
via "National Vulnerability Database".
matrix-appservice-irc is a Node.js IRC bridge for Matrix. The vulnerability in node-irc allows an attacker to manipulate a Matrix user into executing IRC commands by having them reply to a maliciously crafted message. The vulnerability has been patched in matrix-appservice-irc 0.33.2. Refrain from replying to messages from untrusted participants in IRC-bridged Matrix rooms. There are no known workarounds for this issue.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-29173 ‼
📖 Read
via "National Vulnerability Database".
go-tuf is a Go implementation of The Update Framework (TUF). go-tuf does not correctly implement the client workflow for updating the metadata files for roles other than the root role. Specifically, checks for rollback attacks are not implemented correctly meaning an attacker can cause clients to install software that is older than the software which the client previously knew to be available, and may include software with known vulnerabilities. In more detail, the client code of go-tuf has several issues in regards to preventing rollback attacks: 1. It does not take into account the content of any previously trusted metadata, if available, before proceeding with updating roles other than the root role (i.e., steps 5.4.3.1 and 5.5.5 of the detailed client workflow). This means that any form of version verification done on the newly-downloaded metadata is made using the default value of zero, which always passes. 2. For both timestamp and snapshot roles, go-tuf saves these metadata files as trusted before verifying if the version of the metafiles they refer to is correct (i.e., steps 5.5.4 and 5.6.4 of the detailed client workflow). A fix is available in version 0.3.0 or newer. No workarounds are known for this issue apart from upgrading.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-29176 ‼
📖 Read
via "National Vulnerability Database".
Rubygems is a package registry used to supply software for the Ruby language ecosystem. Due to a bug in the yank action, it was possible for any RubyGems.org user to remove and replace certain gems even if that user was not authorized to do so. To be vulnerable, a gem needed: one or more dashes in its name creation within 30 days OR no updates for over 100 days At present, we believe this vulnerability has not been exploited. RubyGems.org sends an email to all gem owners when a gem version is published or yanked. We have not received any support emails from gem owners indicating that their gem has been yanked without authorization. An audit of gem changes for the last 18 months did not find any examples of this vulnerability being used in a malicious way. A deeper audit for any possible use of this exploit is ongoing, and we will update this advisory once it is complete. Using Bundler in --frozen or --deployment mode in CI and during deploys, as the Bundler team has always recommended, will guarantee that your application does not silently switch to versions created using this exploit. To audit your application history for possible past exploits, review your Gemfile.lock and look for gems whose platform changed when the version number did not change. For example, gemname-3.1.2 updating to gemname-3.1.2-java could indicate a possible abuse of this vulnerability. RubyGems.org has been patched and is no longer vulnerable to this issue as of the 5th of May 2022.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-29175 ‼
📖 Read
via "National Vulnerability Database".
Vyper is a pythonic smart contract language for the ethereum virtual machine. Since version 0.3.2, decimals use the full range of the underlying int168 type. multiplication of 168 bit integers can wrap in 256-bit arithmetic, but safemul does not check for that. This has been patched in v0.3.4. There are no known workarounds for this issue.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-29172 ‼
📖 Read
via "National Vulnerability Database".
Auth0 is an authentication broker that supports both social and enterprise identity providers, including Active Directory, LDAP, Google Apps, and Salesforce. In versions before `11.33.0`, when the “additional signup fieldsâ€? feature [is configured](https://github.com/auth0/lock#additional-sign-up-fields), a malicious actor can inject invalidated HTML code into these additional fields, which is then stored in the service `user_metdata` payload (using the `name` property). Verification emails, when applicable, are generated using this metadata. It is therefor possible for an actor to craft a malicious link by injecting HTML, which is then rendered as the recipient's name within the delivered email template. You are impacted by this vulnerability if you are using `auth0-lock` version `11.32.2` or lower and are using the “additional signup fieldsâ€? feature in your application. Upgrade to version `11.33.0`.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-29167 ‼
📖 Read
via "National Vulnerability Database".
Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse `Host` HTTP header (`Hawk.utils.parseHost()`), which was subject to regular expression DoS attack - meaning each added character in the attacker's input increases the computation time exponentially. `parseHost()` was patched in `9.0.1` to use built-in `URL` class to parse hostname instead. `Hawk.authenticate()` accepts `options` argument. If that contains `host` and `port`, those would be used instead of a call to `utils.parseHost()`.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-29535 ‼
📖 Read
via "National Vulnerability Database".
Zoho ManageEngine OPManager through 125588 allows SQL Injection via a few default reports.📖 Read
via "National Vulnerability Database".
📢 Millions of Lenovo laptops thought to be vulnerable to newly discovered UEFI malware attacks 📢
📖 Read
via "ITPro".
ESET researchers said the core vulnerabilities were 'easy' to spot due to "unfortunate" and "honest" driver names📖 Read
via "ITPro".
IT PRO
Millions of Lenovo laptops thought to be vulnerable to newly discovered UEFI malware attacks | IT PRO
ESET researchers said the core vulnerabilities were 'easy' to spot due to "unfortunate" and "honest" driver names
📢 ConnectWise unveils new incident response service 📢
📖 Read
via "ITPro".
New offering provides an “immediate lifeline” to a team of cyber experts in the event of a security breach📖 Read
via "ITPro".
IT PRO
ConnectWise unveils new incident response service | IT PRO
New offering provides an “immediate lifeline” to a team of cyber experts in the event of a security breach
📢 REvil ransomware group's infrastructure comes back online hinting at fresh campaign 📢
📖 Read
via "ITPro".
The ransomware gang's old deep web infrastructure is now redirecting to a new website with new victims📖 Read
via "ITPro".
IT PRO
REvil ransomware group's infrastructure comes back online hinting at fresh campaign | IT PRO
The ransomware gang's old deep web infrastructure is now redirecting to a new website with new victims
📢 Exclusive: Former Shiseido staff say company was aware of data breach weeks before official notice 📢
📖 Read
via "ITPro".
Fake companies were created using the stolen identities of hundreds of Shiseido employees, former staff claim📖 Read
via "ITPro".
IT PRO
Exclusive: Former Shiseido staff say company was aware of data breach weeks before official notice | IT PRO
Fake companies were created using the stolen identities of hundreds of Shiseido employees, former staff claim
📢 Report: UK businesses are less secure when using police-endorsed cyber security tool 📢
📖 Read
via "ITPro".
The cyber security researcher found the developer of the free software to be "incompetent" and the myriad flaws in the cyber crime-fighting monitoring tool left businesses more at risk of cyber attacks📖 Read
via "ITPro".
IT PRO
Report: UK businesses are less secure when using police-endorsed cyber security tool | IT PRO
The cyber security researcher found the developer of the free software to be "incompetent" and the myriad flaws in the cyber crime-fighting monitoring tool left businesses more at risk of cyber attacks
📢 Microsoft announces lucrative new bug bounty awards for M365 products and services 📢
📖 Read
via "ITPro".
The new awards will focus on scenario-based weaknesses and offer bonuses of up to 30% for the most severe bugs📖 Read
via "ITPro".
ITPro
Microsoft announces lucrative new bug bounty awards for M365 products and services
The new awards will focus on scenario-based weaknesses and offer bonuses of up to 30% for the most severe bugs
📢 Tech leaders share how to break into the tech industry 📢
📖 Read
via "ITPro".
“You have to feel like a true member of the IT world before you actually become a member"📖 Read
via "ITPro".
IT PRO
Tech leaders share how to break into the tech industry | IT PRO
“You have to feel like a true member of the IT world before you actually become a member"
📢 Funky Pigeon site offline after "cyber incident" 📢
📖 Read
via "ITPro".
The WH Smith-owned card site has reported the breach to "the relevant regulators"📖 Read
via "ITPro".
IT PRO
Funky Pigeon site offline after "cyber incident" | IT PRO
The WH Smith-owned card site has reported the breach to "the relevant regulators"
📢 Encryption battle plays out in Australian Parliament 📢
📖 Read
via "ITPro".
The opposition said that the government is “addicted to secrecy”📖 Read
via "ITPro".
IT PRO
Encryption battle plays out in Australian Parliament | IT PRO
The opposition said that the government is “addicted to secrecy”
‼ CVE-2022-24902 ‼
📖 Read
via "National Vulnerability Database".
TkVideoplayer is a simple library to play video files in tkinter. Uncontrolled memory consumption in versions of TKVideoplayer prior to 2.0.0 can theoretically lead to performance degradation. There are no known workarounds. This issue has been patched and users are advised to upgrade to version 2.0.0 or later.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-29171 ‼
📖 Read
via "National Vulnerability Database".
Sourcegraph is a fast and featureful code search and navigation engine. Versions before 3.38.0 are vulnerable to Remote Code Execution in the gitserver service. The Gitolite code host integration with Phabricator allows Sourcegraph site admins to specify a `callsignCommand`, which is used to obtain the Phabricator metadata for a Gitolite repository. An administrator who is able to edit or add a Gitolite code host and has administrative access to Sourcegraph’s bundled Grafana instance can change this command arbitrarily and run it remotely. This grants direct access to the infrastructure underlying the Sourcegraph installation. The attack requires: site-admin privileges on the instance of Sourcegraph, Administrative privileges on the bundled Grafana monitoring instance, Knowledge of the gitserver IP address or DNS name (if running in Kubernetes). This can be found through Grafana. The issue is patched in version 3.38.0. You may disable Gitolite code hosts. We still highly encourage upgrading regardless of workarounds.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-24903 ‼
📖 Read
via "National Vulnerability Database".
Rsyslog is a rocket-fast system for log processing. Modules for TCP syslog reception have a potential heap buffer overflow when octet-counted framing is used. This can result in a segfault or some other malfunction. As of our understanding, this vulnerability can not be used for remote code execution. But there may still be a slight chance for experts to do that. The bug occurs when the octet count is read. While there is a check for the maximum number of octets, digits are written to a heap buffer even when the octet count is over the maximum, This can be used to overrun the memory buffer. However, once the sequence of digits stop, no additional characters can be added to the buffer. In our opinion, this makes remote exploits impossible or at least highly complex. Octet-counted framing is one of two potential framing modes. It is relatively uncommon, but enabled by default on receivers. Modules `imtcp`, `imptcp`, `imgssapi`, and `imhttp` are used for regular syslog message reception. It is best practice not to directly expose them to the public. When this practice is followed, the risk is considerably lower. Module `imdiag` is a diagnostics module primarily intended for testbench runs. We do not expect it to be present on any production installation. Octet-counted framing is not very common. Usually, it needs to be specifically enabled at senders. If users do not need it, they can turn it off for the most important modules. This will mitigate the vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-24817 ‼
📖 Read
via "National Vulnerability Database".
Flux2 is an open and extensible continuous delivery solution for Kubernetes. Flux2 versions between 0.1.0 and 0.29.0, helm-controller 0.1.0 to v0.19.0, and kustomize-controller 0.1.0 to v0.23.0 are vulnerable to Code Injection via malicious Kubeconfig. In multi-tenancy deployments this can also lead to privilege escalation if the controller's service account has elevated permissions. Workarounds include disabling functionality via Validating Admission webhooks by restricting users from setting the `spec.kubeConfig` field in Flux `Kustomization` and `HelmRelease` objects. Additional mitigations include applying restrictive AppArmor and SELinux profiles on the controller’s pod to limit what binaries can be executed. This vulnerability is fixed in kustomize-controller v0.23.0 and helm-controller v0.19.0, both included in flux2 v0.29.0📖 Read
via "National Vulnerability Database".
‼ CVE-2022-24899 ‼
📖 Read
via "National Vulnerability Database".
Contao is a powerful open source CMS that allows you to create professional websites and scalable web applications. In versions of Contao prior to 4.13.3 it is possible to inject code into the canonical tag. As a workaround users may disable canonical tags in the root page settings.📖 Read
via "National Vulnerability Database".