๐ข Microsoft announces lucrative new bug bounty awards for M365 products and services ๐ข
๐ Read
via "ITPro".
The new awards will focus on scenario-based weaknesses and offer bonuses of up to 30% for the most severe bugs๐ Read
via "ITPro".
ITPro
Microsoft announces lucrative new bug bounty awards for M365 products and services
The new awards will focus on scenario-based weaknesses and offer bonuses of up to 30% for the most severe bugs
๐ข Tech leaders share how to break into the tech industry ๐ข
๐ Read
via "ITPro".
โYou have to feel like a true member of the IT world before you actually become a member"๐ Read
via "ITPro".
IT PRO
Tech leaders share how to break into the tech industry | IT PRO
โYou have to feel like a true member of the IT world before you actually become a member"
๐ข Funky Pigeon site offline after "cyber incident" ๐ข
๐ Read
via "ITPro".
The WH Smith-owned card site has reported the breach to "the relevant regulators"๐ Read
via "ITPro".
IT PRO
Funky Pigeon site offline after "cyber incident" | IT PRO
The WH Smith-owned card site has reported the breach to "the relevant regulators"
๐ข Encryption battle plays out in Australian Parliament ๐ข
๐ Read
via "ITPro".
The opposition said that the government is โaddicted to secrecyโ๐ Read
via "ITPro".
IT PRO
Encryption battle plays out in Australian Parliament | IT PRO
The opposition said that the government is โaddicted to secrecyโ
โผ CVE-2022-24902 โผ
๐ Read
via "National Vulnerability Database".
TkVideoplayer is a simple library to play video files in tkinter. Uncontrolled memory consumption in versions of TKVideoplayer prior to 2.0.0 can theoretically lead to performance degradation. There are no known workarounds. This issue has been patched and users are advised to upgrade to version 2.0.0 or later.๐ Read
via "National Vulnerability Database".
โผ CVE-2022-29171 โผ
๐ Read
via "National Vulnerability Database".
Sourcegraph is a fast and featureful code search and navigation engine. Versions before 3.38.0 are vulnerable to Remote Code Execution in the gitserver service. The Gitolite code host integration with Phabricator allows Sourcegraph site admins to specify a `callsignCommand`, which is used to obtain the Phabricator metadata for a Gitolite repository. An administrator who is able to edit or add a Gitolite code host and has administrative access to Sourcegraphรขโฌโขs bundled Grafana instance can change this command arbitrarily and run it remotely. This grants direct access to the infrastructure underlying the Sourcegraph installation. The attack requires: site-admin privileges on the instance of Sourcegraph, Administrative privileges on the bundled Grafana monitoring instance, Knowledge of the gitserver IP address or DNS name (if running in Kubernetes). This can be found through Grafana. The issue is patched in version 3.38.0. You may disable Gitolite code hosts. We still highly encourage upgrading regardless of workarounds.๐ Read
via "National Vulnerability Database".
โผ CVE-2022-24903 โผ
๐ Read
via "National Vulnerability Database".
Rsyslog is a rocket-fast system for log processing. Modules for TCP syslog reception have a potential heap buffer overflow when octet-counted framing is used. This can result in a segfault or some other malfunction. As of our understanding, this vulnerability can not be used for remote code execution. But there may still be a slight chance for experts to do that. The bug occurs when the octet count is read. While there is a check for the maximum number of octets, digits are written to a heap buffer even when the octet count is over the maximum, This can be used to overrun the memory buffer. However, once the sequence of digits stop, no additional characters can be added to the buffer. In our opinion, this makes remote exploits impossible or at least highly complex. Octet-counted framing is one of two potential framing modes. It is relatively uncommon, but enabled by default on receivers. Modules `imtcp`, `imptcp`, `imgssapi`, and `imhttp` are used for regular syslog message reception. It is best practice not to directly expose them to the public. When this practice is followed, the risk is considerably lower. Module `imdiag` is a diagnostics module primarily intended for testbench runs. We do not expect it to be present on any production installation. Octet-counted framing is not very common. Usually, it needs to be specifically enabled at senders. If users do not need it, they can turn it off for the most important modules. This will mitigate the vulnerability.๐ Read
via "National Vulnerability Database".
โผ CVE-2022-24817 โผ
๐ Read
via "National Vulnerability Database".
Flux2 is an open and extensible continuous delivery solution for Kubernetes. Flux2 versions between 0.1.0 and 0.29.0, helm-controller 0.1.0 to v0.19.0, and kustomize-controller 0.1.0 to v0.23.0 are vulnerable to Code Injection via malicious Kubeconfig. In multi-tenancy deployments this can also lead to privilege escalation if the controller's service account has elevated permissions. Workarounds include disabling functionality via Validating Admission webhooks by restricting users from setting the `spec.kubeConfig` field in Flux `Kustomization` and `HelmRelease` objects. Additional mitigations include applying restrictive AppArmor and SELinux profiles on the controllerรขโฌโขs pod to limit what binaries can be executed. This vulnerability is fixed in kustomize-controller v0.23.0 and helm-controller v0.19.0, both included in flux2 v0.29.0๐ Read
via "National Vulnerability Database".
โผ CVE-2022-24899 โผ
๐ Read
via "National Vulnerability Database".
Contao is a powerful open source CMS that allows you to create professional websites and scalable web applications. In versions of Contao prior to 4.13.3 it is possible to inject code into the canonical tag. As a workaround users may disable canonical tags in the root page settings.๐ Read
via "National Vulnerability Database".
โผ CVE-2022-29164 โผ
๐ Read
via "National Vulnerability Database".
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. In affected versions an attacker can create a workflow which produces a HTML artifact containing an HTML file that contains a script which uses XHR calls to interact with the Argo Server API. The attacker emails the deep-link to the artifact to their victim. The victim opens the link, the script starts running. As the script has access to the Argo Server API (as the victim), so may read information about the victimรขโฌโขs workflows, or create and delete workflows. Note the attacker must be an insider: they must have access to the same cluster as the victim and must already be able to run their own workflows. The attacker must have an understanding of the victimรขโฌโขs system. We have seen no evidence of this in the wild. We urge all users to upgrade to the fixed versions.๐ Read
via "National Vulnerability Database".
โผ CVE-2022-24878 โผ
๐ Read
via "National Vulnerability Database".
Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious `kustomization.yaml` allows an attacker to cause a Denial of Service at the controller level. Workarounds include automated tooling in the user's CI/CD pipeline to validate `kustomization.yaml` files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0. Users are recommended to upgrade.๐ Read
via "National Vulnerability Database".
โผ CVE-2022-24877 โผ
๐ Read
via "National Vulnerability Database".
Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious `kustomization.yaml` allows an attacker to expose sensitive data from the controllerรยขรขโยฌรขโยขs pod filesystem and possibly privilege escalation in multi-tenancy deployments. Workarounds include automated tooling in the user's CI/CD pipeline to validate `kustomization.yaml` files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0.๐ Read
via "National Vulnerability Database".
๐1
โผ CVE-2021-25745 โผ
๐ Read
via "National Vulnerability Database".
A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the spec.rules[].http.paths[].path field of an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.๐ Read
via "National Vulnerability Database".
โผ CVE-2021-25746 โผ
๐ Read
via "National Vulnerability Database".
A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use .metadata.annotations in an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.๐ Read
via "National Vulnerability Database".
โผ CVE-2022-24884 โผ
๐ Read
via "National Vulnerability Database".
ecdsautils is a tiny collection of programs used for ECDSA (keygen, sign, verify). `ecdsa_verify_[prepare_]legacy()` does not check whether the signature values `r` and `s` are non-zero. A signature consisting only of zeroes is always considered valid, making it trivial to forge signatures. Requiring multiple signatures from different public keys does not mitigate the issue: `ecdsa_verify_list_legacy()` will accept an arbitrary number of such forged signatures. Both the `ecdsautil verify` CLI command and the libecdsautil library are affected. The issue has been fixed in ecdsautils 0.4.1. All older versions of ecdsautils (including versions before the split into a library and a CLI utility) are vulnerable.๐ Read
via "National Vulnerability Database".
โผ CVE-2022-29161 โผ
๐ Read
via "National Vulnerability Database".
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The XWiki Crypto API will generate X509 certificates signed by default using SHA1 with RSA, which is not considered safe anymore for use in certificate signatures, due to the risk of collisions with SHA1. The problem has been patched in XWiki version 13.10.6, 14.3.1 and 14.4-rc-1. Since then, the Crypto API will generate X509 certificates signed by default using SHA256 with RSA. Administrators are advised to upgrade their XWiki installation to one of the patched versions. If the upgrade is not possible, it is possible to patch the module xwiki-platform-crypto in a local installation by applying the change exposed in 26728f3 and re-compiling the module.๐ Read
via "National Vulnerability Database".
โผ CVE-2022-30294 โผ
๐ Read
via "National Vulnerability Database".
In WebKitGTK through 2.36.0 (and WPE WebKit), there is a use-after-free in WebCore::TextureMapperLayer::setContentsLayer in WebCore/platform/graphics/texmap/TextureMapperLayer.cpp.๐ Read
via "National Vulnerability Database".
โผ CVE-2022-30295 โผ
๐ Read
via "National Vulnerability Database".
uClibc-ng through 1.0.40 and uClibc through 0.9.33.2 use predictable DNS transaction IDs that may lead to DNS cache poisoning. This is related to a reset of a value to 0x2.๐ Read
via "National Vulnerability Database".
โผ CVE-2022-30293 โผ
๐ Read
via "National Vulnerability Database".
In WebKitGTK through 2.36.0 (and WPE WebKit), there is a heap-based buffer overflow in WebCore::TextureMapperLayer::setContentsLayer in WebCore/platform/graphics/texmap/TextureMapperLayer.cpp.๐ Read
via "National Vulnerability Database".
๐๏ธ UK government calls for tougher protections against malicious mobile apps ๐๏ธ
๐ Read
via "The Daily Swig".
NCSC proposes new code of conduct for app stores๐ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
UK government calls for tougher protections against malicious mobile apps
NCSC proposes new code of conduct for app stores
๐๏ธ WordPress sites getting hacked โwithin secondsโ of TLS certificates being issued ๐๏ธ
๐ Read
via "The Daily Swig".
Attackers pounce before site owners can activate the installation wizard๐ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
WordPress sites getting hacked โwithin secondsโ of TLS certificates being issued
Attackers pounce before site owners can activate the installation wizard