βΌ CVE-2022-28181 βΌ
π Read
via "National Vulnerability Database".
NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user on the network can cause an out-of-bounds write through a specially crafted shader, which may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. The scope of the impact may extend to other components.π Read
via "National Vulnerability Database".
βΌ CVE-2022-29162 βΌ
π Read
via "National Vulnerability Database".
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where `runc exec --cap` created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in runc 1.1.2. This fix changes `runc exec --cap` behavior such that the additional capabilities granted to the process being executed (as specified via `--cap` arguments) do not include inheritable capabilities. In addition, `runc spec` is changed to not set any inheritable capabilities in the created example OCI spec (`config.json`) file.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1359 βΌ
π Read
via "National Vulnerability Database".
The affected On-Premise cnMaestro is vulnerable to an arbitrary file-write through improper limitation of a pathname to a restricted directory inside a specific route. If an attacker supplied path traversal charters (../) as part of a filename, the server will save the file where the attacker chooses. This could allow an attacker to write any data to any file in the server.π Read
via "National Vulnerability Database".
βΌ CVE-2022-28191 βΌ
π Read
via "National Vulnerability Database".
NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (nvidia.ko), where uncontrolled resource consumption can be triggered by an unprivileged regular user, which may lead to denial of service.π Read
via "National Vulnerability Database".
βΌ CVE-2022-28183 βΌ
π Read
via "National Vulnerability Database".
NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user can cause an out-of-bounds read, which may lead to denial of service and information disclosure.π Read
via "National Vulnerability Database".
βΌ CVE-2022-28185 βΌ
π Read
via "National Vulnerability Database".
NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the ECC layer, where an unprivileged regular user can cause an out-of-bounds write, which may lead to denial of service and data tampering.π Read
via "National Vulnerability Database".
βΌ CVE-2022-28182 βΌ
π Read
via "National Vulnerability Database".
NVIDIA GPU Display Driver for Windows contains a vulnerability in the DirectX11 user mode driver (nvwgf2um/x.dll), where an unauthorized attacker on the network can cause an out-of-bounds write through a specially crafted shader, which may lead to code execution to cause denial of service, escalation of privileges, information disclosure, and data tampering. The scope of the impact may extend to other components.π Read
via "National Vulnerability Database".
βΌ CVE-2022-28186 βΌ
π Read
via "National Vulnerability Database".
NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where the product receives input or data, but does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly, which may lead to denial of service or data tampering.π Read
via "National Vulnerability Database".
βΌ CVE-2022-28187 βΌ
π Read
via "National Vulnerability Database".
NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys), where the memory management software does not release a resource after its effective lifetime has ended, which may lead to denial of service.π Read
via "National Vulnerability Database".
βΌ CVE-2022-28616 βΌ
π Read
via "National Vulnerability Database".
A remote server-side request forgery (ssrf) vulnerability was discovered in HPE OneView version(s): Prior to 7.0. HPE has provided a software update to resolve this vulnerability in HPE OneView.π Read
via "National Vulnerability Database".
βΌ CVE-2022-29174 βΌ
π Read
via "National Vulnerability Database".
countly-server is the server-side part of Countly, a product analytics solution. Prior to versions 22.03.7 and 21.11.4, a malicious actor who knows an account email address/username and full name specified in the database is capable of guessing the password reset token. The actor may use this information to reset the password and take over the account. The problem has been patched in Countly Server version 22.03.7 for servers using the new user interface and in 21.11.4 for servers using the old user interface.π Read
via "National Vulnerability Database".
βΌ CVE-2022-24388 βΌ
π Read
via "National Vulnerability Database".
Vulnerability in rconfig Γ’β¬ΕdateΓ’β¬οΏ½ enables an attacker with user level access to the CLI to inject root level commands into Fidelis Network and Deception CommandPost, Collector, Sensor, and Sandbox components as well as neighboring Fidelis components. The vulnerability is present in Fidelis Network and Deception versions prior to 9.4.5. Patches and updates are available to address this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1118 βΌ
π Read
via "National Vulnerability Database".
Connected Components Workbench (v13.00.00 and prior), ISaGRAF Workbench (v6.0 though v6.6.9), and Safety Instrumented System Workstation (v1.2 and prior (for Trusted Controllers)) do not limit the objects that can be deserialized. This allows attackers to craft a malicious serialized object that, if opened by a local user in Connected Components Workbench, may result in arbitrary code execution. This vulnerability requires user interaction to be successfully exploitedπ Read
via "National Vulnerability Database".
βοΈ When Your Smart ID Card Reader Comes With Malware βοΈ
π Read
via "Krebs on Security".
Millions of U.S. government employees and contractors have been issued a secure smart ID card that enables physical access to buildings and controlled spaces, and provides access to government computer networks and systems at the cardholder's appropriate security level. But many government employees aren't issued an approved card reader device that lets them use these cards at home or remotely, and so turn to low-cost readers they find online. What could go wrong? Here's one example.π Read
via "Krebs on Security".
Krebs on Security
When Your Smart ID Card Reader Comes With Malware
Millions of U.S. government employees and contractors have been issued a secure smart ID card that enables physical access to buildings and controlled spaces, and provides access to government computer networks and systems at the cardholder's appropriateβ¦
ποΈ Facebook account takeover: Researcher scoops $40k bug bounty for chained exploit ποΈ
π Read
via "The Daily Swig".
Youssef Sammouda returns with more Facebook hacks β this time leveraging stolen Google authentication tokens to gain access to social media accountsπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Facebook account takeover: Researcher scoops $40k bug bounty for chained exploit
Youssef Sammouda returns with more Facebook hacks β this time leveraging stolen Google authentication tokens to gain access to social media accounts
π1
βΌ CVE-2022-30976 βΌ
π Read
via "National Vulnerability Database".
GPAC 2.0.0 misuses a certain Unicode utf8_wcslen (renamed gf_utf8_wcslen) function in utils/utf.c, resulting in a heap-based buffer over-read, as demonstrated by MP4Box.π Read
via "National Vulnerability Database".
βΌ CVE-2022-30975 βΌ
π Read
via "National Vulnerability Database".
In Artifex MuJS through 1.2.0, jsP_dumpsyntax in jsdump.c has a NULL pointer dereference, as demonstrated by mujs-pp.π Read
via "National Vulnerability Database".
βΌ CVE-2021-41946 βΌ
π Read
via "National Vulnerability Database".
In FiberHome VDSL2 Modem HG150-Ub_V3.0, a stored cross-site scripting (XSS) vulnerability in Parental Control --> Access Time Restriction --> Username field, a user cannot delete the rule due to the XSS.π Read
via "National Vulnerability Database".
βΌ CVE-2022-30974 βΌ
π Read
via "National Vulnerability Database".
compile in regexp.c in Artifex MuJS through 1.2.0 results in stack consumption because of unlimited recursion, a different issue than CVE-2019-11413.π Read
via "National Vulnerability Database".
βΌ CVE-2019-25061 βΌ
π Read
via "National Vulnerability Database".
The random_password_generator (aka RandomPasswordGenerator) gem through 1.0.0 for Ruby uses Kernel#rand to generate passwords, which, due to its cyclic nature, can facilitate password prediction.π Read
via "National Vulnerability Database".
β Pwn2Own hacking schedule released β Windows and Linux are top targets β
π Read
via "Naked Security".
What's better? Disclose early, patch fast? Or dig deep, disclose in full, patch more slowly?π Read
via "Naked Security".
Naked Security
Pwn2Own hacking schedule released β Windows and Linux are top targets
Whatβs better? Disclose early, patch fast? Or dig deep, disclose in full, patch more slowly?
π1