βΌ CVE-2022-24896 βΌ
π Read
via "National Vulnerability Database".
Tuleap is a Free & Open Source Suite to manage software developments and collaboration. In versions prior to 13.7.99.239 Tuleap does not properly verify authorizations when displaying the content of tracker report renderer and chart widgets. Malicious users could use this vulnerability to retrieve the name of a tracker they cannot access as well as the name of the fields used in reports.π Read
via "National Vulnerability Database".
βΌ CVE-2022-29254 βΌ
π Read
via "National Vulnerability Database".
silverstripe-omnipay is a SilverStripe integration with Omnipay PHP payments library. For a subset of Omnipay gateways (those that use intermediary states like `isNotification()` or `isRedirect()`), if the payment identifier or success URL is exposed it is possible for payments to be prematurely marked as completed without payment being taken. This is mitigated by the fact that most payment gateways hide this information from users, however some issuing banks offer flawed 3DSecure implementations that may inadvertently expose this data. The following versions have been patched to fix this issue: `2.5.2`, `3.0.2`, `3.1.4`, and `3.2.1`. There are no known workarounds for this vulnerability.π Read
via "National Vulnerability Database".
π1
βΌ CVE-2022-29255 βΌ
π Read
via "National Vulnerability Database".
Vyper is a Pythonic Smart Contract Language for the ethereum virtual machine. In versions prior to 0.3.4 when a calling an external contract with no return value, the contract address (including side effects) could be evaluated twice. This may result in incorrect outcomes for contracts. This issue has been addressed in v0.3.4.π Read
via "National Vulnerability Database".
β SSNDOB Market domains seized, identity theft βbrokerageβ shut down β
π Read
via "Naked Security".
The online identity "brokerage" SSNDOB Market didn't want people to be in any doubt what it was selling.π Read
via "Naked Security".
Naked Security
SSNDOB Market domains seized, identity theft βbrokerageβ shut down
The online identity βbrokerageβ SSNDOB Market didnβt want people to be in any doubt what it was selling.
ποΈ Turkish flight operator Pegasus Airlines suffers data breach ποΈ
π Read
via "The Daily Swig".
Data protection regulator confirms sensitive information was leakedπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Turkish flight operator Pegasus Airlines suffers data breach
Data protection regulator confirms sensitive information was leaked
β S3 Ep86: The crooks were in our network for HOW long?! [Podcast + Transcript] β
π Read
via "Naked Security".
Latest episode - listen (or read) now!π Read
via "Naked Security".
Naked Security
S3 Ep86: The crooks were in our network for HOW long?! [Podcast + Transcript]
Latest episode β listen (or read) now!
π΄ How Poor Communication Opens the Door to Ransomware and Extortion π΄
π Read
via "Dark Reading".
Organizations can no longer rely on traditional responses to ransomware.π Read
via "Dark Reading".
Dark Reading
How Poor Communication Opens the Door to Ransomware and Extortion
Organizations can no longer rely on traditional responses to ransomware.
βΌ CVE-2022-31026 βΌ
π Read
via "National Vulnerability Database".
Trilogy is a client library for MySQL. When authenticating, a malicious server could return a specially crafted authentication packet, causing the client to read and return up to 12 bytes of data from an uninitialized variable in stack memory. Users of the trilogy gem should upgrade to version 2.1.1 This issue can be avoided by only connecting to trusted servers.π Read
via "National Vulnerability Database".
βΌ CVE-2022-31019 βΌ
π Read
via "National Vulnerability Database".
Vapor is a server-side Swift HTTP web framework. When using automatic content decoding an attacker can craft a request body that can make the server crash with the following request: `curl -d "array[_0][0][array][_0][0][array]$(for f in $(seq 1100); do echo -n '[_0][0][array]'; done)[string][_0]=hello%20world" http://localhost:8080/foo`. The issue is unbounded, attacker controlled stack growth which will at some point lead to a stack overflow and a process crash. This issue has been fixed in version 4.61.1.π Read
via "National Vulnerability Database".
βΌ CVE-2021-40668 βΌ
π Read
via "National Vulnerability Database".
The Android application HTTP File Server (Version 1.4.1) by 'slowscript' is affected by a path traversal vulnerability that permits arbitrary directory listing, file read, and file write.π Read
via "National Vulnerability Database".
βΌ CVE-2021-40610 βΌ
π Read
via "National Vulnerability Database".
Emlog Pro v 1.0.4 cross-site scripting (XSS) in Emlog Pro background management.π Read
via "National Vulnerability Database".
βΌ CVE-2022-31027 βΌ
π Read
via "National Vulnerability Database".
OAuthenticator is an OAuth token library for the JupyerHub login handler. CILogonOAuthenticator is provided by the OAuthenticator package, and lets users log in to a JupyterHub via CILogon. This is primarily used to restrict a JupyterHub only to users of a given institute. The allowed_idps configuration trait of CILogonOAuthenticator is documented to be a list of domains that indicate the institutions whose users are authorized to access this JupyterHub. This authorization is validated by ensuring that the *email* field provided to us by CILogon has a *domain* that matches one of the domains listed in `allowed_idps`.If `allowed_idps` contains `berkeley.edu`, you might expect only users with valid current credentials provided by University of California, Berkeley to be able to access the JupyterHub. However, CILogonOAuthenticator does *not* verify which provider is used by the user to login, only the email address provided. So a user can login with a GitHub account that has email set to `<something>@berkeley.edu`, and that will be treated exactly the same as someone logging in using the UC Berkeley official Identity Provider. The patch fixing this issue makes a *breaking change* in how `allowed_idps` is interpreted. It's no longer a list of domains, but configuration representing the `EntityID` of the IdPs that are allowed, picked from the [list maintained by CILogon](https://cilogon.org/idplist/). Users are advised to upgrade.π Read
via "National Vulnerability Database".
π΄ 37 Major Companies and Organizations Pledge to Enhance Cyber Resiliency and Counter Evolving Global Threats π΄
π Read
via "Dark Reading".
π Read
via "Dark Reading".
Dark Reading
37 Major Companies and Organizations Pledge to Enhance Cyber Resiliency and Counter Evolving Global Threats
π΄ ReliaQuest Bolsters Extended Detection With Threat Intelligence π΄
π Read
via "Dark Reading".
ReliaQuest CTO Joe Partlow joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to discuss extended detection response β and acquisition news.π Read
via "Dark Reading".
Darkreading
ReliaQuest Bolsters Extended Detection With Threat Intelligence
ReliaQuest CTO Joe Partlow joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to discuss extended detection response β and acquisition news.
ποΈ Chinese cyber threat actors are widely abusing well-known attacks to infiltrate networks, CISA warns ποΈ
π Read
via "The Daily Swig".
APTs hammering unpatched vulnerabilitiesπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Chinese cyber threat actors are widely abusing well-known attacks to infiltrate networks, CISA warns
APTs hammering unpatched vulnerabilities
ποΈ Formidable developer fights back against βcriticalβ CVE vulnerability assignment ποΈ
π Read
via "The Daily Swig".
βThis false accusation messed up the release of one of our services,β maintainer lamentsπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Researcher defends Formidable in fight against βcriticalβ CVE vulnerability assignment
βThis false accusation messed up the release of one of our services,β security pro laments
π΄ Automox Adds Automation to Patching, Vuln Management π΄
π Read
via "Dark Reading".
Automox's Paul Zimski joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to talk about automated patch management.π Read
via "Dark Reading".
Darkreading
Automox Adds Automation to Patching, Vuln Management
Automox's Paul Zimski joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to talk about automated patch management.
π΄ Why AIs Will Become Hackers π΄
π Read
via "Dark Reading".
At a 2022 RSA Conference keynote, technologist Bruce Schneier asserted that artificial intelligence agents will start to hack human systems β and what that will mean for us.π Read
via "Dark Reading".
Dark Reading
Why AIs Will Become Hackers
At a 2022 RSA Conference keynote, technologist Bruce Schneier asserted that artificial intelligence agents will start to hack human systems β and what that will mean for us.
π΄ Uptycs: Observability Is Key to Cloud Security π΄
π Read
via "Dark Reading".
Uptycs' Ganesh Pai joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to talk about cloud security and observability.π Read
via "Dark Reading".
Darkreading
Uptycs: Observability Is Key to Cloud Security
Uptycs' Ganesh Pai joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to talk about cloud security and observability.
βΌ CVE-2022-31030 βΌ
π Read
via "National Vulnerability Database".
containerd is an open source container runtime. A bug was found in the containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd's CRI implementation; `ExecSync` may be used when running probes or when executing processes via an "exec" facility. This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1998 βΌ
π Read
via "National Vulnerability Database".
A use after free in the Linux kernel File System notify functionality was found in the way user triggers copy_info_records_to_user() call to fail in copy_event_to_user(). A local user could use this flaw to crash the system or potentially escalate their privileges on the system.π Read
via "National Vulnerability Database".