CVE-2020-29507
via "National Vulnerability Database".
Dell BSAFE Crypto-C Micro Edition, versions before 4.1.4, and Dell BSAFE Micro Edition Suite, versions before 4.4, contain an Improper Input Validation Vulnerability.
CVE-2022-31075
via "National Vulnerability Database".
KubeEdge is an open source system for extending native containerized application orchestration capabilities to hosts at Edge. Prior to versions 1.11.1, 1.10.2, and 1.9.4, EdgeCore may be susceptible to a DoS attack on CloudHub if an attacker was to send a well-crafted HTTP request to `/edge.crt`. If an attacker can send a well-crafted HTTP request to CloudHub, and that request has a very large body, that request can crash the HTTP service through a memory exhaustion vector. The request body is being read into memory, and a body that is larger than the available memory can lead to a successful attack. Because the request would have to make it through authorization, only authorized users may perform this attack. The consequence of the exhaustion is that CloudHub will be in denial of service. KubeEdge is affected only when users enable the CloudHub module in the file `cloudcore.yaml`. This bug has been fixed in Kubeedge 1.11.1, 1.10.2, and 1.9.4. As a workaround, disable the CloudHub switch in the config file `cloudcore.yaml`.
CVE-2020-35164
via "National Vulnerability Database".
Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.6, contain an Observable Timing Discrepancy Vulnerability.
CVE-2022-31140
via "National Vulnerability Database".
Valinor is a PHP library that helps to map any input into a strongly-typed value object structure. Prior to version 0.12.0, Valinor can use `Throwable#getMessage()` when it should not have permission to do so. This is a problem with cases such as an SQL exception showing an SQL snippet, a database connection exception showing database IP address/username/password, or a timeout detail / out of memory detail. Attackers could use this information for potential data exfiltration, denial of service attacks, enumeration attacks, etc. Version 0.12.0 contains a patch for this vulnerability.
CVE-2020-35168
via "National Vulnerability Database".
Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.6, contain an Observable Timing Discrepancy Vulnerability.
CVE-2022-31073
via "National Vulnerability Database".
KubeEdge is an open source system for extending native containerized application orchestration capabilities to hosts at Edge. Prior to versions 1.11.1, 1.10.2, and 1.9.4, the ServiceBus server on the edge side may be susceptible to a DoS attack if an HTTP request containing a very large Body is sent to it. It is possible for the node to be exhausted of memory. The consequence of the exhaustion is that other services on the node, e.g. other containers, will be unable to allocate memory, thus causing a denial of service. Malicious apps accidentally pulled by users onto the host that have access to send HTTP requests to localhost could carry out this attack. It is affected only when users enable the `ServiceBus` module in the config file `edgecore.yaml`. This bug has been fixed in Kubeedge 1.11.1, 1.10.2, and 1.9.4. As a workaround, disable the `ServiceBus` module in the config file `edgecore.yaml`.
CVE-2020-35166
via "National Vulnerability Database".
Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.6, contain an Observable Timing Discrepancy Vulnerability.
CVE-2020-35167
via "National Vulnerability Database".
Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.6, contain an Observable Timing Discrepancy Vulnerability.
CVE-2020-29505
via "National Vulnerability Database".
Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.5.2, contain a Key Management Error Vulnerability.
CVE-2022-31080
via "National Vulnerability Database".
KubeEdge is an open source system for extending native containerized application orchestration capabilities to hosts at Edge. Prior to versions 1.11.1, 1.10.2, and 1.9.4, a large response received by the viaduct WSClient can cause a DoS from memory exhaustion. The entire body of the response is being read into memory, which could allow an attacker to send a request that returns a response with a large body. The consequence of the exhaustion is that the process which invokes a WSClient will be in a denial of service. The software is affected if users who are authenticated to the edge side connect to `cloudhub` from the edge side through the WebSocket protocol. This bug has been fixed in Kubeedge 1.11.1, 1.10.2, and 1.9.4. There are currently no known workarounds.
CVE-2022-31079
via "National Vulnerability Database".
KubeEdge is an open source system for extending native containerized application orchestration capabilities to hosts at Edge. Prior to versions 1.11.1, 1.10.2, and 1.9.4, the Cloud Stream server and the Edge Stream server read the entire message into memory without imposing a limit on the size of this message. An attacker can exploit this by sending a large message to exhaust memory and cause a DoS. The Cloud Stream server and the Edge Stream server are under DoS attack in this case. The consequence of the exhaustion is that the CloudCore and EdgeCore will be in a denial of service. Only an authenticated user can cause this issue. It is affected only when users enable the `cloudStream` module in the config file `cloudcore.yaml` and enable the `edgeStream` module in the config file `edgecore.yaml`. This bug has been fixed in Kubeedge 1.11.1, 1.10.2, and 1.9.4. As a workaround, disable the `cloudStream` module in the config file `cloudcore.yaml` and disable the `edgeStream` module in the config file `edgecore.yaml`.
CVE-2020-35163
via "National Vulnerability Database".
Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.6, contain a Use of Insufficiently Random Values Vulnerability.
Fake Google Software Updates Spread New Ransomware
via "Dark Reading".
"HavanaCrypt" is also using a command-and-control server that is hosted on a Microsoft Hosting Service IP address, researchers say.
Paladin Cloud Launches New Cloud Security and Governance Platform
via "Dark Reading".
The new open source security-as-code platform will help developers and security teams automatically detect security policy violations across the organization's cloud infrastructure.
CVE-2022-22682
via "National Vulnerability Database".
Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in Event Management in Synology Calendar before 2.4.5-10930 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
UK NCSC and ICO urge legal sector to discourage businesses from paying ransomware demands
via "The Daily Swig".
Advice comes as cost of cybercrime “increases”
“Callback” Phishing Campaign Impersonates Security Firms
via "Threat Post".
Victims instructed to make a phone call that will direct them to a link for downloading malware.
CVE-2022-34466
via "National Vulnerability Database".
A vulnerability has been identified in Mendix Applications using Mendix 9 (All versions >= V9.11 < V9.15), Mendix Applications using Mendix 9 (V9.12) (All versions < V9.12.3). An expression injection vulnerability was discovered in the Workflow subsystem of Mendix Runtime, that can affect the running applications. The vulnerability could allow a malicious user to leak sensitive information in a certain configuration.
CVE-2022-34748
via "National Vulnerability Database".
A vulnerability has been identified in Simcenter Femap (All versions < V2022.2). The affected application contains an out of bounds write past the end of an allocated structure while parsing specially crafted X_T files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-17293)
CVE-2022-34464
via "National Vulnerability Database".
A vulnerability has been identified in SICAM GridEdge Essential ARM (All versions), SICAM GridEdge Essential Intel (All versions < V2.7.3), SICAM GridEdge Essential with GDS ARM (All versions), SICAM GridEdge Essential with GDS Intel (All versions < V2.7.3). Affected software uses an improperly protected file to import SSH keys. Attackers with access to the filesystem of the host on which SICAM GridEdge runs are able to inject a custom SSH key into that file.
CVE-2022-34272
via "National Vulnerability Database".
A vulnerability has been identified in PADS Standard/Plus Viewer (All versions). The affected application is vulnerable to an out of bounds read past the end of an allocated buffer when parsing PCB files. An attacker could leverage this vulnerability to execute code in the context of the current process. (FG-VD-22-037, FG-VD-22-059)