‼ CVE-2022-39368 ‼
via "National Vulnerability Database".
Eclipse Californium is a Java implementation of RFC7252 - Constrained Application Protocol for IoT Cloud services. In versions prior to 3.7.0 and 2.7.4, Californium is vulnerable to a Denial of Service. Failing handshakes don't clean up the counters used for throttling, so the threshold is reached without ever being released again. This results in permanently dropping records. The issue was reported for certificate-based handshakes, but may also affect PSK-based handshakes. It affects both client and server. This issue is patched in versions 3.7.0 and 2.7.4. There are no known workarounds.
main: commit 726bac57659410da463dcf404b3e79a7312ac0b9
2.7.x: commit 5648a0c27c2c2667c98419254557a14bac2b1f3f
‼ CVE-2022-3819 ‼
via "National Vulnerability Database".
An improper authorization issue in GitLab CE/EE affecting all versions from 15.0 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows malicious users to set emojis on internal notes they don't have access to.
‼ CVE-2022-3486 ‼
via "National Vulnerability Database".
An open redirect vulnerability in GitLab EE/CE affecting all versions from 9.3 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2, allows an attacker to redirect users to an arbitrary location if they trust the URL.
‼ CVE-2022-3413 ‼
via "National Vulnerability Database".
Incorrect authorization during display of Audit Events in GitLab EE affecting all versions from 14.5 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2, allowed Developers to view the project's Audit Events and Developers or Maintainers to view the group's Audit Events. These should have been restricted to Project Maintainers, Group Owners, and above.
‼ CVE-2022-3706 ‼
via "National Vulnerability Database".
Improper authorization in GitLab CE/EE affecting all versions from 7.14 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows a user retrying a job in a downstream pipeline to take ownership of the retried jobs in the upstream pipeline even if the user doesn't have access to that project.
‼ CVE-2022-3265 ‼
via "National Vulnerability Database".
A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. It was possible to exploit a vulnerability in the label colour setting feature which could lead to a stored XSS that allowed attackers to perform arbitrary actions on behalf of victims on the client side.
‼ CVE-2022-3726 ‼
via "National Vulnerability Database".
Lack of sandboxing of OpenAPI documents in GitLab CE/EE affecting all versions from 12.6 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to trick a user into clicking on the Swagger OpenAPI viewer and issue HTTP requests that affect the victim's account.
‼ CVE-2022-2761 ‼
via "National Vulnerability Database".
An information disclosure issue in GitLab CE/EE affecting all versions from 14.4 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to use GitLab Flavored Markdown (GFM) references in a Jira issue to disclose the names of resources they don't have access to.
‼ CVE-2022-3285 ‼
via "National Vulnerability Database".
Bypass of the healthcheck endpoint allow list affecting all versions from 12.0 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows an unauthorized attacker to prevent access to GitLab.
‼ CVE-2022-3793 ‼
via "National Vulnerability Database".
An improper authorization issue in GitLab CE/EE affecting all versions from 14.4 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to read variables set directly in a GitLab CI/CD configuration file they don't have access to.
⚠ Exchange 0-days fixed (at last) – plus 4 brand new Patch Tuesday 0-days! ⚠
via "Naked Security".
In all the excitement, we kind of lost track ourselves. Were there six 0-days, or only four?
⚠ Emergency code execution patch from Apple – but not an 0-day ⚠
via "Naked Security".
Not a zero-day, but important enough for a quick-fire patch to one system library...
🗓️ Google Pixel screen-lock hack earns researcher $70k 🗓️
via "The Daily Swig".
Android security pwned by PUK reset trick
🕴 Global Automotive Cybersecurity Market Report 2022: Expected Mandate for Cybersecurity Protocols to Significantly Boost Sector 🕴
via "Dark Reading".
As vehicle security expands to cover cyber threats on the vehicle as well as the vehicle's external network, cross-industry collaboration and market opportunities are expected to increase.
🕴 Where Are All of the Container Breaches? 🕴
via "Dark Reading".
Containers and their supporting infrastructure are too important to ignore.
🕴 Now That EDR Is Obvious, What Comes Next? 🕴
via "Dark Reading".
First in our series addressing the top 10 unanswered questions in security: What's going to replace EDR?
🕴 The Art of Calculating the Cost of Risk 🕴
via "Dark Reading".
Insurance and legislation affect how enterprises balance between protecting against breaches and recovering from them.
🕴 Cyber-Threat Actor Uses Booby-Trapped VPN App to Deploy Android Spyware 🕴
via "Dark Reading".
"SandStrike," the latest example of espionage-aimed Android malware, relies on elaborate social media efforts and back-end infrastructure.
🕴 LastPass Research Finds False Sense of Cybersecurity Running Rampant 🕴
via "Dark Reading".
Cybersecurity concerns and education have not mitigated the overuse of the same passwords in 2022.
🕴 Name That Edge Toon: Talk Turkey 🕴
via "Dark Reading".
Come up with a clever caption, and our panel of experts will reward the winner with a $25 Amazon gift card.
🕴 FTC Gives Chegg an 'F' for Careless Cybersecurity Impacting 40M Students 🕴
via "Dark Reading".
Ed-tech company Chegg is ordered by the FTC to secure its systems after repeated breaches that exposed tens of millions of users' personal data.