CVE-2023-25163
via "National Vulnerability Database".
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v2.6.0-rc1 have an output sanitization bug which leaks repository access credentials in error messages. These error messages are visible to the user, and they are logged. The error message is visible when a user attempts to create or update an Application via the Argo CD API (and therefore the UI or CLI). The user must have `applications, create` or `applications, update` RBAC access to reach the code which may produce the error. The user is not guaranteed to be able to trigger the error message. They may attempt to spam the API with requests to trigger a rate limit error from the upstream repository. If the user has `repositories, update` access, they may edit an existing repository to introduce a URL typo or otherwise force an error message. But if they have that level of access, they are probably intended to have access to the credentials anyway. A patch for this vulnerability has been released in version 2.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2022-38778
via "National Vulnerability Database".
A flaw (CVE-2022-38900) was discovered in one of Kibana's third party dependencies, that could allow an authenticated user to perform a request that crashes the Kibana server process.
CVE-2022-45982
via "National Vulnerability Database".
thinkphp 6.0.0~6.0.13 and 6.1.0~6.1.1 contains a deserialization vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload.
Lessons From the Cold War: How Quality Trumps Quantity in Cybersecurity
via "Dark Reading".
High-quality tools and standards remain critical components in cybersecurity efforts even as budgets decline. It's important that staff knows response procedures and their roles, and also communicates well.
CVE-2023-0760
via "National Vulnerability Database".
Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to V2.1.0-DEV.
CVE-2023-0759
via "National Vulnerability Database".
Privilege Chaining in GitHub repository cockpit-hq/cockpit prior to 2.3.8.
OpenSSL fixes High Severity data-stealing bug – patch now!
via "Naked Security".
7 memory mismanagements and a timing attack. We explain all the jargon bug terminology in plain English...
CVE-2023-22953
via "National Vulnerability Database".
In ExpressionEngine before 7.2.6, remote code execution can be achieved by an authenticated Control Panel user.
CVE-2023-0624
via "National Vulnerability Database".
OrangeScrum version 2.0.11 allows an external attacker to obtain arbitrary user accounts from the application. This is possible because the application returns malicious user input in the response with the content-type set to text/html.
CVE-2023-0574
via "National Vulnerability Database".
Server-Side Request Forgery (SSRF), Improperly Controlled Modification of Dynamically-Determined Object Attributes, Improper Restriction of Excessive Authentication Attempts vulnerability in YugaByte, Inc. Yugabyte Managed allows Accessing Functionality Not Properly Constrained by ACLs, Communication Channel Manipulation, Authentication Abuse. This issue affects Yugabyte Managed: from 2.0 through 2.13.
Twitter Implements API Paywall, but Will That Solve Its Enormous Bot Crisis?
via "Dark Reading".
Restricting the Twitter API will have implications across Twitter, the broader Internet, and society, experts say. Is there a cybersecurity silver lining, or will threat actors pay to play?
New XSS Hunter host Truffle Security faces privacy backlash
via "The Daily Swig".
Anonymized numbers of bug discoveries swiftly deleted after pushback
S3 Ep121: Can you get hacked and then prosecuted for it? [Audio + Text]
via "Naked Security".
Latest episode. Listen now!
In Perfect Harmony: Cybersecurity Regulation Harmonization
via "Dark Reading".
By simplifying compliance management, security and risk teams can focus on managing operational risk, not compliance risk – and better counter threats.
NIST Picks IoT Standard for Small Electronics Cybersecurity
via "Dark Reading".
NIST announces that it will use Ascon as a cryptography standard for lightweight IoT device protection.
CVE-2022-48293
via "National Vulnerability Database".
The Bluetooth module has an OOM vulnerability. Successful exploitation of this vulnerability may affect data confidentiality.
CVE-2022-48301
via "National Vulnerability Database".
The bundle management module lacks permission verification in some APIs. Successful exploitation of this vulnerability may restore the pre-installed apps that have been uninstalled.
CVE-2022-48295
via "National Vulnerability Database".
The IHwAntiMalPlugin interface lacks permission verification. Successful exploitation of this vulnerability can lead to filling problems (batch installation of applications).
CVE-2023-22605
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none
CVE-2022-48292
via "National Vulnerability Database".
The Bluetooth module has an out-of-memory (OOM) vulnerability. Successful exploitation of this vulnerability may affect data confidentiality.
CVE-2023-22604
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.