🛡 Cybersecurity & Privacy 🛡 - News
25.4K subscribers
88.9K links
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
🕴 Google Workspace Extends Enterprise-Grade Security and Device Management for Hybrid Work With Okta and VMware 🕴

JumpCloud integrates with Google Workspace to extend enterprise-quality security capabilities to small and midsize organizations.

via "Dark Reading".
‼ CVE-2023-2250 ‼

A flaw was found in Open Cluster Management (OCM) when a user has access to the worker nodes that host the cluster-manager-registration-controller or cluster-manager deployments. A malicious user can take advantage of this to bind cluster-admin to any service account, or use the service account to list all secrets in all Kubernetes namespaces, leading to a cluster-level privilege escalation.

via "National Vulnerability Database".
‼ CVE-2023-30626 ‼

Jellyfin is a free-software media system. Versions starting with 10.8.0 and prior to 10.8.10 have a directory traversal vulnerability inside the `ClientLogController`, specifically `/ClientLog/Document`. When combined with a cross-site scripting vulnerability (CVE-2023-30627), this can result in file write and arbitrary code execution. Version 10.8.10 has a patch for this issue. There are no known workarounds.

via "National Vulnerability Database".
‼ CVE-2023-28484 ‼

In libxml2 before 2.10.4, parsing of certain invalid XSD schemas can lead to a NULL pointer dereference and subsequently a segfault. This occurs in xmlSchemaFixupComplexType in xmlschemas.c.

via "National Vulnerability Database".
‼ CVE-2023-2259 ‼

Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository alfio-event/alf.io prior to 2.0-M4-2304.

via "National Vulnerability Database".
‼ CVE-2023-30627 ‼

jellyfin-web is the web client for Jellyfin, a free-software media system. Starting in version 10.1.0 and prior to version 10.8.10, a stored cross-site scripting vulnerability in device.js can be used to make arbitrary calls to the `REST` endpoints with admin privileges. When combined with CVE-2023-30626, this results in remote code execution on the Jellyfin instance in the context of the user who's running it. This issue is patched in version 10.8.10. There are no known workarounds.

via "National Vulnerability Database".
‼ CVE-2023-2006 ‼

A race condition was found in the Linux kernel's RxRPC network protocol, within the processing of RxRPC bundles. This issue results from the lack of proper locking when performing operations on an object. This may allow an attacker to escalate privileges and execute arbitrary code in the context of the kernel.

via "National Vulnerability Database".
‼ CVE-2023-29469 ‼

An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the '\0' value).

via "National Vulnerability Database".
‼ CVE-2023-2258 ‼

Improper Neutralization of Formula Elements in a CSV File in GitHub repository alfio-event/alf.io prior to 2.0-M4-2304.

via "National Vulnerability Database".
‼ CVE-2022-28354 ‼

In the Active Threads Plugin 1.3.0 for MyBB, the activethreads.php date parameter is vulnerable to XSS when setting a time period.

via "National Vulnerability Database".
‼ CVE-2023-2260 ‼

Improper Authorization of Index Containing Sensitive Information in GitHub repository alfio-event/alf.io prior to 2.0-M4-2304.

via "National Vulnerability Database".
‼ CVE-2023-29530 ‼

Laminas Diactoros provides PSR HTTP Message implementations. In versions 2.18.0 and prior, 2.19.0, 2.20.0, 2.21.0, 2.22.0, 2.23.0, 2.24.0, and 2.25.0, users who create HTTP requests or responses using laminas/laminas-diactoros, when providing a newline at the start or end of a header key or value, can cause an invalid message. This can lead to denial of service vectors or application errors. The problem has been patched in the following versions: 2.18.1, 2.19.1, 2.20.1, 2.21.1, 2.22.1, 2.23.1, 2.24.1, and 2.25.1. As a workaround, validate HTTP header keys and/or values, and if using user-supplied values, filter them to strip off leading or trailing newline characters before calling `withHeader()`.

via "National Vulnerability Database".
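The workaround above (validate header keys and values, strip leading or trailing newlines before `withHeader()`) as an added example; this is not Laminas Diactoros code, and the `HeaderSanitizer` class and the sample values are constructed for illustration. It also rejects embedded CR/LF, which would otherwise split one header into several.

```php
<?php
declare(strict_types=1);

// Added example (not Diactoros code): sanitize a header name/value pair
// before handing it to a PSR-7 withHeader() call.
final class HeaderSanitizer
{
    // RFC 7230 token characters. \z (not $) so a trailing "\n" cannot slip past.
    private const TOKEN = '/^[!#$%&\'*+\-.^_`|~0-9A-Za-z]+\z/';

    public static function name(string $name): string
    {
        if (preg_match(self::TOKEN, $name) !== 1) {
            throw new InvalidArgumentException(
                sprintf('Invalid header name %s', json_encode($name))
            );
        }
        return $name;
    }

    public static function value(string $value): string
    {
        // Strip leading/trailing CR/LF: the vector described in CVE-2023-29530.
        $value = trim($value, "\r\n");
        // Any CR/LF left in the middle would inject additional header lines.
        if (preg_match('/[\r\n]/', $value) === 1) {
            throw new InvalidArgumentException('Header value contains CR or LF');
        }
        // What remains must be HTAB, visible ASCII or obs-text (RFC 7230 field-content).
        if (preg_match('/^[\x09\x20-\x7E\x80-\xFF]*\z/', $value) !== 1) {
            throw new InvalidArgumentException('Header value contains control characters');
        }
        return $value;
    }
}

// Constructed sample: a user-supplied value that ends with a newline.
$userSupplied = "text/html\n";
$safe = HeaderSanitizer::value($userSupplied);   // "text/html"
// $response = $response->withHeader(HeaderSanitizer::name('Content-Type'), $safe);

try {
    HeaderSanitizer::value("ok\r\nX-Injected: 1"); // embedded CRLF: rejected, not trimmed
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```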
‼ CVE-2023-2019 ‼

A flaw was found in the Linux kernel's netdevsim device driver, within the scheduling of events. This issue results from the improper management of a reference count. This may allow an attacker to create a denial of service condition on the system.

via "National Vulnerability Database".
🕴 Millions of Artifacts, Misconfigured Enterprise Software Registries Are Ripe for Pwning 🕴

Researchers find 250 million artifacts and 65,000 container images exposed in registries and repositories scattered across the Internet.

via "Dark Reading".
🕴 Tangled Up: 'Tomiris' APT Uses Turla Malware, Confusing Researchers 🕴

Researchers are unraveling the threads connecting two separate, but in some ways overlapping, Russian-language APTs.

via "Dark Reading".
‼ CVE-2023-30414 ‼

Jerryscript commit 1a2c047 was discovered to contain a stack overflow via the component vm_loop at /jerry-core/vm/vm.c.

via "National Vulnerability Database".
‼ CVE-2023-30623 ‼

`embano1/wip` is a GitHub Action written in Bash. Prior to version 2, the `embano1/wip` action uses the `github.event.pull_request.title` parameter in an insecure way. The title parameter is used in a run statement - resulting in a command injection vulnerability due to string interpolation. This vulnerability can be triggered by any user on GitHub. They just need to create a pull request with a commit message containing an exploit. (Note that first-time PR requests will not be run - but the attacker can submit a valid PR before submitting an invalid PR). The commit can be genuine, but the commit message can be malicious. This can be used to execute code on the GitHub runners and can be used to exfiltrate any secrets used in the CI pipeline, including repository tokens. Version 2 has a fix for this issue.

via "National Vulnerability Database".
‼ CVE-2023-30629 ‼

Vyper is a Pythonic Smart Contract Language for the ethereum virtual machine. In versions 0.3.1 through 0.3.7, the Vyper compiler generates the wrong bytecode. Any contract that uses the `raw_call` with `revert_on_failure=False` and `max_outsize=0` receives the wrong response from `raw_call`. Depending on the memory garbage, the result can be either `True` or `False`. A patch is available and, as of time of publication, anticipated to be part of Vyper 0.3.8. As a workaround, one may always put `max_outsize>0`.

via "National Vulnerability Database".
‼ CVE-2023-30406 ‼

Jerryscript commit 1a2c047 was discovered to contain a segmentation violation via the component ecma_find_named_property at /base/ecma-helpers.c.

via "National Vulnerability Database".
‼ CVE-2023-30408 ‼

Jerryscript commit 1a2c047 was discovered to contain a segmentation violation via the component build/bin/jerry.

via "National Vulnerability Database".
‼ CVE-2023-30410 ‼

Jerryscript commit 1a2c047 was discovered to contain a stack overflow via the component ecma_op_function_construct at /operations/ecma-function-object.c.

via "National Vulnerability Database".