Tag
#auth
A newly discovered vulnerability, CVE-2024-53677, in the aging Apache framework is going to cause major headaches for IT teams, since patching isn't enough to fix it.
Modern identity verification (IDV) approaches aim to connect digital credentials and real-world identity without sacrificing usability.
Non-human identities authenticate machine-to-machine communication. The big challenge now is to secure their elements and processes — before attackers can intercept.
Seemingly innocent "white pages," including an elaborate Star Wars-themed site, are bypassing Google's malvertising filters, showing up high in search results to lure users to second-stage phishing sites.
The draft of the long-awaited update to the NCIRP outlines the efforts, mechanisms, involved parties, and decisions the US government will use in response to a large-scale cyber incident.
### Summary

A Denial of Service (DoS) vulnerability in the authentication middleware allows any client to cause memory exhaustion by sending large request bodies. The server reads the entire request body into memory without size limits, creating multiple copies during processing, which can lead to Out of Memory conditions. Affects all versions up to the latest one (v0.43.0).

### Details

The vulnerability exists in the AuthMiddleware function in `core/src/auth/auth.go`. The middleware processes all API requests (`/api/*`) and reads the entire request body using `io.ReadAll` without any size limits:

```go
func AuthMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// No size limit on body reading
		body, err := io.ReadAll(r.Body)
		// ...
		// Creates another copy of the body
		r.Body = io.NopCloser(bytes.NewReader(body))
		// ...
		// Unmarshals the body again, creating more copies
		if err := j...
```
### Summary

A bug in the build process allows any unauthenticated user to read parts of the server source code.

### Details

During build, along with client assets such as CSS and font files, the sourcemap files **for the server code** are moved to a publicly-accessible folder: https://github.com/withastro/astro/blob/176fe9f113fd912f9b61e848b00bbcfecd6d5c2c/packages/astro/src/core/build/static-build.ts#L139

Any outside party can read them with an unauthorized HTTP GET request to the same server hosting the rest of the website. While some server files are hashed, making their access obscure, the files corresponding to the file system router (those in `src/pages`) are predictably named. For example, the sourcemap file for `src/pages/index.astro` gets named `dist/client/pages/index.astro.mjs.map`.

### PoC

Here is one example of an affected open-source website: https://creatorsgarten.org/pages/index.astro.mjs.map
A balance of rigorous supplier validation, purposeful data exposure, and meticulous preparation is key to managing and mitigating risk.
Protect yourself from sophisticated phishing attacks that leverage Google Calendar to steal your personal information.
Cybercriminals are using advanced techniques to target executives with mobile-specific phishing attacks.