Security
Headlines
HeadlinesLatestCVEs

Tag

#auth

GHSA-4xh5-jcj2-ch8q: Flux Operator Web UI Impersonation Bypass via Empty OIDC Claims

A privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows an attacker to bypass Kubernetes RBAC impersonation and execute API requests with the operator's service account privileges. After OIDC token claims are processed through CEL expressions, there is no validation that the resulting `username` and `groups` values are non-empty. When both values are empty, the Kubernetes client-go library does not add impersonation headers to API requests, causing them to be executed with the flux-operator service account's credentials instead of the authenticated user's limited permissions. ### Impact - **Privilege Escalation**: Any authenticated user can escalate to operator-level read permissions and perform suspend/resume/reconcile actions - **Data Exposure**: Unauthorized read access to Flux resources across all namespaces, bypassing RBAC restrictions - **Information Disclosure**: View sensitive GitOps pipeline configurations, source URLs, and de...

ghsa
Open in Source
#vulnerability#web#microsoft#git#kubernetes#oauth#auth
GHSA-4fqp-r85r-hxqh: Copier safe template has arbitrary filesystem write access via directory symlinks when _preserve_symlinks: true

### Impact Copier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use [unsafe](https://copier.readthedocs.io/en/stable/configuring/#unsafe) features like custom Jinja extensions which would require passing the `--UNSAFE,--trust` flag. As it turns out, a safe template can currently write to arbitrary directories outside the destination path by using directory a symlink along with [`_preserve_symlinks: true`](https://copier.readthedocs.io/en/stable/configuring/#preserve_symlinks) and a [generated directory structure](https://copier.readthedocs.io/en/stable/configuring/#generating-a-directory-structure) whose rendered path is inside the symlinked directory. This way, a malicious template author can create a template that overwrites arbitrary files (according to the user's write permissions), e.g., to cause havoc. > [!NOTE] > > At the time of writing, the exploit is non-deterministic, as Copier walks the template's file tree using [`os.scandir`](...

GHSA-xjhm-gp88-8pfx: Copier safe template has arbitrary filesystem read access via symlinks when _preserve_symlinks: false

### Impact Copier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use [unsafe](https://copier.readthedocs.io/en/stable/configuring/#unsafe) features like custom Jinja extensions which would require passing the `--UNSAFE,--trust` flag. As it turns out, a safe template can currently include arbitrary files/directories outside the local template clone location by using symlinks along with [`_preserve_symlinks: false`](https://copier.readthedocs.io/en/stable/configuring/#preserve_symlinks) (which is Copier's default setting). Imagine, e.g., a malicious template author who creates a template that reads SSH keys or other secrets from well-known locations and hopes for a user to push the generated project to a public location like [github.com](https://github.com/) where the template author can extract the secrets. Reproducible example: - Illegally include a file in the generated project via symlink resolution: ```shell echo "s3cr3t" > se...

GHSA-cv78-6m8q-ph82: Argo Workflows affected by stored XSS in the artifact directory listing

### Summary Stored XSS in the artifact directory listing allows any workflow author to execute arbitrary JavaScript in another user’s browser under the Argo Server origin, enabling API actions with the victim’s privileges. ### Details The directory listing response in `server/artifacts/artifact_server.go` renders object names directly into HTML via `fmt.Fprintf` without escaping. Object names come from `driver.ListObjects(...)` and are attacker‑controlled when a workflow writes files into an output artifact directory. https://github.com/argoproj/argo-workflows/blob/9872c296d29dcc5e9c78493054961ede9fc30797/server/artifacts/artifact_server.go#L194-L244 ### PoC 1. Deploy Argo Workflows: ``` kubectl create ns argo kubectl apply --server-side -f manifests/base/crds/full kubectl apply --server-side -k manifests/quick-start/postgres ``` 2. Port‑forward Argo Server: ``` kubectl -n argo port-forward deploy/argo-server 2746:2746 ``` 3. Create the PoC workflow: ```yml cat > /tmp/argo-xss.yaml ...

'Contagious Interview' Attack Now Delivers Backdoor Via VS Code

Once trust is granted to the repository's author, a malicious app executes arbitrary commands on the victim's system with no other user interaction.

Iranian TV Transmission Hacked With Message from Exiled Prince

Unidentified hackers disrupted Iranian state television to broadcast messages from exiled Crown Prince Reza Pahlavi. Read about the economic crisis, the internet blackout, and the latest reports on the protest death toll.

North Korean PurpleBravo Campaign Targeted 3,136 IP Addresses via Fake Job Interviews

As many as 3,136 individual IP addresses linked to likely targets of the Contagious Interview activity have been identified, with the campaign claiming 20 potential victim organizations spanning artificial intelligence (AI), cryptocurrency, financial services, IT services, marketing, and software development sectors in Europe, South Asia, the Middle East, and Central America. The new findings

Can you use too many LOLBins to drop some RATs?

An attempt to drop two RATs on a system used an uncanny assortment of legitimate Windows tools.

GHSA-339m-4qw5-j2g3: Tendenci Affected by Authenticated Remote Code Execution via Pickle Deserialization

A critical deserialization vulnerability exists in Tendenci Helpdesk module (NOTE, by default, Helpdesk is NOT enabled), affecting the version 15.3.11 and earlier. This vulnerability allows remote code execution (RCE) by an authenticated user with staff security level due to using Python's pickle module on the helpdesk /reports/. The damage is contained to the user that your Tendenci application runs. **Key Finding:** The original CVE-2020-14942 was incompletely patched. While `ticket_list()` was fixed to use safe JSON deserialization, the `run_report()` function still uses unsafe `pickle.loads()`. **Permission Scoping:** The impact is limited to the permissions of the user running the application, typically www-data, which generally lacks write (except for upload directories) and execute permissions. ## Vulnerability Details ### Affected Version - **Version:** Tendenci 15.3.11 and earlier (all versions since incomplete CVE-2020-14942 patch) - **Component:** `tendenci/apps/helpdesk...

GHSA-fqcv-8859-86x2: CoreShop Vulnerable to SQL Injection via Admin customer-company-modifier

# SQL Injection in CustomerTransformerController ## Summary An **error-based SQL Injection vulnerability** was identified in the `CustomerTransformerController` within the CoreShop admin panel. The affected endpoint improperly interpolates user-supplied input into a SQL query, leading to database error disclosure and potential data extraction. This issue is classified as **MEDIUM severity**, as it allows SQL execution in an authenticated admin context. --- ## Details The vulnerability exists in the company name duplication check endpoint: ``` /admin/coreshop/customer-company-modifier/duplication-name-check?value= ``` Source code analysis indicates that user input is directly embedded into a SQL condition without parameterization. **Vulnerable file:** ``` /app/repos/coreshop/src/CoreShop/Bundle/CustomerBundle/Controller/CustomerTransformerController.php ``` **Vulnerable code pattern:** ```php sprintf('name LIKE "%%%s%%"', (string) $value) ``` The `$value` parameter is fully u...