Security Headlines

Tag: #auth

GHSA-j2pc-v64r-mv4f: Protobuf Maven Plugin protocDigest is ignored when using protoc from PATH

### Summary

The expected `protocDigest` is ignored when protoc is taken from the `PATH`.

### Details

The documentation for the `protocDigest` parameter says:

> ... Users may wish to specify this if using a `PATH`-based binary ...

However, when specifying `<protoc>PATH</protoc>` the `protocDigest` is not actually checked, because the code already returns here

https://github.com/ascopes/protobuf-maven-plugin/blob/59097aae8062c461129a13dcda2f4116b90a8765/protobuf-maven-plugin/src/main/java/io/github/ascopes/protobufmavenplugin/protoc/ProtocResolver.java#L91-L93

before the digest check:

https://github.com/ascopes/protobuf-maven-plugin/blob/59097aae8062c461129a13dcda2f4116b90a8765/protobuf-maven-plugin/src/main/java/io/github/ascopes/protobufmavenplugin/protoc/ProtocResolver.java#L106

### PoC

Specify:

```xml
<protoc>PATH</protoc>
<protocDigest>sha256:0000000000000000000000000000000000000000000000000000000000000000</protocDigest>
```

And notice how the `protoc` on the `PATH` is not rejec...

Source: ghsa | Tags: #vulnerability #web #git #java #auth #maven
GHSA-gf93-xccm-5g6j: MARIN3R: Cross-Namespace Vulnerability in the Operator

## Summary

Cross-namespace Secret access vulnerability in DiscoveryServiceCertificate allows users to bypass RBAC and access Secrets in unauthorized namespaces.

## Affected Versions

All versions prior to v0.13.4

## Patched Versions

v0.13.4 and later

## Impact

Users with permission to create DiscoveryServiceCertificate resources in one namespace can indirectly read Secrets from other namespaces, completely bypassing Kubernetes RBAC security boundaries.

## Workarounds

Restrict DiscoveryServiceCertificate create permissions to cluster administrators only until the patched version is deployed.

## Credit

Thanks to @debuggerchen for the responsible disclosure.

GHSA-xc93-q32j-cpcg: Jellysweep uses uncontrolled data in image cache API endpoint

### Impact

The `/api/images/cache` endpoint, which is used to download media posters from the server, accepted a `url` parameter that was passed directly to the cache package, which then downloaded the poster from that URL. This URL parameter can be used to make the jellysweep server download arbitrary content. The API endpoint can only be used by authenticated users.

### Patches

Fixed in `v0.13.0`. The affected (and now fixed) library was also moved to `internal/` because it wasn't meant to be imported.

### References

https://github.com/jon4hz/jellysweep/security/code-scanning/28

Critical React Native CLI Flaw Exposed Millions of Developers to Remote Attacks

Details have emerged about a now-patched critical security flaw in the popular "@react-native-community/cli" npm package that could be potentially exploited to run malicious operating system (OS) commands under certain conditions. "The vulnerability allows remote unauthenticated attackers to easily trigger arbitrary OS command execution on the machine running react-native-community/cli's

UK Court Delivers Split Verdict in Getty Images vs. Stability AI Case

In January 2023, Getty Images filed a major lawsuit in the UK High Court against Stability AI, an…

Radiometrics VizAir

1. EXECUTIVE SUMMARY

CVSS v4 10.0
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Radiometrics
Equipment: VizAir
Vulnerabilities: Missing Authentication for Critical Function, Insufficiently Protected Credentials

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow attackers to manipulate critical weather parameters and runway settings, mislead air traffic control and pilots, extract sensitive meteorological data, and cause significant disruption to airport operations, leading to hazardous flight conditions.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Radiometrics VizAir are affected:

VizAir: Versions prior to 08/2025

3.2 VULNERABILITY OVERVIEW

3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

Radiometrics VizAir is vulnerable to any remote attacker via access to the admin panel of the VizAir system without authentication. Once inside, the attacker can modify critical weather parameters such as wind sh...

Survision License Plate Recognition Camera

1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Survision
Equipment: License Plate Recognition (LPR) Camera
Vulnerability: Missing Authentication for Critical Function

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to fully access the system without requiring authentication.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Survision LPR Camera are affected:

License Plate Recognition LPR Camera: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

The Survision LPR Camera system does not enforce password protection by default. This allows access to the configuration wizard immediately, without a login prompt or credentials check.

CVE-2025-12108 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). A CVSS v4 score has also be...

Ransomware Defense Using the Wazuh Open Source Platform

Ransomware is malicious software designed to block access to a computer system or encrypt data until a ransom is paid. This cyberattack is one of the most prevalent and damaging threats in the digital landscape, affecting individuals, businesses, and critical infrastructure worldwide. A ransomware attack typically begins when the malware infiltrates a system through various vectors such as

China-Linked Hackers Target Cisco Firewalls in Global Campaign

New reports show China-based hackers are targeting US federal, state, and global government networks via unpatched Cisco firewalls. Get the full details and necessary steps to secure devices.

Operation SkyCloak Deploys Tor-Enabled OpenSSH Backdoor Targeting Defense Sectors

Threat actors are leveraging weaponized attachments distributed via phishing emails to deliver malware likely targeting the defense sector in Russia and Belarus. According to multiple reports from Cyble and Seqrite Labs, the campaign is designed to deploy a persistent backdoor on compromised hosts that uses OpenSSH in conjunction with a customized Tor hidden service that employs obfs4 for