Tag
#auth
Here at Red Hat, we’ve spent over a decade building up the power of Red Hat Insights, making it one of the most valuable pieces of technology included in your Red Hat subscription. We’ve integrated with industry-leading technologies like IBM X-Force, we’ve grown invaluable data sets from our own support cases, and we’ve extended our reach to deliver Insights wherever you work. See What the Insights portfolio can do for you. One thing that's been a blocker for US government customers and contractors has been FedRAMP. But that's a blocker no more! Through a long process of sponsorship, d
The quest to keep data private while still being able to search may soon be within reach, with different companies charting their own paths.
The breach was carried out with stolen Citrix credentials for an account that lacked multifactor authentication. Attackers went undetected for days, and Change's backup strategy failed.
Unmanaged and unknown Web services endpoints are just some of the challenges organizations must address to improve API security.
Some customers found that they had the ability to cancel a stranger's flight to another country after opening the app, which was showing other individuals' flight details.
The newly discovered malware, which has so far mainly targeted Turkish telcos and has links to HiatusRat, infects routers and performs DNS and HTTP hijacking attacks on connections to private IP addresses.
### Summary
The default configuration does not check the authorization of the signer; it only checks the validity of the signature per section 3.2.2 of https://www.w3.org/TR/2008/REC-xmldsig-core-20080610/#sec-CoreValidation. As such, without additional validation steps, the default configuration allows a malicious actor to re-sign an XML document, place the certificate in a `<KeyInfo />` element, and pass `xml-crypto` default validation checks.
### Details
Affected `xml-crypto` versions: `>= 4.0.0` and `< 6.0.0`. By default, `xml-crypto` trusts any certificate provided via a digitally signed XML document's `<KeyInfo />`. `xml-crypto` prefers to use any certificate provided via a digitally signed XML document's `<KeyInfo />` even if the library was configured to use a specific certificate (`publicCert`) for signature verification purposes. An attacker can spoof signature verification by modifying the XML document and replacing the existing signature with a signature generated with malicious pri...
The Biden administration is asking tech companies to sign a pledge, obtained by WIRED, to improve their digital security, including reduced default password use and improved vulnerability disclosures.
Talos also recently helped to responsibly disclose and patch other vulnerabilities in the Foxit PDF Reader and two open-source libraries that support the processing and handling of DICOM files.
Online Tours and Travels Management System version 1.0 suffers from a remote SQL injection vulnerability.