#aws

Cybersecurity trends in 2025 reveal rising AI threats, quantum risks, and supply chain attacks, pushing firms to adapt or face major data and financial losses.

### Description There's an SSRF in the file upload processing system that allows remote attackers to make arbitrary HTTP requests from the server without authentication. The vulnerability exists in the serialization/deserialization handlers for multipart form data and JSON requests, which automatically download files from user-provided URLs without proper validation of internal network addresses. The framework automatically registers any service endpoint with file-type parameters (`pathlib.Path`, `PIL.Image.Image`) as vulnerable to this attack, making it a framework-wide security issue that affects most real-world ML services handling file uploads. While BentoML implements basic URL scheme validation in the `JSONSerde` path, the `MultipartSerde` path has no validation whatsoever, and neither path restricts access to internal networks, cloud metadata endpoints, or localhost services. The documentation explicitly promotes this URL-based file upload feature, making it an intended but i...

A hacker injected a malicious prompt into Amazon Q via GitHub, aiming to delete user files and wipe AWS data, exposing a major security flaw.

Newly appointed Amazon Web Services CISO Amy Herzog believes security culture goes beyond frameworks and executive structures. Having the right philosophy throughout the organization is key.

Flowable’s 2025.1 update brings powerful Agentic AI features to automate workflows, boost efficiency, and scale intelligent business operations.

A 72-hour sprint that produced working solutions for one of game development's hardest problems: making it accessible to non-programmers.

The intelligence-gathering cyber campaign introduces the novel HazyBeacon backdoor and uses legitimate cloud communication channels for command-and-control (C2) and exfiltration to hide its malicious activities.

Governmental organizations in Southeast Asia are the target of a new campaign that aims to collect sensitive information by means of a previously undocumented Windows backdoor dubbed HazyBeacon. The activity is being tracked by Palo Alto Networks Unit 42 under the moniker CL-STA-1020, where "CL" stands for "cluster" and "STA" refers to "state-backed motivation." "The threat actors behind this

Millions of people are accessing harmful AI “nudify” websites. New analysis says the sites are making millions and rely on tech from US companies.

Jenkins Statistics Gatherer Plugin 2.0.3 and earlier stores the AWS Secret Key unencrypted in its global configuration file `org.jenkins.plugins.statistics.gatherer.StatisticsConfiguration.xml` on the Jenkins controller as part of its configuration. This key can be viewed by users with access to the Jenkins controller file system. Additionally, the global configuration form does not mask this key, increasing the potential for attackers to observe and capture it. As of publication of this advisory, there is no fix.