Security
Headlines
HeadlinesLatestCVEs

Tag

#dos

⚡ Weekly Recap: Bootkit Malware, AI-Powered Attacks, Supply Chain Breaches, Zero-Days & More

In a world where threats are persistent, the modern CISO’s real job isn't just to secure technology—it's to preserve institutional trust and ensure business continuity. This week, we saw a clear pattern: adversaries are targeting the complex relationships that hold businesses together, from supply chains to strategic partnerships. With new regulations and the rise of AI-driven attacks, the

The Hacker News
Open in Source
#vulnerability#web#ios#android#mac#windows#apple#google#microsoft#cisco#ddos#dos#nodejs#js#git#java#kubernetes#wordpress#intel#backdoor#rce#botnet#samsung#auth#zero_day#ruby#chrome#sap#wifi#ssl#The Hacker News
GHSA-rcv9-qm8p-9p6j: Hugging Face Transformers library has Regular Expression Denial of Service

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the `normalize_numbers()` method of the `EnglishNormalizer` class. This vulnerability affects versions up to 4.52.4 and is fixed in version 4.53.0. The issue arises from the method's handling of numeric strings, which can be exploited using crafted input strings containing long sequences of digits, leading to excessive CPU consumption. This vulnerability impacts text-to-speech and number normalization tasks, potentially causing service disruption, resource exhaustion, and API vulnerabilities.

GHSA-f3hf-r62c-mfrj: Liferay Portal: Missing Rate Limiting in GraphQL Endpoint Enables Resource Exhaustion Attack

Liferay Portal 7.4.0 through 7.4.3.101, and Liferay DXP 2023.Q3.0 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA though update 35 does not limit the number of objects returned from a GraphQL queries, which allows remote attackers to perform denial-of-service (DoS) attacks on the application by executing queries that return a large number of objects.

GHSA-92vj-g62v-jqhh: Hono has Body Limit Middleware Bypass

### Summary A flaw in the `bodyLimit` middleware could allow bypassing the configured request body size limit when conflicting HTTP headers were present. ### Details The middleware previously prioritized the `Content-Length` header even when a `Transfer-Encoding: chunked` header was also included. According to the HTTP specification, `Content-Length` must be ignored in such cases. This discrepancy could allow oversized request bodies to bypass the configured limit. Most standards-compliant runtimes and reverse proxies may reject such malformed requests with `400 Bad Request`, so the practical impact depends on the runtime and deployment environment. ### Impact If body size limits are used as a safeguard against large or malicious requests, this flaw could allow attackers to send oversized request bodies. The primary risk is denial of service (DoS) due to excessive memory or CPU consumption when handling very large requests. ### Resolution The implementation has been updated to alig...

GHSA-59p9-h35m-wg4g: Hugging Face Transformers is vulnerable to ReDoS through its MarianTokenizer

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically affecting the MarianTokenizer's `remove_language_code()` method. This vulnerability is present in version 4.52.4 and has been fixed in version 4.53.0. The issue arises from inefficient regex processing, which can be exploited by crafted input strings containing malformed language code patterns, leading to excessive CPU consumption and potential denial of service.

Siemens SINEC OS

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS v4 2.3 ATTENTION: Exploitable from adjacent network Vendor: Siemens Equipment: SINEC OS Vulnerabilities: Uncontrolled Resource Consumption, Exposure of Sensitive Information to an Unauthorized Actor 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to access non-sensitive information without authentication or potentially cause a temporary denial of service. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Siemens reports that the following products are affected: Siemens RUGGEDCOM RST2428P (6GK6242-6PA00): All versions 3.2 VULNERABILITY OVERVIEW 3.2.1 UNCONTROLLED RESOURCE CONSUMPTION CWE-400 The affected d...

Siemens User Management Component (UMC)

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: User Management Component (UMC) Vulnerabilities: Stack-based Buffer Overflow, Out-of-bounds Read 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an unauthenticated remote attacker to execute arbitrary code or to cause a denial-of-service condition. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Siemens reports that the following products are affected: Siemens SIMATIC PCS neo V4.1: All versions Siemens SIMATIC PCS neo V5.0: All versions Siemens User Management Component (UMC): Versions prior to 2.15.1.3 3.2 VULNERABILITY OVERVIE...

Siemens Industrial Edge Management OS (IEM-OS)

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.7 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: Industrial Edge Management OS (IEM-OS) Vulnerability: Allocation of Resources Without Limits or Throttling 2. RISK EVALUATION Successful exploitation of this vulnerability could allow a remote attacker to cause a denial-of-service condition. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Siemens reports that the following products are affected: Industrial Edge Management OS (IEM-OS): All versions 3.2 VULNERABILITY OVERVIEW 3.2.1 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770 Allocation of resources for multipart headers with insufficient limits ...

Schneider Electric EcoStruxure

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 4.1 ATTENTION: Exploitable from an adjacent network Vendor: Schneider Electric Equipment: EcoStruxure Vulnerabilities: Uncontrolled Resource Consumption, Exposure of Sensitive Information to an Unauthorized Actor 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition or disclose sensitive credential data. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Schneider Electric products are affected: EcoStruxure Building Operation Enterprise Server 7.x: Versions prior to 7.0.2.348 EcoStruxure Building Operation Enterprise Server 6.x: Versions prior to 6.0.4.10001 (CP8) EcoStruxure Building Operation Enterprise Server 5.x: Versions prior to 5.0.3.17009 (CP16) EcoStruxure Enterprise Server 7.x: Versions prior to 7.0.2.348 EcoStruxure Enterprise Server 6.x: Versions prior to 6.0.4.10001 (CP8) EcoStruxure Enterprise Server 5.x: Versions prior to 5.0.3.17009 (CP16) EcoStruxur...