Security
Headlines
HeadlinesLatestCVEs

Tag

#git

GHSA-vp47-9734-prjw: ASTEVAL Allows Malicious Tampering of Exposed AST Nodes Leads to Sandbox Escape

### Summary If an attacker can control the input to the asteval library, they can bypass its safety restrictions and execute arbitrary Python code within the application's context. ### Details The vulnerability is rooted in how `asteval` performs attribute access verification. In particular, the [`on_attribute`](https://github.com/lmfit/asteval/blob/8d7326df8015cf6a57506b1c2c167a1c3763e090/asteval/asteval.py#L565) node handler prevents access to attributes that are either present in the `UNSAFE_ATTRS` list or are formed by names starting and ending with `__`, as shown in the code snippet below: ```py def on_attribute(self, node): # ('value', 'attr', 'ctx') """Extract attribute.""" ctx = node.ctx.__class__ if ctx == ast.Store: msg = "attribute for storage: shouldn't be here!" self.raise_exception(node, exc=RuntimeError, msg=msg) sym = self.run(node.value) if ctx == ast.Del: return delattr(sym, node.at...

ghsa
Open in Source
#vulnerability#mac#git
Cloudflare CDN Bug Outs User Locations on Signal, Discord

Attackers can use a zero- or one-click flaw to send a malicious image to targets — an image that can deanonymize a user within seconds, posing a threat to journalists, activists, hackers, and others whose locations are sensitive.

Chinese PlushDaemon APT Targets S. Korean IPany VPN with Backdoor

Cybersecurity firm ESET uncovers PlushDaemon, a previously unknown APT group targeting South Korea, deploying a SlowStepper backdoor. This…

GHSA-27c6-mcxv-x3fh: Unlimited consumption of resources in @fastify/multipart

### Impact The `saveRequestFiles` function does not delete the uploaded temporary files when user cancels the request. ### Patches Fixed in version 8.3.1 and 9.0.3 ### Workarounds Do not use `saveRequestFiles`. ### References This was identified in https://github.com/fastify/fastify-multipart/issues/546 and fixed in https://github.com/fastify/fastify-multipart/pull/567.

GHSA-74j9-xhqr-6qv3: Reflected Cross Site Scripting (XSS) in error message

If a website has been set to the "dev" environment mode, a URL can be provided which includes an XSS payload which will be executed in the resulting error message.

GHSA-gmj9-h825-chq2: try/except* clauses could allow bypass RestrictedPython via type confusion bug in the CPython interpreter

### Impact Via a type confusion bug in the CPython interpreter when using `try/except*` RestrictedPython could be bypassed. We believe this should be fixed upstream in Python itself until that we remove support for `try/except*` from RestrictedPython. (It has been fixed for some Python versions.) ### Patches Patched in version 8.0 by removing support for `try/except*` clauses ### Workarounds There is no workaround. ### References none

Memcyco Announces Next-Gen, AI Solution to Combat Fraud and Impersonation Attacks in Real Time

Memcyco’s AI-based solution enables organizations of all sizes to better protect their customers from phishing, impersonation fraud and…

You are Not Alone, ChatGPT is Down

ChatGPT Outage: Service Down on Jan 23, 2025. Learn about the potential causes (DDoS or technical glitch) and…