Tag
#git
### Impact Because UPDATE validation is not being applied, it is possible for an actor with access to an instance of the [initializingworkspaces virtual workspace](https://docs.kcp.io/kcp/latest/concepts/workspaces/workspace-initialization/) to run arbitrary patches on the status field of `LogicalCluster` objects while the workspace is initializing. This allows to add or remove any initializers as well as changing the phase of a `LogicalCluster` (to "Ready" for example). As this effectively allows to skip certain initializers or the entire initialization phase, potential integrations with external systems such as billing or security could be affected. Their initializers could be skipped by a `WorkspaceType` that adds another initializer and grants permissions to the virtual workspace to a rogue or compromised entity. _Who is impacted?_ * Impacts other owners of `WorkspaceTypes` with initializers that are inherited by other `WorkspaceTypes`. * Impacts developers using the `virtual/...
### Impact A **Cross-Site Request Forgery (CSRF)** vulnerability was identified in Apollo’s **Embedded Sandbox** and **Embedded Explorer**. The vulnerability arises from missing origin validation in the client-side code that handles `window.postMessage` events. A malicious website can send forged messages to the embedding page, causing the victim’s browser to execute arbitrary GraphQL queries or mutations against their GraphQL server while authenticated with the victim’s cookies. #### Who is impacted Anyone embedding [Apollo Sandbox](https://www.apollographql.com/docs/graphos/platform/sandbox#embedding-sandbox) or [Apollo Explorer](https://www.apollographql.com/docs/graphos/platform/explorer/embed) in their website may have been affected by this vulnerability. - Users who embed Apollo Sandbox or Apollo Explorer in their websites via npm packages (`@apollo/sandbox` and `@apollo/explorer`) or direct links to Apollo’s CDN. - Users running Apollo Router with [embedded Sandbox enabled]...
### Summary A vulnerability in `get-jwks` can lead to cache poisoning in the JWKS key-fetching mechanism. ### Details When the `iss` (issuer) claim is validated only after keys are retrieved from the cache, it is possible for cached keys from an unexpected issuer to be reused, resulting in a bypass of issuer validation. This design flaw enables a potential attack where a malicious actor crafts a pair of JWTs, the first one ensuring that a chosen public key is fetched and stored in the shared JWKS cache, and the second one leveraging that cached key to pass signature validation for a targeted `iss` value. The vulnerability will work only if the `iss` validation is done after the use of `get-jwks` for keys retrieval, which usually is the common case. ### PoC Server code: ```js const express = require('express') const buildJwks = require('get-jwks') const { createVerifier } = require('fast-jwt') const jwks = buildJwks({ providerDiscovery: true }); const keyFetcher = async (jwt) => ...
### Impact A vulnerability has been identified within Rancher Manager where a missing server-side validation on the `.username` field in Rancher can allow users with update permissions on other User resources to cause denial of access for targeted accounts. Specifically: - Username takeover: A user with permission to update another user’s resource can set its `.username` to "admin", preventing both the legitimate admin and the affected user from logging in, as Rancher enforces uniqueness at login time. - Account lockout: A user with update permissions on the admin account can change the admin’s username, effectively blocking administrative access to the Rancher UI. This issue enables a malicious or compromised account with elevated update privileges on User resources to disrupt platform administration and user authentication. **Note:** The users with these permissions to modify accounts and resources are considered as privileged users. For more information, please consult Rancher M...
### Impact A vulnerability has been identified within Rancher Manager whereby the SAML authentication from the Rancher CLI tool is vulnerable to phishing attacks. The custom authentication protocol for SAML-based providers can be abused to steal Rancher’s authentication tokens. Rancher Manager deployments without SAML authentication enabled are not affected by this vulnerability. An attacker can generate a phishing SAML login URL which contains a `publicKey` and `requestId` controlled by the attacker. The attacker can then give the link to another user (eg: admin) and if the victim goes to the link unsuspectingly, they might not notice the bad parameters in the URL. The user will be prompted to login and might believe that its session has ended so they need to re-login. By clicking on the link, they will be logged in and an encrypted token will be created with the attacker's public key. The attacker can then decrypt the victim’s Rancher token, enabling the attack Please consult th...
### Impact A vulnerability has been identified within Rancher Manager whereby `Impersonate-Extra-*` headers are being sent to an external entity, for example `amazonaws.com`, via the `/meta/proxy` Rancher endpoint. These headers may contain identifiable and/or sensitive information e.g. email addresses. If the authentication provider is configured to have email or other sensitive and/or identifiable information as part of the username and principal ID then when a new cloud credential is being created in Rancher Manager this information is sent to an external entity such as `amazonaws.com`, in case of an AWS cloud credentials, in `Impersonate-Extra-Username` and/or `Impersonate-Extra-Principalid` headers. Please note that neither password, password hashes or Rancher’s related authentication tokens are leaked in those requests. The entities to which such information is sent to are limited by the whitelisted domains specified in `nodedrivers.management.cattle.io` objects. For example...
A command injection vulnerability exists in SonarQube GitHub Action prior to v6.0.0 when workflows pass user-controlled input to the args parameter on Windows runners without proper validation. This vulnerability bypasses a previous security fix and allows arbitrary command execution, potentially leading to exposure of sensitive environment variables and compromise of the runner environment. ### Patches The vulnerability has been fixed in version v6.0.0. Users should upgrade to this version or later. ### References - Community Post: https://community.sonarsource.com/t/sonarqube-scanner-github-action-v6/149281 - Fix release: https://github.com/SonarSource/sonarqube-scan-action/releases/tag/v6.0.0
Cybersecurity researchers have discovered an updated version of a known Apple macOS malware called XCSSET that has been observed in limited attacks. "This new variant of XCSSET brings key changes related to browser targeting, clipboard hijacking, and persistence mechanisms," the Microsoft Threat Intelligence team said in a Thursday report. "It employs sophisticated encryption and obfuscation
The U.K. National Cyber Security Centre (NCSC) has revealed that threat actors have exploited the recently disclosed security flaws impacting Cisco firewalls as part of zero-day attacks to deliver previously undocumented malware families like RayInitiator and LINE VIPER. "The RayInitiator and LINE VIPER malware represent a significant evolution on that used in the previous campaign, both in
Hazel celebrates unseen effort in cybersecurity and shares some PII. Completely unrelated, but did you know “Back to the Future” turns 40 this year?