Security
Headlines
HeadlinesLatestCVEs

Tag

#git

GHSA-7pq6-v88g-wf3w: Sentry's improper authentication on SAML SSO process allows user impersonation

### Impact A critical vulnerability was discovered in the SAML SSO implementation of Sentry. It was reported to us via our private bug bounty program. The vulnerability allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same Sentry instance. The victim email address must be known in order to exploit this vulnerability. ### Patches - [Sentry SaaS](https://sentry.io): The fix was deployed on Jan 14, 2025. - [Self-Hosted Sentry](https://github.com/getsentry/self-hosted): If only a single organization is allowed (`SENTRY_SINGLE_ORGANIZATION = True`), then no action is needed. Otherwise, users should upgrade to version 25.1.0 or higher. ### Workarounds No known workarounds. ### References - https://github.com/getsentry/sentry/pull/83407

ghsa
Open in Source
#vulnerability#web#git#auth
Black Basta-Style Cyberattack Hits Inboxes with 1,165 Emails in 90 Minutes

A recent cyberattack, mimicking the tactics of the notorious Black Basta ransomware group, targeted one of SlashNext’s clients.…

GHSA-2c6g-pfx3-w7h8: Insecure Temporary File in RESTEasy

### Impact In RESTEasy the insecure `File.createTempFile()` is used in the `DataSourceProvider`, `FileProvider` and `Mime4JWorkaround` classes which creates temp files with insecure permissions that could be read by a local user. ### Patches Fixed in the following pull requests: * https://github.com/resteasy/resteasy/pull/3409 (7.0.0.Alpha1) * https://github.com/resteasy/resteasy/pull/3423 (6.2.3.Final) * https://github.com/resteasy/resteasy/pull/3412 (5.0.6.Final) * https://github.com/resteasy/resteasy/pull/3413 (4.7.8.Final) * https://github.com/resteasy/resteasy/pull/3410 (3.15.5.Final) ### Workarounds There is no workaround for this issue. ### References * https://nvd.nist.gov/vuln/detail/CVE-2023-0482 * https://bugzilla.redhat.com/show_bug.cgi?id=2166004 * https://github.com/advisories/GHSA-jrmh-v64j-mjm9

GHSA-5m7j-6gc4-ff5g: Mattermost fails to properly validate post props

Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.

GHSA-45v9-w9fh-33j6: Mattermost fails to properly validate post props

Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.

GHSA-8j3q-gc9x-7972: Mattermost Incorrect Type Conversion or Cast

Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which allows an attacker to crash the frontend via crafted malicious input.

North Korea's Lazarus APT Evolves Developer-Recruitment Attacks

"Operation 99" uses job postings to lure freelance software developers into downloading malicious Git repositories. From there, malware infiltrates developer projects to steal source code, secrets, and cryptocurrency.

The great Google Ads heist: criminals ransack advertiser accounts via fake Google ads

An ongoing malvertising campaign steals Google advertiser accounts via fraudulent ads for Google Ads itself.