Tag
#git
### Impact The local file storage implementation does not restrict the size of uploaded files. An attacker could exploit this by uploading excessively large files, potentially causing the server to run out of space and return HTTP 500 error, resulting in a denial of service. The severity of the vulnerability is mitigated by the fact that the application UI and the generic REST API are typically accessible only to authenticated users. ### Patches The problem has been fixed in CUBA 7.2.23. ### Workarounds A workaround for those who are unable to upgrade: [Disable Files Endpoint in CUBA Application](https://docs.jmix.io/jmix/files-vulnerabilities.html#disable-files-endpoint-in-cuba-application). ### References [Files Functionality Vulnerabilities :: Jmix Documentation](https://docs.jmix.io/jmix/files-vulnerabilities.html) Similar vulnerability in Jmix: [DoS in the Local File Storage · Advisory · jmix-framework/jmix](https://github.com/jmix-framework/jmix/security/advisories/GHSA-...
### Impact Attackers could manipulate the `FileRef` parameter to access files on the system where the Jmix application is deployed, provided the application server has the necessary permissions. This can be accomplished either by modifying the `FileRef` directly in the database or by supplying a harmful value in the `fileRef` parameter of the `/files` endpoint of the generic REST API. Arbitrary file reading on the operating system where the Jmix process is running. The severity of the vulnerability is mitigated by the fact that the application UI and the generic REST API are typically accessible only to authenticated users. Additionally, the `/files` endpoint in Jmix requires specific permissions and is disabled by default. ### Workarounds A workaround for those who are unable to upgrade: [Fix Path Traversal in Jmix Application](https://docs.jmix.io/jmix/files-vulnerabilities.html#fix-path-traversal-in-jmix-application). ### Credit Cai, Qi Qi of Siemens China Cybersecurity Testing...
### Impact OctoPrint versions up until and including 1.10.3 contain a vulnerability that allows an attacker to bypass the login redirect and directly access the rendered HTML of certain frontend pages. The impact on data exposure is minimal because, typically, data is loaded via API requests that correctly enforce user authentication. In the current codebase, cases where data is directly embedded in the page content are rare. However, one notable exception is the authenticated variant of the reverse proxy test page, which displays the IP addresses of configured reverse proxies. The primary risk lies in potential future modifications to the codebase that might incorrectly rely on the vulnerable internal functions for authentication checks, leading to security vulnerabilities. ### Patches The vulnerability has been patched in version 1.11.0. ### Details An authentication bypass vulnerability exists in the following functions defined in [octoprint/server/util/init.py](https://git...
Terrance, United States / California, 22nd April 2025, CyberNewsWire
All Google accounts could end up compromised by a clever replay attack on Gmail users that abuses Google infrastructure.
Was your Microsoft Entra ID account locked? Find out about the recent widespread lockouts caused by the new…
A security architect with the National Labor Relations Board (NLRB) alleges that employees from Elon Musk's Department of Government Efficiency (DOGE) transferred gigabytes of sensitive data from agency case files in early March, using short-lived accounts configured to leave few traces of network activity. The NLRB whistleblower said the unusual large data outflows coincided with multiple blocked login attempts from an Internet address in Russia that tried to use valid credentials for a newly-created DOGE user account.
### Summary Harden-Runner includes a policy option `disable-sudo` to prevent the GitHub Actions runner user from using sudo. This is implemented by removing the runner user from the sudoers file. However, this control can be bypassed as the runner user, being part of the docker group, can interact with the Docker daemon to launch privileged containers or access the host filesystem. This allows the attacker to regain root access or restore the sudoers file, effectively bypassing the restriction. For an attacker to bypass this control, they would first need the ability to run their malicious code (e.g., by a supply chain attack similar to tj-actions or exploiting a Pwn Request vulnerability)) on the runner. This vulnerability has been fixed in Harden-Runner version `v2.12.0`. ### Impact An attacker with the ability to run their malicious code on a runner configured with `disable-sudo: true` can escalate privileges to root using Docker, defeating the intended security control. ### Aff...
# Prevent token leakage / privilege escalation ## MinIO Operator STS: A Quick Overview MinIO Operator STS is a native IAM Authentication for Kubernetes. MinIO Operator offers support for [Secure Tokens](https://min.io/docs/minio/linux/developers/security-token-service.html?ref=op-gh) (a.k.a. STS) which are a form of temporary access credentials for your MinIO Tenant. In essence, this allows you to control access to your MinIO tenant from your applications without having to explicitly create credentials for each application. For an application to gain access into a MinIO Tenant, a `PolicyBinding` resource is required, granting explicit access to the applications by validating the kubernetes [Service Account](https://kubernetes.io/docs/concepts/security/service-accounts/) authorization token. The service account token is validated as follows: 1. The application calls `AssumeRoleWithWebIdentity` API MinIO Operator provides. 2. MinIO Operator verifies the Service Account token agains...
## Summary Nokogiri v1.18.8 upgrades its dependency libxml2 to [v2.13.8](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.8). libxml2 v2.13.8 addresses: - CVE-2025-32414 - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/889 - CVE-2025-32415 - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/890 ## Impact ### CVE-2025-32414: No impact In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters. **There is no impact** from this CVE for Nokogiri users. ### CVE-2025-32415: Low impact In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a craft...