Security Headlines

Tag: #git

CVE-2023-46894: Cryptographic API Misuse Vulnerability: AES ECB used for initialization (ESPTOOL-756) · Issue #926 · espressif/esptool

An issue discovered in esptool 4.6.2 allows attackers to view sensitive information via a weak cryptographic algorithm.

Tags: CVE, #vulnerability, #git
GHSA-72fp-w44g-625q: Signing DynamoDB Sets when using the AWS Database Encryption SDK.

### Impact

This advisory addresses an issue when a DynamoDB Set attribute is marked as `SIGN_ONLY` in the AWS Database Encryption SDK (DB-ESDK) for DynamoDB. This also includes when a Set is part of a List or a Map. DB-ESDK for DynamoDB supports `SIGN_ONLY` and `ENCRYPT_AND_SIGN` attribute actions. In version 3.1.0 and below, when a Set type is assigned a `SIGN_ONLY` attribute action, there is a chance that signature validation of the record containing a Set will fail on read, even if the Set attributes contain the same values. The probability of a failure depends on the order of the elements in the Set combined with how DynamoDB returns this data, which is undefined. This update addresses the issue by ensuring that any Set values are canonicalized in the same order when written to DynamoDB as when read back from DynamoDB.

### Patches

Fixed in version 3.1.1. We recommend all users upgrade as soon as possible.

### Workarounds

None

### References

For more information on how to addres...

GHSA-xfm3-hjcc-gv78: Any value can be changed in the configuration table by an employee having access to block reassurance module

### Impact

An ajax function in the blockreassurance module allows modifying any value in the configuration table.

### Patches

v5.1.4

### Workarounds

No workaround available.

### References

CVE-2023-47373: CVE-reports/DRAGON FAMILY.md at main · syz913/CVE-reports

The leakage of channel access token in DRAGON FAMILY Line 13.6.1 allows remote attackers to send malicious notifications to victims.

CVE-2023-47372: CVE-reports/UPDATESALON C-LOUNGE.md at main · syz913/CVE-reports

The leakage of channel access token in UPDATESALON C-LOUNGE Line 13.6.1 allows remote attackers to send malicious notifications to victims.

CVE-2023-47370: CVE-reports/bluetrick.md at main · syz913/CVE-reports

The leakage of channel access token in bluetrick Line 13.6.1 allows remote attackers to send malicious notifications to victims.

CVE-2023-47368: CVE-reports/taketorinoyu.md at main · syz913/CVE-reports

The leakage of channel access token in taketorinoyu Line 13.6.1 allows remote attackers to send malicious notifications to victims.

GHSA-f475-x83m-rx5m: Label Studio has Hardcoded Django `SECRET_KEY` that can be Abused to Forge Session Tokens

# Introduction

This write-up describes a vulnerability found in [Label Studio](https://github.com/HumanSignal/label-studio), a popular open source data labeling tool. The vulnerability was found to affect versions before `1.8.2`, where a patch was introduced.

# Overview

In [Label Studio version 1.8.1](https://github.com/HumanSignal/label-studio/tree/1.8.1), a hard-coded Django `SECRET_KEY` was set in the application settings. The Django `SECRET_KEY` is used by the web application framework for signing session tokens, and should never be shared with unauthorised parties. However, the Django framework inserts a `_auth_user_hash` claim in the session token that is an HMAC hash of the account's password hash. That claim would normally prevent forging a valid Django session token without knowing the password hash of the account. However, any authenticated user can exploit an Object Relational Mapper (ORM) Leak vulnerability in Label Studio to leak the password hash of any account on the ...

CVE-2023-47364: CVE-reports/nagaoka taxi.md at main · syz913/CVE-reports

The leakage of channel access token in nagaoka taxi Line 13.6.1 allows remote attackers to send malicious notifications to victims.

CVE-2023-47363: CVE-reports/F.B.P members.md at main · syz913/CVE-reports

The leakage of channel access token in F.B.P members Line 13.6.1 allows remote attackers to send malicious notifications to victims.