An attacker is able to arbitrarily create an account in MLflow bypassing any authentication requirement.

**MLflow authentication requirement bypass can allow a user to arbitrarily create an account**

Critical severity GitHub Reviewed Published Nov 16, 2023 to the GitHub Advisory Database • Updated Nov 17, 2023

GHSA-4qq5-mxxx-m6gg: MLflow authentication requirement bypass can allow a user to arbitrarily create an account

Access to two URLs used in both Rundeck Open Source and Process Automation products could allow authenticated users to access the URL path, which would allow access to view or delete jobs, without the necessary authorization checks.

The affected URLs are:
- `http[s]://[host]/context/rdJob/*` 
- `http[s]://[host]/context/api/*/incubator/jobs`

### Impact

Rundeck, Process Automation version 4.12.0 up to 4.16.0

### Patches

Patched versions: 4.17.3

### Workarounds

Access to two URLs used in either Rundeck Open Source or Process Automation products could be blocked at a load balancer level.
- `http[s]://host/context/rdJob/*` 
- `http[s]://host/context/api/*/incubator/jobs`

### For more information

If you have any questions or comments about this advisory:
* Open an issue in [our forums](https://community.pagerduty.com/forum/c/process-automation)
* Enterprise Customers can open a [Support ticket](https://support.rundeck.com)



1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2023-48222

**Authenticated Rundeck users can view or delete jobs they do not have authorization for.**

High severity GitHub Reviewed Published Nov 16, 2023 in rundeck/rundeck • Updated Nov 16, 2023

**Package**

maven org.rundeck:rundeck (Maven)

**Affected versions**

\>= 4.12.0, < 4.17.3

Access to two URLs used in both Rundeck Open Source and Process Automation products could allow authenticated users to access the URL path, which would allow access to view or delete jobs, without the necessary authorization checks.

The affected URLs are:

*   http[s]://[host]/context/rdJob/*
*   http[s]://[host]/context/api/*/incubator/jobs

**Impact**

Rundeck, Process Automation version 4.12.0 up to 4.16.0

**Patches**

Patched versions: 4.17.3

**Workarounds**

Access to two URLs used in either Rundeck Open Source or Process Automation products could be blocked at a load balancer level.

*   http[s]://host/context/rdJob/*
*   http[s]://host/context/api/*/incubator/jobs

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in our forums
*   Enterprise Customers can open a Support ticket

**References**

*   GHSA-phmw-jx86-x666

Published to the GitHub Advisory Database

Nov 16, 2023

Last updated

Nov 16, 2023

GHSA-phmw-jx86-x666: Authenticated Rundeck users can view or delete jobs they do not have authorization for.

Prosecutors in Finland this week commenced their criminal trial against Julius Kivimäki, a 26-year-old Finnish man charged with extorting a once popular and now-bankrupt online psychotherapy practice and thousands of its patients. In a 2,200-page report, Finnish authorities laid out how they connected the extortion spree to Kivimäki, a notorious hacker who was convicted in 2015 of perpetrating tens of thousands of cybercrimes, including data breaches, payment fraud, operating a botnet and calling in bomb threats.

Prosecutors in Finland this week commenced their criminal trial against **Julius Kivimäki**, a 26-year-old Finnish man charged with extorting a once popular and now-bankrupt online psychotherapy practice and thousands of its patients. In a 2,200-page report, Finnish authorities laid out how they connected the extortion spree to Kivimäki, a notorious hacker who was convicted in 2015 of perpetrating tens of thousands of cybercrimes, including data breaches, payment fraud, operating a botnet and calling in bomb threats.

In November 2022, Kivimäki was charged with attempting to extort money from the **Vastaamo Psychotherapy Center**. In that breach, which occurred in October 2020, a hacker using the handle “Ransom Man” threatened to publish patient psychotherapy notes if Vastaamo did not pay a six-figure ransom demand.

Vastaamo refused, so Ransom Man shifted to extorting individual patients — sending them targeted emails threatening to publish their therapy notes unless paid a 500-euro ransom. When Ransom Man found little success extorting patients directly, they uploaded to the dark web a large compressed file containing all of the stolen Vastaamo patient records.

Security experts soon discovered Ransom Man had mistakenly included an entire copy of their home folder, where investigators found many clues pointing to Kivimäki’s involvement. By that time, Kivimäki was no longer in Finland, but the Finnish government nevertheless charged Kivimäki in absentia with the Vastaamo hack. The 2,200-page evidence document against Kivimäki suggests he enjoyed a lavish lifestyle while on the lam, frequenting luxury resorts and renting fabulously expensive cars and living quarters.

But in February 2023, Kivimäki was arrested in France after authorities there responded to a domestic disturbance call and found the defendant sleeping off a hangover on the couch of a woman he’d met the night before. The French police grew suspicious when the 6′ 3″ blonde, green-eyed man presented an ID that stated he was of Romanian nationality.

A redacted copy of an ID Kivimaki gave to French authorities claiming he was from Romania.

Finnish prosecutors showed that Kivimäki’s credit card had been used to pay for the virtual server that hosted the stolen Vastaamo patient notes. What’s more, the home folder included in the Vastaamo patient data archive also allowed investigators to peer into other cybercrime projects of the accused, including domains that Ransom Man had access to as well as a lengthy history of commands he’d executed on the rented virtual server.

Some of those domains allegedly administered by Kivimäki were set up to smear the reputations of different companies and individuals. One of those was a website that claimed to have been authored by a person who headed up IT infrastructure for a major bank in Norway which discussed the idea of legalizing child sexual abuse.

Another domain hosted a fake blog that besmirched the reputation of a Tulsa, Okla. man whose name was attached to blog posts about supporting the “white pride” movement and calling for a pardon of the Oklahoma City bomber Timothy McVeigh.

Kivimäki appears to have sought to sully the name of this reporter as well. The 2,200-page document shows that Kivimäki owned and operated the domain **krebsonsecurity\[.\]org**, which hosted various hacking tools that Kivimäki allegedly used, including programs for mass-scanning the Internet for systems vulnerable to known security flaws, as well as scripts for cracking database server usernames and passwords, and downloading databases.

Ransom Man inadvertently included a copy of his home directory in the leaked Vastaamo patient data. A lengthy history of the commands run by that user show they used krebsonsecurity-dot-org to host hacking and scanning tools.

**Mikko Hyppönen**, chief research officer at WithSecure (formerly F-Secure), said the Finnish authorities have done “amazing work,” and that “it’s rare to have this much evidence for a cybercrime case.”

**Petteri Järvinen** is a respected IT expert and author who has been following the trial, and he said the prosecution’s case so far has been strong.

“The National Bureau of Investigation has done a good job and Mr Kivimäki for his part some elementary mistakes,” Järvinen wrote on LinkedIn. “This sends an important message: online crime does not pay. Traces are left in the digital world too, even if it is very tedious for the police to collect them from servers all around the world.”

**Antti Kurittu** is an information security specialist and a former criminal investigator. In 2013, Kurittu worked on an investigation involving Kivimäki’s use of the Zbot botnet, among other activities Kivimäki engaged in as a member of the hacker group Hack the Planet (HTP). Kurittu said it remains to be seen if the prosecution can make their case, and if the defense has any answers to all of the evidence presented.

“Based on the public pretrial investigation report, it looks like the case has a lot of details that seem very improbable to be coincidental,” Kurittu told KrebsOnSecurity. “For example, a full copy of the Vastaamo patient database was found on a server that belonged to Scanifi, a company with no reasonable business that Kivimäki was affiliated with. The leaked home folder contents were also connected to Kivimäki and were found on servers that were under his control.”

The Finnish daily _yle.fi_ reports that Kivimäki’s lawyers sought to have their client released from confinement for the remainder of his trial, noting that the defendant has already been detained for eight months.

The court denied that request, saying the defendant was still a flight risk. Kivimäki’s trial is expected to continue until February 2024, in part to accommodate testimony from a large number of victims. Prosecutors are seeking a seven-year sentence for Kivimäki.

Alleged Extortioner of Psychotherapy Patients Faces Trial

nagayama_copabowl Line 13.6.1 is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-48134: CVE-reports/nagayama_copabowl.md at main · syz913/CVE-reports

YouTube’s new rules may not be around for long anyway, because they might run afoul of European Union regulations

Thursday, November 16, 2023 14:00

I don’t think this is a particularly bold take — but I’m not afraid to say that ad blockers are good! 

Ever since I started using one sometime in 2016, my experience of using the internet has improved exponentially. I can finally easily find a recipe for dinner on a random influencer’s blog, get a faster answer to “how to replace my car’s headlights” and likely avoid hundreds of pieces of malvertising. 

But their use has increasingly come into question with YouTube’s new policies on preventing users from using ad blockers on its site, with new warnings saying the user has a certain number of videos they can watch before they must allowlist youtube.com in their ad blocker, thus allowing the site to display ads before YouTube videos. 

The second this popped up for me two weeks ago, I immediately started researching workarounds and quickly found a secure solution that works for my browsing habits. The easy explanation for why Google (YouTube’s parent company) wants to get rid of ad blockers is, simply, money. They run the Google Ads service that provides the stereotypical ads everyone has been used to seeing on websites since the early aughts. Unfortunately, bad actors will often use enticing headlines, fake images or sales pitches to trick people into clicking on links that lead to malicious sites, attacker-run scams or downloads that are malware. 

Ad blockers are a major tool users can deploy to block this type of threat, so the explanation for why everyone should be using one is also clear. 

Google isn’t the only major company looking to bypass ad blockers, either. Spotify’s terms of service explicitly outlaws “circumventing or blocking advertisements or creating or distributing tools designed to block advertisements” on its platforms, and many news websites like CNBC have warnings about turning off your ad blocker before you can proceed to read an article. 

I am all for publishers charging for their content or putting it behind a paywall, or even “premium” subscriptions to disable ads from podcasts or videos. But we all need to universally agree that ad blockers (at least legitimate ones) are good for the internet at large and keep users safer. The FBI and CIA agree with me on this and have both advised that users enable ad blockers in web browsers before.

The argument that ads benefit the creators, and therefore we’re robbing them of money, is largely off-base from these corporations. 

Creators who are part of the YouTube Partner program, which means they have filled out an application and meet a minimum standard for views and subscribers, make between $1.61 and $29.30 for every 1,000 views on their videos through YouTube’s ads. So Mr. Beast might make a decent payday out of that every month, but I’m sure Mr. Beast would also be doing just fine without the extra few thousand dollars in his pocket currently. 

The people who are just trying to be helpful by showing me how to fix my washing machine or install a car seat properly are likely not missing my singular ad view when I use an ad blocker.  

Thankfully, YouTube’s new rules may not be around for long anyway, because they might run afoul of European Union regulations, and privacy advocates have already filed a formal challenge to the EU’s independent data regulator.  

**The one big thing **

Microsoft disclosed three zero-day vulnerabilities as part of its monthly security update this week, and all three have already been added to CISA’s Known Exploited Vulnerabilities catalog. However, Patch Tuesday only included three critical vulnerabilities, an unusually small number based on previous months’ Patch Tuesdays. CVE-2023-36033 is an elevation of privilege vulnerability in the Windows DWM Core Library that could allow an attacker to gain SYSTEM-level privileges. According to Microsoft, this vulnerability has already been exploited in the wild and there is proof-of-concept code available. Another zero-day elevation of privilege vulnerability, CVE-2023-36036, exists in the Windows Cloud Files mini-filter driver that could also allow an attacker to gain SYSTEM privileges. 

**Why do I care? **

Unfortunately, zero-days have become commonplace for Patch Tuesdays this year, and it seems like a few more pop up each month. In these cases, attackers were able to discover the exploits before Microsoft had a chance to patch them, and CISA already acknowledged that attackers are exploiting these vulnerabilities in the wild.  

**So now what? **

All Microsoft users should ensure their updates are installed correctly if you have auto-update on, or make sure to manually download the patches as soon as possible otherwise. The Talos blog also has a rundown of Snort rules that can detect the exploitation of many of the vulnerabilities Microsoft disclosed this week. 

**Top security headlines of the week **

**U.S. intelligence agencies are warning that the Royal ransomware group could soon be headed for a rebrand and may already be operating under the name “BlackSuit.”** Government sanctions have previously limited Royal’s ability to make money off their ransomware attacks, but new research from private firms and government agencies indicate that Royal may be connected to BlackSuit, another threat actor that uses similar open-source tools. Royal is a prolific ransomware group that the FBI says is responsible for infecting more than 350 companies, generating revenue in excess of $275 million. Security researchers are also speculating that Royal may have formed from the splintering of the former Conti ransomware gang, which was also the victim of sanctions and government takedown efforts. The U.S. and U.K. announced sanctions against 11 individuals believed to be a part of Conti in September. (TechCrunch, The Register) 

**Fighting election misinformation has only gotten more difficult since the 2020 presidential election.** New reporting and testimony indicate that many key programs and partnerships dedicated to fighting fake news and disinformation online have eroded over the past few years after political attacks from right-wing leaders and organizations. FBI Director Chris Wray told a Senate committee last week that an alliance of federal agencies, tech companies, election officials and security researchers dedicated to fighting foreign propaganda has fallen apart recently, with little to no communication between the various parties involved. Other officials in charge of fighting election disinformation say its been months since they heard from the FBI after once connecting with the agency regularly about fighting fake news on social media platforms. Additionally, many poll workers and election officials are afraid to discuss the topic after years of online pushback from right-wing voters who view the word “misinformation” as a synonym for censorship. (NBC News, NPR) 

**Chip makers Intel and AMD disclosed new vulnerabilities this week that could lead to privilege escalation.** Some Intel CPUs are vulnerable to the newly discovered “Reptar” vulnerability (CVE-2023-23583) that was disclosed on Tuesday. Adversaries can exploit this high-severity flaw if they already have access to the targeted system, eventually causing a crash on the machine leading to privilege escalation or the disclosure of sensitive system information. Another attack on AMD CPUs called “CacheWarp” could allow an attacker to infiltrate encrypted virtual machines and perform privilege escalation. This vulnerability, identified as CVE-2023-20592, affects AMD's Secure Encrypted Virtualization (SEV) technology. Users do not need to take any additional actions to address these vulnerabilities other than ensuring drivers and operating systems are up-to-date and patched. (SecurityWeek, The Hacker News) 

**Can’t get enough Talos? **

Rather than putting a bunch of links here this week, I instead encourage you to watch this whole segment from Fox 11 in Los Angeles, featuring Nick Biasini from Talos Outreach. The story covers online scams, but features Nick discussing Talos’ recent research into various scams in the online video game “Roblox.” 

**Upcoming events where you can find Talos **

**misecCON** **(Nov. 17)** 

_Lansing, Michigan_ 

> _Terryn Valikodath from Talos Incident Response will deliver a talk providing advice on the best ways to conduct analysis, learning from his years of experience (and mishaps). He will speak about the everyday tasks he and his Talos IR teammates must go through to properly perform analysis. This talk covers topics such as planning, finding evil, recording findings, correlation and creating your own timelines._ 

**"Power of the Platform” by Cisco** **(Dec. 5 & 7)** 

_Virtual (Please note: This presentation will only be given in German)_ 

> _The annual IT event at the end of the year where Cisco experts, including Gergana Karadzhova-Dangela from Cisco Talos Incident Response, discuss the future-oriented topics in the implementation of digitalization together with you._  

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647   
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790   
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** b9ddbd1a4cec61e6b022a275d66312b5b676f9a0a9537a7708de9aa8ce34de59   
**MD5:** 3b100bdcd61bb1da816cd7eaf9ef13ba   
**Typical Filename:** vt-upload-C6In1   
**Claimed Product:** N/A    
**Detection Name:** Backdoor:KillAV-tpd 

**SHA 256:** 1fa0222e5ae2b891fa9c2dad1f63a9b26901d825dc6d6b9dcc6258a985f4f9ab   
**MD5:** 4c648967aeac81b18b53a3cb357120f4   
**Typical Filename:** yypnexwqivdpvdeakbmmd.exe   
**Claimed Product:** N/A    
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll   
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:** bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a   
**MD5:** 200206279107f4a2bb1832e3fcd7d64c   
**Typical Filename:** lsgkozfm.bat   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::tpd

We all just need to agree that ad blockers are good

MLflow allowed arbitrary files to be PUT onto the server.

**MLflow allowed arbitrary files to be PUT onto the server**

Critical severity GitHub Reviewed Published Nov 16, 2023 to the GitHub Advisory Database • Updated Nov 16, 2023

GHSA-f798-qm4r-23r5: MLflow allowed arbitrary files to be PUT onto the server

Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.

**HTTPie allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack**

Moderate severity GitHub Reviewed Published Nov 16, 2023 to the GitHub Advisory Database • Updated Nov 16, 2023

GHSA-8r96-8889-qg2x: HTTPie allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack

PyPinkSign v0.5.1 uses a non-random or static IV for Cipher Block Chaining (CBC) mode in AES encryption. This vulnerability can lead to the disclosure of information and communications.

**PyPinkSign uses a non-random or static IV for Cipher Block Chaining (CBC) mode in AES encryption**

Moderate severity GitHub Reviewed Published Nov 16, 2023 to the GitHub Advisory Database • Updated Nov 17, 2023

GHSA-fxff-wxxv-c2jc: PyPinkSign uses a non-random or static IV for Cipher Block Chaining (CBC) mode in AES encryption

Archery v1.10.0 uses a non-random or static IV for Cipher Block Chaining (CBC) mode in AES encryption. This vulnerability can lead to the disclosure of information and communications.

\# Cryptographic API Misuse Vulnerability in Archery v1.10.0 - Do not use constant key for encryption - Do not use non-random/static predictable IVs in CBC ### Description: In the Archery v1.10.0 , it is a SQL audit query platform. - It uses a hard-coded, constant key for encryption operations, which is a security risk as it makes encrypted data susceptible to being decrypted by anyone who has access to the source code or the constant key itself. \`salt=eCcGFZQj6PNoSSma31LR39rTzTbLkU8E\` - It utilizes a non-random or static IV for Cipher Block Chaining (CBC) mode in AES encryption. Using predictable IVs can lead to vulnerabilities like the disclosure of information about the plaintext of subsequent messages. \`IV=0000000000000000\` ### Affected Version v1.10.0 ### Location: https://github.com/hhyo/Archery/blob/master/common/utils/aes\_decryptor.py#L7 https://github.com/hhyo/Archery/blob/master/common/utils/aes\_decryptor.py#L13 https://github.com/hhyo/Archery/blob/master/common/utils/aes\_decryptor.py#L33 ### Reference - CWE-259: Use of Hard-coded Password - CWE-329: Generation of Predictable IV with CBC Mode - CWE-330: Use of Insufficiently Random Values ### Expected Behavior: - The encryption key should be random , generated dynamically and stored securely. - The IV for CBC mode should be random and unpredictable for each encryption operation to ensure the security of the encryption scheme. ### Actual Behavior: - The code uses a constant key for encryption which is visible and accessible to anyone who examines the code. \`salt=eCcGFZQj6PNoSSma31LR39rTzTbLkU8E\` - A static IV is used across encryption operations, making the encrypted data less secure and potentially leading to patterns that can be exploited by attackers. \`IV=0000000000000000\` ### Recommendation: 1. Implement a secure method to generate a encryption key for each user or session, and store it using secure storage mechanisms. 2. Modify the encryption process to generate a random IV each time an encryption operation is performed. Addressing these issues is critical to maintaining the confidentiality and integrity of the data processed by Archery. It is recommended to take immediate action to correct these vulnerabilities and prevent potential exploits.

CVE-2023-48053

SuperAGI v0.0.13 was discovered to use a hardcoded key for encryption operations. This vulnerability can lead to the disclosure of information and communications.

\# Cryptographic API Misuse Vulnerability : Do not use constant key for encryption ### Description: In the SuperAGI v0.0.13,which is a A dev-first open source autonomous AI agent framework. It utilizes a constant default key to encryption sensitive data. This practice undermines the security of the encryption scheme by making it vulnerable to various attacks, as the key can be extracted from the source code and used to decrypt sensitive data. \`key = b'e3mp0E0Jr3jnVb96A31\_lKzGZlSTPIp4-rPaVseyn58='\` ### Affected Version \[v0.0.13\](https://github.com/TransformerOptimus/SuperAGI/releases/tag/v0.0.13) ### Location: - https://github.com/TransformerOptimus/SuperAGI/blob/4afbd7c04e368c7ed6c07fc0956f80b7a93ced19/superagi/helper/encyption\_helper.py#L5 - https://github.com/TransformerOptimus/SuperAGI/blob/4afbd7c04e368c7ed6c07fc0956f80b7a93ced19/superagi/helper/encyption\_helper.py#L7 - https://github.com/TransformerOptimus/SuperAGI/blob/4afbd7c04e368c7ed6c07fc0956f80b7a93ced19/superagi/helper/encyption\_helper.py#L39 ### Reference - CWE-326: Inadequate Encryption Strength - CWE-259: Use of Hard-coded Password ### Expected Behavior: Encryption keys should be dynamically generated, securely managed, and should remain confidential to ensure the security of encrypted data. Ideally, the keys would be stored in a secure environment or retrieved from a secure key management service. ### Actual Behavior: - https://github.com/TransformerOptimus/SuperAGI/blob/4afbd7c04e368c7ed6c07fc0956f80b7a93ced19/superagi/controllers/config.py#L69 - https://github.com/TransformerOptimus/SuperAGI/blob/4afbd7c04e368c7ed6c07fc0956f80b7a93ced19/superagi/models/models\_config.py#L83 It use constant key function to encrypt the API key for configuration, as indicated in the referenced code snippets. \`key = b'e3mp0E0Jr3jnVb96A31\_lKzGZlSTPIp4-rPaVseyn58='\` This allows anyone with access to the codebase to easily compromise the encryption and decrypt any data encrypted with this key. ### Recommendation - Do not use constant key for encryption - Implement a process for securely generating and rotating encryption keys regularly - Use a secure key management system to store the encryption keys outside of the codebase It's imperative to resolve this vulnerability to protect the data integrity and privacy of users of the SuperAGI framework. An immediate fix and release are recommended.

Tag

#git