Insufficient Session Expiration in GitHub repository nocodb/nocodb prior to 0.91.7+.

@@ -71,7 +71,8 @@ export async function signup(req: Request, res: Response<TableType>) { password, email\_verification\_token, invite\_token: null, invite\_token\_expires: null invite\_token\_expires: null, email: user.email }); } else { NcError.badRequest('User already exist'); @@ -95,14 +96,17 @@ export async function signup(req: Request, res: Response<TableType>) { } }  
const token\_version \= randomTokenString();  
await User.insert({ firstname, lastname, email, salt, password, email\_verification\_token, roles roles, token\_version }); } user \= await User.getByEmail(email); @@ -126,7 +130,8 @@ export async function signup(req: Request, res: Response<TableType>) { await promisify((req as any).login.bind(req))(user); const refreshToken \= randomTokenString(); await User.update(user.id, { refresh\_token: refreshToken refresh\_token: refreshToken, email: user.email });  
setTokenCookie(res, refreshToken); @@ -148,7 +153,8 @@ export async function signup(req: Request, res: Response<TableType>) { firstname: user.firstname, lastname: user.lastname, id: user.id, roles: user.roles roles: user.roles, token\_version: user.token\_version }, Noco.getConfig().auth.jwt.secret, Noco.getConfig().auth.jwt.options @@ -178,8 +184,15 @@ async function successfulSignIn({ await promisify((req as any).login.bind(req))(user); const refreshToken \= randomTokenString();  
let token\_version \= user.token\_version; if (!token\_version) { token\_version \= randomTokenString(); }  
await User.update(user.id, { refresh\_token: refreshToken refresh\_token: refreshToken, email: user.email, token\_version }); setTokenCookie(res, refreshToken);  
@@ -198,7 +211,8 @@ async function successfulSignIn({ firstname: user.firstname, lastname: user.lastname, id: user.id, roles: user.roles roles: user.roles, token\_version },  
Noco.getConfig().auth.jwt.secret, @@ -249,6 +263,7 @@ async function googleSignin(req, res, next) { function randomTokenString(): string { return crypto.randomBytes(40).toString('hex'); }  
function setTokenCookie(res, token): void { // create http only cookie with refresh token that expires in 7 days const cookieOptions \= { @@ -285,7 +300,8 @@ async function passwordChange(req: Request<any, any>, res): Promise<any> { await User.update(user.id, { salt, password, email: user.email email: user.email, token\_version: null });  
Audit.insert({ @@ -311,8 +327,10 @@ async function passwordForgot(req: Request<any, any>, res): Promise<any> { if (user) { const token \= uuidv4(); await User.update(user.id, { email: user.email, reset\_password\_token: token, reset\_password\_expires: new Date(Date.now() + 60 \* 60 \* 1000) reset\_password\_expires: new Date(Date.now() + 60 \* 60 \* 1000), token\_version: null }); try { const template \= (await import('./ui/emailTemplates/forgotPassword')) @@ -363,6 +381,9 @@ async function tokenValidate(req, res): Promise<any> { if (user.reset\_password\_expires < new Date()) { NcError.badRequest('Password reset url expired'); } if (!user.token\_version) { NcError.badRequest('Token Expired. Please login again.'); } res.json(true); }  
@@ -389,8 +410,10 @@ async function passwordReset(req, res): Promise<any> { await User.update(user.id, { salt, password, email: user.email, reset\_password\_expires: null, reset\_password\_token: '' reset\_password\_token: '', token\_version: null });  
Audit.insert({ @@ -416,6 +439,7 @@ async function emailVerification(req, res): Promise<any> { }  
await User.update(user.id, { email: user.email, email\_verification\_token: '', email\_verified: true }); @@ -446,6 +470,7 @@ async function refreshToken(req, res): Promise<any> { const refreshToken \= randomTokenString();  
await User.update(user.id, { email: user.email, refresh\_token: refreshToken });

CVE-2022-2064: Merge pull request #2338 from nocodb/fix/insufficient-session-expiration · nocodb/nocodb@c9b5111

Many people reportedly died after struggling to access medical care during a brutal lockdown. The families want to make sure these deaths are counted.

ZHOU SHENGNI NEEDED a doctor, and fast. The 49-year-old, who was having an asthma attack, was being driven by her family to Shanghai East Hospital, where she worked as a nurse, for urgent treatment. It was March 23, and the Chinese city was under a strict Covid lockdown.

However, when they arrived at the emergency department, Zhou’s family found that it was closed for disinfection under Shanghai’s rules to contain the spread of Covid. In urgent need of medical care, they had no choice but to drive to another hospital about 9 kilometers away. Zhou later died.

Zhou’s death caused outrage on Chinese social media, but it was not an isolated incident. Shanghai’s citywide lockdown lasted two months, with most restrictions removed on June 1. But, for those two months, almost nothing moved—including the city’s hospitals, which were hit by sudden closures, with many restricting their services to emergencies only. Patients in need of medical help were told to present a negative PCR test to access care.

From February to May, health authorities in Shanghai had reported 588 deaths related to Covid-19, the majority elderly residents. But officials didn’t count people like Zhou, who may have died as a result of the city’s lockdown restrictions.

Discussions about the collateral damage of China’s zero-Covid policy are heavily restricted in the country. Censors have blocked comments from people opposing the pandemic strategy, including remarks made by World Health Organization director-general Tedros Adhanom Ghebreyesus. But, as ever in China, censorship has not stopped people from finding technical workarounds to express dissent.

On April 14, a WeChat account called Shi You shared an article entitled “Shanghai Deceased,” which reported on people in the city who had seemingly died as a result of harsh lockdown restrictions. The article’s comment section was quickly flooded with messages from people saying they had also heard of or knew someone who had died during the lockdown.

Capser Yu immediately realized that both the article and its comments were important. A Shanghai native now working in Singapore, Yu had heard stories of people back home who had lost loved ones during lockdown. One of those lost was Chen Xiangru, a 3-year-old girl who was reportedly unable to receive timely treatment when she developed a serious fever in late March. Chen died in hospital while waiting for the result of a PCR test doctors required to provide treatment.

Worried that censors would hide crucial evidence, Yu started taking screenshots of the WeChat article. A few hours later, WeChat scrubbed the article. When people in China tried to open the article again, all that was left was a message saying it “violates regulations.”

Yu reposted the content on a blog he created, called Real China, to help keep his parents in Shanghai informed about how news in China was being reported overseas. Within hours, Chinese censors blocked the reposted content. Yu says the article, which is still accessible outside China, was read by more than 20,000 people before it was censored. The link has since started working again for unknown reasons and, by the end of June, had become the most-read post on Yu’s blog.

During the past two months, several projects trying to document deaths linked to Shanghai’s recent lockdown have appeared online. One of the largest, on the collaboration service Airtable, has been live since April. The page is a mix of basic descriptions, images of dead bodies, location information, scans of documents, and photos of the smiling faces of the loved ones who have now passed away. The database went viral but was swiftly blocked on WeChat and Weibo for containing “non-compliant content.” Though users in China can still access it, discussions of the database have been restricted on social media.

By early June, the database contained 210 entries, each representing a life reportedly lost. It’s unclear how many of these deaths might be directly linked to Shanghai’s lockdown, but a separate tally, conducted by Singapore-based news outlet Initium Media, claimed that at least 170 people had died as a result of lockdown measures by early May. Many of the deaths were linked to difficulties accessing urgent medical treatment, the report claimed.

A Shanghai-based recruiter, who asks not to be named for security reasons, says he felt “hopeless” when he found out about the death of an industry colleague’s mother, who had skin cancer and was reportedly denied treatment because she had Covid. Though he didn’t know the woman personally, the recruiter decided not to let her death go unreported. On Reddit, he found a shared Google Sheet that, like the Airtable database, kept a record of the deceased.

The recruiter added details he knew about the woman to the spreadsheet for fact-checking. Volunteers working on the document are required to list their sources, and each link is archived by the Wayback Machine in case the post disappears. The shared document has stricter sourcing rules and fewer entries than the Airtable database—just 60 cases—and was last updated in early May.

The recruiter says he has no idea who created the document or who he was working with, but he feels safer this way. “I would be a bit afraid if we talk to each other in private,” he says, adding that he is still haunted by an experience of being reprimanded at school for speaking out on Twitter against an influential official.

It’s almost impossible to grasp the scale of the suffering caused by Shanghai’s recent lockdown. But Daohouer, a volunteer-run mutual aid network created to help people access food, treatment, and medication during the lockdown, hints at the level of desperation. The site worked by encouraging residents in urgent need of supplies or health care to leave a message, with volunteers then contacting them to help. A visualization of requests submitted to the network shows that over half of the requests dealt with medical accessibility.

The page has kept a record of 1,297 requests in Shanghai involving seriously ill people since April 11, when the data became available. The number of such requests peaked in mid-April, when the site reported a surge in messages from people seeking help accessing medical care.

The cases from Daohouer were visualized by two Chinese people living in Canada who form part of a tech collective called O3O. The pair plan to archive the data submitted to the platform in case it is somehow scrubbed by censors. “The older generation has a habit of hoarding food,” says one of O3O’s cofounders, who asks to remain anonymous. “But the younger generation has the habit of taking screenshots of all things that might be considered sensitive.” The duo also maintains a website called Our Pandemic Memory that invites people to record stories of their lockdown lives. The site, preempting likely censorship in China, automatically submits every story to the Wayback Machine.

Despite efforts to record deaths in the city, the Shanghai-based recruiter remains skeptical that the government will launch an official investigation into the number of people who reportedly died as a result of the recent lockdown. No such efforts have been announced following similar citywide lockdowns in cities such as Xi’an, where deaths related to difficulties in accessing health care have also been reported.

Still, the recruiter hopes that projects to remember and record the dead could, one day, help people learn what life, and death, was really like in Shanghai during the harshest of lockdowns. “Maybe one day in the future, when we can discuss the outbreak and learn lessons, these materials will be used for reference.”

Shanghai’s Censors Can’t Hide Stories of the Dead

Cross-site scripting vulnerability exists in WP Statistics versions prior to 13.2.0 because it improperly processes a platform parameter. By exploiting this vulnerability, an arbitrary script may be executed on the web browser of the user who is logging in to the website using the product.

CVE-2022-27231: WP Statistics

In the SEOmatic plugin up to 3.4.11 for Craft CMS 3, it is possible for unauthenticated attackers to perform a Server-Side Template Injection, allowing for remote code execution.

CVE-2021-41749: craft-seomatic/CHANGELOG.md at develop · nystudio107/craft-seomatic

GUnet Open eClass (aka openeclass) before 3.12.2 allows XSS via the modules/auth/formuser.php auth parameter.

**Υποστήριξη Διαδραστικού Περιεχομένου τύπου H5P**

*   Ενσωμάτωση διαδραστικού περιεχομένου τύπου H5P (https://h5p.org/) στα μαθήματα.
    
*   Υποστήριξη εισαγωγής και δημιουργίας / διόρθωσης.
    

**Πιστοποίηση χρηστών**

*   Διόρθωση και αναβάθμιση του τρόπου πιστοποίησης χρηστών μέσω λογαριασμών κοινωνικών δικτύων (π.χ. Twitter, Facebook, Google, κ.λπ.)
    

**Δικαιώματα χρηστών**

*   Διάφορες διορθώσεις στα δικαιώματα του χρήστη διαχειριστή τμημάτων.
    

**Θεματικές ενότητες**

*   Προσθήκη _Διαδραστικού περιεχομένου H5P_, _Ιστολογίου_ στις ενότητες του μαθήματος.
    

**Ανανέωση μαθήματος**

*   Επιλογής απόκρυψης εργασιών
    

**Ομάδες χρηστών**

*   Διορθώσεις
    

**Γραμμή μάθησης**

*   Διορθώσεις
    

**Γενικά**

*   Υποστήριξη της έκδοσης PHP 8.0

CVE-2021-44266: Open eClass Documentation

A vulnerability was found in SICUNET Access Controller 0.32-05z. It has been declared as problematic. This vulnerability affects unknown code of the component Password Storage. The manipulation leads to weak encryption. Attacking locally is a requirement.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives****SICUNET Physical Access Controller - Multiple Vulnerabilities**

_From_: Andrew Griffiths <agriffiths+fd () google com>  
_Date_: Wed, 8 Mar 2017 11:17:13 -0800  

SICUNET Physical Access Controller - Multiple Vulnerabilities

-------------------------------------------------------------

Introduction

============

Multiple vulnerabilities were identified in the SICUNET Access Controller
Products. The vulnerabilities were discovered during a black box security
assessment and therefore the vulnerability list should not be considered
exhaustive.

Affected Software and Versions

==============================

Known vulnerable version is 0.32-05z. This version string was taken from
Spider.db.

CVE

===

No CVEs have been assigned.

Vulnerability Overview

======================

0. SN-01: HIGH: Outdated software

1. SN-02: HIGH: PHP include()

2. SN-03: CRITICAL: Unauthenticated remote code execution

3. SN-04: CRITICAL: Hardcoded root credentials

4. SN-05: High: Passwords stored in plaintext

Vulnerability Details

=====================

------------------------

SN-01: Outdated software

------------------------

Severity: High

A variety of software running on the device is outdated, making
exploitation of certain bugs far easier than it would be had they been
patched, or running up to date software.

 /usr/local/php\_b2/bin # ./php -v

 PHP 5.2.14 (cli) (built: Jul  8 2012 22:45:11)

 Copyright (c) 1997-2010 The PHP Group

 Zend Engine v2.2.0, Copyright (c) 1998-2010 Zend Technologies

http://php.net/eol.php has more information about PHP 5.2 being End Of
Life, and associated security issues.

 /usr/local/lighttpd/sbin # ./arm-linux-lighttpd -v

 lighttpd/1.4.30 (ssl) - a light and fast webserver

 Build-Date: Dec 26 2013 15:13:53

https://www.lighttpd.net/download/ has more information about security
changes in lighttpd.

 # uname -a
 Linux SICUNET 2.6.32.9 #72 PREEMPT Tue Feb 28 15:25:12 KST 2012 armv7l
 GNU/Linux


It is recommended that software is kept up to date, and that configurations
are reviewed to ensure that they’re secure. For example, there may have
been configuration options for PHP which may have made exploitation harder.

--------------------

SN-02: PHP include()

--------------------

Severity: High

When sending a request to /, the 'c' parameter is used as part of an
include() statement.

Excerpt from /spider/web/webroot/index.php:

 $class  = Input::get('c', 'layout');
 $method = Input::get('m', 'index');

 include APP\_DIR.'/controllers/'.$class.EXT;

(where EXT is defined as '.php’).

By crafting the c parameter, it’s possible to access arbitrary files on the
device:

 wget 'http://victim.ip.address/?c=../../../../../etc/passwd%00&apos;

The %00 trick is a known issue, and is addressed in a later PHP update. For
more information, please see SN-01.

It is recommended that the code be refactored to not require passing user
supplied input to the include() function. Alternatively, a strict whitelist
approach of known modules may be used instead.

--------------------------------------------

SN-03: Unauthenticated remote code execution

--------------------------------------------

Severity: Critical

A variety of functionality is implemented via insecure string concatenation
then passed to underlying exec() functions:

For example, in card\_scan\_decoder.php

16     $No = $\_GET\['No'\];
17     $door = $\_GET\['door'\];
18
19     $result = array();
20
21     $db   = new PDO('sqlite:/tmp/SpiderDB/Spider.db');
<snip>

27
28     if ($No < 1)
29     {
30         $DelTemp = $db->prepare("DELETE FROM CardRawData");
31         $DelTemp->execute();
32
33         exec("/spider/sicu/spider-cgi getrawdata ".$door." on");
34     }

This vulnerability can be exploited by:

 wget 'http://victim.ip.address/card\_scan\_decoder.php?No=0&door=$(sleep 3)’

This is just an example of the pattern of insecurely creating strings to be
executed, and not an exhaustive listing.

It is recommended that injection-proof API's are used instead of
error-prone string concatenation, or whitelist / blacklist being used (for
example, escapeshellcmd). However, it appears as if the closest option in
PHP is http://php.net/manual/en/function.pcntl-exec.php which requires the
user to perform a lot more work to avoid shooting themselves in the foot
(such as forking the process first).

---------------------------------

SN-04: Hardcoded root credentials

---------------------------------

Severity: Critical

There are 3 password fingerprints in /etc/passwd

 root:$1$VVtYRWvv$gyIQsOnvSv53KQwzEfZpJ0:0:100:root:/root:/bin/sh
 e3user:$1$vR6H2PUd$52r03jiYrM6m5Bff03yT0/:1000:1000:Linux
User,,,:/home/e3user:/bin/sh
 lighttpd:$1$vqbixaUx$id5O6Pnoi5/fXQzE484CP1:1001:1000:Linux
User,,,:/home/lighttpd:/bin/sh

The plaintext root password can be found in /spider/sicu binaries. The root
password may be used for the ftp or telnet service on the device. From our
observation, it appears as if FTP is running by default, along with the
ability to login as root via FTP.

The hardcoded root credentials are used by binaries on the system to run
commands as root. It is currently unknown what the purpose of the e3user
and lighttpd hardcoded passwords are.

For example, the root password is used in a variety of ways in the
following format:

 echo %s | su -c 'mkdir -p %s >& /tmp/message'
 echo %s | su -c 'chown %s %s >& /tmp/message'

Where %s is replaced at run time with the cleartext root password before
being passed to the system() function.

It is recommended that hardcoded credentials be removed, and instead
replaced with a more suitable mechanism. For example; sudo may be suitable,
combined with the NOPASSWD directive.

FTP access should be replaced with a more secure transfer mechanism (such
as SSH FTP, or SCP), and authentication should be managed by a user
(preferably via SSH public keys).

------------------------------------------

SN-05: Passwords stored in plaintext

------------------------------------------

Severity: High

A variety of credentials (for example, used for accessing the web front
end, or other devices part of the installation) are stored unencrypted on
the device in /tmp/SpiderDB/Spider.db:

sqlite> SELECT Name,Password FROM WebUser;
admin|ExamplePlaintextPassword
sqlite> SELECT Name,ID,Password FROM Controller;
Server|username|AnotherPlaintextPassword

It is recommended that where passwords must be stored, that they are
suitably cryptographically hashed using an appropriate standard (for more
information, please see https://password-hashing.net).

Author

======

The vulnerabilities were discovered by Andrew Griffiths from Google
Security Team.

Timeline

========

2016/12/06 - Contacted sicunet.com domain registrar, and sales () sicunet com
            for a point of contact to report security issues.

2016/12/08 - Pinged earlier email for a point of contact, additionally
            included tech () sicunet com on an email.

2016/12/08 - Report sent to Ike Huh, CEO.

2016/12/12 - Mentioned that reviewing spider-api would be worthwhile as it
            listens on port 7000, and strings suggests that there may be
            command injection / other vulnerabilities. No reply.

2017/01/17 - Asked point of contact if they had any questions about the
            advisory sent earlier. No reply.

2017/01/24 - Pinged vendor again, asked about resellers who may be able to
            make recommendations about restricting network access to the
            devices from the internet.

2017/01/30 - No contact from vendor.

2017/02/24 - Asked vendor if the affected users can expect patches. No
            reply.

2017/03/01 - Sent an email to the vendor, reminding them disclosure is
coming
            up soon.

2017/03/08 - 90 day disclosure deadline.

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **SICUNET Physical Access Controller - Multiple Vulnerabilities** _Andrew Griffiths (Mar 10)_

CVE-2017-20040: Full Disclosure: SICUNET Physical Access Controller

By Owais Sultan
If you own a WordPress website this article is for you because it addresses WordPress security and protection…
This is a post from HackRead.com Read the original post: How To Secure WordPress Website From Cyber Attacks?

****If you own a WordPress website this article is for you because it addresses WordPress security and protection against cyber attacks.****

WordPress is a widely used CMS (content management system), powering a significant proportion of all available websites. Unfortunately, it also attracts cyber criminals who take advantage of the platform’s security flaws.

It does not mean that WordPress’s security mechanism is ineffective. Security issues can also occur due to the absence of security measures from the users’ side such as outdated or malware-infected plugins. Therefore, it is crucial to take security measures before your WordPress website becomes a target of a malicious attack.

Although you can maintain network security while transferring files by understanding the TCP vs UDP comparison and selecting the best one for web security, some valuable yet small details might help you secure your website in the long run.

*   **What Is the Importance of WordPress Website Security?**

A hacked WordPress site can significantly harm your company’s income and credibility. Cybercriminals can access passwords and user information and even exploit the site to spread malware or harvest login credentials and banking card information. Therefore, providing a secure platform for your website’s users/visitors is a must.

Also, keeping a high-end website requires maintaining your WordPress website’s safety. Website security has a direct impact on search engine visibility. And the most straightforward strategy to improve your search ranking is to improve your security. Thus, the importance of WordPress website security cannot be denied whatsoever.

*   **Is WordPress a Safe Platform?**

If this question always pops up in your mind, you are not alone. It is one of the most frequently asked questions. And the answer to this question is “Yes, it is safe.” It is safe for the most part as long as you take all necessary security precautions seriously.

*   **Avoid “Admin” Username**

The disclosure of a username may not appear to be particularly harmful. Still, it might set off a chain reaction of security flaws that can lead to account identity theft, hijacking, or financial harm.

If you have named the site’s administrator as admin, it is recommended to change it because cyber criminals are good at exploiting platforms with default setups. They understand that “admin” is frequently used as an administrator account. They may exploit that username in a “brute force” attack. Avoid the “Admin” username and save your WordPress website from such attacks.

*   **WordPress Must Be Updated Regularly**

WordPress publishes software updates regularly to enhance security and speed. These upgrades also help in keeping your site safe from cyber attacks. The most straightforward approach to improving your WordPress website’s security is to update your WordPress version. 

To see if you own the most recent WordPress version, go to Dashboard, then click on Updates.

Stay updated on the release dates for new upgrades to guarantee that your site isn’t running an old WordPress version. Moreover, try to update the plugins and themes on your WordPress site. Older plugins and themes might cause conflicts with the newly updated WordPress software, resulting in problems and security vulnerabilities.

*   **Limit the Number of Log In Times**

Cybercriminals may try to guess your admin password via a brute force attack or use leaked credentials to log in to the site. You can reduce their chances of winning by limiting the number of times they can try to log in. As a result, if someone continuously enters the incorrect password, they will be blocked for hours, months, or even years depending on what options you select.

Thus, Limit Login Attempts is a plugin that you may use to secure your website. It works by allowing you to set up a significant number of wrong passwords that may be entered before the IP address of the person who entered the wrong password is locked out.

*    **All Hotlinking Should Be Disabled**

Rather than downloading the file, putting it on your server, and providing a correct citation. Hotlinking or Inline linking is a technique of linking to a file stored on another site. It is most commonly used for images, but it may also be used for videos, music files, flash animations, and other digital content.

If you want to keep your WordPress website secure, hotlinking should be disabled. Otherwise, you’ll notice slower loading times, the possibility of more server expenses, and an increased risk of being hacked.

Although there are several manual methods for avoiding hotlinking, the most straightforward solution is to use a WordPress security plugin. The All-in-One WP Security and Firewall plugin, for example, has built-in solutions for preventing all hotlinking.

*   **Use Two-Factor Authentication**

Two-factor authentication, often known as 2FA, dual-factor authentication, or two-step verification, is a security method in which users validate their identity using two independent authentication factors. This is another smart step to include in your security strategies.

The authentication can be a conventional password followed by a security question, a combination of letters, a hidden code, or the Google Authenticator application delivering a secret code to your phone. The person who has your phone may log in to your website. It is used to safeguard a user’s credentials and the information they have access to.

**Conclusion**

Malicious actors are continuously coming up with new ways to use a company’s online presence against them, while cyber security specialists are always coming up with new ways to resist them.

This is the never-ending cycle of cybersecurity, and we’re all trapped in its center. Your WordPress site is just like any other website on the internet when it comes to cyber-attacks. However, by following the above-recommended tips and hacks, you can secure your WordPress website from cyber criminals or at least reduce the risk of being attacked. 

**More WordPress Security News**

1.  7 Tips to Increase Your WordPress Security
2.  5 WordPress Security Solutions with Free SSL Certificates
3.  Critical WordPress plugin vulnerability allowed wiping databases
4.  Flaws in 2 famous WordPress plugins put millions of websites at risk
5.  WordPress security: Steps to assess employee before granting admin access

How To Secure WordPress Website From Cyber Attacks?

### Impact
Ill-formed headers sent to Envoy in certain configurations can lead to unexpected memory access resulting in undefined behavior or crashing.

You are at most risk if you have an Istio ingress Gateway exposed to external traffic.

### Patches
1.12.8, 1.13.5, 1.14.1

### Workarounds
No.

### References
More details can be found in the [Istio Security Bulletin](https://istio.io/latest/news/security/istio-security-2022-05)

### For more information
If you have any questions or comments about this advisory, please email us at [istio-security-vulnerability-reports@googlegroups.com](mailto:istio-security-vulnerability-reports@googlegroups.com)


**Package**

gomod istio.io/istio (Go)

**Affected versions**

< 1.12.18

\>= 1.13.0, < 1.13.5

\>= 1.14.0, < 1.14.1

**Patched versions**

1.12.18

1.13.5

1.14.1

**Description**

**Impact**

Ill-formed headers sent to Envoy in certain configurations can lead to unexpected memory access resulting in undefined behavior or crashing.

You are at most risk if you have an Istio ingress Gateway exposed to external traffic.

**Patches**

1.12.8, 1.13.5, 1.14.1

**Workarounds**

No.

**References**

More details can be found in the Istio Security Bulletin

**For more information**

If you have any questions or comments about this advisory, please email us at istio-security-vulnerability-reports@googlegroups.com

**References**

*   GHSA-xwx5-5c9g-x68x
*   https://nvd.nist.gov/vuln/detail/CVE-2022-31045
*   https://istio.io/latest/news/security/istio-security-2022-05

 howardjohn published the maintainer security advisory

Jun 9, 2022

GHSA-xwx5-5c9g-x68x: Ill-formed headers may lead to unexpected behavior in Istio

Twitter has reportedly given the billionaire access to its full stream of tweets and related user data. Is your privacy in jeopardy?

Elon Musk’s never-ending attempt to take over Twitter has taken yet another weird turn as the social media platform appears to have acceded to the entrepreneur’s request to gain access to a “fire hose of” internal data held by the company.

For weeks, Musk has pressed Twitter to provide data that would allow the South African entrepreneur to test whether a significant share of the platform’s users are fake bot accounts—something he believes would cheapen the price he’d be willing to pay for the company. Musk contends that bot accounts make up more than 5 percent of Twitter’s user base—something even Musk’s critics believe is true—and wants the company to disprove that.

Twitter has reported lower numbers of inauthentic accounts in its financial results, and according to _The Washington Post_, it is willing to give Musk access to every tweet posted daily, alongside granular user information, in order to allow him to look for inauthentic behavior. (Informally, this data is called the "fire hose.” Twitter declined WIRED's request to confirm or deny the _Post_ report.) Twitter’s apparent willingness to grant Musk access to the datastream comes days after the suitor’s lawyers sent a letter to the company saying it was “actively resisting and thwarting \[Musk’s\] information rights,” and threatening to pull out of the deal.

The reported shift to grant Musk access to the data is significant, and it raises two key questions: One, will Musk get what he wants from the data he’s been given? And two: What does him gaining access mean for everyday users’ privacy and security?

For Axel Bruns, professor at Queensland University of Technology, the move is Twitter calling Musk’s bluff. “By giving him access to the fire hose, Twitter can presumably say, ‘Prove your claims about the abundance of bots, then,’” he says. Bruns believes that Musk and whoever he employs to track down bots would have a difficult time. But even for someone with the requisite skills to handle that level of data, it’s unlikely to be the right method to answer the question. It’s uncertain whether access to the fire hose of 500 million tweets posted to the social media platform every day will actually help Musk answer the key question he claims is holding up his purchase of Twitter: The proportion of users who are bots. “It seems a bit performative,” says Paddy Leerssen, a researcher in information law at the University of Amsterdam. “My sense is that this data isn’t the data you need to figure out who’s a bot or not.”

Being able to pinpoint what makes a bot a bot has been a hotly debated subject in the field of academia, one that experts have devoted much of their working lives to—which is why they’re skeptical that access to all the tweets posted to Twitter will answer the bot question definitively enough to convince Musk to go ahead with the purchase. “My impression is that people tend to overestimate how easy it is to detect bots,” says Leerssen. “A tool like this \[the fire hose\] isn’t going to enable you to do that, unless you combine it with all sorts of other research methods. I don’t think that’s something that in a timeline like this, Elon Musk is going to have time for.” The man who could answer how that data would help him identify bots, Musk himself, did not respond to an emailed request for comment.

Giving Musk access to the fire hose of tweets is a relatively innocuous move, says Christopher Bouzy, the founder of Bot Sentinel, a service that tracks inauthentic behavior on Twitter. “It doesn’t expose users’ private data,” he says. “It’s just a stream of tweets.” From that stream, Musk could analyze the data to see whether accounts spammed the same message, or whether a small number of accounts were responsible for the majority of tweets on the platform—both of which would be potential warning signals for bot behavior. Asked whether we should be concerned about Musk gaining access to the fire-hose data, Bouzy said no. “It’s just a massive number of tweets,” he says. And it’s also an unmanageable number of tweets for pretty much everyone outside Twitter: Bruns points out that the US Library of Congress once had fire hose access in an attempt to archive every tweet ever posted and gave up on the endeavor.

Musk’s interest in the fire hose data is ironic, given that he reportedly declined an offer to look at Twitter’s data room—a collection of information and documents that are collated by companies when touting their businesses to potential buyers—back when his initial takeover bid was launched in April. Twitter spokesperson Jasmine Basi declined to respond to questions, including whether Musk previously asked for access to the data room. Basi also refused to answer direct questions about how many people outside of Twitter, other than Musk, have access to the fire hose data, and whether Musk would have to sign a nondisclosure or usage agreement in order to access it. That gives some cause for concern. “While I understand what Twitter is doing here, it is nonetheless also highly unusual,” says Bruns, who equates it to “giving away the crown jewels”.

The crown jewels are, however, up for sale: Around two dozen companies already have access to the fire hose of data to which Twitter has granted Musk access. Twitter’s Basi declined to name those companies, but their handling of the data has so far seemingly not caused any known issues among those dozen firms. Previously, Twitter has given broader fire hose access, with issues: The company recognized it was leaving money on the table by giving third-party data resellers access, while spy agencies previously gained access to user data through Dataminr, a company that had bought fire hose access. Google and researchers at the Massachusetts Institute of Technology have previously had access to the same data Musk is now being granted access to. “The sharing of sensitive information is a key part of acquisition procedures,” says Leerssen, who prior to his career in academia worked on data protection issues around data rooms for due diligence. “When you go through the process of acquiring a company, you need to look under the hood,” he says.

Yet the big unknown is Musk himself—someone who has already shown during the course of his attempted acquisition that he’s willing to ignore legal agreements. Many also see his ostensible concern about the number of bot accounts as a pretext in order to back out of the deal, despite the terms of the agreement he came to with Twitter precluding that from happening without massive, punitive fines.

“It basically becomes more about trying to psychoanalyze Elon Musk than about the Twitter data, almost,” says Midas Nouwens, assistant professor in digital rights at Aarhus University. Nouwens has long had concerns about the scale of information available to employees at Twitter—a single tech company in a single jurisdiction in the world. “I find it a bit difficult to separate the way that social media platforms like Twitter operate, and then the rogue element of Elon Musk in there,” he says. “It very quickly becomes trying to figure out what Elon Musk would do, and his behavior is quite erratic sometimes.”

Nouwens is one of those who has access to Twitter data through an API available to researchers that allows him to query 10 million tweets a month. Gaining access to the datastream, he says, was easier than expected given the volume of data he had access to. He had to write a description of the project he intended to use the data for, alongside providing proof he was an active academic. “Whether it was Elon Musk or some other actor, I would always have concerns,” Nouwens says. “Now for him, the added element is his past behavior, sure, but also his commercial interests.” The fear is that even if Musk does pull out of the deal to buy Twitter, the information he’s been granted access to by getting free visibility over Twitter’s fire hose of tweets could be used by him or his companies in the future. Bruns says the fire-hose data set could generate new insights into who uses Twitter and why, how usage patterns change over the long term, and what problematic behaviors users engage in—alongside generating detailed profiles of users' interests and networks. “Unless there's anything in the reporting that I've missed about how long Musk gets access to the fire hose for, I'm assuming Twitter is gambling on him and his team giving up on it fairly quickly,” says Bruns. “Especially if he had the fire hose for months or longer, this really becomes a user privacy and ethics concern too.”

Regardless of whether Musk gains access to the data or not, it’s unlikely to help him overcome the main hurdle he has for his purchase of Twitter. “I don’t know if there’s an answer to the question he is posing to Twitter,” says Nouwens. “Perhaps Twitter knows more than external researchers do at the moment or can do. But it’s a really tricky question.”

The Tricky Business of Elon Musk Getting Twitter Fire-Hose Access

Red Hat Security Advisory 2022-4985-01 - New Cryostat 2.1.1 on RHEL 8 container images have been released, containing bug fixes and addressing security vulnerabilities. Issues addressed include a deserialization vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: Cryostat 2.1.1: new Cryostat on RHEL 8 container images  
Advisory ID:       RHSA-2022:4985-01  
Product:           Cryostat  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:4985  
Issue date:        2022-06-09  
CVE Names:         CVE-2018-25032 CVE-2021-3634 CVE-2021-3737  
                   CVE-2021-4189 CVE-2022-25647 CVE-2022-28948  
====================================================================  
1. Summary:

New Cryostat 2.1.1 on RHEL 8 container images are now available

2. Description:

New Cryostat 2.1.1 on RHEL 8 container images have been released,  
containing bug fixes and addressing the following security vulnerabilities:  
CVE-2022-25647, CVE-2022-28948 (see References)

Users of Cryostat 2 on RHEL 8 container images are advised to upgrade to  
these updated images, which contain backported patches to correct these  
security issues and fix these bugs. Users of these images are also  
encouraged to rebuild all container images that depend on these images.

You can find images updated by this advisory in Red Hat Container Catalog  
(see References).

3. Solution:

The Cryostat 2 on RHEL 8 container images provided by this update can be  
downloaded from the Red Hat Container Registry at registry.redhat.io.  
Installation instructions for your platform are available at Red Hat  
Container Catalog (see References).

Dockerfiles and scripts should be amended either to refer to this new image  
specifically, or to the latest image generally.

4. Bugs fixed (https://bugzilla.redhat.com/):

2080850 - CVE-2022-25647 com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson  
2088748 - CVE-2022-28948 golang-gopkg-yaml: crash when attempting to deserialize invalid input

5. References:

https://access.redhat.com/security/cve/CVE-2018-25032  
https://access.redhat.com/security/cve/CVE-2021-3634  
https://access.redhat.com/security/cve/CVE-2021-3737  
https://access.redhat.com/security/cve/CVE-2021-4189  
https://access.redhat.com/security/cve/CVE-2022-25647  
https://access.redhat.com/security/cve/CVE-2022-28948  
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYqJsydzjgjWX9erEAQgD+w//RGgsK6HJDmrUB6+LmpIysA4RBvulbCWs  
JF7aqvNMSa4zY6FFc9bA4IBsl90Og86jDQycKV/Hs9XTQxtLozaUmDjj//Cur+EL  
+CAqGI2U5kRjVNaCO9E8lD+NcvQPy/Qu8gb1xYOnLO12s4ZSMpL7JmC/nYv0204B  
oTIg2yeF6eTSCv1rX9WBarOAorMso8iGtGWxRQSOhf2xh6d3XpeU1WvybShWMpt+  
bdkig/tdXm5ukvg0RxGE/H9kH7XwaLhndg7ar2oAPKuoZjtY2J3UrTLDeSx2bhvg  
bYbIrj5dgiSQbmm/A2Quir+ZIAw03a2cBYMvBpKD+pamgyEA/kYoMSxUjrsROV67  
Nt+Dbr+jOhze5H+PjuBuuYCVXwXB/M1lNAlui4tnvrgw1Ueay1xJnbEKqi/bhZqB  
cFnm18qfefKs+BdPjOn3tMJ2XGH8rx/dRzg80PEs/N8eWKTywmnGCQAGtO3sNmYQ  
fjMl2Tq46jcLTEhtDZL4hK+kk+cAPXNAVbhD8bmP9WFaER/bjwPrpa93ilU2gzLH  
7mV5bTejGDtqHYjvly1GH8YGf7oP5XKa/1ss5eBOoIiSwDG+H8SLKeGpl5Gib+wJ  
G/OYFZoPufHUwP3Xn3Nwtb9BUcjAomtQ56TrJ4px3WW5CvvSiQwYWJcSnYXYv2Gz  
kammRoCAyUI=TSuR  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#google