Security
Headlines
HeadlinesLatestCVEs

Tag

#maven

CVE-2020-4301: Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 176609.

CVE
Open in Source
#xss#vulnerability#web#ios#dos#nodejs#js#java#ssrf#auth#ibm#maven
Google Launches New Open Source Bug Bounty to Tackle Supply Chain Attacks

Google on Monday introduced a new bug bounty program for its open source projects, offering payouts anywhere from $100 to $31,337 (a reference to eleet or leet) to secure the ecosystem from supply chain attacks. Called the Open Source Software Vulnerability Rewards Program (OSS VRP), the offering is one of the first open source-specific vulnerability programs. With the tech giant the maintainer

GHSA-rr2m-gffv-mgrj: Deserialization of Untrusted Data in Apache Hadoop YARN

ZKConfigurationStore which is optionally used by CapacityScheduler of Apache Hadoop YARN deserializes data obtained from ZooKeeper without validation. An attacker having access to ZooKeeper can run arbitrary commands as YARN user by exploiting this. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.4 or later (containing YARN-11126) if ZKConfigurationStore is used.

GHSA-h28c-453m-h9xm: Path Traversal in Payara

Payara through 5.2022.2 allows directory traversal without authentication. This affects Payara Server, Payara Micro, and Payara Server Embedded.

Software Supply Chain Chalks Up a Security Win With New Crypto Effort

GitHub, the owner of the Node Package Manager (npm), proposes cryptographically linking source code and JavaScript packages in an effort to shore up supply chain security.

10 Malicious Code Packages Slither into PyPI Registry

The discovery adds to the growing list of recent incidents where threat actors have used public code repositories to distribute malware in software supply chain attacks.

School Kid Uploads Ransomware Scripts to PyPI Repository as 'Fun' Project

The malware packages had names that were common typosquats of a legitimate widely used Python library. One was downloaded hundreds of times.

Jenkins security: Unpatched XSS, CSRF bugs included in latest plugin advisory

‘We believe that announcing vulnerabilities without a fix is the best solution for a difficult problem’

CVE-2022-2576: 580018 – Denial-of-Service vulnerability in the DTLS stack

In Eclipse Californium version 2.0.0 to 2.7.2 and 3.0.0-3.5.0 a DTLS resumption handshake falls back to a DTLS full handshake on a parameter mismatch without using a HelloVerifyRequest. Especially, if used with certificate based cipher suites, that results in message amplification (DDoS other peers) and high CPU load (DoS own peer). The misbehavior occurs only with DTLS_VERIFY_PEERS_ON_RESUMPTION_THRESHOLD values larger than 0.

CVE-2022-1799: Release Notes  |  Google Play services  |  Google Developers

Incorrect signature trust exists within Google Play services SDK play-services-basement. A debug version of Google Play services is trusted by the SDK for devices that are non-GMS. We recommend upgrading the SDK past the 2022-05-03 release.