#oracle

The beginning of Pwn2Own Berlin 2025, hosted at the OffensiveCon conference, has concluded its first two days with…

How do attackers exploit authority bias to manipulate victims? Martin shares proactive strategies to protect yourself and others in this must-read edition of the Threat Source newsletter.

New research shows Google Cloud and smaller providers have the highest cloud vulnerability rates as compared to AWS…

# Summary `{field}.isFilterable` access control can be bypassed in `update` and `delete` mutations by adding additional unique filters. These filters can be used as an oracle to probe the existence or value of otherwise unreadable fields. Specifically, when a mutation includes a `where` clause with multiple unique filters (e.g. `id` and `email`), Keystone will attempt to match records even if filtering by the latter fields would normally be rejected by `field.isFilterable` or `list.defaultIsFilterable`. This can allow malicious actors to infer the presence of a particular field value when a filter is successful in returning a result. # Impact This affects any project relying on the default or dynamic `isFilterable` behaviour (at the list or field level) to prevent external users from using the filtering of fields as a discovery mechanism. While this access control is respected during `findMany` operations, it was not completely enforced during `update` and `delete` mutations when...

### Impact When run as a server, OPA exposes an HTTP[ Data API](https://www.openpolicyagent.org/docs/latest/rest-api/#data-api) for reading and writing documents. Requesting a virtual document through the Data API entails policy evaluation, where a Rego query containing a single data document [reference](https://www.openpolicyagent.org/docs/latest/policy-language/#references) is constructed from the requested path. This query is then used for policy evaluation. A HTTP request path can be crafted in a way that injects Rego code into the constructed query. The evaluation result cannot be made to return any other data than what is generated by the requested path, but this path can be misdirected, and the injected Rego code can be crafted to make the query succeed or fail; opening up for oracle attacks or, given the right circumstances, erroneous policy decision results. Furthermore, the injected code can be crafted to be computationally expensive, resulting in a Denial Of Service (DoS) ...

Following reports of unauthorized access to a legacy Oracle cloud environment, CISA warns of potential credential compromise leading…

The database company said its Oracle Cloud Infrastructure (OCI) was not involved in the breach. And at least one law firm seeking damages is already on the case.

Today, every unpatched system, leaked password, and overlooked plugin is a doorway for attackers. Supply chains stretch deep into the code we trust, and malware hides not just in shady apps — but in job offers, hardware, and cloud services we rely on every day. Hackers don’t need sophisticated exploits anymore. Sometimes, your credentials and a little social engineering are enough. This week,

Hazel highlights the key findings within Cisco Talos’ 2024 Year in Review (now available for download) and details our active tracking of an ongoing campaign targeting users in Ukraine with malicious LNK files.

Top Data Anonymization Tools of 2025 to protect sensitive information, ensure compliance, and maintain performance across industries.