Security Headlines

Tag: #ssh

Kitty 0.76.0.8 Stack Buffer Overflow

Kitty version 0.76.0.8 suffers from a buffer overflow vulnerability.

Packet Storm | #vulnerability #windows #buffer_overflow #ssh

Zyxel Buffer Overflow / Format String / Command Injection

Zyxel firewalls, AP controllers, and APs suffer from buffer overflow, format string, and command injection vulnerabilities.

CVE-2022-25856: Directory Traversal in github.com/argoproj/argo-events/sensors/artifacts | CVE-2022-25856 | Snyk

The package github.com/argoproj/argo-events/sensors/artifacts before 1.7.1 is vulnerable to Directory Traversal in the (g *GitArtifactReader).Read() API in git.go. This could allow arbitrary file reads if the GitArtifactReader is provided a pathname containing a symbolic link or an implicit directory name such as ...

GHSA-cgw6-f3mj-h742: RustEmbed generated `get` method allows for directory traversal when reading files from disk

When running in debug mode and the `debug-embed` (off by default) feature is not enabled, the generated `get` method does not check that the input path is a child of the folder given. This allows attackers to read arbitrary files in the file system if they have control over the filename given. The following code will print the contents of your `/etc/passwd` if adjusted with a correct number of `../`s depending on where it is run from.

```rust
#[derive(rust_embed::RustEmbed)]
#[folder = "src/"]
pub struct Asset;

fn main() {
    let d = Asset::get("../../../etc/passwd").unwrap().data;
    println!("{}", String::from_utf8_lossy(&d));
}
```

The flaw was corrected by canonicalizing the input filename and ensuring that it starts with the canonicalized folder path.

GHSA-q874-g24w-4q9g: Token bruteforcing

Affects: Notebook and Lab between 6.4.0 (potentially earlier) and 6.4.11 (currently latest). Jupyter Server <=1.16.0. If I am correct about the responsible code it will affect Jupyter-Server 1.17.0 and 2.0.0a0 as well.

Description: If the notebook server is started with a value of `root_dir` that contains the starting user's home directory, then the underlying REST API can be used to leak the access token assigned at start time by guessing/brute-forcing the PID of the jupyter server. While this requires an authenticated user session, this URL can be used from an XSS payload (as in CVE-2021-32798) or from a hooked or otherwise compromised browser to leak this access token to a malicious third party. This token can be used along with the REST API to interact with Jupyter services/notebooks such as modifying or overwriting critical files, such as .bashrc or .ssh/authorized_keys, allowing a malicious user to read potentially sensitive data and possibly gain control of the impacted system.

GHSA-v7vq-3x77-87vg: Token bruteforcing.

### Impact

Authenticated requests to the notebook server with `ContentsManager.allow_hidden = False` only prevented listing the contents of hidden directories, not accessing individual hidden files or files in hidden directories (i.e. hidden files were 'hidden' but not 'inaccessible'). This could lead to notebook configurations allowing authenticated access to files that may reasonably be expected to be disallowed. Because fully authenticated requests are required, this is of relatively low impact. But if a server's root directory contains sensitive files whose only protection from the server is being hidden (e.g. `~/.ssh` while serving $HOME), then any authenticated requests could access files if their names are guessable. Such contexts also necessarily have full access to the server and therefore execution permissions, which also generally grants access to all the same files. So this does not generally result in any privilege esc...

CVE-2022-31299: GitHub - bigzooooz/CVE-2022-31299: Haraj Script 3.7 - Reflected XSS

Haraj v3.7 was discovered to contain a reflected cross-site scripting (XSS) vulnerability in the User Upgrade Form.

Microsoft 365 Function Leaves SharePoint, OneDrive Files Open to Ransomware Attacks

SharePoint and OneDrive libraries can be encrypted in a ransomware attack, researchers say.

CVE-2022-27512: Citrix Application Delivery Management Security Bulletin for CVE-2022-27511 and CVE-2022-27512

Temporary disruption of the ADM license service. The impact of this includes preventing new licenses from being issued or renewed by Citrix ADM.

Wormable Panchan Peer-to-Peer Botnet Harvests Linux Server Keys

The Japanese-language Panchan botnet has been discovered stealing SSH keys from Linux servers across Asia, Europe, and North America, with a focus on telecom and education providers.