Security
Headlines
HeadlinesLatestCVEs

Tag

#vulnerability

GHSA-3936-3gx6-49c4: Apache Commons VFS Exposure of Sensitive Information to an Unauthorized Actor

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Commons VFS. The FtpFileObject class can throw an exception when a file is not found, revealing the original URI in its message, which may include a password. The fix is to mask the password in the exception message This issue affects Apache Commons VFS: before 2.10.0. Users are recommended to upgrade to version 2.10.0, which fixes the issue.

ghsa
Open in Source
#vulnerability#web#apache#auth
GHSA-vm77-mr48-27wj: nossrf Server-Side Request Forgery (SSRF)

Versions of the package nossrf before 1.0.4 are vulnerable to Server-Side Request Forgery (SSRF) where an attacker can provide a hostname that resolves to a local or reserved IP address space and bypass the SSRF protection mechanism.

How Cybercriminals Exploit Notification Channels

Cybercriminals are always looking for new ways to take advantage of people. One effective method they use is…

Why AI Systems Need Red Teaming Now More Than Ever

AI systems are becoming a huge part of our lives, but they are not perfect. Red teaming helps…

How Cybercriminals Exploit Public Info for Attacks: Understanding Risks and Prevention

Cybercriminals are skilled at using public information to their advantage. Knowing how they gather this data can help…

GHSA-4m5h-5v4q-4xgq: aizuda snail-job Vulnerable to Deserialization via `nodeExpression` Argument

A vulnerability was found in aizuda snail-job 1.4.0. It has been classified as critical. Affected is the function getRuntime of the file /snail-job/workflow/check-node-expression of the component Workflow-Task Management Module. The manipulation of the argument nodeExpression leads to deserialization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

GHSA-fmxw-76xq-cmqq: Apache Oozie Cross-Site Scripting (XSS)

** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Oozie. This issue affects Apache Oozie: all versions. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Oracle Denies Breach Amid Hacker’s Claim of Access to 6 Million Records

Oracle denies breach claims as hacker alleges access to 6 million cloud records. CloudSEK reports a potential zero-day exploit affecting 140,000 tenants.

GHSA-mh63-6h87-95cp: jwt-go allows excessive memory allocation during header parsing

### Summary Function [`parse.ParseUnverified`](https://github.com/golang-jwt/jwt/blob/c035977d9e11c351f4c05dfeae193923cbab49ee/parser.go#L138-L139) currently splits (via a call to [strings.Split](https://pkg.go.dev/strings#Split)) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose _Authorization_ header consists of `Bearer ` followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: [CWE-405: Asymmetric Resource Consumption (Amplification)](https://cwe.mitre.org/data/definitions/405.html) ### Details See [`parse.ParseUnverified`](https://github.com/golang-jwt/jwt/blob/c035977d9e11c351f4c05dfeae193923cbab49ee/parser.go#L138-L139) ### Impact Excessive memory allocation

GHSA-4jhw-c53w-w5r7: PipeCD Vulnerable to Privilege Escalation

Insecure permissions in pipecd v0.49 allow attackers to gain access to the service account's token, leading to escalation of privileges.