MiniOrange's Google Authenticator Security Vulnerabilities

Source: wolfi
GHSA-8R3F-844C-MC37 vulnerabilities
Vulnerabilities for packages: buf, terraform-docs, restic, spire-server, melange, istio-pilot-agent, amass, cri-tools, kwok, cadvisor, secrets-store-csi-driver-provider-aws, grype, prometheus-mongodb-exporter, crossplane, dex, step-ca, k3d, spark-operator, prometheus-bind-exporter, opentofu, ...
AI Score: 7.5 | 2024-06-18 03:21 PM | 164

Source: wolfi
CVE-2024-24789 vulnerabilities
Vulnerabilities for packages: flyte, istio-pilot-agent, cadvisor, grype, paranoia, nri-mssql, dex, step-ca, trivy, zarf, protoc-gen-go, cortex, flux-helm-controller, metacontroller, gatekeeper, docker-credential-ecr-login, gitness, flux, k9s, render-template, kubeadm-bootstrap-controller, k8sgpt, ...
AI Score: 6.5 | EPSS: 0.0004 | 2024-06-18 03:21 PM | 13

Source: wolfi
CVE-2023-45288 vulnerabilities
Vulnerabilities for packages: flyte, melange, istio-pilot-agent, cadvisor, paranoia, nri-mssql, dex, step-ca, spark-operator, trivy, zarf, protoc-gen-go, cortex, flux-helm-controller, metacontroller, gatekeeper, docker-credential-ecr-login, gitness, flux, k9s, render-template, ...
AI Score: 6.8 | EPSS: 0.0004 | 2024-06-18 03:21 PM | 53

Source: wolfi
CVE-2024-24786 vulnerabilities
Vulnerabilities for packages: buf, terraform-docs, restic, spire-server, melange, istio-pilot-agent, amass, cri-tools, kwok, cadvisor, secrets-store-csi-driver-provider-aws, grype, prometheus-mongodb-exporter, crossplane, dex, step-ca, k3d, spark-operator, prometheus-bind-exporter, opentofu, ...
AI Score: 6.7 | EPSS: 0.0004 | 2024-06-18 03:21 PM | 28

Source: wolfi
GHSA-4V7X-PQXF-CX7M vulnerabilities
Vulnerabilities for packages: flyte, melange, istio-pilot-agent, cadvisor, paranoia, nri-mssql, dex, step-ca, spark-operator, trivy, zarf, protoc-gen-go, cortex, flux-helm-controller, metacontroller, gatekeeper, docker-credential-ecr-login, gitness, flux, k9s, render-template, ...
AI Score: 7.5 | 2024-06-18 03:21 PM | 20

Source: wolfi
CVE-2024-24790 vulnerabilities
Vulnerabilities for packages: flyte, istio-pilot-agent, cadvisor, grype, paranoia, nri-mssql, dex, step-ca, trivy, zarf, protoc-gen-go, cortex, flux-helm-controller, metacontroller, gatekeeper, docker-credential-ecr-login, gitness, flux, k9s, render-template, kubeadm-bootstrap-controller, k8sgpt, ...
AI Score: 6.5 | EPSS: 0.0004 | 2024-06-18 03:21 PM | 10

Source: wolfi
GHSA-9763-4F94-GFCH vulnerabilities
Vulnerabilities for packages: wolfictl, spire-server, melange, flux-kustomize-controller, flux-notification-controller, crossplane-provider-aws, crossplane, terragrunt, aactl, zarf, policy-controller, vexctl, keda, kaniko, pulumi-kubernetes-operator, zot, falco, tekton-chains, rclone, ...
AI Score: 7.5 | 2024-06-18 03:21 PM | 41

Source: wolfi
GHSA-49GW-VXVF-FC2G vulnerabilities
Vulnerabilities for packages: flyte, istio-pilot-agent, cadvisor, grype, paranoia, nri-mssql, dex, step-ca, trivy, zarf, protoc-gen-go, cortex, flux-helm-controller, metacontroller, gatekeeper, docker-credential-ecr-login, gitness, flux, k9s, render-template, kubeadm-bootstrap-controller, k8sgpt, ...
AI Score: 7.5 | 2024-06-18 03:21 PM | 2

Source: wolfi
GHSA-236W-P7WF-5PH8 vulnerabilities
Vulnerabilities for packages: flyte, istio-pilot-agent, cadvisor, grype, paranoia, nri-mssql, dex, step-ca, trivy, zarf, protoc-gen-go, cortex, flux-helm-controller, metacontroller, gatekeeper, docker-credential-ecr-login, gitness, flux, k9s, render-template, kubeadm-bootstrap-controller, k8sgpt, ...
AI Score: 7.5 | 2024-06-18 03:21 PM | 2

Source: kitploit
CyberChef - The Cyber Swiss Army Knife - A Web App For Encryption, Encoding, Compression And Data Analysis
CyberChef is a simple, intuitive web app for carrying out all manner of "cyber" operations within a web browser. These operations include simple encoding like XOR and Base64, more complex encryption like AES, DES and Blowfish, creating binary and hexdumps, compression and decompression of data, ...
AI Score: 6.9 | 2024-06-18 12:30 PM

Source: securelist
Analysis of user password strength
The processing power of computers keeps growing, helping users to solve increasingly complex problems faster. A side effect is that passwords that were impossible to guess just a few years ago can be cracked by hackers within mere seconds in 2024. For example, the RTX 4090 GPU is capable of ...
AI Score: 6.9 | 2024-06-18 11:30 AM | 1

Source: thn
The Annual SaaS Security Report: 2025 CISO Plans and Priorities
Seventy percent of enterprises are prioritizing investment in SaaS security by establishing dedicated teams to secure SaaS applications, as part of a growing trend of maturity in this field of cybersecurity, according to a new survey released this month by the Cloud Security Alliance (CSA). ...
AI Score: 7.2 | 2024-06-18 11:23 AM | 4

Source: ibm
Security Bulletin: Vulnerabilities in JAR files affect Transparent Cloud Tiering in IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products
Summary: Vulnerabilities in multiple JAR files affect Transparent Cloud Tiering in IBM SAN Volume Controller, IBM Storwize, IBM Storage Virtualize and IBM FlashSystem products. The vulnerabilities are not thought to be exploitable but IBM recommends upgrade for users of Transparent Cloud Tiering ...
CVSS: 9.8 | AI Score: 9.4 | EPSS: 0.939 | 2024-06-18 09:13 AM | 10

Source: vulnrichment
CVE-2024-5899 Improper trust check in Bazel Build IntelliJ plugin
When the Bazel Plugin in IntelliJ imports a project (either using "import project" or "Auto import") the dialog for trusting the project is not displayed. This comes from the fact that both call the method ProjectBuilder.createProject which then calls ProjectManager.getInstance().createProject. This ...
AI Score: 7.1 | 2024-06-18 08:12 AM

Source: cvelist
CVE-2024-5899 Improper trust check in Bazel Build IntelliJ plugin
When the Bazel Plugin in IntelliJ imports a project (either using "import project" or "Auto import") the dialog for trusting the project is not displayed. This comes from the fact that both call the method ProjectBuilder.createProject which then calls ProjectManager.getInstance().createProject. This ...
2024-06-18 08:12 AM | 1

Source: osv
BIT-kibana-2024-23442
An open redirect issue was discovered in Kibana that could lead to a user being redirected to an arbitrary website if they use a maliciously crafted Kibana ...
CVSS: 6.1 | AI Score: 6.2 | EPSS: 0.001 | 2024-06-18 07:22 AM | 1

Source: osv
BIT-gitlab-2024-5469
DoS in KAS in GitLab CE/EE affecting all versions from 16.10.0 prior to 16.10.6 and 16.11.0 prior to 16.11.3 allows an attacker to crash KAS via crafted gRPC ...
CVSS: 3.1 | AI Score: 6.3 | EPSS: 0.0004 | 2024-06-18 07:18 AM | 14

Source: osv
BIT-elk-2024-23442
An open redirect issue was discovered in Kibana that could lead to a user being redirected to an arbitrary website if they use a maliciously crafted Kibana ...
CVSS: 6.1 | AI Score: 6.2 | EPSS: 0.001 | 2024-06-18 07:17 AM

Source: osv
BIT-airflow-2024-25142
Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow. Airflow did not return a "Cache-Control" header for dynamic content, which in the case of some browsers could result in potentially storing sensitive data in the local cache of the browser. This issue affects Apache ...
AI Score: 6.1 | EPSS: 0.0004 | 2024-06-18 07:17 AM | 1

Source: osv
Malicious code in rb-info-banner (npm)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (b4418457e7570184ceb88f4adbd3857b2c1f0272bdac5533354efc091d1b726b) The OpenSSF Package Analysis project identified 'rb-info-banner' @ 1.0.0 (npm) as malicious. It is considered malicious because: The package ...
AI Score: 7.1 | 2024-06-18 05:41 AM | 1

Source: osv
Malicious code in rb-accordion (npm)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (92f6b37cf2d8d698234663a0312bdadd85f0034ac2bf9d6ae20cdcbc1d5dd69a) The OpenSSF Package Analysis project identified 'rb-accordion' @ 1.0.0 (npm) as malicious. It is considered malicious because: The package ...
AI Score: 7.1 | 2024-06-18 05:35 AM

Source: osv
Malicious code in rb-payment-input (npm)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (e2609ed37d97239b7a1cf44a814e27f11d2a31ffa84f2c47f51a83f6e39166d3) The OpenSSF Package Analysis project identified 'rb-payment-input' @ 1.0.0 (npm) as malicious. It is considered malicious because: The package ...
AI Score: 7.1 | 2024-06-18 05:27 AM

Source: spring
This Week in Spring - June 18th, 2024
Hi, Spring fans! Welcome to another installment of This Week in Spring! I've just come from Paris, France, and now I'm in equally beautiful Krakow, Poland, for the amazing Devoxx PL event. We've got a ton of good stuff to dive into, so let's get going! In last week's installment of Spring Tips, I ...
AI Score: 7.3 | 2024-06-18 12:00 AM | 1

Source: osv
Rancher's RKE1 Encryption Config kept in plain-text within cluster AppliedSpec
Impact: This issue is only relevant to clusters provisioned using RKE1 with secrets encryption configuration enabled. A vulnerability has been identified in which an RKE1 cluster keeps constantly reconciling when secrets encryption configuration is enabled (please see the RKE documentation). When ...
AI Score: 6.1 | 2024-06-17 10:30 PM | 7

Source: osv
Rancher's External RoleTemplates can lead to privilege escalation
Impact: A vulnerability has been identified whereby privilege escalation checks are not properly enforced for RoleTemplate objects when external=true, which in specific scenarios can lead to privilege escalation. The bug in the webhook rule resolver ignores rules from a ClusterRole for external ...
AI Score: 6.5 | 2024-06-17 10:30 PM | 2

Source: osv
rke's credentials are stored in the RKE1 Cluster state ConfigMap
Impact: When RKE provisions a cluster, it stores the cluster state in a configmap called full-cluster-state inside the kube-system namespace of the cluster itself. This cluster state object contains information used to set up the K8s cluster, which may include the following sensitive data: ...
AI Score: 6 | 2024-06-17 10:30 PM | 3

Source: osv
Rancher does not automatically clean up a user deleted or disabled from the configured Authentication Provider
Impact: A vulnerability has been identified in which Rancher does not automatically clean up a user which has been deleted from the configured authentication provider (AP). This characteristic also applies to disabled or revoked users: Rancher will not reflect these modifications, which may leave ...
AI Score: 6.5 | 2024-06-17 10:30 PM | 3

Source: osv
Lobe Chat API Key Leak
Summary: If an attacker can successfully authenticate through SSO/Access Code, they can obtain the real backend API Key by modifying the base URL to their own attack URL on the frontend and setting up a server-side request. Details: The attack process is described above. PoC Frontend: 1. Pass basic ...
CVSS: 5.7 | AI Score: 6.9 | EPSS: 0.0004 | 2024-06-17 10:28 PM | 3

Source: osv
Firefly III has a MFA bypass in oauth flow
Impact: A MFA bypass in the Firefly III OAuth flow may allow malicious users to bypass the MFA-check. This allows malicious users to use password spraying to gain access to your Firefly III data using passwords stolen from other sources. As OAuth applications are easily enumerable using an ...
CVSS: 5.9 | AI Score: 7.2 | EPSS: 0.0004 | 2024-06-17 10:28 PM | 3

Source: osv
urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects
When using urllib3's proxy support with ProxyManager, the Proxy-Authorization header is only sent to the configured proxy, as expected. However, when sending HTTP requests without using urllib3's proxy support, it's possible to accidentally configure the Proxy-Authorization header even though it ...
CVSS: 4.4 | AI Score: 7 | EPSS: 0.0004 | 2024-06-17 09:37 PM | 2

Source: osv
LNbits improperly handles potential network and payment failures when using Eclair backend
Summary: Paying invoices in Eclair that do not get settled within the internal timeout (about 30s) leads to a payment being considered failed, even though it may still be in flight. Details: Using blocking: true on the API call will lead to a timeout error if a payment does not get settled in the 30s ...
CVSS: 8.1 | AI Score: 6.7 | EPSS: 0.0004 | 2024-06-17 09:24 PM | 4

Source: osv
DeepJavaLibrary API absolute path traversal
Summary: DeepJavaLibrary (DJL) versions 0.1.0 through 0.27.0 do not prevent absolute path archived artifacts from inserting archived files directly into the system, overwriting system files. This is fixed in DJL 0.28.0 and patched in DJL Large Model Inference containers 0.27.0. Impacted versions: ...
CVSS: 10 | AI Score: 6.7 | EPSS: 0.0004 | 2024-06-17 09:20 PM | 4

Source: rapid7blog
Malvertising Campaign Leads to Execution of Oyster Backdoor
The following analysts contributed to this blog: Thomas Elkins, Daniel Thiede, Josh Lockwood, Tyler McGraw, and Sasha Kovalev. Executive Summary: Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and ...
AI Score: 7.1 | 2024-06-17 08:28 PM | 3

Source: osv
@akbr/update Prototype Pollution
akbr update 1.0.0 is vulnerable to Prototype Pollution via ...
AI Score: 6.8 | EPSS: 0.0004 | 2024-06-17 06:31 PM

Source: osv
obx Prototype Pollution
almela obx before v.0.0.4 has a Prototype Pollution issue which allows arbitrary code execution via the obx/build/index.js:656), reduce (@almela/obx/build/index.js:470), Object.set (obx/build/index.js:269) ...
AI Score: 7.7 | EPSS: 0.0004 | 2024-06-17 06:31 PM

Source: osv
Object Resolver Prototype Pollution
apphp js-object-resolver < 3.1.1 is vulnerable to Prototype Pollution via ...
AI Score: 6.7 | EPSS: 0.0004 | 2024-06-17 06:31 PM

Source: osv
flatten-json Prototype Pollution
A Prototype Pollution issue in flatten-json 1.0.1 allows an attacker to execute arbitrary code via module.exports.unflattenJSON ...
AI Score: 7.7 | EPSS: 0.0004 | 2024-06-17 06:31 PM

Source: osv
ghostscript vulnerabilities
It was discovered that Ghostscript did not properly restrict eexec seeds to those specified by the Type 1 Font Format standard when SAFER mode is used. An attacker could use this issue to bypass SAFER restrictions and cause unspecified impact. (CVE-2023-52722) This issue only affected Ubuntu 20.04 ...
AI Score: 7.5 | 2024-06-17 05:35 PM

Source: osv
Malicious code in delta0231 (npm)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (7df399fa1580fb8e64d7cd2481b0212f607aa8146a1b904b83a7af05ebb8031b) The OpenSSF Package Analysis project identified 'delta0231' @ 100.0.0 (npm) as malicious. It is considered malicious because: The package ...
AI Score: 7.3 | 2024-06-17 04:55 PM

Source: osv
Malicious code in commando333333 (npm)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (3da17f518475bb94d3d0740d0e1fc486dcce1f4fd1c8f86b9578176c4ea04a03) The OpenSSF Package Analysis project identified 'commando333333' @ 10.0.0 (npm) as malicious. It is considered malicious because: The package ...
AI Score: 7.3 | 2024-06-17 04:35 PM

Source: osv
Malicious code in dc-test1-asdf (npm)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (04026ef40e4abce9afd70341d1bbb7d8907a917e7a6bd0fd6b7ffb15623a30c0) The OpenSSF Package Analysis project identified 'dc-test1-asdf' @ 1.0.1 (npm) as malicious. It is considered malicious because: The package ...
AI Score: 7.3 | 2024-06-17 03:46 PM

Source: osv
object-deep-assign Prototype Pollution
alexbinary object-deep-assign 1.0.11 is vulnerable to Prototype Pollution via the extend() method of Module.deepAssign ...
AI Score: 6.8 | EPSS: 0.0004 | 2024-06-17 03:30 PM

Source: osv
Badger Database Prototype Pollution
A Prototype Pollution issue in abw badger-database 1.2.1 allows an attacker to execute arbitrary code via ...
AI Score: 7.7 | EPSS: 0.0004 | 2024-06-17 03:30 PM

Source: osv
@cdr0/sg Prototype Pollution
A Prototype Pollution issue in cdr0 sg 1.0.10 allows an attacker to execute arbitrary ...
AI Score: 7.5 | EPSS: 0.0004 | 2024-06-17 03:30 PM

Source: osv
PSF-2024-4
A defect was discovered in the Python "ssl" module where there is a memory race condition with the ssl.SSLContext methods "cert_store_stats()" and "get_ca_certs()". The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such ...
AI Score: 6.6 | EPSS: 0.0004 | 2024-06-17 03:09 PM | 1

Source: osv
PSF-2024-5
The "ipaddress" module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as "globally reachable" or "private". This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ...
AI Score: 6.7 | EPSS: 0.0004 | 2024-06-17 03:05 PM

Source: osv
ruby2.7, ruby3.0, ruby3.1, ruby3.2 vulnerabilities
It was discovered that Ruby RDoc incorrectly parsed certain YAML files. If a user or automated system were tricked into parsing a specially crafted .rdoc_options file, a remote attacker could possibly use this issue to execute arbitrary code. (CVE-2024-27281) It was discovered that the Ruby regex ...
AI Score: 7 | 2024-06-17 02:24 PM

Source: osv
ruby-rack vulnerabilities
It was discovered that Rack incorrectly handled Multipart MIME parsing. A remote attacker could possibly use this issue to cause Rack to consume resources, leading to a denial of service. This issue only affected Ubuntu 23.10. (CVE-2023-27530) It was discovered that Rack incorrectly parsed certain ...
CVSS: 7.5 | AI Score: 7 | EPSS: 0.001 | 2024-06-17 01:12 PM

Source: osv
sssd vulnerability
It was discovered that SSSD did not always correctly apply the GPO policy for authenticated users, contrary to expectations. This could result in improper authorization or improper access to ...
CVSS: 7.1 | AI Score: 6.9 | EPSS: 0.0004 | 2024-06-17 01:00 PM

Source: osv
Malicious code in importlib-metadate (PyPI)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (540e9c9d054904f5342d684bd5cabf212fdbe7e4d20bac7407c937a6b8264cab) The OpenSSF Package Analysis project identified 'importlib-metadate' @ 99.99 (pypi) as malicious. It is considered malicious because: The package ...
AI Score: 7.4 | 2024-06-17 12:41 PM

Total number of security vulnerabilities: 258154