Summary IBM® Db2® is vulnerable to an information disclosure vulnerability due to the consumed GSKit library. The fix for this issue was already published in an earlier bulletin. If you have already applied the appropriate Db2 special build or installed GSKit version 8.0.55.31, which contains the.....
7.5CVSS
6AI Score
0.001EPSS
Ibexa ezplatform-kernel download route allows filename change
Impact The route used for file downloads allows specifying the name of the downloaded file. This is an unintended side effect of the implementation, and means one could construct download URLs with filenames that have no relation to the actual file, which could lead to misunderstandings and...
6.8AI Score
Ibexa ezplatform-kernel download route allows filename change
Impact The route used for file downloads allows specifying the name of the downloaded file. This is an unintended side effect of the implementation, and means one could construct download URLs with filenames that have no relation to the actual file, which could lead to misunderstandings and...
6.9AI Score
Ibexa DXP Download route allows filename change
Impact The route used for file downloads allows specifying the name of the downloaded file. This is an unintended side effect of the implementation, and means one could construct download URLs with filenames that have no relation to the actual file, which could lead to misunderstandings and...
7AI Score
Ibexa DXP Download route allows filename change
Impact The route used for file downloads allows specifying the name of the downloaded file. This is an unintended side effect of the implementation, and means one could construct download URLs with filenames that have no relation to the actual file, which could lead to misunderstandings and...
7AI Score
Download route allows filename change in eZpublish kernel
Impact The route used for file downloads allows specifying the name of the downloaded file. This is an unintended side effect of the implementation, and means one could construct download URLs with filenames that have no relation to the actual file, which could lead to misunderstandings and...
7AI Score
Download route allows filename change in eZpublish kernel
Impact The route used for file downloads allows specifying the name of the downloaded file. This is an unintended side effect of the implementation, and means one could construct download URLs with filenames that have no relation to the actual file, which could lead to misunderstandings and...
7AI Score
SaaS Security is Now Accessible and Affordable to All
This new product offers SaaS discovery and risk assessment coupled with a free user access review in a unique "freemium" model Securing employees' SaaS usage is becoming increasingly crucial for most cloud-based organizations. While numerous tools are available to address this need, they often...
7AI Score
What is a Cloud Native Application Protection Platform CNAPP ?
Revealing the Secrets of the Cloud-specific Application Safety Platform (CSASP) In the landscape of online safety, the notion of the Cloud-specific Application Safety Platform (CSASP) is something relatively unheard of, but rapidly gaining popularity. Intuitively from its name, CSASP is a system...
7.6AI Score
What is a Cloud Workload Protection Platform ? (CWPP)
Diving into the Depths of Cloud Workload Defense Framework (CWDF) Mysteries Setting out to understand cloud security, one frequently encounters the term - Cloud Workload Defense Framework (CWDF). What exact role does CWDF play? Let's decode this riddle. At its core, the Cloud Workload Defense...
7.5AI Score
Exploit for Code Injection in Apache Rocketmq
CVE-2023-33246 - RocketMQ Remote Code Execution...
9.8CVSS
7.6AI Score
0.973EPSS
browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack
Summary An upper bound check issue in dsaVerify function allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack. Details In dsaVerify function, it checks whether the value of the signature is legal by calling...
7.5CVSS
6.3AI Score
0.001EPSS
browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack
Summary An upper bound check issue in dsaVerify function allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack. Details In dsaVerify function, it checks whether the value of the signature is legal by calling...
7.5CVSS
6.7AI Score
0.001EPSS
SUSE SLED15 / SLES15 / openSUSE 15 Security Update : openssl-3 (SUSE-SU-2023:4190-1)
The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:4190-1 advisory. Issue summary: Checking excessively long DH keys or parameters may be very slow. Impact...
7.5CVSS
7.5AI Score
0.003EPSS
SUSE SLED15 / SLES15 / openSUSE 15 Security Update : openssl-3 (SUSE-SU-2023:4189-1)
The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:4189-1 advisory. Issue summary: Checking excessively long DH keys or parameters may be very slow. Impact...
7.5CVSS
7.5AI Score
0.003EPSS
Issue summary: A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers. Impact summary: A truncation in the IV can result in non-uniqueness, which could result...
7.5CVSS
6.7AI Score
0.001EPSS
Issue summary: A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers. Impact summary: A truncation in the IV can result in non-uniqueness, which could result...
7.5CVSS
7.4AI Score
0.001EPSS
Issue summary: A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers. Impact summary: A truncation in the IV can result in non-uniqueness, which could result...
7.5CVSS
7.3AI Score
0.001EPSS
Issue summary: A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers. Impact summary: A truncation in the IV can result in non-uniqueness, which could result...
7.5CVSS
7.4AI Score
0.001EPSS
Issue summary: A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers. Impact summary: A truncation in the IV can result in non-uniqueness, which could result...
7.5CVSS
7.6AI Score
0.001EPSS
Issue summary: A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers. Impact summary: A truncation in the IV can result in non-uniqueness, which could result...
7.5CVSS
7.2AI Score
0.001EPSS
OpenSSL Incorrect Cipher Key & IV Length Processing Vulnerability (20231024) - Windows
OpenSSL is prone to an incorrect processing of key and initialisation vector (IV) lengths...
7.5CVSS
7.5AI Score
0.001EPSS
OpenSSL 3.0.0 < 3.0.12 Multiple Vulnerabilities
The version of OpenSSL installed on the remote host is prior to 3.0.12. It is, therefore, affected by multiple vulnerabilities as referenced in the 3.0.12 advisory. Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal...
7.5CVSS
8AI Score
0.001EPSS
Lines of code Vulnerability details Lines of code Vulnerability details Mitigation of M-08: Issue mitigated with ERROR Mitigated issue M-08: Inflation attack in VotiumStrategy The issue was that the price of afEth and of vAfEth could be inflated by donating underlying assets. Mitigation review All....
7AI Score
OpenSSL Incorrect Cipher Key & IV Length Processing Vulnerability (20231024) - Linux
OpenSSL is prone to an incorrect processing of key and initialisation vector (IV) lengths...
7.5CVSS
7.5AI Score
0.001EPSS
OpenSSL 3.1.0 < 3.1.4 Vulnerability
The version of OpenSSL installed on the remote host is prior to 3.1.4. It is, therefore, affected by a vulnerability as referenced in the 3.1.4 advisory. Issue summary: A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential...
7.5CVSS
7.6AI Score
0.001EPSS
CVE-2023-5363 Incorrect cipher key & IV length processing
Issue summary: A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers. Impact summary: A truncation in the IV can result in non-uniqueness, which could result...
7.7AI Score
0.001EPSS
Why We Don’t Generate Elliptic Curves Every Day
With all the talk recently of how the NIST curve parameters were selected, a reasonable observer could wonder why we all use the same curves instead of generating them along with keys, like we do for Diffie-Hellman parameters. (You might have memories of waiting around for openssl dhparam to run...
7.1AI Score
Application Layer Gateway (ALG) Explained: What it is & Why You Need it ?
Snippet When you hear "Application Layer Gateway," or ALG for short, think of it as a network traffic conductor. It's the unsung hero that examines data packets, making sure they follow specific rules and get to where they're supposed to go—securely and efficiently. Quick Facts Definition In the...
7.5AI Score
Issue summary: A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers. Impact summary: A truncation in the IV can result in non-uniqueness, which could result...
7.5CVSS
5.4AI Score
0.001EPSS
Former Uber CISO Appealing His Conviction
Joe Sullivan, Uber's CEO during their 2016 data breach, is appealing his conviction. Prosecutors charged Sullivan, whom Uber hired as CISO after the 2014 breach, of withholding information about the 2016 incident from the FTC even as its investigators were scrutinizing the company's data security.....
6.9AI Score
Talos Vulnerability Report TALOS-2023-1825 JustSystems Corporation Ichitaro 2023 DocumentViewStyles and DocumentEditStyles stream relative write vulnerabilities October 19, 2023 CVE Number CVE-2023-35126 SUMMARY An out-of-bounds write vulnerability exists within the parsers for both the...
7.8CVSS
7.9AI Score
0.002EPSS
D-Link Confirms Data Breach: Employee Falls Victim to Phishing Attack
Taiwanese networking equipment manufacturer D-Link has confirmed a data breach that led to the exposure of what it said is "low-sensitivity and semi-public information." "The data was confirmed not from the cloud but likely originated from an old D-View 6 system, which reached its end of life as...
6.9AI Score
Getting RCE in Chrome with incomplete object initialization in the Maglev compiler
In this post I'll exploit CVE-2023-4069, a type confusion vulnerability that I reported in July 2023. The vulnerability—which allows remote code execution (RCE) in the renderer sandbox of Chrome by a single visit to a malicious site—is found in v8, the Javascript engine of Chrome. It was filed as.....
8.8CVSS
8.5AI Score
0.002EPSS
vantage6 does not properly delete linked resources when deleting a collaboration
When a collaboration is deleted in vantage6, the linked resources (such as tasks from that collaboration) are not properly deleted. This is partly to manage data properly, but also to prevent a potential (but unlikely) side-effect, where if a collaboration with id=10 is deleted, and subsequently a....
4.3CVSS
5.9AI Score
0.001EPSS
vantage6 does not properly delete linked resources when deleting a collaboration
When a collaboration is deleted in vantage6, the linked resources (such as tasks from that collaboration) are not properly deleted. This is partly to manage data properly, but also to prevent a potential (but unlikely) side-effect, where if a collaboration with id=10 is deleted, and subsequently a....
4.3CVSS
6.2AI Score
0.001EPSS
Apache Kafka’s Exactly-Once Semantics in Spring Cloud Stream Kafka Applications
Other parts in this blog series Part 1: Introduction to Transactions in Spring Cloud Stream Kafka Applications Part 2: Producer Initiated Transactions in Spring Cloud Stream Kafka Applications Part 3: Synchronizing with External Transaction Managers in Spring Cloud Stream Kafka Applications Part...
6.6AI Score
Ransomware Attacks Double: Are Companies Prepared for 2024's Cyber Threats?
Ransomware attacks have only increased in sophistication and capabilities over the past year. From new evasion and anti-analysis techniques to stealthier variants coded in new languages, ransomware groups have adapted their tactics to effectively bypass common defense strategies. Cyble, a...
7.5AI Score
An analysis of an in-the-wild iOS Safari WebContent to GPU Process exploit
By Ian Beer A graph representation of the sandbox escape NSExpression payload In April this year Google's Threat Analysis Group, in collaboration with Amnesty International, discovered an in-the-wild iPhone zero-day exploit chain being used in targeted attacks delivered via malicious link. The...
8.8CVSS
7.4AI Score
0.021EPSS
vantage6 is privacy preserving federated learning infrastructure. When a collaboration is deleted, the linked resources (such as tasks from that collaboration) should be deleted. This is partly to manage data properly, but also to prevent a potential (but unlikely) side-effect that affects...
4.3CVSS
6.7AI Score
0.001EPSS
vantage6 is privacy preserving federated learning infrastructure. When a collaboration is deleted, the linked resources (such as tasks from that collaboration) should be deleted. This is partly to manage data properly, but also to prevent a potential (but unlikely) side-effect that affects...
4.3CVSS
4AI Score
0.001EPSS
vantage6 is privacy preserving federated learning infrastructure. When a collaboration is deleted, the linked resources (such as tasks from that collaboration) should be deleted. This is partly to manage data properly, but also to prevent a potential (but unlikely) side-effect that affects...
4.3CVSS
4.2AI Score
0.001EPSS
vantage6 is privacy preserving federated learning infrastructure. When a collaboration is deleted, the linked resources (such as tasks from that collaboration) should be deleted. This is partly to manage data properly, but also to prevent a potential (but unlikely) side-effect that affects...
4.3CVSS
6.7AI Score
0.001EPSS
vantage6 is privacy preserving federated learning infrastructure. When a collaboration is deleted, the linked resources (such as tasks from that collaboration) should be deleted. This is partly to manage data properly, but also to prevent a potential (but unlikely) side-effect that affects...
4.3CVSS
4.4AI Score
0.001EPSS
CVE-2023-41881 Deleting a collaboration should also delete linked resources
vantage6 is privacy preserving federated learning infrastructure. When a collaboration is deleted, the linked resources (such as tasks from that collaboration) should be deleted. This is partly to manage data properly, but also to prevent a potential (but unlikely) side-effect that affects...
3.7CVSS
4.6AI Score
0.001EPSS
Automatic disruption of human-operated attacks through containment of compromised user accounts
Our experience and insights from real-world incidents tell us that the swift containment of compromised user accounts is key to disrupting hands-on-keyboard attacks, especially those that involve human-operated ransomware. In these attacks, lateral movement follows initial access as the next...
7.9AI Score
Automatic disruption of human-operated attacks through containment of compromised user accounts
Our experience and insights from real-world incidents tell us that the swift containment of compromised user accounts is key to disrupting hands-on-keyboard attacks, especially those that involve human-operated ransomware. In these attacks, lateral movement follows initial access as the next...
7.9AI Score
Ransomware review: October 2023
This article is based on research by Marcelo Rivero, Malwarebytes' ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, "known attacks" are those where the victim did not pay a ransom. This provides the best overall picture of...
9.1CVSS
6.8AI Score
0.023EPSS
CISA catalog passes 1,000 known-to-be-exploited vulnerabilities. Celebration time, or is it?
On September 18, 2023, the Cybersecurity & Infrastructure Security Agency (CISA) announced that its Known Exploited Vulnerabilities (KEV) catalog has reached the milestone of covering more than 1,000 vulnerabilities since its launch in November 2021. This may seem like a lot, but with over 25,000.....
6.7AI Score
HTTP/2 Stream Cancellation Attack
HTTP/2 Rapid reset attack The HTTP/2 protocol allows clients to indicate to the server that a previous stream should be canceled by sending a RST_STREAM frame. The protocol does not require the client and server to coordinate the cancellation in any way, the client may do it unilaterally. The...
7.5CVSS
6.8AI Score
0.732EPSS