SUSE-SU-2018:1757-1 Security update for salt
This update for salt provides version 2018.3 and brings many fixes and improvements: - Fix for sorting of multi-version packages bsc1097174 and bsc1097413 - Align SUSE salt-master.service 'LimitNOFILES' limit with upstream Salt - Add 'other' attribute to GECOS fields to avoid inconsistencies with...
Security Bulletin: Docker and Python as used in IBM QRadar SIEM is vulnerable to various CVEs.
Summary The product includes vulnerable components, e.g. framework libraries, that may be identified and exploited with automated tools. Vulnerability Details CVEID: CVE-2016-3697 DESCRIPTION: Docker could allow a local attacker to gain elevated privileges on the system, caused by an error in...
PwnAdventure3 - Game Open-World MMORPG Intentionally Vulnerable To Hacks
Pwnie Island is a limited-release, first-person, true open-world MMORPG set on a beautiful island where anything could happen. That's because this game is intentionally vulnerable to all kinds of silly hacks! Flying, endless cash, and more are all one client change or network proxy away. Are you...
Uber: [data-07.uberinternal.com] SSRF in Portainer app lead to access to Internal Docker API without Auth
Vulnerability description not provided...
This Week in Security News: Cyber Leads and Email Frauds
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, The Trump Administration added a cyber lead at Homeland Security and the Energy Department. Also, the FBI announced the arrest of 74 “email...
Security Bulletin: Multiple Security Vulnerabilities fixed in IBM WebSphere Application Server 8.5.5.9
Summary Cross reference list for security vulnerabilities fixed in IBM WebSphere Application Server, IBM WebSphere Application Server Hypervisor, WebSphere Application Server Liberty Profile and IBM HTTP Server. Affected Products and Versions The following IBM WebSphere Application Server Version...
Malicious Docker Containers Earn Cryptomining Criminals $90K
UPDATE: Seventeen malicious Docker containers earned cryptomining criminals $90,000 in 30 days in what could be a harbinger of things to come. The figure may seem tame compared to some of the larger paydays that cryptojackers have earned. But researchers at Kromtech Security Center warn container...
DefectDojo - Application Vulnerability Correlation And Security Orchestration Application
DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, schedule scans, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one...
RouterSploit v3.0 - Exploitation Framework For Embedded Devices
The RouterSploit Framework is an open-source exploitation framework dedicated to embedded devices. It consists of various modules that aid penetration testing operations: exploits - modules that take advantage of identified vulnerabilities; creds - modules designed to test credentials against...
RIPS Integration into Jenkins CI with Pipeline Support
Pipelines The Pipeline approach is a more developer friendly method to define the build and test process of a project. It is as easy as placing a file named Jenkinsfile into your project which contains all the configuration. This is well known from other build tools like Docker or make and improv...
Archerysec - Open Source Vulnerability Assessment And Management Helps Developers And Pentesters To Perform Scans And Manage Vulnerabilities
Archery is an open-source vulnerability assessment and management tool which helps developers and pentesters to perform scans and manage vulnerabilities. Archery uses popular open-source tools to perform comprehensive scanning for web applications and networks. It also performs web application dynami...
Open Source Deception Framework: DejaVU
Deception techniques, if deployed well, can be very effective for organizations to improve network defense and can be a useful arsenal for blue teams to detect attacks at a very early stage of the cyber kill chain. But the challenge we have seen is deploying, managing and administering decoys across larg...
Parrot Security 4.0 - Security GNU/Linux Distribution Designed with Cloud Pentesting and IoT Security in Mind
Parrot 4.0 is now available for download. The development process of this version required a lot of time, and many important updates make this release an important milestone in the history of our project. This release includes all the updated packages and bug fixes released since the last version...
Misconfigured Reverse Proxy Servers Spill Credentials
Researchers have created a proof-of-concept attack that allows unauthenticated adversaries to extract user credentials from misconfigured reverse proxy servers in order to delete, manipulate or extract data from websites and applications. The proof-of-concept (PoC) attack targets major cloud...
[ASA-201805-11] runc: privilege escalation
Arch Linux Security Advisory ASA-201805-11. Severity: High. Date: 2018-05-16. CVE-ID: CVE-2016-9962. Package: runc. Type: privilege escalation. Remote: No. Link: https://security.archlinux.org/AVG-134. Summary: The package runc before version...
OWASP Juice Shop - An Intentionally Insecure Webapp For Security Trainings Written Entirely In Javascript
OWASP Juice Shop is an intentionally insecure web application written entirely in JavaScript which encompasses the entire range of OWASP Top Ten and other severe security flaws. For a detailed introduction, full list of features and architecture overview please visit the official project page:...
(RHSA-2018:1427) Low: docker-latest in the Extras channel - deprecation notice
Docker is an open-source engine that automates the deployment of any application as a lightweight, portable, self-sufficient container that runs virtually anywhere. The docker-latest package provides a version of Docker that iterates outside of the release cadence of Red Hat's container platforms...
Drupwn - Drupal Enumeration & Exploitation Tool
Drupwn claims to provide an efficient way to gather Drupal information. Further explanation is available in the blog post article. Supported tested versions: Drupal 7, Drupal 8. Execution mode: Drupwn can be run using two separate modes, enum and exploit. The enum mode allows performing enumerations, whereas...
Kurukshetra - A Framework For Teaching Secure Coding By Means Of Interactive Problem Solving
Kurukshetra is a web framework that’s developed with the aim of being the first open source framework which provides a solid foundation to host reasonably complex secure coding challenges while still providing the ability to efficiently and dynamically execute each challenge on the basis of user...
Semmle: Docker Registry HTTP API v2 exposed in HTTP without authentication leads to docker images dumping and poisoning
Summary: Docker Registry HTTP API v2 is exposed over HTTP without authentication. An attacker can use it to dump your Docker images and poison them. Description: While digging into the environment that hosts the sandboxed build container, I came across port 5000 open on another machine, probably...