1259 matches found
CVE-2022-25512
CVE-2022-25512 affects FreeTAKServer-UI v1.9.8. The root cause described in connected documents is that the WebUI leaks sensitive tokens (API and Websocket) in the JavaScript source, enabling information disclosure. The CVSS data from NVD indicates a high confidentiality impact (C:H) with network...
GHSA-8WR4-2WM6-W3PR B2 Command Line Tool TOCTOU application key disclosure
Impact: Linux and Mac releases of the B2 command-line tool version 3.2.0 and below contain a key disclosure vulnerability that, in certain conditions, can be exploited by local attackers through a time-of-check-time-of-use (TOCTOU) race condition. The command line tool saves API keys and bucket...
B2 Command Line Tool TOCTOU application key disclosure
Impact: Linux and Mac releases of the B2 command-line tool version 3.2.0 and below contain a key disclosure vulnerability that, in certain conditions, can be exploited by local attackers through a time-of-check-time-of-use (TOCTOU) race condition. The command line tool saves API keys and bucket...
b2-sdk-python TOCTOU application key disclosure
Impact: Linux and Mac releases of the SDK version 1.14.0 and below contain a key disclosure vulnerability that, in certain conditions, can be exploited by local attackers through a time-of-check-time-of-use (TOCTOU) race condition. SDK users of the SqliteAccountInfo format are vulnerable while users...
Time-of-check-time-of-use (TOCTOU)
b2 is vulnerable to time-of-check-time-of-use. A local attacker is able to read the contents of the local database file where API keys are saved when b2 authorize-account is first run, resulting in sensitive information disclosure via race condition...
CVE-2022-23653
B2 Command Line Tool is the official command line tool for the Backblaze cloud storage service. Linux and Mac releases of the B2 command-line tool version 3.2.0 and below contain a key disclosure vulnerability that, in certain conditions, can be exploited by local attackers through a...
PYSEC-2022-33
b2-sdk-python is a Python library to access cloud storage provided by Backblaze. Linux and Mac releases of the SDK version 1.14.0 and below contain a key disclosure vulnerability that, in certain conditions, can be exploited by local attackers through a time-of-check-time-of-use (TOCTOU) race...
PYSEC-2022-32
B2 Command Line Tool is the official command line tool for the Backblaze cloud storage service. Linux and Mac releases of the B2 command-line tool version 3.2.0 and below contain a key disclosure vulnerability that, in certain conditions, can be exploited by local attackers through a...
CVE-2022-23653
Summary (CVE-2022-23653): The B2 Command Line Tool (Linux/Mac) up to v3.2.0 stores API keys and bucket mappings in a local file (account_info) during first run of authorize-account. A TOCTOU race window between file creation (world-readable) and permission tightening can allow a local attacker to...
CVE-2022-23653 B2 Command Line Tool TOCTOU application key disclosure
B2 Command Line Tool is the official command line tool for the Backblaze cloud storage service. Linux and Mac releases of the B2 command-line tool version 3.2.0 and below contain a key disclosure vulnerability that, in certain conditions, can be exploited by local attackers through a...
CVE-2022-23643
Sourcegraph is a code search and navigation engine. Sourcegraph versions 3.35 and 3.36 reintroduced a previously fixed side-channel vulnerability in the Code Monitoring feature where strings in private source code could be guessed by an authenticated but unauthorized actor. This issue affects...
Code injection
Sourcegraph is a code search and navigation engine. Sourcegraph versions 3.35 and 3.36 reintroduced a previously fixed side-channel vulnerability in the Code Monitoring feature where strings in private source code could be guessed by an authenticated but unauthorized actor. This issue affects...
CVE-2022-23643 Side-channel attack in Sourcegraph Code Monitors
Sourcegraph is a code search and navigation engine. Sourcegraph versions 3.35 and 3.36 reintroduced a previously fixed side-channel vulnerability in the Code Monitoring feature where strings in private source code could be guessed by an authenticated but unauthorized actor. This issue affects...
CVE-2022-23643 Side-channel attack in Sourcegraph Code Monitors
Sourcegraph is a code search and navigation engine. Sourcegraph versions 3.35 and 3.36 reintroduced a previously fixed side-channel vulnerability in the Code Monitoring feature where strings in private source code could be guessed by an authenticated but unauthorized actor. This issue affects...
CVE-2022-23643 Side-channel attack in Sourcegraph Code Monitors
Sourcegraph is a code search and navigation engine. Sourcegraph versions 3.35 and 3.36 reintroduced a previously fixed side-channel vulnerability in the Code Monitoring feature where strings in private source code could be guessed by an authenticated but unauthorized actor. This issue affects...
JetBrains Security Bulletin Q4 2021
By Robert Demmer. In the fourth quarter of 2021, we resolved a number of security issues in our products. Here’s a summary report that contains a description of each issue and the version in which it was resolved. Product | Description | Severity...
New Argo CD Bug Could Let Hackers Steal Secret Info from Kubernetes Apps
Users of the Argo continuous deployment (CD) tool for Kubernetes are being urged to push through updates after a zero-day vulnerability was found that could allow an attacker to extract sensitive information such as passwords and API keys. The flaw, tagged as CVE-2022-24348 (CVSS score: 7.7), affects...
Argo CD Security Bug Opens Kubernetes Cloud Apps to Attackers
A high-severity security vulnerability in Argo CD can enable attackers to access targets’ application-development environments, paving the way for stealing passwords, API keys, tokens and other sensitive information. Argo CD is a continuous-delivery platform deployed as a Kubernetes controller in...
Exposure of Sensitive Information to an Unauthorized Actor in cjferna/photo-services-mashup
Description: Vulnerable URL: https://github.com/cjferna/Photo-Services-Mashup/blob/fdc12e0671e035bac00cc46ee67d456540444460/src/es/um/taw/rest/imagga/Imagga.java It contains sensitive API keys and secret keys. Proof of Concept: private final String U...
Session Fixation
pterodactyl/panel is vulnerable to session fixation. After the API keys are destroyed, the handle function in AuthenticateKey.php does not properly revoke the user sessions, allowing an attacker to remain logged in as the user the key belongs to...