1270 matches found
CVE-2022-23653
Summary (CVE-2022-23653): The B2 Command Line Tool (Linux/Mac) up to v3.2.0 stores API keys and bucket mappings in a local file (account_info) during first run of authorize-account. A TOCTOU race window between file creation (world-readable) and permission tightening can allow a local attacker to...
CVE-2022-23643
Sourcegraph is a code search and navigation engine. Sourcegraph versions 3.35 and 3.36 reintroduced a previously fixed side-channel vulnerabilitity in the Code Monitoring feature where strings in private source code could be guessed by an authenticated but unauthorized actor. This issue affects...
Code injection
Sourcegraph is a code search and navigation engine. Sourcegraph versions 3.35 and 3.36 reintroduced a previously fixed side-channel vulnerabilitity in the Code Monitoring feature where strings in private source code could be guessed by an authenticated but unauthorized actor. This issue affects...
CVE-2022-23643 Side-channel attack in Sourcegraph Code Monitors
Sourcegraph is a code search and navigation engine. Sourcegraph versions 3.35 and 3.36 reintroduced a previously fixed side-channel vulnerabilitity in the Code Monitoring feature where strings in private source code could be guessed by an authenticated but unauthorized actor. This issue affects...
CVE-2022-23643 Side-channel attack in Sourcegraph Code Monitors
Sourcegraph is a code search and navigation engine. Sourcegraph versions 3.35 and 3.36 reintroduced a previously fixed side-channel vulnerabilitity in the Code Monitoring feature where strings in private source code could be guessed by an authenticated but unauthorized actor. This issue affects...
CVE-2022-23643 Side-channel attack in Sourcegraph Code Monitors
Sourcegraph is a code search and navigation engine. Sourcegraph versions 3.35 and 3.36 reintroduced a previously fixed side-channel vulnerabilitity in the Code Monitoring feature where strings in private source code could be guessed by an authenticated but unauthorized actor. This issue affects...
JetBrains Security Bulletin Q4 2021
JetBrains Security JetBrains Security Bulletin Q4 2021 Robert Demmer In the fourth quarter of 2021, we resolved a number of security issues in our products. Here’s a summary report that contains a description of each issue and the version in which it was resolved. Product | Description | Severity...
New Argo CD Bug Could Let Hackers Steal Secret Info from Kubernetes Apps
Users of the Argo continuous deployment CD tool for Kubernetes are being urged to push through updates after a zero-day vulnerability was found that could allow an attacker to extract sensitive information such as passwords and API keys. The flaw, tagged as CVE-2022-24348 CVSS score: 7.7, affects...
Argo CD Security Bug Opens Kubernetes Cloud Apps to Attackers
A high-severity security vulnerability in Argo CD can enable attackers to access targets’ application-development environments, paving the way for stealing passwords, API keys, tokens and other sensitive information. Argo CD is a continuous-delivery platform deployed as a Kubernetes controller in...
Exposure of Sensitive Information to an Unauthorized Actor in cjferna/photo-services-mashup
Description Please enter a description of the vulnerability. Vulnerable URL: https://github.com/cjferna/Photo-Services-Mashup/blob/fdc12e0671e035bac00cc46ee67d456540444460/src/es/um/taw/rest/imagga/Imagga.java It contains sensitive API Keys and secret keys. Proof of Concept private final String U...
Session Fixation
pterodactyl/panel is vulnerable to session fixation. After the API keys are destroyed, the handle function in AuthenticateKey.php does not properly revoke the user sessions, allowing an attacker to remain logged in as the user the key belongs to...
Grafana OAuth Identity Token Vulnerability (GHSA-8wjh-59cw-9xh4)
Grafana is prone to a vulnerability in the OAuth identity token. Copyright C 2022 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free...
CVE-2022-21673
Grafana is an open-source platform for monitoring and observability. In affected versions when a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token and no other user credentials will forward the OAuth Identity of the most recently...
CVE-2021-43823
Sourcegraph is a code search and navigation engine. Sourcegraph prior to version 3.33.2 is vulnerable to a side-channel attack where strings in private source code could be guessed by an authenticated but unauthorized actor. This issue affects the Saved Searches and Code Monitoring features. A...
CVE-2021-43823
Sourcegraph is a code search and navigation engine. Sourcegraph prior to version 3.33.2 is vulnerable to a side-channel attack where strings in private source code could be guessed by an authenticated but unauthorized actor. This issue affects the Saved Searches and Code Monitoring features. A...
Code injection
Sourcegraph is a code search and navigation engine. Sourcegraph prior to version 3.33.2 is vulnerable to a side-channel attack where strings in private source code could be guessed by an authenticated but unauthorized actor. This issue affects the Saved Searches and Code Monitoring features. A...
CVE-2021-43823 Side-channel attack in Sourcegraph
Sourcegraph is a code search and navigation engine. Sourcegraph prior to version 3.33.2 is vulnerable to a side-channel attack where strings in private source code could be guessed by an authenticated but unauthorized actor. This issue affects the Saved Searches and Code Monitoring features. A...
The fix for CVE-2020-7009 was found to be incomplete. Elasticsearch versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 contain a privilege escalation flaw if an attacker is able to create API keys and also authentication tokens. An attacker who is able to generate an API key and an authentication token can perform a series of steps that result in an authentication token being generated with elevated privileges.
...
The vulnerability in the implementation of the Datadog integration configuration for software platforms based on Git, which allows attackers to perform cross-site scripting attacks.
The vulnerability in the implementation of the Datadog integration configuration for software platforms based on Git, which facilitates collaborative code development on GitLab, is related to insufficient protection of the apikeysurl web page structure. Exploiting this vulnerability could allow a...
Millions of GoDaddy customer data compromised in breach
Domain name registrar giant and hosting provider GoDaddy yesterday disclosed to the Securities and Exchange Commission SEC that it had suffered a security breach. In the notice, it explained it had been compromised via an "unauthorized third-party access to our Managed WordPress hosting...