50 matches found
UBUNTU-CVE-2023-43040
IBM Spectrum Fusion HCI 2.5.2 through 2.7.2 could allow an attacker to perform unauthorized actions in RGW for Ceph due to improper bucket access. IBM X-Force ID: 266807...
PT-2023-8462 · Ibm +4 · Ibm Spectrum Fusion Hci +4
Name of the Vulnerable Software and Affected Versions: IBM Spectrum Fusion HCI versions 2.5.2 through 2.7.2 Description: The issue is related to improper bucket access in the RGW service of the Ceph data storage system. It allows an attacker to perform unauthorized actions by exploiting the lack ...
CVE-2022-39281 Remote Denial of Service via Tasks endpoint in fat_free_crm
fatfreecrm is a an open source, Ruby on Rails customer relationship management platform CRM. In versions prior to 0.20.1 an authenticated user can perform a remote Denial of Service attack against Fat Free CRM via bucket access. The vulnerability has been patched in commit c85a254 and will be...
CBC padding oracle issue in AWS S3 Crypto SDK for golang
Summary The golang AWS S3 Crypto SDK is impacted by an issue that can result in loss of confidentiality and message forgery. The attack requires write access to the bucket in question, and that the attacker has access to an endpoint that reveals decryption failures without revealing the plaintext...
Privilege Escalation
github.com/couchbase/syncgateway is vulnerable to privilege escalation. The vulnerability exists because of storage of bucket credentials in the metadata within sync documents written to the bucket, allowing a user with read privilege to perform write access to data in Couchbase Server. Note: Thi...
CVE-2021-43963
An issue was discovered in Couchbase Sync Gateway 2.7.0 through 2.8.2. The bucket credentials used to read and write data in Couchbase Server were insecurely being stored in the metadata within sync documents written to the bucket. Users with read access could use these credentials to obtain writ...
Common Security Misconfigurations and Their Consequences
Everyone makes mistakes. That one sentence was drummed into me in my very first job in tech, and it has held true since then. In the cybersecurity world, misconfigurations can create exploitable issues that can haunt us later - so let's look at a few common security misconfigurations. The first o...
L'Oréal L'Oréal Finance app has unauthorized access vulnerability
L'Oréal Finance app is the news app of L'Oréal Group, which allows users to browse the latest L'Oréal Group financial information in English and French on L'Oréal Finance. An unauthorized access vulnerability exists in the L'Oréal L'Oréal Finance app. An attacker could exploit the vulnerability t...
ceph: RGW permits bucket listing when authenticated_users=read
A flaw was found in Ceph RGW code which allows an anonymous user to list contents of RGW bucket by bypassing ACL which should only allow authenticated users to list contents of bucket...
LocalTapiola: Amazon Bucket Accessible (http://inpref.s3.amazonaws.com/)
Searching through the source code of your homepage shows a few http://inpref.s3.amazonaws.com/ URLS. I assume that you own this s3 Amazon bucket. The problem here is, visiting that amazon bucket on a browser will shows the files on the bucket, whilst a secure bucket would bring up an access denie...