78 matches found
CVE-2022-3867 Nomad Event Stream Subscriber Using a Token with TTL Receives Updates Until Garbage Collected
HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 event stream subscribers using a token with TTL receive updates until token garbage is collected. Fixed in 1.4.2...
CVE-2022-3867
CVE-2022-3867 affects HashiCorp Nomad and Nomad Enterprise versions 1.4.0–1.4.1, where event stream subscribers using a TTL token can continue to receive updates until the token is garbage-collected. The underlying issue is tied to how TTL tokens are handled for event stream subscriptions, allowi...
CVE-2022-3867
Removed by vendor...
HashiCorp Nomad 代码问题漏洞
HashiCorp Nomad is a simple and flexible scheduler and orchestrator from HashiCorp USA. for managing containerized and non-containerized applications at scale, both locally and in the cloud. A code issue vulnerability exists in HashiCorp Nomad and Nomad Enterprise versions 1.4.0 through 1.4.1,...
CVE-2022-3867
HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 event stream subscribers using a token with TTL receive updates until token garbage is collected. Fixed in 1.4.2...
PT-2022-24518 · Hashicorp · Nomad Enterprise +1
Name of the Vulnerable Software and Affected Versions: HashiCorp Nomad and Nomad Enterprise versions 1.4.0 through 1.4.1 Description: The issue affects event stream subscribers using a token with TTL, allowing them to receive updates until token garbage is collected. Recommendations: For versions...
Nomad’s Event Stream Subscriber Using ACL Token with TTL Receive Updates Until Garbage Collected
Summary A vulnerability was identified in Nomad and Nomad Enterprise “Nomad” such that an event stream subscriber using an ACL token with an expiry TTL set would continue to receive events until the token was garbage collected. This vulnerability, CVE-2022-3867, was fixed in Nomad 1.4.2. Backgrou...
Distributing Malware By Becoming an Admin on an Open-Source Project
The module "event-stream" was infected with malware by an anonymous someone who became an admin on the project. Cory Doctorow points out that this is a clever new attack vector: Many open source projects attain a level of "maturity" where no one really needs any new features and there aren't a lo...
Malicious Package
event-stream is a malicious package. The new maintainer of the package released versions of the package that contains malicious code that causes it to be declare an external wallet as a co-payee for cryptocurrencies...
Rogue Developer Infects Widely Used NodeJS Module to Steal Bitcoins
A widely used third-party NodeJS module with nearly 2 million downloads a week was compromised after one of its open-source contributor gone rogue, who infected it with a malicious code that was programmed to steal funds stored in Bitcoin wallet apps. The Node.js library in question is...
Rogue Developer Infects Widely Used NodeJS Module to Steal Bitcoins
A widely used third-party NodeJS module with nearly 2 million downloads a week was compromised after one of its open-source contributor gone rogue, who infected it with a malicious code that was programmed to steal funds stored in Bitcoin wallet apps. The Node.js library in question is...
Malicious Cryptocurrency Theft
[email protected] is a malicious package. The package displays malicious activities when imported from event-stream, and when used with cryptocurrenty related libraries such as copay-dash where the malicious code in flatmap-stream steals "hot" wallet profiles that were stored from mobile apps,...
GHSA-MH6F-8J2X-4483 Critical severity vulnerability that affects event-stream and flatmap-stream
The NPM package flatmap-stream is considered malicious. A malicious actor added this package as a dependency to the NPM event-stream package in version 3.3.6. Users of event-stream are encouraged to downgrade to the last non-malicious version, 3.3.4, or upgrade to the latest 4.x version. Users of...
Critical severity vulnerability that affects event-stream and flatmap-stream
The NPM package flatmap-stream is considered malicious. A malicious actor added this package as a dependency to the NPM event-stream package in version 3.3.6. Users of event-stream are encouraged to downgrade to the last non-malicious version, 3.3.4, or upgrade to the latest 4.x version. Users of...
Node.js third-party modules: flatmap-stream malicious package (distributed via the popular events-stream)
I would like to report a case of malicious package flat-stream that made it's way into many other npm packages. One such popular package is event-stream user dominictarr transferred the ownership of an npm module to another user because he wasn't actively maintaining it. That user then added...
Cb Defense’s ‘Streaming Ransomware Prevention’ Stops Bad Rabbit in Its Tracks
On October 24, a large-scale ransomware campaign spread across Europe, in campaigns closely mimicking the NotPetya attacks from earlier this year. Bad Rabbit appeared to infect machines via a drive-by-download that prompted the user to download a fake Adobe Flash installer. No exploits were used...
SAP Sybase Event Stream Processor esp_parse Remote Code Execution (CVE-2014-3457)
Two unsafe pointer dereference vulnerabilities have been reported in SAP Sybase Event Stream Processor ESP. These vulnerabilities are caused by the listening service accepting unsanitized pointers in XMLRPC requests. A remote attacker can leverage these vulnerabilities by sending crafted requests...
SAP Sybase Event Stream Processor esp_parse ConnectionType Unsafe Pointer Dereference (CVE-2014-3458)
Five unsafe pointer dereference vulnerabilities have been reported in SAP Sybase Event Stream Processor ESP. These vulnerabilities are caused by the listening service accepting unsanitized pointers in XMLRPC requests. By sending crafted requests to a vulnerable server, an remote attacker can caus...