Lucene search
K

78 matches found

OSV
OSV
added 2022/11/10 5:45 a.m.17 views

CVE-2022-3867 Nomad Event Stream Subscriber Using a Token with TTL Receives Updates Until Garbage Collected

HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 event stream subscribers using a token with TTL receive updates until token garbage is collected. Fixed in 1.4.2...

2.7CVSS5.9AI score0.00462EPSS
Exploits0References4
CVE
CVE
added 2022/11/10 5:45 a.m.63 views

CVE-2022-3867

CVE-2022-3867 affects HashiCorp Nomad and Nomad Enterprise versions 1.4.0–1.4.1, where event stream subscribers using a TTL token can continue to receive updates until the token is garbage-collected. The underlying issue is tied to how TTL tokens are handled for event stream subscriptions, allowi...

4.3CVSS4.1AI score0.00462EPSS
Exploits0References1Affected Software1
Debian CVE
Debian CVE
added 2022/11/10 5:45 a.m.57 views

CVE-2022-3867

Removed by vendor...

4.3CVSS4.8AI score0.00462EPSS
Exploits0
CNNVD
CNNVD
added 2022/11/10 12:0 a.m.33 views

HashiCorp Nomad 代码问题漏洞

HashiCorp Nomad is a simple and flexible scheduler and orchestrator from HashiCorp USA. for managing containerized and non-containerized applications at scale, both locally and in the cloud. A code issue vulnerability exists in HashiCorp Nomad and Nomad Enterprise versions 1.4.0 through 1.4.1,...

4.3CVSS5.1AI score0.00462EPSS
Exploits0References3
UbuntuCve
UbuntuCve
added 2022/11/10 12:0 a.m.28 views

CVE-2022-3867

HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 event stream subscribers using a token with TTL receive updates until token garbage is collected. Fixed in 1.4.2...

4.3CVSS5.8AI score0.00462EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2022/11/10 12:0 a.m.5 views

PT-2022-24518 · Hashicorp · Nomad Enterprise +1

Name of the Vulnerable Software and Affected Versions: HashiCorp Nomad and Nomad Enterprise versions 1.4.0 through 1.4.1 Description: The issue affects event stream subscribers using a token with TTL, allowing them to receive updates until token garbage is collected. Recommendations: For versions...

4.3CVSS7.2AI score0.00462EPSS
Exploits0References14
HashiCorp Security Advisories
HashiCorp Security Advisories
added 2022/10/28 4:0 p.m.7 views

Nomad’s Event Stream Subscriber Using ACL Token with TTL Receive Updates Until Garbage Collected

Summary A vulnerability was identified in Nomad and Nomad Enterprise “Nomad” such that an event stream subscriber using an ACL token with an expiry TTL set would continue to receive events until the token was garbage collected. This vulnerability, CVE-2022-3867, was fixed in Nomad 1.4.2. Backgrou...

4.3CVSS6AI score0.00462EPSS
Exploits0Affected Software1
Schneier on Security
Schneier on Security
added 2018/11/28 12:48 p.m.25 views

Distributing Malware By Becoming an Admin on an Open-Source Project

The module "event-stream" was infected with malware by an anonymous someone who became an admin on the project. Cory Doctorow points out that this is a clever new attack vector: Many open source projects attain a level of "maturity" where no one really needs any new features and there aren't a lo...

0.9AI score
Exploits0
Veracode
Veracode
added 2018/11/28 7:12 a.m.9 views

Malicious Package

event-stream is a malicious package. The new maintainer of the package released versions of the package that contains malicious code that causes it to be declare an external wallet as a co-payee for cryptocurrencies...

6.9AI score
Exploits0
The Hacker News
The Hacker News
added 2018/11/27 7:58 a.m.181 views

Rogue Developer Infects Widely Used NodeJS Module to Steal Bitcoins

A widely used third-party NodeJS module with nearly 2 million downloads a week was compromised after one of its open-source contributor gone rogue, who infected it with a malicious code that was programmed to steal funds stored in Bitcoin wallet apps. The Node.js library in question is...

0.4AI score
Exploits0
The Hacker News
The Hacker News
added 2018/11/27 7:58 a.m.3 views

Rogue Developer Infects Widely Used NodeJS Module to Steal Bitcoins

A widely used third-party NodeJS module with nearly 2 million downloads a week was compromised after one of its open-source contributor gone rogue, who infected it with a malicious code that was programmed to steal funds stored in Bitcoin wallet apps. The Node.js library in question is...

6.7AI score
Exploits0
Veracode
Veracode
added 2018/11/27 12:39 a.m.15 views

Malicious Cryptocurrency Theft

[email protected] is a malicious package. The package displays malicious activities when imported from event-stream, and when used with cryptocurrenty related libraries such as copay-dash where the malicious code in flatmap-stream steals "hot" wallet profiles that were stored from mobile apps,...

6.7AI score
Exploits0
OSV
OSV
added 2018/11/26 11:58 p.m.10 views

GHSA-MH6F-8J2X-4483 Critical severity vulnerability that affects event-stream and flatmap-stream

The NPM package flatmap-stream is considered malicious. A malicious actor added this package as a dependency to the NPM event-stream package in version 3.3.6. Users of event-stream are encouraged to downgrade to the last non-malicious version, 3.3.4, or upgrade to the latest 4.x version. Users of...

9.8CVSS7AI score
Exploits0References3
Github Security Blog
Github Security Blog
added 2018/11/26 11:58 p.m.43 views

Critical severity vulnerability that affects event-stream and flatmap-stream

The NPM package flatmap-stream is considered malicious. A malicious actor added this package as a dependency to the NPM event-stream package in version 3.3.6. Users of event-stream are encouraged to downgrade to the last non-malicious version, 3.3.4, or upgrade to the latest 4.x version. Users of...

4.7AI score
Exploits0References2Affected Software2
Hacker One
Hacker One
added 2018/11/26 6:28 p.m.153 views

Node.js third-party modules: flatmap-stream malicious package (distributed via the popular events-stream)

I would like to report a case of malicious package flat-stream that made it's way into many other npm packages. One such popular package is event-stream user dominictarr transferred the ownership of an npm module to another user because he wasn't actively maintaining it. That user then added...

0.9AI score
Exploits0
Carbon Black Blog
Carbon Black Blog
added 2017/10/25 4:9 p.m.39 views

Cb Defense’s ‘Streaming Ransomware Prevention’ Stops Bad Rabbit in Its Tracks

On October 24, a large-scale ransomware campaign spread across Europe, in campaigns closely mimicking the NotPetya attacks from earlier this year. Bad Rabbit appeared to infect machines via a drive-by-download that prompted the user to download a fake Adobe Flash installer. No exploits were used...

6.7AI score
Exploits0
Check Point Advisories
Check Point Advisories
added 2014/07/16 12:0 a.m.14 views

SAP Sybase Event Stream Processor esp_parse Remote Code Execution (CVE-2014-3457)

Two unsafe pointer dereference vulnerabilities have been reported in SAP Sybase Event Stream Processor ESP. These vulnerabilities are caused by the listening service accepting unsanitized pointers in XMLRPC requests. A remote attacker can leverage these vulnerabilities by sending crafted requests...

3.7AI score
Exploits0
Check Point Advisories
Check Point Advisories
added 2014/07/10 12:0 a.m.3 views

SAP Sybase Event Stream Processor esp_parse ConnectionType Unsafe Pointer Dereference (CVE-2014-3458)

Five unsafe pointer dereference vulnerabilities have been reported in SAP Sybase Event Stream Processor ESP. These vulnerabilities are caused by the listening service accepting unsanitized pointers in XMLRPC requests. By sending crafted requests to a vulnerable server, an remote attacker can caus...

2.8AI score
Exploits0
Rows per page
Query Builder