669 matches found
Improper Access Control
github.com/openbao/openbao is vulnerable to improper access control. The vulnerability is due to the ability of privileged API operators to bypass restrictions on system code execution and network connections through manipulation of audit log prefixes, which allows an attacker to execute...
CVE-2025-54997
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, some OpenBao deployments intentionally limit privileged API operators from executing system code or making network connections...
CVE-2025-54997 OpenBao: Privileged Operator May Execute Code on the Underlying Host
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, some OpenBao deployments intentionally limit privileged API operators from executing system code or making network connections...
CVE-2025-54997
OpenBao (OpenBao) v2.3.1 and earlier are vulnerable to code execution and unintended network access due to privileged API operators bypassing restrictions via the audit subsystem by manipulating log prefixes. The root cause is an abuse of the audit/log-prefix handling in privileged operators, ena...
CVE-2025-54997 OpenBao: Privileged Operator May Execute Code on the Underlying Host
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, some OpenBao deployments intentionally limit privileged API operators from executing system code or making network connections...
Privileged OpenBao Operator May Execute Code on the Underlying Host
Impact Under certain threat models, OpenBao operators with privileged API access may not be system administrators and thus normally lack the ability to update binaries or execute code on the system. Additionally, privileged API operators should be unable to perform TCP connections to arbitrary...
An Overview of 7726 User Reports: Uncovering SMS Scams and Scammer Strategies
Mobile network operators implement firewalls to stop illicit messages, but scammers find ways to evade detection. Previous work has looked into SMS texts that are blocked by these firewalls. However, there is little insight into SMS texts that bypass them and reach users. To this end, we...
CVE-2025-6000 Arbitrary Remote Code Execution via Plugin Catalog Abuse
A privileged Vault operator within the root namespace with write permission to sys/audit may obtain code execution on the underlying host if a plugin directory is set in Vault’s configuration. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23...
Moderate: Red Hat Security Advisory: Security release of Control plane Operators: RHOSO 18.0.10 (Feature Release 3)
RHOSO 18.0.10 Feature Release 3 Control Plane Operator Containers Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE...
Google Sues the Badbox Botnet Operators
It will be interesting to watch what will come of this private lawsuit: Google on Thursday announced filing a lawsuit against the operators of the Badbox 2.0 botnet, which has ensnared more than 10 million devices running Android open source software. These devices lack Google's security...
You Should Run a Certificate Transparency Log
Hear me out. If you are an organization with some spare storage and bandwidth, or an engineer looking to justify an overprovisioned homelab, you should consider running a Certificate Transparency log. It’s cheaper, easier, and more important than you might think. Certificate Transparency CT is on...
Breaking the Bulkhead: Demystifying Cross-Namespace Reference Vulnerabilities in Kubernetes Operators
Kubernetes Operators, automated tools designed to manage application lifecycles within Kubernetes clusters, extend the functionalities of Kubernetes, and reduce the operational burden on human engineers. While Operators significantly simplify DevOps workflows, they introduce new security risks. I...
CVE-2025-22874 vulnerabilities
Vulnerabilities for packages: cri-tools, aws-eks-pod-identity-agent, harbor-cli, nginx-prometheus-exporter, gcsfuse, src, terraform-provider-azapi-fips, docker-credential-gcr, newrelic-k8s-metadata-injection-fips, cert-manager, jaeger-operator, terraform-provider-kubernetes-fips, cargobump,...
CVE-2025-4673 vulnerabilities
Vulnerabilities for packages: cri-tools, aws-eks-pod-identity-agent, harbor-cli, nginx-prometheus-exporter, gcsfuse, src, terraform-provider-azapi-fips, docker-credential-gcr, cert-manager, jaeger-operator, terraform-provider-kubernetes-fips, cargobump, kyverno-policy-reporter-ui, yunikorn-web, k...
PT-2025-25451 · Undefined · Undefined
CVE-2025-46167 JSTargetFuzzer-V2 JSTargetFuzzer-v2.0 is a fuzzing approach that incorporates novel history-based guidance, using tailored seeds and custom mutation operators. It is built on top of the Fuzzilli fra... https://t.co/TUq3tMABu2...
PT-2025-25453 · Undefined · Undefined
CVE-2025-46169 JSTargetFuzzer-V2 JSTargetFuzzer-v2.0 is a fuzzing approach that incorporates novel history-based guidance, using tailored seeds and custom mutation operators. It is built on top of the Fuzzilli fra... https://t.co/3dWy3uR39j...
PT-2025-25452 · Undefined · Undefined
CVE-2025-46168 JSTargetFuzzer-V2 JSTargetFuzzer-v2.0 is a fuzzing approach that incorporates novel history-based guidance, using tailored seeds and custom mutation operators. It is built on top of the Fuzzilli fra... https://t.co/ioVUFu93Dp...
How Ransomware Operators Exploit Exposure, Not Just Vulnerabilities
Running short on time but still want to stay in the know? Well, we’ve got you covered! We’ve condensed all the key takeaways into a handy audio summary. Our AI-driven podcasts are fit for on the go. Click right here to hear it all on CAASM & CDMB Inefficiencies! In cybersecurity, we often treat...
CVE-2023-22428
Improper privilege validation in Command Centre Server allows authenticated operators to modify Division lineage. This issue affects Command Centre: vEL8.80 prior to vEL8.80.1192 MR2, vEL8.70 prior to vEL8.70.2185 MR4, vEL8.60 prior to vEL8.60.2347 MR6, vEL8.50 prior to vEL8.50.2831MR8, vEL8.40 a...
CVE-2023-5963
An issue has been discovered in GitLab EE with Advanced Search affecting all versions from 13.9 to 16.3.6, 16.4 prior to 16.4.2 and 16.5 prior to 16.5.1 that could allow a denial of service in the Advanced Search function by chaining too many syntax operators...