Important: Red Hat Security Advisory: subscription-manager security update
An update for subscription-manager is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is...
Important: subscription-manager security update
The subscription-manager packages provide programs and libraries to allow users to manage subscriptions and yum repositories from the AlmaLinux entitlement platform. Security Fixes: subscription-manager: inadequate authorization of the com.redhat.RHSM1 D-Bus interface allows local users to modify...
Harbor <=2.5.3 - Unauthorized Access
An access control issue in Harbor v1.X.X to v2.5.3 allows attackers to access public and private image repositories without authentication id: CVE-2022-46463 info: name: Harbor <=2.5.3 - Unauthorized Access author: Arm!tage severity: high description: | An access control issue in Harbor v1.X.X to...
CVE-2023-39438
A missing authorization check allows an arbitrary authenticated user to perform certain operations through the API of CLA-assistant by executing specific additional steps. This allows an arbitrary authenticated user to read CLA information including information of the persons who signed them as...
A vulnerability in the Extensions component of the Google Chrome browser allows an attacker to manipulate extension storage.
The vulnerability in the Extensions component of the Google Chrome browser is due to a lack of access control. Exploiting it could allow a malicious actor to forge extension repositories using a specially crafted HTML page...
Malicious npm Packages Found Exfiltrating Sensitive Data from Developers
Cybersecurity researchers have discovered a new bunch of malicious packages on the npm package registry that are designed to exfiltrate sensitive developer information. Software supply chain firm Phylum, which first identified the "test" packages on July 31, 2023, said they "demonstrated increasi...
PT-2023-26561 · Microsoft · Contosoair
Name of the Vulnerable Software and Affected Versions: ContosoAir, affected versions not specified. Description: It is unclear whether the issue rests in the original repository microsoft/ContosoAir, the forked repository Apetree100122/ContosoAir, or both. Recommendations: At the moment, there is n...
UBUNTU-CVE-2023-3401
An issue has been discovered in GitLab affecting all versions before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. The main branch of a repository with a specially designed name allows an attacker to create repositories with malicious code...
CVE-2023-3401
An issue has been discovered in GitLab affecting all versions before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. The main branch of a repository with a specially designed name allows an attacker to create repositories with malicious code...
Exposed Gits: 10 Years on
Nearly 10 years ago my colleague wrote a cracking post on exposed Git repositories. 10 years is a long time in cyber security, but you’d be surprised how many things you thought should have gone extinct that haven’t. A prime example is a recent finding of a handful of exposed .git repositories. A...
A vulnerability in the 1Panel Linux server control panel, caused by a failure to neutralize special elements used in operating system commands, allows an attacker to execute arbitrary commands.
The vulnerability in the 1Panel Linux server control panel is due to missing neutralization of special elements used in operating system commands when adding container repositories. Exploiting it allows a remote attacker to execute arbitrary commands...
Fake GitHub Repos Caught Dropping Malware as PoCs AGAIN!
By Habiba Rashid. At the time of writing, all reported fake repositories have been taken down and the malicious PoC has been removed from GitHub. This is a post from HackRead.com. Read the original post: Fake GitHub Repos Caught Dropping Malware as PoCs AGAIN!...
ROS-2-1174
2.1174 Vulnerability in Git (CVE-2020-11008, CVE-2020-5260). 1. Vulnerability Description: The vulnerability affects the "credential.helper" handlers and is exploited when a specially crafted URL containing a newline character, an empty host, or an unspecified request scheme is...
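The entry above names the three URL shapes involved (a newline in a component, an empty host, a missing scheme) but the snippet is cut off before explaining why they matter. The following added example, which is not git's code and not part of any advisory on this page, models how git turns a URL into the key=value lines it writes to a credential helper, shows how a percent-encoded newline in the userinfo lets an attacker append a second host= line so the helper answers for a different host, and then applies the validation the fixes introduced (scheme required, host non-empty, no newlines). The hosts evil.example and the helper-side parser (key=value lines, blank line terminates, repeated key overwrites) are assumptions made for the demonstration.

```python
"""Model of how git hands a URL to a credential helper and why an
unvalidated URL (the CVE-2020-5260 / CVE-2020-11008 shapes) lets an
attacker steer the helper toward another host's credentials.

Added example, not git's own code. The helper-side parser is a simplified
model of a store-style helper (key=value lines, a blank line terminates the
request, a repeated key overwrites the earlier value); that behaviour is an
assumption for this demonstration, not a transcript of any real helper.
"""
from urllib.parse import unquote, urlsplit


class CredentialURLError(ValueError):
    """Raised when a URL must not be forwarded to a credential helper."""


def credential_from_url(url: str, strict: bool = True) -> dict:
    """Extract the protocol/host/username git would send to a helper.

    With strict=True the function applies the checks the fixes added: a
    scheme and a non-empty host are required, and no component may contain
    a newline or carriage return (a newline would otherwise be emitted
    verbatim as a line break in the helper request).
    """
    parts = urlsplit(url)
    cred = {}
    if parts.scheme:
        cred["protocol"] = parts.scheme
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    cred["host"] = host
    if parts.username is not None:
        # The userinfo is URL-decoded, which is what turns %0a into "\n".
        cred["username"] = unquote(parts.username)

    if strict:
        if "protocol" not in cred:
            raise CredentialURLError("URL has no scheme")
        if not cred["host"]:
            raise CredentialURLError("URL has an empty host")
        for key, value in cred.items():
            if "\n" in value or "\r" in value:
                raise CredentialURLError(f"newline in credential field {key!r}")
    return cred


def helper_request(cred: dict) -> str:
    """Serialise a credential as the key=value lines written to a helper."""
    return "".join(f"{k}={v}\n" for k, v in cred.items()) + "\n"


def parse_helper_request(text: str) -> dict:
    """Helper side (simplified model): read key=value lines up to the blank line.

    A repeated key silently replaces the earlier value, which is exactly
    what the injected second host= line exploits.
    """
    parsed = {}
    for line in text.split("\n"):
        if line == "":
            break
        key, _, value = line.partition("=")
        parsed[key] = value
    return parsed


# Constructed attacker-controlled URL (hypothetical hosts). The username part
# carries a percent-encoded newline followed by a second "host=" line.
EVIL_URL = "https://attacker%0ahost=github.com@evil.example/repo.git"


def demo() -> tuple:
    """Return (raw unvalidated request, what the helper parses, strict rejected?)."""
    unvalidated = helper_request(credential_from_url(EVIL_URL, strict=False))
    seen_by_helper = parse_helper_request(unvalidated)
    try:
        credential_from_url(EVIL_URL)
        rejected = False
    except CredentialURLError:
        rejected = True
    return unvalidated, seen_by_helper, rejected


if __name__ == "__main__":
    raw, seen, rejected = demo()
    print(raw)
    print("helper would look up credentials for host:", seen["host"])
    print("strict parser rejects the URL:", rejected)
```

Without validation the request for a clone from evil.example contains both host=evil.example and host=github.com, and a helper that keeps the last value answers with the github.com credentials, which are then sent to the attacker's server. The strict path refuses the URL before any helper is invoked; the same check also rejects an empty host (https:///repo.git) and a scheme-less URL.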
GHSA-Q2MX-GPJF-3H8X 1Panel vulnerable to command injection when adding container repositories
Impact: The authenticated attacker can craft a malicious payload to achieve command injection when adding container repositories. 1. Vulnerability analysis: backend\app\api\v1\imagerepo.go (create), backend\app\service\imagerepo.go (CheckConn). 2. Vulnerability reproduction: POST /api/v1/containers/repo...
CVE-2023-36457
1Panel is an open source Linux server operation and maintenance management panel. Prior to version 1.3.6, an authenticated attacker can craft a malicious payload to achieve command injection when adding container repositories. The vulnerability has been fixed in v1.3.6...
Improper Neutralization of Special Elements used in a Command ('Command Injection')
1Panel is an open source Linux server operation and maintenance management panel. Prior to version 1.3.6, an authenticated attacker can craft a malicious payload to achieve command injection when adding container repositories. The vulnerability has been fixed in v1.3.6...
Information Disclosure
github.com/mattermost/mattermost-server is vulnerable to Information Disclosure. The vulnerability exists because the library fails to sanitize code permalinks, allowing an attacker to preview code from private repositories by posting a maliciously crafted permalink on a channel...
PT-2023-3543 · 1Panel · 1Panel
Name of the Vulnerable Software and Affected Versions: 1Panel versions prior to 1.3.6 Description: The issue is related to command injection when adding container repositories. An authenticated attacker can craft a malicious payload to achieve this. The vulnerability is due to the lack of proper...
Fake security researchers push malware files on GitHub
Researchers from VulnCheck have observed a campaign using real security researchers as bait for malware. The campaign goes to some lengths to appear genuine, using fake profiles, downloads, websites, and bogus GitHub profiles, to paint a convincing picture of security professionals offering up...
CVE-2023-2797
Mattermost fails to sanitize code permalinks, allowing an attacker to preview code from private repositories by posting a specially crafted permalink on a channel...