approve and safeApprove Should Approve the Zero Amount First

Lines of code Vulnerability details Impact The PooledCreditLine.sol and LenderPool.sol contracts approve the strategy contract on the collateral or borrow assets before depositing funds. This allows the strategy contracts to transfer on behalf of these contracts, pulling assets out from the pool...

Conti Leaks: Examining the Panama Papers of Ransomware | Trellix

Conti Leaks: Examining the Panama Papers of Ransomware By John Fokker, Jambul Tologonov · March 31, 2022 Introduction It isn’t often the whole world gets an inside look of the business operations of a top tier cybercriminal group. Very early on in the Russian-Ukrainian Crisis the predominantly...

How CISOs can Mitigate Cryptomining Malware

Learn more about cloud-based cryptomining, its repercussions, and how CISOs can create an effective risk mitigation strategy for this threat...

Adobe Acrobat DC (Continuous) Security Update (APSB21-29) - Windows

Adobe Acrobat DC Continuous Track is prone to multiple vulnerabilities. Copyright C 2022 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free...

Executive Summary: Organizations and Nation-State Cyber Threats

Executive Summary: Organizations and Nation-State Cyber Threats By John Fokker · March 28, 2022 Traditionally when we talk about threat actors, we first need to make the split between cybercrime and nation-state sponsored operations. Where cybercrime is mostly focused on financial gain,...

Executive Summary: Organizations and Nation-State Cyber Threats

Executive Summary: Organizations and Nation-State Cyber Threats By John Fokker · March 28, 2022 Traditionally when we talk about threat actors, we first need to make the split between cybercrime and nation-state sponsored operations. Where cybercrime is mostly focused on financial gain,...

To Pay or Not to Pay? That is the Ransomware question

During a review of a client’s incident response capabilities the discussion turned to ransomware and strategies for handling it. The client’s board-level view was that if they were unable to restore their systems they would pay-up. They’d gone so far as considering setting up a cryptocurrency...

Can steal collateral deposit

Lines of code Vulnerability details Impact The Collateral.deposit function mints initial shares equal to the deposited amount. The deposit / withdraw functions also use the strategyController.totalValue, which includes the strategy contract balance, to compute the shares. It's possible to increas...

Malicious User can Manipulate PreCT Mint Logic with Direct Base Token Transfer

Lines of code Vulnerability details Impact A bad actor can steal funds from future depositors by sending the base token directly to the Strategy or StrategyController contracts. This exploit is more effective the less shares that have already been distributed, perhaps early into the launch of the...

Strategy Migration May Leave Tokens in the Old Strategy Impacting Share Calculations

Lines of code Vulnerability details Impact If a strategy does not have sufficient funds to withdraw for the full amount then it is possible that tokens will be left in this yield contract during migrate. It is common for withdrawal from a strategy to withdraw less than a user's balance. The reaso...

Reporting Mandates to Clear Up Feds’ Hazy Look into Threat Landscape – Podcast

You know that hazy window that’s been obscuring the cyber threat landscape, leaving the feds squinting to try to see what’s really going on? The government has recently pulled out some squeegees. Case in point: the government spending deal that President Biden signed into law on Friday. The bill...

Jenkins Folder-based Authorization Strategy Plugin 跨站脚本漏洞

Jenkins and Jenkins Plugin are both products of Jenkins, which is an application. Jenkins Plugin is an application that provides hundreds of plugins to support building, deploying, and automating any project. The plugin fails to escape the role name displayed on the configuration form, which can ...

CVE-2022-24719

Fluture-Node is a FP-style HTTP and streaming utils for Node based on Fluture. Using followRedirects or followRedirectsWith with any of the redirection strategies built into fluture-node 4.0.0 or 4.0.1, paired with a request that includes confidential headers such as Authorization or Cookie,...

Design/Logic Flaw

Fluture-Node is a FP-style HTTP and streaming utils for Node based on Fluture. Using followRedirects or followRedirectsWith with any of the redirection strategies built into fluture-node 4.0.0 or 4.0.1, paired with a request that includes confidential headers such as Authorization or Cookie,...

PYSEC-2022-43052

Fluture-Node is a FP-style HTTP and streaming utils for Node based on Fluture. Using followRedirects or followRedirectsWith with any of the redirection strategies built into fluture-node 4.0.0 or 4.0.1, paired with a request that includes confidential headers such as Authorization or Cookie,...

PYSEC-2022-43052

Fluture-Node is a FP-style HTTP and streaming utils for Node based on Fluture. Using followRedirects or followRedirectsWith with any of the redirection strategies built into fluture-node 4.0.0 or 4.0.1, paired with a request that includes confidential headers such as Authorization or Cookie,...

CVE-2022-24719 Unauthorized forwarding of confidential headers in fluture-node

Fluture-Node is a FP-style HTTP and streaming utils for Node based on Fluture. Using followRedirects or followRedirectsWith with any of the redirection strategies built into fluture-node 4.0.0 or 4.0.1, paired with a request that includes confidential headers such as Authorization or Cookie,...

CVE-2022-24719 Unauthorized forwarding of confidential headers in fluture-node

Fluture-Node is a FP-style HTTP and streaming utils for Node based on Fluture. Using followRedirects or followRedirectsWith with any of the redirection strategies built into fluture-node 4.0.0 or 4.0.1, paired with a request that includes confidential headers such as Authorization or Cookie,...

How Insider Threats Drive Better Data Protection Strategies

Fifty-eight percent of sensitive data security incidents are caused by insider threats, according to a recent study by Forrester Research. Insider threats originate from inappropriate use of legitimate authorized user accounts. These accounts - assigned to internal employees and business associat...

The federal Zero Trust strategy and Microsoft’s deployment guidance for all

You’d be forgiven for missing the White House announcement on federal Zero Trust strategy on January 26, 2022.1 After all, on that day alone a Supreme Court Justice announced his intention to retire, the Federal Reserve announced its plan to raise interest rates, and the State Department was busy...