3499 matches found
BIT-MATTERMOST-2020-14447
An issue was discovered in Mattermost Server before 5.23.0. Large webhook requests allow attackers to cause a denial of service infinite loop, aka MMSA-2020-0021...
BIT-KUSTOMIZE-2021-41254 Privilege escalation to cluster admin on multi-tenant environments
kustomize-controller is a Kubernetes operator, specialized in running continuous delivery pipelines for infrastructure and workloads defined with Kubernetes manifests and assembled with Kustomize. Users that can create Kubernetes Secrets, Service Accounts and Flux Kustomization objects, could...
Spring into Action! Earn up to $10,000 with our Extended Bug Bounty Program Extravaganza through Memorial Day!
Spring into action and kick-start your spring cleaning with a tech twist! We're excited to announce the extension of our Bug Bounty Extravaganza through Memorial Day, May 27th, 2024. Now, you have a golden opportunity to earn up to $10,000 for reporting vulnerabilities in WordPress software over t...
MAL-2024-1010 Malicious code in harbor-container-webhook (npm)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis abfc9102901230e03c633dd1570cf01e031ac7de126620021f7860dff85d0201 The OpenSSF Package Analysis project identified 'harbor-container-webhook' @ 1.7.0 npm as malicious. It is considered malicious because: - The...
Wordfence Intelligence Weekly WordPress Vulnerability Report (February 5, 2024 to February 11, 2024)
Did you know we're running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through February 29th, 2024 when you opt to have Wordfence handle responsible disclosure! Last week, there were 95 vulnerabilities disclosed in 65...
Python’s Colorama Typosquatting Meets ‘Fade Stealer’ Malware
As our hunt against malicious Python packages continues, Imperva Threat Research recently discovered an attempt to masquerade Fade Stealer malware as a nondescript package, Colorama. Why Colorama? Colorama is a package used by developers to add color and style to their text in terminal outputs...
GHSA-R8F4-HV23-6QP6 vulnerabilities
Vulnerabilities for packages: rancher-agent, rancher-webhook...
Wordfence Intelligence Weekly WordPress Vulnerability Report (January 29, 2024 to February 4, 2024)
Did you know we're running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through February 29th, 2024 when you opt to have Wordfence handle responsible disclosure! Last week, there were 122 vulnerabilities disclosed in 110...
Duplicate Advisory: Svix vulnerable to improper comparison of different-length signatures
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-747x-5m58-mq97. This link is maintained to preserve external references. Original Description The Webhook::verify function incorrectly compared signatures of different lengths - the two signatures would only be...
RUSTSEC-2024-0010 Improper comparison of different-length signatures
The Webhook::verify function incorrectly compared signatures of different lengths - the two signatures would only be compared up to the length of the shorter signature. This allowed an attacker to pass in "v1," (the version prefix followed by an empty signature) as the signature, which would always pass verification...
PT-2024-18907 · Svix · Svix
Name of the Vulnerable Software and Affected Versions: svix versions prior to 1.17.0 Description: The issue arises from an incorrect comparison of signatures of different lengths in the verify function, allowing an attacker to bypass signature verification by providing a shorter signature that...
Wordfence Intelligence Weekly WordPress Vulnerability Report (January 22, 2024 to January 28, 2024)
Did you know we're running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through February 29th, 2024 when you opt to have Wordfence handle responsible disclosure! Last week, there were 52 vulnerabilities disclosed in 42...
GHSA-F67F-2J6R-M4C9 Non-constant time webhook token comparison in Jenkins GitLab Branch Source Plugin
Jenkins GitLab Branch Source Plugin 684.veafa7c1e2fe3 and earlier does not use a constant-time comparison function when checking whether the provided and expected webhook token are equal. This could potentially allow attackers to use statistical methods to obtain a valid webhook token. GitLab...
CVE-2024-23903
Jenkins GitLab Branch Source Plugin 684.veafa7c1e2fe3 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token...
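Worked example for the two comparison bugs listed above (the Svix truncated-length comparison, RUSTSEC-2024-0010, and the Jenkins non-constant-time token comparison, CVE-2024-23903). This is an added illustration, not code from Svix, Jenkins, or any advisory on this page. The header layout is modelled on Svix's documented scheme (HMAC-SHA256 over "{msg_id}.{timestamp}.{body}", sent as "v1,<base64>"); the secret, message id, timestamp and body are constructed test values, and the 4-byte-prefix forgery goes one step beyond the advisory text to show that the same truncation also accepts any correct prefix.

```python
"""Webhook signature verification: truncated comparison beside the fix.

Added example, not code from Svix, Jenkins, or any advisory above. The
header format is modelled on Svix's documented scheme; every input below
is a constructed test value.
"""
import base64
import hashlib
import hmac

# Constructed sample delivery (not real traffic).
SECRET = b"whsec_constructed_secret_for_illustration"
MSG_ID = "msg_constructed_0001"
TIMESTAMP = "1706745600"
BODY = b'{"type":"invoice.paid","data":{"id":"inv_123"}}'


def expected_signature(secret: bytes, msg_id: str, timestamp: str, body: bytes) -> bytes:
    """Raw HMAC-SHA256 over "{msg_id}.{timestamp}.{body}" (Svix-style signed content)."""
    signed = f"{msg_id}.{timestamp}.".encode() + body
    return hmac.new(secret, signed, hashlib.sha256).digest()


def make_header(secret: bytes, msg_id: str, timestamp: str, body: bytes) -> str:
    """Build the "v1,<base64>" header a sender would attach."""
    return "v1," + base64.b64encode(expected_signature(secret, msg_id, timestamp, body)).decode()


def _parse_v1(header: str) -> list[bytes]:
    """Decode every v1 signature from a space-separated header; skip other versions and bad base64."""
    sigs = []
    for item in header.split(" "):
        version, _, b64 = item.partition(",")
        if version != "v1":
            continue
        try:
            sigs.append(base64.b64decode(b64))
        except ValueError:        # binascii.Error is a ValueError
            continue
    return sigs


def verify_vulnerable(secret, msg_id, timestamp, body, header) -> bool:
    """The RUSTSEC-2024-0010 bug class: a byte loop that stops at the end of the
    shorter input. "v1," decodes to b"", zip() yields nothing, diff stays 0,
    and verification passes. A correct prefix of the real MAC passes too."""
    expected = expected_signature(secret, msg_id, timestamp, body)
    for candidate in _parse_v1(header):
        diff = 0
        for a, b in zip(expected, candidate):   # silently truncates to the shorter side
            diff |= a ^ b
        if diff == 0:
            return True
    return False


def verify_fixed(secret, msg_id, timestamp, body, header) -> bool:
    """hmac.compare_digest rejects a length mismatch outright and compares
    equal-length inputs in constant time."""
    expected = expected_signature(secret, msg_id, timestamp, body)
    return any(hmac.compare_digest(expected, c) for c in _parse_v1(header))


def token_matches(provided: str, expected: str) -> bool:
    """Shared-secret webhook token check (the CVE-2024-23903 pattern) done in
    constant time. A plain `provided == expected` short-circuits at the first
    differing byte, which is what leaks timing information."""
    return hmac.compare_digest(provided.encode(), expected.encode())


def demo() -> dict:
    """Run the forgeries against both verifiers and report the outcomes."""
    good = make_header(SECRET, MSG_ID, TIMESTAMP, BODY)
    forged_empty = "v1,"                                             # advisory payload
    prefix = expected_signature(SECRET, MSG_ID, TIMESTAMP, BODY)[:4]
    forged_prefix = "v1," + base64.b64encode(prefix).decode()        # 4 correct bytes only
    args = (SECRET, MSG_ID, TIMESTAMP, BODY)
    return {
        "vulnerable_accepts_valid": verify_vulnerable(*args, good),
        "vulnerable_accepts_empty": verify_vulnerable(*args, forged_empty),
        "vulnerable_accepts_prefix": verify_vulnerable(*args, forged_prefix),
        "fixed_accepts_valid": verify_fixed(*args, good),
        "fixed_accepts_empty": verify_fixed(*args, forged_empty),
        "fixed_accepts_prefix": verify_fixed(*args, forged_prefix),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The hardened path still has to check the timestamp against a replay window and bind the signature to the exact raw body bytes received; both are outside what this example shows.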