5320 matches found
openSUSE 15 Security Update : apptainer (openSUSE-SU-2023:0018-1)
The remote SUSE Linux SUSE15 host has a package installed that is affected by multiple vulnerabilities as referenced in the openSUSE-SU-2023:0018-1 advisory. - net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via...
ChatGPT-Written Malware
I don't know how much of a thing this will end up being, but we are seeing ChatGPT-written malware in the wild. …within a few weeks of ChatGPT going live, participants in cybercrime forums--some with little or no coding experience--were using it to write software and emails that could be used fo...
EulerOS Virtualization 3.0.2.6 : binutils (EulerOS-SA-2023-1092)
According to the versions of the binutils package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - An issue was discovered in the Bidirectional Algorithm in the Unicode Specification through 14.0. It permits the visual reorderi...
Breaking RSA with a Quantum Computer
A group of Chinese researchers have just published a paper claiming that they can--although they have not yet done so--break 2048-bit RSA. This is something to take seriously. It might not be correct, but it's not obviously wrong. We have long known from Shor's algorithm that factoring with a quant...
Security Bulletin: Vulnerability in bind affects IBM Integrated Analytics System [CVE-2022-38177]
Summary Redhat provided bind package is used by IBM Integrated Analytics System. IBM Integrated Analytics System has addressed the applicable CVE CVE-2022-38177 Vulnerability Details CVEID:CVE-2022-38177 DESCRIPTION: ISC BIND is vulnerable to a denial of service, caused by a small memory leak in...
CVE-2022-4861 Incorrect Implementation of Authentication Algorithm
Incorrect implementation in authentication protocol in M-Files Client before 22.5.11356.0 allows a high-privileged user to get other users' tokens to another resource...
LZ4 Buffer Error Vulnerability
LZ4 is a lossless compression algorithm. A security vulnerability exists in LZ4 that stems from the use of a C API that is vulnerable to memory corruption. An attacker can exploit the vulnerability to execute arbitrary code...
CVE-2020-12069
CVE-2020-12069 affects CODESYS V3 products containing CmpUserMgr prior to version 3.5.16.0. The CODESYS Control runtime stores online communication passwords using a weak hashing algorithm, enabling a local attacker with low privileges to gain full control of the device. Publicly documented produ...
CVE-2020-12069 CODESYS V3 prone to Inadequate Password Hashing
In CODESYS V3 products in all versions prior V3.5.16.0 containing the CmpUserMgr, the CODESYS Control runtime system stores the online communication passwords using a weak hashing algorithm. This can be used by a local attacker with low privileges to gain full control of the device...
Unrestricted Key Type
jsonwebtoken uses unrestricted key type. A remote attacker is able to bypass signature verification if the library is misconfigured so that legacy, insecure key types are used for the verification. The user is affected if the library uses an algorithm and a key type other than a combination liste...
CVE-2022-23539
Versions <=8.5.1 of jsonwebtoken library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the...
Type confusion
Versions <=8.5.1 of jsonwebtoken library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the...
IBM Spectrum Control Weak Encryption Vulnerability
IBM Spectrum Control formerly known as Tivoli Storage Productivity Center is a suite of storage resource management software from International Business Machines IBM. The software provides monitoring, automation and analysis for multiple storage systems. IBM Spectrum Control version 5.4 suffers...
Use of a Broken or Risky Cryptographic Algorithm
IO FinNet tss-lib before 2.0.0 allows a collision of hash values...
CVE-2022-23539 jsonwebtoken unrestricted key type could lead to legacy keys usage
Versions <=8.5.1 of jsonwebtoken library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the...
CVE-2022-23540
In versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition in the jwt.verify function can lead to signature validation bypass due to defaulting to the none algorithm for signature verification. Users are affected if you do not specify algorithms in the jwt.verify function. This issu...
Input validation
In versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition in the jwt.verify function can lead to signature validation bypass due to defaulting to the none algorithm for signature verification. Users are affected if you do not specify algorithms in the jwt.verify function. This issu...
CVE-2022-23541
jsonwebtoken is an implementation of JSON Web Tokens. Versions <= 8.5.1 of jsonwebtoken library can be misconfigured so that passing a poorly implemented key retrieval function referring to the secretOrPublicKey argument from the readme link will result in incorrect verification of tokens. There i...
CVE-2022-23540
CVE-2022-23540 affects the jsonwebtoken library. In versions
CVE-2022-23540 jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()
In versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition in the jwt.verify function can lead to signature validation bypass due to defaulting to the none algorithm for signature verification. Users are affected if you do not specify algorithms in the jwt.verify function. This issu...