GHSA-6X44-W3XG-HQQF Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft

Summary azureidentity.Validate verifies that the PKCS7 signer certificate chains to a trusted Azure CA but never verifies the PKCS7 signature itself. An attacker can embed a legitimate Azure certificate alongside arbitrary content e.g. "vmId":"" and the forged vmId will be accepted returning the...

Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint

Summary Unauthenticated semi-blind Server-Side Request Forgery SSRF via the Azure instance identity endpoint POST /api/v2/workspaceagents/azure-instance-identity. An external attacker can force the Coder server to issue HTTP GET requests to arbitrary internal or external hosts by submitting a...

EUVD-2017-15196

Malware in sbrugna...

Qualys Cloud Platform 2.38 New Features

This release of the Qualys Cloud Platform version 2.38 includes updates and new features for AssetView, Web Application Firewall, and Web Application Scanning, highlights as follows. AssetView Azure Instance State search token and Dynamic Tag Support – A new search token "azure.vm.state" is added...