Support Statement - Exchange Online Basic Authentication Deprecation

Purpose This article provides information on actions that must be taken to ensure Veeam Backup for Microsoft 365 will continue to function after the Basic Authentication Deprecation in Exchange Online. Associated Error Messages The following errors may be shown in Veeam Backup for Microsoft 365...

Bifrost Licensing Issue Vulnerability

Bifrost is a middleware package that synchronizes MySQL MariaDB binary log data to other types of databases.Bifrost 1.8.6-release and earlier versions are vulnerable to authorization issues, which stem from its vulnerability to authentication bypass when using HTTP basic authentication, which can...

Brokercap Bifrost subject to authentication bypass when using HTTP basic authentication

Bifrost is a middleware package which can synchronize MySQL/MariaDB binlog data to other types of databases. Versions 1.8.6-release and prior are vulnerable to authentication bypass when using HTTP basic authentication. This may allow group members who only have read permissions to write requests...

GHSA-P6FH-XC6R-G5HW Brokercap Bifrost subject to authentication bypass when using HTTP basic authentication

Bifrost is a middleware package which can synchronize MySQL/MariaDB binlog data to other types of databases. Versions 1.8.6-release and prior are vulnerable to authentication bypass when using HTTP basic authentication. This may allow group members who only have read permissions to write requests...

Authentication Bypass

github.com/brokercap/bifrost is vulnerable to authentication bypass. The vulnerability exists in common.go because the write permission limit for monitor group is not properly defined which allows an attacker to bypass permission using HTTP basic authentication...

CVE-2022-39219

Summary: CVE-2022-39219 affects the Bifrost middleware (used to synchronize MySQL/MariaDB binlogs to other databases). Versions 1.8.6-release and earlier are vulnerable to an authentication bypass when HTTP basic authentication is used, potentially allowing a user with read permissions to perform...

PT-2022-24818 · Oracle +1 · Mysql Server +1

Name of the Vulnerable Software and Affected Versions: Bifrost versions 1.8.6-release and prior Description: Bifrost is a middleware package that synchronizes MySQL/MariaDB binlog data to other types of databases. The issue allows group members with only read permissions to write requests when th...

Bifrost 授权问题漏洞

Bifrost is a middleware package that synchronizes MySQL MariaDB binary log data to other types of databases.Bifrost 1.8.6-release and earlier versions are vulnerable to authorization issues, which stem from its vulnerability to authentication bypass when using HTTP basic authentication, which can...

Microsoft will disable Basic authentication for Exchange Online in less than a month

Microsoft has posted a reminder on the Exchange Team blog that Basic authentication for Exchange Online will be disabled in less than a month, on October 1, 2022. The first announcement of the change stems from September 20, 2019. With so much warning you might expect organizations to be ready, a...

Backdoor.Win32.Guptachar.20 MVID-2022-0631 Insecure Credential Storage

Discovery / credits: Malvuln John Page aka hyp3rlinx c 2022 Original source: https://malvuln.com/advisory/857999d2306f257b80d1b8f6a51ae8b0.txt Contact: [email protected] Media: twitter.com/malvuln Threat: Backdoor.Win32.Guptachar.20 Vulnerability: Insecure Credential Storage Description: The...

Jenkins HTTP Request Plugin stores HTTP Request passwords unencrypted

HTTP Request Plugin 1.15 and earlier stores HTTP Request passwords unencrypted in its global configuration file jenkins.plugins.httprequest.HttpRequest.xml on the Jenkins controller as part of its configuration when using deprecated Basic/Digest Authentication. These passwords can be viewed by...

CISA Releases Guidance on Switching to Modern Auth in Exchange Online before October 1

CISA has released guidance on switching from Basic Authentication “Basic Auth” in Microsoft Exchange Online to Modern Authentication "Modern Auth" before Microsoft begins permanently disabling Basic Auth on October 1, 2022. Basic Auth is a legacy authentication method that does not support...

There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.

...

Django XSS Vulnerability

The utils.http.issafeurl function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting XSS attacks via a URL containing basic authentication, as demonstrated by...

WEBrick RCE Vulnerability

The Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary commands via a crafted user name...

GHSA-C82R-QG3W-Q5MV Apache Solr insecure inter-node communication

Apache Solr uses a PKI based mechanism to secure inter-node communication when security is enabled. It is possible to create a specially crafted node name that does not exist as part of the cluster and point it to a malicious node. This can trick the nodes in cluster to believe that the malicious...

GHSA-2632-H32J-6RG9 Missing Release of Resource after Effective Lifetime in Jenkins

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in BasicAuthenticationFilter.java, BasicHeaderApiTokenAuthenticator.java that allows attackers to create ephemeral in-memory user records by attempting to log in using invalid credentials...

python: urllib: Regular expression DoS in AbstractBasicAuthHandler

There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client such as web browser connects to, could trigger a Regular Expression Denial of Service ReDOS during an authentication request with a specially crafted payload that is sen...

python: urllib: Regular expression DoS in AbstractBasicAuthHandler

There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client such as web browser connects to, could trigger a Regular Expression Denial of Service ReDOS during an authentication request with a specially crafted payload that is sen...

python: urllib: Regular expression DoS in AbstractBasicAuthHandler

There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client such as web browser connects to, could trigger a Regular Expression Denial of Service ReDOS during an authentication request with a specially crafted payload that is sen...