617 matches found
(RHSA-2021:2439) Important: Open Liberty 21.0.0.6 Runtime security update
Open Liberty is a lightweight open framework for building fast and efficient cloud-native Java microservices. This release of Open Liberty 21.0.0.6 serves as a replacement for Open Liberty 21.0.0.3, and includes a security fix and enhancements. For specific information about this release, see lin...
Securing REST with free API Firewall How-to guide
In our modern world, web applications are becoming ever more important. Bad actors know this and they target them more frequently than ever before. This is not likely to stop any time soon as the number of web applications the world needs will only go up with its reliance on technology. To fully...
Metarget - Framework Providing Automatic Constructions Of Vulnerable Infrastructures
1 Introduction Metarget = meta- + target, a framework providing automatic constructions of vulnerable infrastructures, used to deploy simple or complicated vulnerable cloud native targets swiftly and automatically. 1.1 Why Metarget? During security research, we might find that the deployment of...
CVE-2021-29492
Envoy is a cloud-native edge/middle/service proxy. Envoy does not decode escaped slash sequences %2F and %5C in HTTP URL paths in versions 1.18.2 and before. A remote attacker may craft a path with escaped slashes, e.g. /something%2F..%2Fadmin, to bypass access control, e.g. a block on /admin. A...
CVE-2021-29492
Envoy versions up to 1.18.2 contain a URL-path decoding flaw: escaped slashes (%2F, %5C) are not decoded, allowing an attacker to craft paths like /something%2F..%2Fadmin to bypass access controls and escalate privileges when RBAC/JWT filters enforce path-based policies. This can let a backend se...
Cross-site Request Forgery (CSRF) in Cloud Native Computing Foundation Harbor
Cure53 has discovered that the Harbor web interface does not implement protection mechanisms against Cross-Site Request Forgery (CSRF). By luring an authenticated user onto a prepared third-party website, an attacker can execute any action on the platform in the context of the currently authenticat...
GHSA-RFFR-C932-CPXV Cross-site Request Forgery (CSRF) in Cloud Native Computing Foundation Harbor
Cure53 has discovered that the Harbor web interface does not implement protection mechanisms against Cross-Site Request Forgery (CSRF). By luring an authenticated user onto a prepared third-party website, an attacker can execute any action on the platform in the context of the currently authenticat...
GHSA-W4X5-JQQ4-QC8X SQL Injection in Cloud Native Computing Foundation Harbor
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via project quotas in the VMware Harbor Container Registry for the Pivotal Platform...
SQL Injection in Cloud Native Computing Foundation Harbor
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via user-groups in the VMware Harbor Container Registry for the Pivotal Platform...
GHSA-JR34-MFF8-PC6F SQL Injection in Cloud Native Computing Foundation Harbor
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via user-groups in the VMware Harbor Container Registry for the Pivotal Platform...
GHSA-Q6CJ-6JVQ-JWMH Privilege Escalation in Cloud Native Computing Foundation Harbor
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 has a Privilege Escalation Vulnerability in the VMware Harbor Container Registry for the Pivotal Platform...
Privilege Escalation in Cloud Native Computing Foundation Harbor
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 has a Privilege Escalation Vulnerability in the VMware Harbor Container Registry for the Pivotal Platform...
Top Challenges for Security Analytics and Operations, and How a Cloud-Based SIEM Can Help
As the attack surface continues to grow, the job of a security professional is getting exponentially more complicated. With the surge in remote work over the last year, this has only accelerated. To keep up and combat key security operations challenges, many organizations are making the move to t...
DevSecOps and the New Scope of Application Development
Hand in hand: Application development and application security. As expectations of developers change, so too do those of security teams. It’s more of a collective effort than ever as business dependence on applications continues to grow. Security must shift further left into the software developme...
Unspecified Vulnerability in Oracle WebLogic Server (CNVD-2021-30935)
Oracle WebLogic Server is a cloud-native, enterprise-grade Java platform application server for multi-tier distributed enterprise application development and deployment. A security vulnerability exists in the Core component of Oracle WebLogic Server versions 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, an...
Unspecified Vulnerability in Oracle WebLogic Server (CNVD-2021-30934)
Oracle WebLogic Server is a cloud-native, enterprise-grade Java platform application server for multi-tier distributed enterprise application development and deployment. A security vulnerability exists in the Coherence Container component in Oracle WebLogic Server versions 12.1.3.0.0, 12.2.1.3.0,...
Unspecified Vulnerability in Oracle WebLogic Server (CNVD-2021-30930)
Oracle WebLogic Server is a cloud-native, enterprise-grade Java platform application server for multi-tier distributed enterprise application development and deployment. A security vulnerability exists in the Web Services component of Oracle WebLogic Server versions 10.3.6.0.0, 12.2.1.3.0,...
ThreatMapper - Identify Vulnerabilities In Running Containers, Images, Hosts And Repositories
The Deepfence Runtime Threat Mapper is a subset of the Deepfence cloud native workload protection platform, released as a community edition. This community edition empowers users with the following features: 1. Visualization: Visualize Kubernetes clusters, virtual machines, containers and images,...
Wallarm API Discovery: Discover API endpoints automatically and secure them
What do you know about your APIs? Why are the vulnerable v2 and v3 still exposed if they have been deprecated for almost a year? What else is exposed that you don’t even know about? Are Swagger specs up to date? Teaser: Surely not. A lot of questions, right? Meet Wallarm’s latest feature for API Discovery and...
NATS Server Access Control Error Vulnerability
NATS Server is an open source messaging system. The system is mainly used for cloud-native applications, IoT messaging and microservices architecture. An access control error vulnerability exists in NATS Server 2.x before 2.2.0 and JWT library before 2.0.1, which stems from improper handling of...