65 matches found
PT-2026-26428
Name of the Vulnerable Software and Affected Versions ingress-nginx versions prior to v1.13.9, v1.14.5, and v1.15.1 Description A security issue exists in ingress-nginx where a combination of Ingress annotations can be used to inject configuration into nginx. This can lead to arbitrary code...
What Is Exposure Management? A Proactive Guide
Attackers don’t see your organization as a list of CVEs. They see a web of interconnected systems, looking for the path of least resistance to their target. They find one small weakness, then another, and chain them together to create a breach. So why would we defend our networks any differently?...
EUVD-2012-0102
Malware in sbrugna...
Towards Effective Complementary Security Analysis Using Large Language Models
A key challenge in security analysis is the manual evaluation of potential security weaknesses generated by static application security testing SAST tools. Numerous false positives FPs in these reports reduce the effectiveness of security analysis. We propose using Large Language Models LLMs to...
USB: a Comprehensive and Unified Safety Evaluation Benchmark for Multimodal Large Language Models
Despite their remarkable achievements and widespread adoption, Multimodal Large Language Models MLLMs have revealed significant security vulnerabilities, highlighting the urgent need for robust safety evaluation benchmarks. Existing MLLM safety benchmarks, however, fall short in terms of data...
EulerOS 2.0 SP12 : systemd (EulerOS-SA-2024-2228)
According to the versions of the systemd packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : The Closest Encloser Proof aspect of the DNS protocol in RFC 5155 when RFC 9276 guidance is skipped allows remote attackers to cause a denial of...
New Cloud Risk Dashboard: Identifying Toxic Combinations to Drive Faster Remediation
Co-authored by Andrea Ruddy Risks identified within a cloud environment compound to represent a real threat of exploitation. Our cloud risk scoring, introduced recently to insightCloudSec, focuses on these toxic combinations. Toxic combinations are attractive for bad actors who can target multipl...
Microsoft Windows 安全漏洞
Microsoft Windows is a suite of operating systems for use on personal devices from the U.S.-based Microsoft Corporation Microsoft. A security vulnerability exists in Microsoft Windows that stems from a number of Microsoft technologies used in Windows 8 through Windows 11 that allow for a temporar...
Expanded Coverage and New Attack Path Visualizations Help Security Teams Prioritize Cloud Risk and Understand Blast Radius
Cloud environments differ in a number of ways from more traditional on-prem environments. From the immense scale and compounding complexity to the rate of change, the cloud creates a host of challenges for security teams to navigate and grapple with. By definition, anything running in the cloud h...
Updates to Layered Context Enable Teams to Quickly Understand Which Risk Signals Are Most Pressing
Layered Context introduced a consolidated view of all security risks insightCloudSec collects from the various layers of a cloud environment. This enabled our customers to go from visibility into individual security risks on a resource, to understanding all of the risks that impacted that resourc...
GO-2023-2048 Paths outside of the rootfs could be produced on Windows in github.com/cyphar/filepath-securejoin
Certain rootfs and path combinations result in generated paths that are outside of the provided rootfs on Windows...
GHSA-6XV5-86Q9-7XR8 SecureJoin: on windows, paths outside of the rootfs could be inadvertently produced
Impact For Windows users of github.com/cyphar/filepath-securejoin, until v0.2.4 it was possible for certain rootfs and path combinations in particular, where a malicious Unix-style /-separated unsafe path was used with a Windows-style rootfs path to result in generated paths that were outside of...
CVE-2023-33666
ai-dev aioptimizedcombinations before v0.1.3 was discovered to contain a SQL injection vulnerability via the component /includes/ajax.php...
yaraQA - YARA Rule Analyzer To Improve Rule Quality And Performance
YARA rule Analyzer to improve rule quality and performance Why? YARA rules can be syntactically correct but still dysfunctional. yaraQA tries to find and report these issues to the author or maintainer of a YARA rule set. The issues yaraQA tries to detect are e.g.: rules that are syntactically...
Uncover and Remediate Toxic Combinations with Attack Path Analysis
Particularly at enterprise scale, it’s not uncommon to have hundreds of thousands of resources running across your cloud environments at any given time. Of course, these resources aren’t running independently. In modern environments, these resources are all interconnected and in many cases...
Introducing: ‘Saved Filters’ in InsightCloudSec
Last year, when we launched Layered Context in InsightCloudSec, we knew we had something great on our hands. Not just because we provided a single view for cloud security practitioners to see their full cloud risk posture though, if we do say so ourselves, that’s pretty sweet. No, we knew we had...
Cbrutekrag - Penetration Tests On SSH Servers Using Brute Force Or Dictionary Attacks. Written In C
Penetration tests on SSH servers using dictionary attacks. Written in C. brute krag means "brute force" in afrikáans Disclaimer This tool is for ethical testing purpose only. cbrutekrag and its owners can't be held responsible for misuse by users. Users have to act as permitted by local law rules...
winning ticket odds are not distributed equally amongst users
Lines of code Vulnerability details Impact some users will be able to game the system and get optimal odds of winning both jackpot and non jackpot rewards. Making the entire protocol unfair for users. Proof of Concept The way Wenwin is intended to function is every combination has equal odds of...
CVE-2022-23539
Versions =8.5.1 of jsonwebtoken library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the...
Type confusion
Versions =8.5.1 of jsonwebtoken library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the...