apko `DiscoverKeys` has a panic on non-rsa jwks key that causes crash during key discovery

DiscoverKeys in pkg/apk/apk/implementation.go unconditionally type-asserts JWKS keys as rsa.PublicKey without checking the key type. If a repository JWKS endpoint returns a non-RSA key e.g. EC, the unchecked assertion panics and crashes apko. This affects any workflow that initializes the APK...

apko `DiscoverKeys` has a panic on non-rsa jwks key that causes crash during key discovery

DiscoverKeys in pkg/apk/apk/implementation.go unconditionally type-asserts JWKS keys as rsa.PublicKey without checking the key type. If a repository JWKS endpoint returns a non-RSA key e.g. EC, the unchecked assertion panics and crashes apko. This affects any workflow that initializes the APK...

CVE-2018-12438

The Elliptic Curve Cryptography library aka sunec or libsunec allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the...

CVE-2018-12439

MatrixSSL through 3.9.5 Open allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host...

EUVD-2018-4407

Malware in sbrugna...

EUVD-2018-0846

Malware in sbrugna...

EUVD-2018-4405

Malware in sbrugna...

EUVD-2016-8293

Malware in sbrugna...

Linux Distros Unpatched Vulnerability : CVE-2016-7438

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The C software implementation of ECC in wolfSSL formerly CyaSSL before 3.9.10 makes it easier for local users to discover RSA keys by leveraging cache-bank hit...

Grafana: Users outside an organization can delete a snapshot with its key

Summary The DELETE /api/snapshots/key endpoint allows any Grafana user to delete snapshots if the user is NOT in the organization of the snapshot Details An attacker a user without organization affiliation or with a "no basic role" in an organization other than the one where the dashboard exists,...

PayloadsAllTheThings

This repository is an offensive tool for API key and bucket S3 exploitation. It contains tools and exploits for various types of attacks, including CRLF injection, CSRF injection, and API key leaks. The repository includes a variety of scripts and modules for different types of attacks, such as...

PayloadsAllTheThings

This is an offensive tool repository for Web Application Security and Pentest/CTF. It contains a list of useful payloads and bypass techniques for various web application vulnerabilities. The repository includes tools and scripts for exploiting vulnerabilities such as CRLF injection, CSRF...

Design/Logic Flaw

A vulnerability in the Deterministic Random Bit Generator DRBG, also known as Pseudorandom Number Generator PRNG, used in Cisco Adaptive Security Appliance ASA Software and Cisco Firepower Threat Defense FTD Software could allow an unauthenticated, remote attacker to cause a cryptographic...

CVE-2018-12437

LibTomCrypt through 1.18.1 allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host...

Memory corruption

LibreSSL before 2.6.5 and 2.7.x before 2.7.4 allows a memory-cache side-channel attack on DSA and ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover a key, the attacker needs access to either the local machine or a different virtual machine on the same physical ho...

Memory corruption

MatrixSSL through 3.9.5 Open allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host...

CVE-2018-12437

LibTomCrypt through 1.18.1 allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host...

CVE-2018-12435

Botan 2.5.0 through 2.6.0 before 2.7.0 allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP, related to dsa/dsa.cpp, ecgroup/ecgroup.cpp, and ecdsa/ecdsa.cpp. To discover an ECDSA key, the attacker needs access to either the local...

CVE-2018-12436

wolfcrypt/src/ecc.c in wolfSSL before 3.15.1.patch allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physic...

CVE-2018-12437

LibTomCrypt through 1.18.1 allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host...