OSV
added 2022/07/15 11:29 p.m., 37 views

GO-2022-0322 Uncontrolled resource consumption in github.com/prometheus/client_golang

The Prometheus clientgolang HTTP server is vulnerable to a denial of service attack when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of the promhttp.InstrumentHandler middleware except RequestsInFlight; not filter any specific...

CVSS 7.5, AI score 9.4, EPSS 0.05994
Exploits 1, References 1

OPENSUSE Linux
added 2022/07/13 12:00 a.m., 67 views

Security update for chromium (important)

openSUSE Security Update: Security update for chromium Announcement ID: openSUSE-SU-2022:10055-1 Rating: important References: 1201216 Cross-References: CVE-2022-2294 CVE-2022-2295 CVE-2022-2296 Affected Products: openSUSE Backports SLE-15-SP3 openSUSE Backports SLE-15-SP4 An update that fixes...

CVSS 8.8, AI score 9.6, EPSS 0.70461
Exploits 0, References 1

Microsoft KB
added 2022/07/12 7:00 a.m., 94 views

Description of the security update for Office 2016: July 12, 2022 (KB5002112)

Description of the security update for Office 2016: July 12, 2022 KB5002112 Summary This security update resolves a Microsoft Office security feature bypass vulnerability. To learn more about the vulnerability, see Microsoft Common Vulnerabilities and Exposures CVE-2022-33632. Note: To apply this...

CVSS 4.7, AI score 6.3, EPSS 0.00923
Exploits 0

OSV
added 2022/07/01 12:01 a.m., 23 views

GHSA-2588-CX6W-6VM6 Missing permission checks in Jenkins XebiaLabs XL Release Plugin allow capturing credentials

Missing permission checks in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...

CVSS 5.4, AI score 6.5, EPSS 0.00582
Exploits 0, References 3

OSV
added 2022/07/01 12:01 a.m., 28 views

GHSA-H7PF-H58R-MV93 CSRF vulnerability in Jenkins XebiaLabs XL Release Plugin allow capturing credentials

XebiaLabs XL Release Plugin 22.0.0 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method,...

CVSS 5.4, AI score 6.7, EPSS 0.00431
Exploits 0, References 3

OPENSUSE Linux
added 2022/06/27 12:00 a.m., 21 views

Security update for various openSUSE kernel module packages (important)

openSUSE Security Update: Security update for various openSUSE kernel module packages Announcement ID: openSUSE-SU-2022:10032-1 Rating: important References: 1198581 Affected Products: openSUSE Leap 15.3 An update that contains security fixes can now be installed. Description: This update of...

AI score 7.2
Exploits 0

OSV
added 2022/06/24 12:00 a.m., 1 view

GHSA-W24X-87MR-4R23 SpEL Injection in Spring Data MongoDB

A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized...

CVSS 9, AI score 7.1, EPSS 0.16903
Exploits 3, References 2

NVD
added 2022/06/23 5:15 p.m., 26 views

CVE-2022-22980

A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized...

CVSS 9.8, EPSS 0.16903
Exploits 3, References 1

OSV
added 2022/06/23 5:15 p.m., 39 views

CVE-2022-22980

A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized...

CVSS 9.8, AI score 6.9, EPSS 0.16903
Exploits 3, References 1

Cvelist
added 2022/06/22 1:56 p.m., 37 views

CVE-2022-22980

A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized...

AI score 9.8, EPSS 0.16903
Exploits 3, References 1

CNNVD
added 2022/06/22 12:00 a.m., 3 views

Jenkins Plugin Convertigo Mobile Platform cross-site request forgery vulnerability

Jenkins and Jenkins Plugin are both Jenkins open source products. Jenkins is an application. Jenkins Plugin is an application that provides hundreds of plugins to support building, deploying, and automating any project. The vulnerability stems from a failure to perform permission checks in the...

CVSS 8.8, AI score 5.6, EPSS 0.00503
Exploits 0, References 4

ThreatPost
added 2022/06/21 3:19 p.m., 9 views

The Inevitable Need for Advanced Vulnerability Management

We have read enough and more news in recent times on the surge in cyberattacks. It is crystal clear that attackers are not leaving out even the tiniest of security loopholes and are coming up with smarter ways to invade our IT network. Vulnerability management is the most crucial cyber defense...

AI score 7.5
Exploits 0, References 1

Code423n4
added 2022/06/18 12:00 a.m., 12 views

Upgraded Q -> M from 205 [1655579891083]

Judge has assessed an item in Issue 205 as Medium risk. The relevant finding follows: transfer and send methods are used inside the codebase. Since these methods use 2300 gas stipend which is not adjustable,it may likely to get broken when calling a contract's fallback function if any contract...

AI score 6.8
Exploits 0

OSV
added 2022/06/16 11:54 p.m., 5 views

GHSA-3JCH-9QGP-4844 Generated code can read and write out of bounds in safe code

Code generated by flatbuffers' compiler is unsafe but not marked as such. See https://github.com/google/flatbuffers/issues/6627 for details. All users that use generated code by flatbuffers compiler are recommended to: 1. not expose flatbuffer generated code as part of their public APIs 2. audit...

CVSS 9.8, AI score 7.5
Exploits 0, References 5

Securelist
added 2022/06/15 10:00 a.m., 15 views

How much does access to corporate infrastructure cost?

Division of labor Money has been and remains the main motivator for cybercriminals. The most widespread techniques of monetizing cyberattacks include selling stolen databases, extortion using ransomware and carding. However, there is demand on the dark web not only for data obtained through an...

Exploits 0

OPENSUSE Linux
added 2022/06/15 12:00 a.m., 47 views

Security update for caddy (moderate)

openSUSE Security Update: Security update for caddy Announcement ID: openSUSE-SU-2022:10007-1 Rating: moderate References: 1200279 Cross-References: CVE-2022-297182 Affected Products: openSUSE Backports SLE-15-SP4 An update that fixes one vulnerability is now available. Description: This update f...

CVSS 6.1, AI score 6.2, EPSS 0.00983
Exploits 0, References 1

Microsoft KB
added 2022/06/14 7:00 a.m., 277 views

KB5014164 - Description of the security update for SQL Server 2014 SP3 CU4: June 14, 2022

KB5014164 - Description of the security update for SQL Server 2014 SP3 CU4: June 14, 2022 Summary How to obtain and install the update More information File information Information about protection and security Summary An authenticated attacker could affect SQL Server memory when executing a...

CVSS 7.5, AI score 8.1, EPSS 0.01961
Exploits 0

CNVD
added 2022/06/13 12:00 a.m., 21 views

WordPress theme Discy plugin cross-site request forgery vulnerability (CNVD-2022-61898)

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. WordPress plugin is an application plugin. WordPress theme Discy plugin versions prior to 5.2 contain a cross-site request forgery vulnerability that...

CVSS 4.3, AI score 1.7, EPSS 0.01244
Exploits 2, References 1

RedHat Linux
added 2022/06/08 12:36 p.m., 2 views

java-11-openj9,java-1_8_0-openj9: unverified methods can be invoked using MethodHandles

In Eclipse Openj9 before version 0.32.0, Java 8 & 11 fail to throw the exception captured during bytecode verification when verification is triggered by a MethodHandle invocation, allowing unverified methods to be invoked using MethodHandles...

CVSS 5.3, AI score 7.3, EPSS 0.00923
Exploits 0, References 4

OSV
added 2022/06/08 10:15 a.m., 2 views

CVE-2022-1421

The Discy WordPress theme before 5.2 lacks CSRF checks in some AJAX actions, allowing an attacker to make a logged in admin change arbitrary 's settings including payment methods via a CSRF attack...

CVSS 4.3, AI score 5.9, EPSS 0.01244
Exploits 2, References 1