3370 matches found

Veracode
added 2020/03/03 3:17 a.m., 24 views

Authorization Bypass

smallrye-config is vulnerable to authorization bypass. The vulnerability exists as it improperly restricts the access to utility methods wrapping doPrivileged calls...

4.4 CVSS, 4.1 AI score, 0.00269 EPSS
Exploits 0, References 3, Affected Software 82
Filippo.io
added 2020/02/27 11:0 p.m., 11 views

New Crypto in Go 1.14

Go 1.14 is out and with it come a few nice updates to crypto/tls! Will this certificate work? Certificate selection in TLS1 is a mess. I was going to try and describe it here to make the point, but I kept getting it wrong and it was even too messy for something just meant to make the point that i...

6.8 AI score
Exploits 0
RedHat Linux
added 2020/02/25 12:14 p.m., 3 views

ruby: Unintentional directory traversal by poisoned NULL byte in Dir

It was found that the methods from the Dir class did not properly handle strings containing the NULL byte. An attacker, able to inject NULL bytes in a path, could possibly trigger an unspecified behavior of the ruby script...

9.1 CVSS, 7.3 AI score, 0.10098 EPSS
Exploits 0, References 5
Information Security Automation
added 2020/02/24 12:14 a.m., 56 views

Forrester report for Rapid7: number juggling and an excellent overview of Vulnerability Management problems

I recently read Forrester's 20-page report "The Total Economic Impact Of Rapid7 InsightVM". It is about the Cost Savings And Business Benefits that Vulnerability Management solution can bring to the organizations. In short, I didn't like everything related to money. It seems like juggling with...

0.3 AI score
Exploits 0
Microsoft Secure
added 2020/02/20 2:0 p.m., 48 views

Azure Sentinel uncovers the real threats hidden in billions of low fidelity signals

Cybercrime is as much a people problem as it is a technology problem. To respond effectively, the defender community must harness machine learning to complement the strengths of people. This is the philosophy that undergirds Azure Sentinel. Azure Sentinel is a cloud-native SIEM that exploits...

7.1 AI score
Exploits 0
NVD
added 2020/02/18 3:15 a.m., 12 views

CVE-2020-1843

Huawei HEGE-560 version 1.0.1.20SP2, OSCA-550 version 1.0.0.71SP1, OSCA-550A version 1.0.0.71SP1, OSCA-550AX version 1.0.0.71SP2, and OSCA-550X version 1.0.0.71SP2 have an insufficient verification vulnerability. An attacker can perform specific operations to exploit this vulnerability by physica...

6.8 CVSS, 6.4 AI score, 0.00227 EPSS
Exploits 0, References 1
OSV
added 2020/02/12 3:15 p.m., 22 views

CVE-2020-2118

A missing permission check in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins...

4.3 CVSS, 6.4 AI score
Exploits 0, References 2
OSV
added 2020/02/12 3:15 p.m., 5 views

CVE-2020-2109

Sandbox protection in Jenkins Pipeline: Groovy Plugin 2.78 and earlier can be circumvented through default parameter expressions in CPS-transformed methods...

8.8 CVSS, 5.4 AI score
Exploits 0, References 2
NVD
added 2020/02/12 3:15 p.m., 40 views

CVE-2020-2109

Sandbox protection in Jenkins Pipeline: Groovy Plugin 2.78 and earlier can be circumvented through default parameter expressions in CPS-transformed methods...

8.8 CVSS, 8.7 AI score, 0.01257 EPSS
Exploits 0, References 2
Cvelist
added 2020/02/12 2:35 p.m., 26 views

CVE-2020-2118

A missing permission check in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins...

4.5 AI score, 0.00678 EPSS
Exploits 0, References 2
CVE
added 2020/02/12 2:35 p.m., 139 views

CVE-2020-2109

CVE-2020-2109 is corroborated by the GHSA entry for Jenkins Pipeline: Groovy Plugin. The vulnerability concerns sandbox protection bypass via default parameter expressions in CPS-transformed methods, affecting Jenkins Pipeline: Groovy Plugin versions 2.78 and earlier. The connected documents iden...

8.8 CVSS, 8.5 AI score, 0.01257 EPSS
Exploits 0, References 2, Affected Software 1
Positive Technologies
added 2020/02/12 12:0 a.m., 2 views

PT-2020-15316 · Jenkins · Jenkins Pipeline: Groovy Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins Pipeline: Groovy Plugin versions 2.78 and earlier Description: The issue concerns the Jenkins Pipeline: Groovy Plugin, where sandbox protection can be circumvented. This is possible through default parameter expressions in...

8.8 CVSS, 8.5 AI score, 0.01257 EPSS
Exploits 0, References 6
OPENSUSE Linux
added 2020/02/12 12:0 a.m., 55 views

Security update for rubygem-rack (moderate)

openSUSE Security Update: Security update for rubygem-rack Announcement ID: openSUSE-SU-2020:0214-1 Rating: moderate References: 1114828 1116600 1159548 Cross-References: CVE-2018-16471 CVE-2019-16782 Affected Products: openSUSE Leap 15.1 An update that solves two vulnerabilities and has one erra...

6.3 CVSS, 6.8 AI score, 0.03687 EPSS
Exploits 0, References 3
Microsoft KB
added 2020/02/11 8:0 a.m., 65 views

Description of the security update for Microsoft Exchange Server 2019 and 2016: February 11, 2020

Description of the security update for Microsoft Exchange Server 2019 and 2016: February 11, 2020 This update rollup is a security update that resolves vulnerabilities in Microsoft Exchange Server. To learn more about these vulnerabilities, see the following Common Vulnerabilities and Exposures...

9 CVSS, 7.8 AI score, 0.99965 EPSS
Exploits 30
Microsoft KB
added 2020/02/11 8:0 a.m., 10290 views

Description of the security update for Microsoft Exchange Server 2010: February 11, 2020

Description of the security update for Microsoft Exchange Server 2010: February 11, 2020 This update rollup is a security update that provides a security advisory in Microsoft Exchange. To learn more about these vulnerabilities, see the following Common Vulnerabilities and Exposures CVE:...

9 CVSS, 9.8 AI score, 0.99965 EPSS
Exploits 30
Microsoft KB
added 2020/02/11 8:0 a.m., 9706 views

Description of the security update for Microsoft Exchange Server 2013: February 11, 2020

Description of the security update for Microsoft Exchange Server 2013: February 11, 2020 This update rollup is a security update that resolves vulnerabilities in Microsoft Exchange. To learn more about these vulnerabilities, see the following Common Vulnerabilities and Exposures CVE: CVE-2020-069...

9 CVSS, 9.6 AI score, 0.99965 EPSS
Exploits 30
ICS
added 2020/02/11 12:0 a.m., 106 views

Siemens OZW Web Server

1. EXECUTIVE SUMMARY CVSS v3 5.3 ATTENTION: Exploitable remotely/low skill level to exploit Vendor: Siemens Equipment: OZW web server Vulnerability: Information disclosure 2. RISK EVALUATION Successful exploitation of this vulnerability could allow unauthenticated users to access project files...

7.5 CVSS, 7.7 AI score, 0.01617 EPSS
Exploits 0, References 9
OPENSUSE Linux
added 2020/02/06 12:0 a.m., 71 views

Security update for upx (moderate)

openSUSE Security Update: Security update for upx Announcement ID: openSUSE-SU-2020:0180-1 Rating: moderate References: 1094138 1141777 1143839 1159833 1159920 Cross-References: CVE-2018-11243 CVE-2019-1010048 CVE-2019-14296 CVE-2019-20021 CVE-2019-20053 Affected Products: openSUSE Backports...

7.8 CVSS, 6.9 AI score, 0.02495 EPSS
Exploits 4, References 5
OPENSUSE Linux
added 2020/02/04 12:0 a.m., 52 views

Security update for upx (moderate)

openSUSE Security Update: Security update for upx Announcement ID: openSUSE-SU-2020:0163-1 Rating: moderate References: 1094138 1141777 1143839 1159833 1159920 Cross-References: CVE-2018-11243 CVE-2019-1010048 CVE-2019-14296 CVE-2019-20021 CVE-2019-20053 Affected Products: openSUSE Leap 15.1 An...

7.8 CVSS, 6.9 AI score, 0.02495 EPSS
Exploits 4, References 5
Microsoft Secure
added 2020/02/03 5:0 p.m., 42 views

Guarding against supply chain attacks—Part 2: Hardware risks

The challenge and benefit of technology today is that it’s entirely global in nature. This reality is brought into focus when companies assess their supply chains, and look for ways to identify, assess, and manage risks across the supply chain of an enterprise. Part 2 of the “Guarding against...

0.1 AI score
Exploits 0