219 matches found
Rebar3: Command Injection
Background A sophisticated build-tool for Erlang projects that follows OTP principles. Description Rebar3 is vulnerable to OS command injection via the URL parameter of a dependency specification. Impact A vulnerability has been discovered in Rebar3. Please review the CVE identifier referenced...
Security above all else—expanding Microsoft’s Secure Future Initiative
Last November, we launched the Secure Future Initiative SFI to prepare for the increasing scale and high stakes of cyberattacks. SFI brings together every part of Microsoft to advance cybersecurity protection across our company and products. Since then, the threat landscape has continued to rapid...
Spring Framework 6.2.0-M1: Overriding Beans in Tests
Spring Framework 6.2.0-M1 has been released, including changes that resolve more than one hundred issues. Among those are a range of new features in Spring's testing support. In this post, I’d like to walk you through one of these new testing features: Bean Overriding support. The previous state ...
BIT-MAGENTO-2021-28583 Magento Commerce insecure storage of sensitive documentation
Magento versions 2.4.2 and earlier, 2.4.1 and earlier and 2.3.6 and earlier are affected by a Violation of Secure Design Principles vulnerability in RMA PDF filename formats. Successful exploitation could allow an attacker to get unauthorized access to restricted resources...
CISA Partners With OpenSSF Securing Software Repositories Working Group to Release Principles for Package Repository Security
Today, CISA partnered with the Open Source Security Foundation OpenSSF Securing Software Repositories Working Group to publish the Principles for Package Repository Securitylink is external framework. Recognizing the critical role package repositories play in securing open source software...
Microsoft Incident Response lessons on preventing cloud identity compromise
Microsoft observed a surge in cyberattacks targeting identities in 2023, with attempted password-based attacks increasing by more than tenfold in the first quarter of 2023 compared to the same period in 2022. Threat actors leverage compromised identities to achieve a significant level of access t...
Experts Uncover Passive Method to Extract Private RSA Keys from SSH Connections
A new study has demonstrated that it's possible for passive network attackers to obtain private RSA host keys from a vulnerable SSH server by observing when naturally occurring computational faults that occur while the connection is being established. The Secure Shell SSH protocol is a method for...
[SECURITY] Fedora 39 Update: moodle-4.3-1.fc39
Moodle is a course management system CMS - a free, Open Source software package designed using sound pedagogical principles, to help educators create effective online learning communities...
CISA Releases Fact Sheet on Effort to Revise the National Cyber Incident Response Plan (NCIRP)
Today, the Cybersecurity and Infrastructure Security Agency CISA released a fact sheet on the effort to revise the National Cyber Incident Response Plan NCIRP. Through the Joint Cyber Defense Collaborative JCDC, CISA will work to ensure that the updated NCIRP addresses significant changes in poli...
CISA, NSA, FBI, and International Partners Release Updated Secure by Design Guidance
Today, the U.S. Cybersecurity and Infrastructure Security Agency CISA, National Security Agency NSA, and Federal Bureau of Investigation FBI released an update to Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by- Design and -Default with the following...
NSA and CISA Release Advisory on Top Ten Cybersecurity Misconfigurations
Today, the National Security Agency NSA and Cybersecurity and Infrastructure Security Agency CISA released a joint cybersecurity advisory CSA, NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations, which provides the most common cybersecurity misconfigurations in large...
CVE-2023-29320 ZDI-CAN-20712: Adobe Acrobat Blacklist Bypass Design flaw
Adobe Acrobat Reader versions 23.003.20244 and earlier and 20.005.30467 and earlier are affected by an Violation of Secure Design Principles vulnerability that could result in arbitrary code execution in the context of the current user by bypassing the API blacklisting feature. Exploitation of th...
Chaos - Origin IP Scanning Utility Developed With ChatGPT
chaos is an 'origin' IP scanner developed by RST in collaboration with ChatGPT. It is a niche utility with an intended audience of mostly penetration testers and bug hunters. An origin-IP is a term-of-art expression describing the final public IP destination for websites that are publicly served...
The Journey to Zero Trust with Industry Frameworks
Discover the core principles and frameworks of Zero Trust, NIST 800-207 guidelines, and best practices when implementing CISA’s Zero Trust Maturity Model...
How to Achieve AWS Operational Excellence in Your Cloud Workload
Explore the Operational Excellence pillar of the AWS Well-Architected Framework and examine best practices and design principles for cloud-based security operations, including CI/CD and risk management...
Fedora: Security Advisory for moodle (FEDORA-2023-ce24b63b36)
The remote host is missing an update for the SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
[SECURITY] Fedora 38 Update: moodle-4.1.4-1.fc38
Moodle is a course management system CMS - a free, Open Source software package designed using sound pedagogical principles, to help educators create effective online learning communities...
Patch me if you can: Cyberattack Series
Many organizations utilize third-party apps for identity security solutions to automate and unburden overtaxed IT admins from tedious tasks that employees can perform via self-service without IT assistance. But in September 2021, our researchers observed threat actors exploiting one such...
The Well-Architected Framework Guide
Discover the six Amazon Web Services AWS pillars by examining best practices and design principles to leverage the cloud in a more efficient, secure, and cost-effective manner...
[ H ] No Validation checks for "v" signature in castApprovalBySig
Lines of code Vulnerability details Impact V must correspond according to ECDSA principles values of either 27 or 28. Not checking this will result in an attacker crafting a malicious v value and bypassing any checks, withdrawing funds or accessing the function maliciously. Proof of Concept Craft...