rdiffweb vulnerable to potential DoS via memory consumption

rdiffweb prior to 2.4.8 is vulnerable to a potential Dos attack via an unlimited length "title" field when adding an SSH key. This can result in excess memory consumption, leading to a Denial of Service DoS. This issue is patched in version 2.4.8. There are no known workarounds...

GHSA-XHW9-4WQQ-X67V rdiffweb vulnerable to potential DoS via memory consumption

rdiffweb prior to 2.4.8 is vulnerable to a potential Dos attack via an unlimited length "title" field when adding an SSH key. This can result in excess memory consumption, leading to a Denial of Service DoS. This issue is patched in version 2.4.8. There are no known workarounds...

No Limit in "title" length while adding SSH key , results in memory consumption/DOS attack

Description There must be a fixed length for user input parameters like "title" while adding SSH key. Allowing users to enter long strings may result in a DOS attack or memory corruption Proof of Concept 1Go to https://rdiffweb-demo.ikus-soft.com/prefs/sshkeys endpoint . 2Click on add SSH key...

GHSA-GMHJ-XJFH-CF6M Caddy-SSH vulnerable to Authorization Bypass due to incorrect usage of PAM library

Not invoking a call to pamacctmgmt after a call to pamauthenticate to check the validity of a login can lead to an authorization bypass. Impact Exploitability The attack can be carried over the network. A complex non-standard configuration or a specialized condition is required for the attack to ...

Hackers Using Fake CircleCI Notifications to Hack GitHub Accounts

GitHub has put out an advisory detailing what may be an ongoing phishing campaign targeting its users to steal credentials and two-factor authentication 2FA codes by impersonating the CircleCI DevOps platform. The Microsoft-owned code hosting service said it learned of the attack on September 16,...

The vulnerability of the `kex_method_diffie_hellman_group_exchange_sha256_key_exchange` function in the `kex.c` component of the SSH2 protocol implementation library Libssh2 allows a attacker to access confidential data and also trigger a denial-of-service attack.

The vulnerability of the kexmethoddiffiehellmangroupexchangesha256keyexchange function in the kex.c component of the SSH2 protocol implementation library Libssh2 is related to reading data beyond the allowed buffer size. Exploiting this vulnerability allows an attacker to gain access to...

F5 Networks BIG-IP : OpenSSH vulnerability (K11315080)

The version of F5 Networks BIG-IP installed on the remote host is prior to 15.1.10 / 16.1.4 / 17.1.1. It is, therefore, affected by a vulnerability as referenced in the K11315080 advisory. In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via...

FritzFrog: A New Generation of Peer-to-Peer Botnets

Guardicore has discovered FritzFrog, a sophisticated peer-to-peer P2P botnet that has been actively breaching SSH servers since January 2020...

Over 39,000 Unauthenticated Redis Instances Found Exposed on the Internet

An unknown attacker targeted tens of thousands of unauthenticated Redis servers exposed on the internet in an attempt to install a cryptocurrency miner. It's not immediately known if all of these hosts were successfully compromised. Nonetheless, it was made possible by means of a "lesser-known...

openssh bug fix update

An update is available for openssh. This update affects Rocky Linux 9. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list OpenSSH is an SSH protocol implementation supported by a number of Linux, UNI...

cloud-init bug fix and enhancement update

An update is available for cloud-init. This update affects Rocky Linux 9. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list The cloud-init packages provide a set of init scripts for cloud instances...

CVE-2022-28321

The Linux-PAM package before 1.5.2-6.1 for openSUSE Tumbleweed allows authentication bypass for SSH logins. The pamaccess.so module doesn't correctly restrict login if a user tries to connect from an IP address that is not resolvable via DNS. In such conditions, a user with denied access to a...

Authentication flaw

The Linux-PAM package before 1.5.2-6.1 for openSUSE Tumbleweed allows authentication bypass for SSH logins. The pamaccess.so module doesn't correctly restrict login if a user tries to connect from an IP address that is not resolvable via DNS. In such conditions, a user with denied access to a...

CVE-2022-28321

The Linux-PAM package before 1.5.2-6.1 for openSUSE Tumbleweed allows authentication bypass for SSH logins. The pamaccess.so module doesn't correctly restrict login if a user tries to connect from an IP address that is not resolvable via DNS. In such conditions, a user with denied access to a...

UBUNTU-CVE-2022-28321

The Linux-PAM package before 1.5.2-6.1 for openSUSE Tumbleweed allows authentication bypass for SSH logins. The pamaccess.so module doesn't correctly restrict login if a user tries to connect from an IP address that is not resolvable via DNS. In such conditions, a user with denied access to a...

CVE-2022-28321

The Linux-PAM package before 1.5.2-6.1 for openSUSE Tumbleweed allows authentication bypass for SSH logins. The pamaccess.so module doesn't correctly restrict login if a user tries to connect from an IP address that is not resolvable via DNS. In such conditions, a user with denied access to a...

CVE-2022-28321

The Linux-PAM package before 1.5.2-6.1 for openSUSE Tumbleweed allows authentication bypass for SSH logins. The pamaccess.so module doesn't correctly restrict login if a user tries to connect from an IP address that is not resolvable via DNS. In such conditions, a user with denied access to a...

CVE-2022-28321

CVE-2022-28321 affects Linux-PAM on openSUSE Tumbleweed/Factory. The pam_access.so module may bypass SSH login restrictions when a connecting IP cannot be resolved via DNS, allowing a user with denied access to still authenticate. Root cause: login restriction logic in pam_access.so fails for non...

CVE-2022-28321

The Linux-PAM package before 1.5.2-6.1 for openSUSE Tumbleweed allows authentication bypass for SSH logins. The pamaccess.so module doesn't correctly restrict login if a user tries to connect from an IP address that is not resolvable via DNS. In such conditions, a user with denied access to a...

openSUSE Tumbleweed 授权问题漏洞

openSUSE Tumbleweed is an open source system from the openSUSE project. A security vulnerability exists in openSUSE Tumbleweed versions prior to 1.5.2-6.1, which stems from the pamaccess.so module not properly restricting logins if a user attempts to connect from an IP address that is not...