Headline
CVE-2021-22565: Release v1.1.2 · google/exposure-notifications-verification-server
An attacker could prematurely expire a verification code, making it unusable by the patient and leaving the patient unable to upload their TEKs to generate exposure notifications. We recommend upgrading the Exposure Notification server to v1.1.2 or greater.
Security
- SECURITY PATCH! This release fixes an issue where users or API keys with permission to expire verification codes could expire codes that belonged to another realm if they guessed the UUID.
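
The realm check that this fix implies, shown as an added example in Go. It is not the project's own code: the `Store` and `Code` types, the `ExpireUnscoped` and `ExpireScoped` functions, and the in-memory map are assumptions made for illustration. The unscoped lookup selects a code by UUID alone; the scoped one also requires the caller's realm to own the code.

```go
// Added example, not code from the verification server; all names are hypothetical.
package main

import (
	"errors"
	"fmt"
	"time"
)

var ErrCodeNotFound = errors.New("verification code not found")

// Code is a constructed stand-in for a stored verification code.
type Code struct {
	UUID      string
	RealmID   uint
	ExpiresAt time.Time
}

// Store maps a code UUID to its record.
type Store map[string]*Code

// ExpireUnscoped shows the flawed pattern: the UUID alone selects the record,
// so a caller from any realm can expire it.
func (s Store) ExpireUnscoped(uuid string, now time.Time) error {
	c, ok := s[uuid]
	if !ok {
		return ErrCodeNotFound
	}
	c.ExpiresAt = now
	return nil
}

// ExpireScoped also requires the caller's realm to own the code. A mismatch
// returns the same not-found error as an unknown UUID.
func (s Store) ExpireScoped(callerRealm uint, uuid string, now time.Time) error {
	c, ok := s[uuid]
	if !ok || c.RealmID != callerRealm {
		return ErrCodeNotFound
	}
	c.ExpiresAt = now
	return nil
}

func main() {
	now := time.Now()
	s := Store{"constructed-uuid-1": {UUID: "constructed-uuid-1", RealmID: 1, ExpiresAt: now.Add(time.Hour)}}
	fmt.Println("realm 2, scoped:", s.ExpireScoped(2, "constructed-uuid-1", now))
	fmt.Println("realm 1, scoped:", s.ExpireScoped(1, "constructed-uuid-1", now))
}
```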
Self-report
- Allows the HTTP GET request method (in addition to POST) for initiating the user report webview. The API key and nonce must still be passed as HTTP headers (unless dev mode is also enabled). Dev mode should NOT be enabled in production, to avoid logging the API key query params. (#2260, @mikehelmick)
Operations
- Make Cloud Scheduler timezone configurable in Terraform via var.cloud_scheduler_timezone and update the default value to UTC time. (#2262, @sethvargo)
- Return more detailed responses on code expiration errors. Only return 500 on server-side errors. (#2264, @sethvargo)
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.