Latest News

While Ukraine remains Russia's major target for cyberattacks, TAG-110 is part of a strategy to preserve "a post-Soviet sphere of influence" by embedding itself in other countries' infrastructures.

### Summary When using Keycloak as an oidc provider, the clientsecret gets printed into the container stdout logs for an example at container startup. ### Details Container Image (15.04.2025): ghcr.io/project-zot/zot-linux-amd64:latest Here is an example how the configuration can look which causes the above stated problem: ` http: address: "0.0.0.0" port: 5000 externalUrl: "https://zot.example.com" auth: { failDelay: 1, openid: { providers: { oidc: { name: "Keycloak", clientid: "zot-client-id", clientsecret: fsdfkmmiwljasdklfsjaskldjfkljewijrf234i52k3j45l, keypath: "", issuer: "https://keycloak.example.com/realms/example", scopes: ["openid"] } } } } ` ### PoC Set up a blank new zot k8s deployment with the code snippet above. ### Impact exposure of secrets, on configuring a oidc provider

Pingora versions prior to 0.5.0 which used the caching functionality in pingora-proxy did not properly drain the downstream request body on cache hits. This allows an attacker to craft malicious HTTP/1.1 requests which could lead to request smuggling or cache poisoning. This flaw was corrected in commit fda3317ec822678564d641e7cf1c9b77ee3759ff by ensuring that the downstream request body is always drained before a connection can be reused. See [the blog post](https://blog.cloudflare.com/resolving-a-request-smuggling-vulnerability-in-pingora/) for more information.

### Summary When using the `fiber.Ctx.BodyParser` to parse into a struct with range values, a panic occurs when trying to parse a negative range index ### Details `fiber.Ctx.BodyParser` can map flat data to nested slices using `key[idx]value` syntax, however when idx is negative, it causes a panic instead of returning an error stating it cannot process the data. Since this data is user-provided, this could lead to denial of service for anyone relying on this `fiber.Ctx.BodyParser` functionality ### Reproducing Take a simple GoFiberV2 server which returns a JSON encoded version of the FormData ```go package main import ( "encoding/json" "fmt" "net/http" "github.com/gofiber/fiber/v2" ) type RequestBody struct { NestedContent []*struct { Value string `form:"value"` } `form:"nested-content"` } func main() { app := fiber.New() app.Post("/", func(c *fiber.Ctx) error { formData := RequestBody{} if err := c.BodyParser(&formData); err != nil { fmt.Println(err) re...

A new US indictment against a group of Russian nationals offers a clear example of how, authorities say, a single malware operation can enable both criminal and state-sponsored hacking.

The emerging threat group is the latest to adopt the combo attack tactic, which Black Basta and other groups already are using to gain initial access for ransomware deployment.

On today’s episode of ‘Uncanny Valley,’ we discuss how WIRED was able to legally 3D-print the same gun allegedly used by Luigi Mangione, and where US law stands on the technology.

Insurance experts weigh in on how the recent barrage of attacks against UK retailers could affect premium rates and policy requirements, as well as how to work toward improving risk assessment.

Global crackdown: Operation RapTor leads to 270 arrests, millions seized as law enforcement targets dark web drug, weapon, and crypto vendors.

Hazel observes that cybercriminals often fumble teamwork, with fragile alliances crumbling over missed messages. Plus, how UAT-6382 is exploiting Cityworks and what you can do to stay secure.