Security Headlines

Latest News

GHSA-27vq-hv74-7cqp: SurrealDB has Silent Failure to Overwrite Table Definition of Relation Type

The `OVERWRITE` clause of the `DEFINE TABLE` statement would fail to overwrite data for tables that were defined with `TYPE RELATION`. Since table definitions include the `PERMISSIONS` clause, this failure would result in permissions not being overwritten as a result, which may potentially lead users to believe they have changed the table permissions when they have not.

### Impact

If a user attempted to update table permissions of a table defined with `TYPE RELATION` using `DEFINE TABLE ... OVERWRITE`, permissions for the table would not be changed. This may allow a client that is authorized to run queries in a SurrealDB server to access certain data in that specific table that they were not intended to be able to access after the specified change in permissions.

### Patches

The `DEFINE TABLE` statement has been updated to appropriately overwrite data for tables defined with `TYPE RELATION`.

- Version 2.1.3 and later are not affected by this issue.

### Workarounds

Users of table...

GHSA-cwq8-g58r-32hg: MinIO vulnerable to privilege escalation in IAM import API

### Impact

Privilege escalation in IAM import API, all users are impacted since MinIO commit 580d9db85e04f1b63cc2909af50f0ed08afa965f

### Patches

```
commit f246c9053f9603e610d98439799bdd2a6b293427
Author: Aditya Manthramurthy <[email protected]>
Date:   Wed Dec 11 18:09:40 2024 -0800

    fix: Privilege escalation in IAM import API (#20756)

    This API had missing permissions checking, allowing a user to change
    their policy mapping by:

    1. Craft iam-info.zip file: Update own user permission in user_mappings.json
    2. Upload it via `mc admin cluster iam import nobody iam-info.zip`

    Here `nobody` can be a user with pretty much any kind of permission
    (but not anonymous) and this ends up working.

    Some more detailed steps - start from a fresh setup:

        ./minio server /tmp/d{1...4} &
        mc alias set myminio http://localhost:9000 minioadmin minioadmin
        mc admin user add myminio nobody nobody123
        mc admin poli...
```

Task scams surge by 400%, but what are they?

Task scams are a new type of scam in which victims are gradually tricked into paying money in order to be paid for simple, repetitive tasks.

A day in the life of a privacy pro, with Ron de Jesus (Lock and Code S05E26)

This week on the Lock and Code podcast, we speak with Ron de Jesus about the work of achieving user privacy while balancing company goals.

FBI Targets 764 Network: Man Faces 30 Years for Cyberstalking, CSAM

A 20-year-old Tucson man was arrested for horrific CSAM and cyberstalking linked to the dangerous online extremist group 764.

ABB Cylon Aspect 3.08.02 (editOverride.php) Authentication Bypass MIX Override

The ABB Cylon Aspect BMS/BAS controller allows users to bypass authentication by setting the 'content' POST parameter. This enables an attacker to inject arbitrary configuration overrides, potentially leading to unauthorized changes and compromising system integrity. The vulnerability can be exploited to update the /usr/local/aam/etc/override.properties file. This file contains critical configuration overrides such as enabling overrides (Override.enabled=true) and setting specific properties like debug.level=1. The runjava.VARIANT* script then sources this file during execution, applying the overrides when the system reboots or the application restarts. This allows attackers to manipulate critical system settings, potentially causing performance degradation, introducing security risks, or resulting in a denial of service scenario.

DeceptionAds Delivers 1M+ Daily Impressions via 3,000 Sites, Fake CAPTCHA Pages

Cybersecurity researchers have shed light on a previously undocumented aspect associated with ClickFix-style attacks that hinge on taking advantage of a single ad network service as part of a malvertising-driven information stealer campaign dubbed DeceptionAds. "Entirely reliant on a single ad network for propagation, this campaign showcases the core mechanisms of malvertising — delivering over

Firmware Security: Identifying Risks to Implement Best Cybersecurity Practices

Find out the key security risks in firmware: identify threats, and learn best practices and protection methods…

NoviSpy Spyware Installed on Journalist's Phone After Unlocking It With Cellebrite Tool

A Serbian journalist had his phone first unlocked by a Cellebrite tool and subsequently compromised by a previously undocumented spyware codenamed NoviSpy, according to a new report published by Amnesty International. "NoviSpy allows for capturing sensitive personal data from a target's phone after infection and provides the ability to turn on the phone's microphone or camera remotely," the

⚡ THN Weekly Recap: Top Cybersecurity Threats, Tools and Tips

This past week has been packed with unsettling developments in the world of cybersecurity. From silent but serious attacks on popular business tools to unexpected flaws lurking in everyday devices, there’s a lot that might have flown under your radar. Attackers are adapting old tricks, uncovering new ones, and targeting systems both large and small. Meanwhile, law enforcement has scored wins