Security
Headlines
HeadlinesLatestCVEs

Latest News

GHSA-g4v5-6f5p-m38j: OpenFGA Authorization Bypass

Overview OpenFGA v1.8.4 or previous (Helm chart < openfga-0.2.22, docker < v.1.8.5) are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Am I Affected? If you are using OpenFGA v1.8.4 or previous, specifically under the following conditions, you are affected by this authorization bypass vulnerability: - Calling Check API or ListObjects with a model that has a relation [directly assignable](https://openfga.dev/docs/concepts#what-is-a-directly-related-user-type) to both [public access](https://openfga.dev/docs/concepts#what-is-type-bound-public-access) AND [userset](https://openfga.dev/docs/concepts#what-is-a-user) with the [same type](https://openfga.dev/docs/concepts#what-is-a-type), and - A type bound public access tuple is assigned to an object, and - userset tuple is not assigned to the same object, and - Check request's user field is a userset that has the same type as the type bound public access tuple's user type Fix Upgrade to v1.8.5. ...

ghsa
#vulnerability#git#auth#docker
Content Credentials Show Promise, But Ecosystem Still Young

While AI-generation services and major camera makers are adopting the specification for digitally signed metadata, creating a workflow around the nascent ecosystem is still a challenge.

GHSA-m5mf-3963-4x26: Authelia applies regulation separately to Username-based logins to Email-based logins

### Summary If users are allowed to sign in via both username and email the regulation system treats these as separate login events. This leads to the regulation limitations being effectively doubled assuming an attacker using brute-force to find a user password. It's important to note that due to the effective operation of regulation where no user-facing sign of their regulation ban being visible either via timing or via API responses, it's effectively impossible to determine if a failure occurs due to a bad username password combination, or a effective ban blocking the attempt which heavily mitigates any form of brute-force. ### Details This occurs because the records and counting process for this system uses the method utilized for sign in rather than the effective username attribute. ### Impact This has a minimal impact on account security, this impact is increased naturally in scenarios when there is no two-factor authentication required and weak passwords are used. This make...

GHSA-qxj7-2x7w-3mpp: Duende.AccessTokenManagement race condition when concurrently retrieving customized Client Credentials Access Tokens

### Summary Duende.AccessTokenManagement contains a race condition when requesting access tokens using the client credentials flow. Concurrent requests to obtain an access token using differing protocol parameters can return access tokens obtained with the wrong scope, resource indicator, or other protocol parameters. Such usage is somewhat atypical, and only a small percentage of users are likely to be affected. ### Details Duende.AccessTokenManagement can request access tokens using the client credentials flow in several ways. In basic usage, the client credentials flow is configured once and the parameters do not vary. In more advanced situations, requests with varying protocol parameters may be made by calling specific overloads of these methods: - `HttpContext.GetClientAccessTokenAsync()` - `IClientCredentialsTokenManagementService.GetAccessTokenAsync()` There are overloads of both of these methods that accept a `TokenRequestParameters` object that customizes token request para...

GHSA-99vm-5v2h-h6r6: Directus allows updates to non-allowed fields due to overlapping policies

### Summary If there are two overlapping policies for the `update` action that allow access to different fields, instead of correctly checking access permissions against the item they apply for the user is allowed to update the superset of fields allowed by any of the policies. E.g. have one policy allowing update access to `field_a` if the `id == 1` and one policy allowing update access to `field_b` if the `id == 2`. The user with both these policies is allowed to update both `field_a` and `field_b` for the items with ids `1` and `2`. ### Details Before v11, if a user was allowed to update an item they were allowed to update the fields that the single permission, that applied to that item, listed. With overlapping permissions this isn't as clear cut anymore and the union of fields might not be the fields the user is allowed to update for that specific item. The solution that this PR introduces is to evaluate the permissions for each field that the user tries to update in the vali...

Hackers Tricking Users Into Linking Devices to Steal Signal Messages

Is your Signal, WhatsApp, or Telegram account safe? Google warns of increasing attacks by Russian state-backed groups. Learn…

Hackers Exploit Signal's Linked Devices Feature to Hijack Accounts via Malicious QR Codes

Multiple Russia-aligned threat actors have been observed targeting individuals of interest via the privacy-focused messaging app Signal to gain unauthorized access to their accounts. "The most novel and widely used technique underpinning Russian-aligned attempts to compromise Signal accounts is the abuse of the app's legitimate 'linked devices' feature that enables Signal to be used on multiple

Patch Now: CISA Warns of Palo Alto Flaw Exploited in the Wild

The authentication bypass vulnerability in the OS for the company's firewall devices is under increasing attack and being chained with other bugs, making it imperative for organizations to mitigate the issue ASAP.