Latest News

### Summary A kyverno ClusterPolicy, ie. "disallow-privileged-containers," can be overridden by the creation of a PolicyException in a random namespace. ### Details By design, PolicyExceptions are consumed from any namespace. Administrators may not recognize that this allows users with privileges to non-kyverno namespaces to create exceptions. ### PoC 1. Administrator creates "disallow-privileged-containers" ClusterPolicy that applies to resources in the namespace "ubuntu-restricted" 2. Cluster user creates a PolicyException object for "disallow-privileged-containers" in namespace "ubuntu-restricted" 3. Cluster user creates a pod with a privileged container in "ubuntu-restricted" 4. Cluster user escalates to root on the node from the privileged container ### Impact Administrators attempting to enforce cluster security through kyverno policies, but that allow less privileged users to create resources

A collaboration with the FBI and law-enforcement agencies in Europe, the UK, and Australia, Operation Magnus has seized servers and source code related to the two malware families, which have stolen data from millions of victims worldwide.

### Impact When a remote client closes the connection before waitress has had the opportunity to call `getpeername()` waitress won't correctly clean up the connection leading to the main thread attempting to write to a socket that no longer exists, but not removing it from the list of sockets to attempt to process. This leads to a busy-loop calling the write function. A remote attacker could run waitress out of available sockets with very little resources required. ### Patches Waitress 3.0.1 contains fixes that remove the race condition. ### Workarounds No work-around. ### References - https://github.com/Pylons/waitress/issues/418 - https://github.com/Pylons/waitress/pull/435

Great CISOs are in short supply, so choose wisely. Here are five ways to make sure you've made the right pick.

Apple has issued patches for several of its operating systems. The ones for iOS and iPadOS deserve your immediate attention.

Custom generative AI solutions have the potential to transform industries, equipping businesses to reach their goals with exceptional…

A little over three dozen security vulnerabilities have been disclosed in various open-source artificial intelligence (AI) and machine learning (ML) models, some of which could lead to remote code execution and information theft. The flaws, identified in tools like ChuanhuChatGPT, Lunary, and LocalAI, have been reported as part of Protect AI's Huntr bug bounty platform. The most severe of the

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS v4 10.0 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: InterMesh Vulnerabilities: OS Command Injection, Missing Authentication for Critical Function, Execution with Unnecessary Privileges, Incorrect Privilege Assignment 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to perform remote code execution, execute commands, write arbitrary files, or execute arbitrary commands. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Siemens InterMesh Subscriber Devices, a wireless alarm reporting system, are affected: InterMesh 7177 Hybrid 2.0 Subscriber: All...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Delta Electronics Equipment: InfraSuite Device Master Vulnerability: Deserialization of Untrusted Data 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an unauthenticated attacker to remotely execute arbitrary code. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of InfraSuite Device Master, a real-time device monitoring software, are affected: InfraSuite Device Master: Versions 1.0.12 and prior 3.2 Vulnerability Overview 3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502 Delta Electronics InfraSuite Device Master versions prior to 1.0.12 are affected by a deserialization vulnerability that targets the Device-Gateway, which could allow deserialization of arbitrary .NET objects prior to authentication, resulting in remote code execution. CVE-2024-10456 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 5.1 ATTENTION: Exploitable remotely/low attack complexity/public exploits are available Vendor: Solar-Log Equipment: Base 15 Vulnerability: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') 2. RISK EVALUATION Successful exploitation of this vulnerability could result in an attacker obtaining unauthorized access. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Solar-Log Base 15 are affected: Base 15: Firmware 6.0.1 Build 161 3.2 Vulnerability Overview The affected product is vulnerable to a cross-site scripting attack, which may allow an attacker to bypass access controls and gain unauthorized access. CVE-2023-46344 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.4 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). A CVSS v4 score has also been calculated for CVE-2023-46344. A base score of 5.1 has been calculated; the CVSS vecto...