The imgcrypt library provides API exensions for containerd to support encrypted container images and implements the ctd-decoder command line tool for use by containerd to decrypt encrypted container images. The imgcrypt function `CheckAuthorization` is supposed to check whether the current used is authorized to access an encrypted image and prevent the user from running an image that another user previously decrypted on the same system. In versions prior to 1.1.4, a failure occurs when an image with a ManifestList is used and the architecture of the local host is not the first one in the ManifestList. Only the first architecture in the list was tested, which may not have its layers available locally since it could not be run on the host architecture. Therefore, the verdict on unavailable layers was that the image could be run anticipating that image run failure would occur later due to the layers not being available. However, this verdict to allow the image to run enabled other architectures in the ManifestList to run an image without providing keys if that image had previously been decrypted. A patch has been applied to imgcrypt 1.1.4. Workarounds may include usage of different namespaces for each remote user.

Compare

Choose a tag to compare

**imgcrypt 1.1.4**

Latest

Latest

![@stefanberger](https://avatars.githubusercontent.com/u/1873348?s=40&v=4) stefanberger released this

v1.1.4

This tag was signed with the committer’s **verified signature**.

 ![](https://avatars.githubusercontent.com/u/1873348?s=64&v=4)stefanberger Stefan Berger

GPG key ID: 75AD65802A0B4211 Learn about vigilant mode.

`4b71208`

This commit was created on GitHub.com and signed with GitHub’s **verified signature**.

GPG key ID: 4AEE18F83AFDEB23 Learn about vigilant mode.

Compare

Choose a tag to compare

v1.1.4:

*   Fixed issue in CheckAuthorization() callpath for images with a ManifestList
    *   CVE-2022-24778
    *   Fix: 6fdd981
    *   Added test case covering this
*   Updated to ocicrypt 1.1.3
*   Updated to containerd 1.6.1

CVE-2022-24778: Release imgcrypt 1.1.4 · containerd/imgcrypt

By Deeba Ahmed
This newly discovered malware campaign is attributed to a Chinese hacking group called Tropic Trooper. Cybersecurity researchers at…
This is a post from HackRead.com Read the original post: Chinese Hackers Distributing Nim language Malware in SMS Bomber Tool

****This newly discovered malware campaign is attributed to a Chinese hacking group called Tropic Trooper.****

Cybersecurity researchers at Check Point have shared details of a new malware campaign suspected to be launched by a Chinese hacking group Tropic Trooper.

The malware operators are using a unique loader Nimbda, written in Nim language, and a new variant of Yahoyah trojan.

Researchers state that the hackers possess extensive cryptographic knowledge as they have extended the AES specification in a customized implementation.

**Info-Stealing Trojan Embedded in SMS Bomber Tool**

According to Check Point’s analysis, the info stealing trojan is hidden inside a Chinese language greyware tool called SMS Bomber. This tool is used for targeting cellphones with Denial of Service attacks (DoS attacks).

SMS Bomber tool allows users to enter any phone number to flood their phones with a message, rendering the devices unusable. Novice hackers typically use such tools to compromise websites.

**Attack Scenario**

When the infected version of SMS Bomber (equipped with standard functionalities and the tool’s binary) is downloaded to the device, the attack sequence is immediately initiated. The downloaded tool also contains additional coding injected into a notepad.exe process. 

In a blog post, researchers explained that This executable is the Nimbda loader, which uses the SMS Bomber as an icon and an executable while the loader injects shellcode in the notepad process in the background. The process then reaches a GitHub repository, fetches an obfuscated executable, decodes it, and executes it through process hollowing in Dllhost.exe, the new Yahoyah variant. 

This variant collects host-related data and transmits it to the attacker-operated C2 server. The final payload that Yahoyah executable drops is encoded in a JPG file through steganography. Researchers identified it as TClient. It is a backdoor used in previous campaigns by Tropic Trooper.

The interface of SMS Bomber (left) – Infection chain of the malware (right)

**What Information is Collected**

Yahoyah can collect device names, local wireless networks’ SSIDs located within the target device’s vicinity, MAC address, antivirus products installed on the device, OS version, and presence of Tencent and WeChat files.

The encryption used for Yahoyah is a custom AES implementation to perform the inverted sequence of round operations twice. Therefore, Check Point named it AEES. Though it doesn’t make encryption any stronger, it makes analyzing it complicated for researchers.

**Potential Targets**

Tropic Trooper has mainly focused on espionage in their previously identified phishing campaigns targeting Russian entities. However, in this campaign, the hackers have trojanized the SMS Bomber tool; hence they have narrowed down their targets.

Researchers believe their target could be based on the intelligence information the group collected during past espionages. Tropic Trooper also uses KeyBoy, Earth Centaur, and Pirate Panda monikers.

The group has a history of targeting targets in Hong Kong, Taiwan, and the Philippines. Moreover, their prominent targets are linked to the government, transportation, healthcare, and technology sectors.

**More Chinese Hackers in Action News**

*   China’s insidious surveillance against Uyghurs with Android malware
*   Android malware HenBox hits Xiaomi devices & minority group in China
*   China arrests 11 hackers for infecting 250M devices with Fireball malware
*   Someone from China is Distributing Mirai Malware Through Windows Botnet
*   Unofficial Micropatch for Follina Issued as Chinese Hackers Exploit the 0-day

Chinese Hackers Distributing Nim language Malware in SMS Bomber Tool

A sophisticated APT known as "ToddyCat," sponsored by Beijing, is cleverly using unsophisticated malware to keep defenders off their trail.

Chinese advanced persistent threats (APTs) are known for being sophisticated, but the "ToddyCat" group is bucking the trend, compromising telecommunications organizations in Central and Southeast Asia using a constantly evolving arsenal of custom-developed, but very simple, backdoors and loaders.

ToddyCat was first discovered last year, though it has been in operation since at least 2020. According to Check Point, it has previously been linked with Chinese espionage operations.

In a blog post published this week, Check Point's researchers described how the group is staying nimble these days: by deploying, and just as quickly throwing away, cheap malware it can use to drop its payloads.

Victims of its latest "Stayin' Alive" campaign — active since at least 2021 — include telcos from Kazakhstan, Pakistan, Uzbekistan, and Vietnam. The precise extent of their reach, and whether they caused any damage, are yet unknown.

**ToddyCat's Latest Tactics**

Stayin' Alive attacks begin with spear phishing emails containing archive files. Once executed, the archive files are designed to take advantage of CVE-2022-23748, a 7.8 out of 10 "High" criticality DLL sideloading vulnerability in Dante AV systems software. ToddyCat uses such DLL sideloading — a popular technique, especially among Chinese threat actors — to drop loaders and downloaders onto targeted devices.

These loaders and downloaders are not nearly to the specs one would expect of a high-level, state-affiliated threat actor, explains Sergey Shykevich, threat intelligence group manager at Check Point.

"They have relatively basic functionality, but they're good enough to achieve initial goals, like allowing the attacker to get basic reports about infected machines: computer name, user name, system info, some directories, and so on. They also include the functionality of shelling, allowing the execution of any command the attacker wants," he explains.

"Our assumption is that via the shell, they were able to implement additional backdoors and modules," he adds, though the research didn't extend to finding out what payloads they ultimately did deploy.

**A Smart Use of Dumb Malware**

Though at first it might seem lazy or ineffectual, there is a reasoning behind using such basic tools instead of more sophisticated, multifunctional weapons of cyberwar.

"The smaller the tool, the more difficult it is to detect," Shykevich explains. "And also, when it's a small tool, it's relatively easy to adjust it to a target."

Easier to adjust, and less expensive to throw away. Typically, researchers identify and track APTs by cross-referencing details between different attacks. With ToddyCat, however, it's impossible to do that — each of its malware samples has zero discernible overlap with known malware families, or even with one another. The researchers expect that they're likely discarded for new samples even after little use. "The small changes mean that you can catch one of them, but it won't be so straightforward to catch all the others. It will require some additional work," Shykevich says.

That said, ToddyCat is undone by the fact that each sample traces back to its easily identifiable command-and-control (C2) infrastructure.

To defend against such a nimble attacker, Shykevich recommends a layered approach. "The first layer here, for example, was the email — you should have proper email protection to identify a malicious attachment," he advocates. "But another level is endpoint detection and response (EDR) endpoints, to identify for example the DLL sideloading and malicious shell activity."

Chinese 'Stayin' Alive' Attacks Dance Onto Targets With Dumb Malware

Healthcare organizations face a 32% surge in cyberattacks, with sensitive patient data being sold on the Dark Web.…

Healthcare organizations face a 32% surge in cyberattacks, with sensitive patient data being sold on the Dark Web. Hospitals worldwide are vulnerable, as cybercriminals exploit weak defenses and digital health records.

A new report has revealed a troubling trend: healthcare organizations across the globe are falling victim to increasingly **sophisticated cyberattacks**, leaving patients and patients’ families vulnerable to financial gain.

According to recent data from Check Point Research, the global weekly average number of attacks per organization within the healthcare industry has increased by 32% over the same period last year, reaching a staggering 2,018 per week.

The targeted institutions, including vulnerable hospitals, are constantly under the triple threat of cybercrime such as ransomware attacks, data theft, and even selling access to these critical healthcare networks on the dark web.

A closer look at the data reveals that around the world, the top regions of attack are:

****The Asia-Pacific (APAC)****

The Asia-Pacific (APAC) region has suffered the most from these attacks. With 4,556 weekly attacks per organization, a 54% increase, this region is responsible for the majority of healthcare cyberattacks, driven by the rapid expansion of digital health records and telemedicine.

****Latin America****

Latin America also faced a substantial increase in these attacks. With 2,703 weekly attacks per organization, a 34% increase, this region is particularly vulnerable due to weaker regulations and underfunded cyber security initiatives.

****Europe****

According to Check Point’s **report**, Europe, despite experiencing fewer weekly attacks at an average of 1,686, saw the largest percentage increase at 56%, highlighting a growing reliance on digital tools without parallel investments in security.

****North America****

North America, with 1,607 weekly attacks and a 20% increase, remains a prime target due to the wealth of sensitive patient data and established digital infrastructure.

The impact of these cyberattacks is severe. The situation is serious enough that the World Health Organization (WHO) has called for caution, declaring 17 September **World Patient Safety Day** to highlight the risks associated with cyberattacks in the healthcare industry.

On the other hand, cybercriminals are also using ransomware-as-a-service (RaaS) to target healthcare organizations, partnering with others to carry out attacks and siphoning off sensitive data.

A real-life example, according to Check Point, involves a hacker known as Cicada3301, who posted an advertisement on a Russian-language underground forum offering ransomware-as-a-service. He demands a 20% commission on successful attacks and even provides negotiation mechanisms for disputes among partners.

To mitigate these risks, healthcare organizations must adopt comprehensive cybersecurity measures, including technological solutions, employee training, and improved security policies. Key steps include using anti-ransomware solutions, regularly backing up data, segmenting and limiting access to information, educating staff on recognizing cyber threats, installing updates and patches, and ensuring strong passwords and multi-factor authentication.

Compliance with national and international privacy standards and regulations is also important to ensure patient safety. By securing all devices and using the best security solutions, healthcare organizations can better protect themselves against cyber criminals and protect the well-being of their patients.

1.  **7TB of Healthcare Data Leak Affects 12 Million Patients**
2.  **AI in Healthcare: ChatGPT Helps Diagnosis After Doctors Fail**
3.  **8220 Gang Targets Healthcare in Global Cryptojacking Attack**
4.  **Chinese Malware Targets European Healthcare via USB Drives**
5.  **PData of 75,000 people exposed in HealthCare.gov system hack  
    **

Dark Web Sales Fuel 32% Increase in Global Healthcare Cyberattacks

A shocking amount of iOS apps in Apple's App Store contained hard-coded secrets. Secrets that could lead criminals to user data.

Researchers found that most of the apps available on Apple’s App Store leak at least one hard-coded secret.

The researchers looked at 156,000 iOS apps and discovered more than 815,000 hardcoded secrets, including very sensitive secrets like keys to cloud storage, various Application Programming Interfaces (APIs), and even payment processors.

The researchers noted how:

“The average app’s code exposes 5.2 secrets, and 71% of apps leak at least one secret.”

Secrets hard-coded in the source code of the apps are considered exposed because they are relatively easy to find and abuse by cybercriminals.

While you may think that’s the publisher’s problem, these hard-coded secrets can have serious consequences for the an app’s users, particularly when these are credentials which provide access to cloud storage services like AWS S3 buckets or Azure Blob Storage. The researchers found 78,000 apps which exposed cloud storage buckets.

We have posted plenty of examples of exposed AWS S3 buckets over the years, often leading to millions of exposed customer records. Depending on the type of app these records can contain financial data, location data, and other personal information.

Unless you’re able to reverse engineer an app, there is not a lot you can do after the fact. But you can keep this information in mind before you install an app. Do you trust the developers to follow best practices and do you really need it? Also keep a tight rein on the permissions you allow an app.

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

 Research on iOS apps shows widespread exposure of secrets 

Web shops are an attractive target. How can SMBs keep theirs safe?

An online shop is more than just another way to sell your products. It comes with a responsibility to keep the web shop secure.

Cybercriminals are looking to steal your customers’ credit card details, their personal data, and even your revenue.

And it’s not as if using a platform that is used by major retailers makes it safe. Platforms like Shopify, Wix, and Magento are always under scrutiny of cybercriminals that are looking for a vulnerability that allows them to insert skimmers or get access to your database.

Let’s look at some examples to demonstrate my point.

A cybercriminal specializing in breaching Shopify stores is posting huge data sets as free downloads. Using the monicker ShopifyGUY, which implies they specialize in Shopify sites, the cybercriminal posted a few datasets containing millions of customer records.

boAt Lifestyle data free download

For example, boAt is reportedly Indian’s most active company that markets audio-focused electronic gadgets. ShopifyGUY dumped files of a data breach with access to PII information of boAt customers, which has 7,550,000 entries.

Piping Rock data for download

ShopifyGUY also uploaded the Piping Rock database containing 2.1million email addresses from the online health products store Piping Rock.

We found several Magento-based web shops that had skimmers injected into their code busy stealing credit card information. One of them even infected visitors with the SocGolish malware, a sophisticated JavaScript malware framework that has been actively used by cybercriminals since at least 2017. It tricks users into running a script supposedly meant to update their browser. What it actually does is infect the machine and send the details back to a human operator, who can decide how best to monetize it. Lately, SocGholish has been found to install information stealers on both Windows and Mac machines.

The most common attacks web shop owners need to worry about are:

*   Credential phishing where the criminals try to steal your login credentials.
*   Malware injection where the criminals inject malicious code into your web shop by abusing a vulnerability in the platform itself or a plug-in.
*   Brute force attacks, where the criminals try a whole bunch of passwords they obtained from other breaches.

So, to keep your web shop safe you should:

*   Be extra vigilant when it comes to phishing attempts.
*   Keep your software up to date.
*   Protect the device(s) you use to login with an active anti-malware solution.
*   Make it harder to log in by using multi-factor authentication (MFA) and by not re-using passwords.
*   Regularly check your web site for additional code, especially the payment section.
*   If you run the web shop on your own server, use web application firewalls (WAF) to detect and block malicious traffic.
*   Do not store customer details that you no longer need.

Your customers will probably not thank you for your efforts, but they will come complaining if you spill their data.

For readers that would like to check whether their credentials are included in one of the data breaches, Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

 Small business owners, secure your web shop 

Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to decrypt secrets stored in Jenkins obtained through another method.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Wed, 12 Jan 2022 19:10:44 +0100
From: Wadeck Follonier <wfollonier@...udbees.com>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins and Jenkins plugins

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

\* Jenkins 2.330
\* Jenkins LTS 2.319.2
\* Active Directory Plugin 2.25.1
\* Badge Plugin 1.9.1
\* Bitbucket Branch Source Plugin 746.v350d2781c184
\* Configuration as Code Plugin 1.55.1
\* Credentials Binding Plugin 1.27.1
\* Docker Commons Plugin 1.18
\* HashiCorp Vault Plugin 3.8.0
\* Mailer Plugin 408.vd726a\_1130320
\* Matrix Project Plugin 1.20
\* Metrics Plugin 4.0.2.8.1
\* SSH Agent Plugin 1.23.2
\* Warnings Next Generation Plugin 9.10.3

Additionally, we announce unresolved security issues in the following
plugins:

\* batch task Plugin
\* Conjur Secrets Plugin
\* Debian Package Builder Plugin
\* Publish Over SSH Plugin

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2022-01-12/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-2558 / CVE-2022-20612
Jenkins 2.329 and earlier, LTS 2.319.1 and earlier does not require POST
requests for the HTTP endpoint handling manual build requests when no
security realm is set, resulting in a cross-site request forgery (CSRF)
vulnerability.

This vulnerability allows attackers to trigger build of job without
parameters.


SECURITY-2163 / CVE-2022-20613 (CSRF) & CVE-2022-20614 (missing permission
check)
Mailer Plugin 391.ve4a\_38c1b\_cf4b\_ and earlier does not perform a
permission check in a method implementing form validation.

This allows attackers with Overall/Read access to use the DNS used by the
Jenkins instance to resolve an attacker-specified hostname.

Additionally, this form validation method does not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.


SECURITY-2017 / CVE-2022-20615
Matrix Project Plugin 1.19 and earlier does not escape HTML metacharacters
in node and label names, and label descriptions.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Agent/Configure permission.


SECURITY-2342 / CVE-2022-20616
Credentials Binding Plugin 1.27 and earlier does not perform a permission
check in a method implementing form validation.

This allows attackers with Overall/Read access to validate if a credential
ID refers to a secret file credential and whether it's a zip file.


SECURITY-1878 / CVE-2022-20617
Docker Commons Plugin 1.17 and earlier does not sanitize the name of an
image or a tag.

This results in an OS command execution vulnerability exploitable by
attackers with Item/Configure permission or able to control the contents of
a previously configured job's SCM repository.


SECURITY-2033 / CVE-2022-20618
Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier does not
perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read access to enumerate credentials IDs
of credentials stored in Jenkins. Those can be used as part of an attack to
capture the credentials using another vulnerability.


SECURITY-2467 / CVE-2022-20619
Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier does not
require POST requests for an HTTP endpoint, resulting in a cross-site
request forgery (CSRF) vulnerability.

This allows attackers with Overall/Read access to connect to an
attacker-specified URL using attacker-specified credentials IDs obtained
through another method, capturing credentials stored in Jenkins.


SECURITY-2189 / CVE-2022-20620
SSH Agent Plugin 1.23 and earlier does not perform permission checks in
several HTTP endpoints.

This allows attackers with Overall/Read access to enumerate credentials IDs
of credentials stored in Jenkins. Those can be used as part of an attack to
capture the credentials using another vulnerability.


SECURITY-1624 / CVE-2022-20621
Metrics Plugin 4.0.2.8 and earlier stores access keys unencrypted in its
global configuration file \`jenkins.metrics.api.MetricsAccessKey.xml\` on the
Jenkins controller as part of its configuration.

This access key can be viewed by users with access to the Jenkins
controller file system.


SECURITY-1389 / CVE-2022-23105
Active Directory Plugin implements two separate modes: integration with
ADSI on Windows, and an OS agnostic LDAP-based mode.

Active Directory Plugin 2.25 and earlier does not encrypt the transmission
of data between the Jenkins controller and Active Directory servers unless
it is configured to use the OS agnostic LDAP mode and the system property
\`hudson.plugins.active\_directory.ActiveDirectorySecurityRealm.forceLdaps\`
is set to \`true\`.

This allows attackers able to capture network traffic between the Jenkins
controller and Active Directory servers to obtain credentials of users
logging into Jenkins, as well as credentials of the manager DN (LDAP mode)
or the Windows/Active Directory user Jenkins is running as (ADSI mode).


SECURITY-2141 / CVE-2022-23106
Configuration as Code Plugin 1.55 and earlier does not use a constant-time
comparison when checking whether two authentication tokens are equal.

This could potentially allow attackers to use statistical methods to obtain
a valid authentication token.


SECURITY-2090 / CVE-2022-23107
Warnings Next Generation Plugin 9.10.2 and earlier does not restrict the
name of a file when configuring a custom ID.

This allows attackers with Item/Configure permission to write and read
specific files with a hard-coded suffix on the Jenkins controller file
system.


SECURITY-2547 / CVE-2022-23108
Badge Plugin allows adding custom build badges with a custom description
and optionally a link to a URL.

Badge Plugin 1.9 and earlier does not escape the description and does not
check for allowed protocols when creating a badge.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Item/Configure permission.


SECURITY-2213 / CVE-2022-23109
Pipelines display commands executed in their Pipeline step descriptions and
their output in build logs. To mask sensitive output,
Pipeline: Groovy Plugin 2.84 and earlier specified an
allowlist of known non-sensitive variables and masked everything else. This
caused problems, so Pipeline: Groovy Plugin 2.85 and newer expects pipeline
steps to explicitly specify that variables are to be treated as sensitive
and should be removed from output.

HashiCorp Vault Plugin 3.7.0 and earlier relied on the previous behavior
and did not explicitly declare variables as sensitive or redacted them.

This can result in exposure of Vault credentials in Pipeline build logs and
Pipeline step descriptions.


SECURITY-2287 / CVE-2022-23110
Publish Over SSH Plugin 1.22 and earlier does not escape the SSH server
name.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Overall/Administer permission.

As of publication of this advisory, there is no fix.


SECURITY-2290 / CVE-2022-23111 (CSRF) & CVE-2022-23112 (missing permission
check)
Publish Over SSH Plugin 1.22 and earlier does not perform permission checks
in methods implementing connection tests.

This allows attackers with Overall/Read access to connect to an
attacker-specified SSH server using attacker-specified credentials.

Additionally, these connection tests methods do not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2307 / CVE-2022-23113
Publish Over SSH Plugin 1.22 and earlier performs a validation of the file
name specifying whether it is present or not.

This results in a path traversal vulnerability allowing attackers with
Item/Configure permission to discover the name of the Jenkins controller
files.

As of publication of this advisory, there is no fix.


SECURITY-2291 / CVE-2022-23114
Publish Over SSH Plugin 1.22 and earlier stores password unencrypted in its
global configuration file
\`jenkins.plugins.publish\_over\_ssh.BapSshPublisherPlugin.xml\` on the Jenkins
controller as part of its configuration.

This password can be viewed by users with access to the Jenkins controller
file system.

As of publication of this advisory, there is no fix.


SECURITY-1025 / CVE-2022-23115
batch task Plugin 1.19 and earlier does not require POST requests for
several HTTP endpoints, resulting in cross-site request forgery (CSRF)
vulnerabilities.

These vulnerabilities allow attackers with Overall/Read access to retrieve
logs, build or delete a batch task.

As of publication of this advisory, there is no fix.


SECURITY-2522 (1) / CVE-2022-23116
Conjur Secrets Plugin 1.0.9 and earlier implements functionality that
allows agent processes to obtain the plain text of any attacker-provided
encrypted secret.

This allows attackers able to control agent processes to decrypt secrets
stored in Jenkins obtained through another method.

As of publication of this advisory, there is no fix.


SECURITY-2522 (2) / CVE-2022-23117
Conjur Secrets Plugin 1.0.9 and earlier implements functionality that
allows agent processes to obtain all username/password credentials
(Credentials Plugin) stored on the Jenkins controller.

This allows attackers able to control agent processes to retrieve those
credentials.

As of publication of this advisory, there is no fix.


SECURITY-2546 / CVE-2022-23118
Debian Package Builder Plugin 1.6.11 and earlier implements functionality
that allows agent processes to invoke command-line \`git\` at an
attacker-specified path on the controller.

This allows attackers able to control agent processes to invoke arbitrary
OS commands on the controller.

As of publication of this advisory, there is no fix.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-23116: security - Multiple vulnerabilities in Jenkins and Jenkins plugins

lib/Image/ExifTool.pm in ExifTool before 12.38 mishandles a $file =~ /\|$/ check, leading to command injection.

@@ -431,9 +431,10 @@ <h2 class=top>Nikon Tags</h2> <br\>ShotInfoD6 <br\>ShotInfoD610 <br\>ShotInfoZ7\_2 <br\>ShotInfoZ9 <br\>ShotInfo02xx <br\>ShotInfoUnknown</td\> <td class\=c\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-</td\> <td class\=c\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-<br\>\-</td\> <td\>\--&gt; <a href\='Nikon.html#ShotInfoD40'\>Nikon ShotInfoD40 Tags</a\> <br\>\--&gt; <a href\='Nikon.html#ShotInfoD80'\>Nikon ShotInfoD80 Tags</a\> <br\>\--&gt; <a href\='Nikon.html#ShotInfoD90'\>Nikon ShotInfoD90 Tags</a\> @@ -459,6 +460,7 @@ <h2 class=top>Nikon Tags</h2> <br\>\--&gt; <a href\='Nikon.html#ShotInfoD6'\>Nikon ShotInfoD6 Tags</a\> <br\>\--&gt; <a href\='Nikon.html#ShotInfoD610'\>Nikon ShotInfoD610 Tags</a\> <br\>\--&gt; <a href\='Nikon.html#ShotInfoZ7\_2'\>Nikon ShotInfoZ7\_2 Tags</a\> <br\>\--&gt; <a href\='Nikon.html#ShotInfoZ9'\>Nikon ShotInfoZ9 Tags</a\> <br\>\--&gt; <a href\='Nikon.html#ShotInfo'\>Nikon ShotInfo Tags</a\> <br\>\--&gt; <a href\='Nikon.html#ShotInfo'\>Nikon ShotInfo Tags</a\></td\></tr\> <tr\> @@ -470,18 +472,7 @@ <h2 class=top>Nikon Tags</h2> <td title\='0x0093 = 147'\>0x0093</td\> <td\>NEFCompression</td\> <td class\=c\>int16u</td\> <td\><table class\=cols\><tr\> <td\>1 = Lossy (type 1) <br\>2 = Uncompressed <br\>3 = Lossless <br\>4 = Lossy (type 2) <br\>5 = Striped packed 12 bits <br\>6 = Uncompressed (reduced to 12 bit) <br\>7 = Unpacked 12 bits <br\>8 = Small <br\>9 = Packed 12 bits <br\>10 = Packed 14 bits</td\></tr\></table\> </td\></tr\> <td\>\--&gt; <a href\='Nikon.html#NEFCompression'\>Nikon NEFCompression Values</a\></td\></tr\> <tr\> <td title\='0x0094 = 148'\>0x0094</td\> <td\>SaturationAdj</td\> @@ -815,6 +806,25 @@ <h2 class=top>Nikon Tags</h2> <br\>&#39;16 16 16 0&#39; = 16 x 3</span\></td\></tr\> </table\></td\></tr\></table\></blockquote\>  
<h2\><a name\='NEFCompression'\>Nikon NEFCompression Values</a\></h2\> <blockquote\> <table class\=frame\><tr\><td\> <table class\='inner sep' cellspacing\=1\> <tr class\=h\><th\>Value</th\><th\>NEFCompression</th\><th\>Value</th\><th\>NEFCompression</th\></tr\> <tr\><td class\=r\>1</td\><td\>\= Lossy (type 1)</td\> <td class\='r b'\>7</td\><td class\=b\>\= Unpacked 12 bits</td\> </tr\><tr\><td class\=r\>2</td\><td\>\= Uncompressed</td\> <td class\='r b'\>8</td\><td class\=b\>\= Small</td\> </tr\><tr\><td class\=r\>3</td\><td\>\= Lossless</td\> <td class\='r b'\>9</td\><td class\=b\>\= Packed 12 bits</td\> </tr\><tr\><td class\=r\>4</td\><td\>\= Lossy (type 2)</td\> <td class\='r b'\>10</td\><td class\=b\>\= Packed 14 bits</td\> </tr\><tr\><td class\=r\>5</td\><td\>\= Striped packed 12 bits</td\> <td class\='r b'\>13</td\><td class\=b\>\= High Efficiency</td\> </tr\><tr\><td class\=r\>6</td\><td\>\= Uncompressed (reduced to 12 bit)</td\> <td class\='r b'\>14</td\><td class\=b\>\= High Efficiency\*</td\> </tr\></table\></td\></tr\></table\></blockquote\>  
<h2\><a name\='PreviewIFD'\>Nikon PreviewIFD Tags</a\></h2\> <blockquote\> <table class\=frame\><tr\><td\> @@ -1703,6 +1713,24 @@ <h2><a name='LocationInfo'>Nikon LocationInfo Tags</a></h2> <td\>&nbsp;</td\></tr\> </table\></td\></tr\></table\></blockquote\>  
<h2\><a name\='MakerNotes0x51'\>Nikon MakerNotes0x51 Tags</a\></h2\> <blockquote\> <table class\=frame\><tr\><td\> <table class\=inner cellspacing\=1\> <tr class\=h\><th\>Index1</th\><th\>Tag Name</th\> <th\>Writable</th\><th\>Values / <span class\=n\>Notes</span\></th\></tr\> <tr\> <td class\=r title\='0 = 0x0'\>0</td\> <td\>FirmwareVersion</td\> <td class\=c\>no</td\> <td\>&nbsp;</td\></tr\> <tr class\=b\> <td class\=r title\='10 = 0xa'\>10</td\> <td\>NEFCompression</td\> <td class\=c\>int16u\[0.5\]</td\> <td\>\--&gt; <a href\='Nikon.html#NEFCompression'\>Nikon NEFCompression Values</a\></td\></tr\> </table\></td\></tr\></table\></blockquote\>  
<h2\><a name\='AFInfo'\>Nikon AFInfo Tags</a\></h2\> <blockquote\> <table class\=frame\><tr\><td\> @@ -3996,44 +4024,78 @@ <h2><a name='ZMenuSettings'>Nikon ZMenuSettings Tags</a></h2> <td\><span class\=s\>0 = No <br\>1 = Yes</span\></td\></tr\> <tr class\=b\> <td class\=r title\='577 = 0x241'\>577</td\> <td\>MovieDiffractionCompensation?</td\> <td class\=c\>int8u</td\> <td\><span class\=s\>0 = Off <br\>1 = On</span\></td\></tr\> <tr\> <td class\=r title\='578 = 0x242'\>578</td\> <td\>MovieAutoDistortionControl?</td\> <td class\=c\>int8u</td\> <td\><span class\=s\>0 = Off <br\>1 = On</span\></td\></tr\> <tr\> <tr class\=b\> <td class\=r title\='584 = 0x248'\>584</td\> <td\>MovieFocusMode?</td\> <td class\=c\>int8u</td\> <td\><span class\=s\>0 = Manual <br\>1 = AF-S <br\>2 = AF-C <br\>4 = AF-F</span\></td\></tr\> <tr class\=b\> <tr\> <td class\=r title\='590 = 0x24e'\>590</td\> <td\>MovieVibrationReduction?</td\> <td class\=c\>int8u</td\> <td\><span class\=s\>0 = Off <br\>1 = On (Normal) <br\>2 = On (Sport)</span\></td\></tr\> <tr\> <tr class\=b\> <td class\=r title\='591 = 0x24f'\>591</td\> <td\>MovieVibrationReductionSameAsPhoto?</td\> <td class\=c\>int8u</td\> <td\><span class\=s\>0 = No <br\>1 = Yes</span\></td\></tr\> <tr class\=b\> <tr\> <td class\=r title\='858 = 0x35a'\>858</td\> <td\>HDMIOutputN-Log?</td\> <td class\=c\>int8u</td\> <td\><span class\=s\>0 = Off <br\>1 = On</span\></td\></tr\> </table\></td\></tr\></table\></blockquote\>  
<h2\><a name\='ShotInfoZ9'\>Nikon ShotInfoZ9 Tags</a\></h2\> <p\>These tags are extracted from encrypted data in images from the Z9.</p\> <blockquote\> <table class\=frame\><tr\><td\> <table class\=inner cellspacing\=1\> <tr class\=h\><th\>Index</th\><th\>Tag Name</th\> <th\>Writable</th\><th\>Values / <span class\=n\>Notes</span\></th\></tr\> <tr\> <td class\=r title\='5771 = 0x168b'\>5771</td\> <td\>MovieDiffrationCompensation?</td\> <td class\=c\>int8u</td\> <td\><span class\=s\>0 = Off <br\>1 = On</span\></td\></tr\> <td class\=r title\='0 = 0x0'\>0</td\> <td\>ShotInfoVersion</td\> <td class\=c\>no</td\> <td\>&nbsp;</td\></tr\> <tr class\=b\> <td class\=r title\='4 = 0x4'\>4</td\> <td\>FirmwareVersion</td\> <td class\=c\>no</td\> <td\>&nbsp;</td\></tr\> <tr\> <td class\=r title\='60139 = 0xeaeb'\>60139</td\> <td\>RollAngle</td\> <td class\=c\>fixed32u</td\> <td\><span class\=s\><span class\=n\>(converted to degrees of clockwise camera roll)</span\></span\></td\></tr\> <tr class\=b\> <td class\=r title\='60143 = 0xeaef'\>60143</td\> <td\>PitchAngle</td\> <td class\=c\>fixed32u</td\> <td\><span class\=s\><span class\=n\>(converted to degrees of upward camera tilt)</span\></span\></td\></tr\> <tr\> <td class\=r title\='60147 = 0xeaf3'\>60147</td\> <td\>YawAngle</td\> <td class\=c\>fixed32u</td\> <td\><span class\=s\><span class\=n\>(the camera yaw angle when shooting in portrait orientation)</span\></span\></td\></tr\> </table\></td\></tr\></table\></blockquote\>  
<h2\><a name\='ShotInfo'\>Nikon ShotInfo Tags</a\></h2\> @@ -7949,7 +8011,7 @@ <h2><a name='LensID'>Nikon LensID Values</a></h2>  
<hr\> (This document generated automatically by Image::ExifTool::BuildTagLookup) <br\><i\>Last revised Dec 8, 2021</i\> <br\><i\>Last revised Dec 20, 2021</i\> <p class\=lf\><a href\='index.html'\>&lt;-- ExifTool Tag Names</a\></p\> </body\> </html\>

CVE-2022-23935: Update to 12.38 · exiftool/exiftool@74dbab1

The Docker image of ownCloud Server through 10.11 contains a misconfiguration that renders the trusted_domains config useless. This could be abused to spoof the URL in password-reset e-mail messages.

**ownCloud, your collaboration tool**

The most essential productivity tool since email  
Store. Share. Work.

**Filesharing, trusted by 200 million users worldwide**

**Infinite Scale****the new cloud-native data platform**

**The all–new Infinite Scale, written in Go, using microservices, brings unparalleled scale and speed. Discover out beta program now and save your free test instance for 14 days!**

**For organizations with high data governance requirements**

Control your data – always, anytime and anywhere. Deploy ownCloud on-premises, in a data center of your choice or in a hybrid setup. Regulations and certifications? Say no more. We keep your back! With multi-factor authentication, encryption and our elaborate file lifecycle management. Looking for 100% data ownership? Let’s get in touch now.

**Do you prefer SaaS? Check out ownCloud.online!**

**For smaller organizations and private users**

No time for infrastructure management? ownCloud.online is your best choice for data sovereignty and the flexibility of a SaaS solution. Our platform, fully hosted in Germany, lets you start right away. Keep your data safe at any time. Compliant and without any maintenance. It’s just one click away.

**Control who can access your data**

Give staff an easy, flexible and secure way to share files and folders. Safely involve contacts outside your organization with select documents. Share public links shielded by passwords and expiration dates.

Say goodbye to slow VPN connections, unversioned documents attached to emails and shadow IT in public clouds of questionable security.

R

General Data Protection Regulation

R

Lei Geral de Proteção de Dados

R

Cloud Computing Regulatory Framework

R

Health Insurance Portability and Accountability Act

R

California Consumer Privacy Act

**Increase productivity**

Modern teams collaborate from anywhere and from any device. Make them more efficient by enabling them to store, share and work on their data and documents through a single point of access.

Work simultaneously on documents, create presentations together in real-time, annotate files and much more, thereby saving time on coordination and feedback processes.

We believe that the needs for data sovereignty and real-time collaboration can be reconciled in private clouds. Learn how we can help you gain digital sovereignty.

**Convenient collaboration with internal and external parties without storing data in the public cloud. Open APIs and modularity let you integrate almost everything to your ownCloud – Data sovereignty by design.**

**Users love ownCloud**

****Our latest news****

**Keep up with what’s next**

Sign up to the ownCloud newsletter:

**Having trouble viewing or submitting this form?**

Contact Us

\* Mandatory field

By submitting this form I agree that I want to to receive notifications and services via email, phone or personalized ads. Therefore, I agree, that ownCloud stores and uses my contact data for further information and in order to optimize and adapt the offer to my individual interests. I can revoke my consent for the future at any time, either directly via the link in emails or by email to . For further information please also see the Privacy Statement.

CVE-2022-43679: ownCloud - share files and folders, easy and secure

As more employees plan on taking longer holidays and working remotely from the destination for part of that time, organizations have to consider the risks. Like Wi-Fi networks.

_Many employees are requesting a "hybrid holiday" — where longer holidays are booked with the intention of spending time working remotely from the travel destination. In a Virgin Media O2 survey from earlier this year, 76% of workers polled said they were considering adding remote-work days around their annual leave to extend their time away._

**Question: What are the risks of employees going on a hybrid holiday?**

**John Ayers, Interim CISO and Vice President of Product, Advanced Detection, & Response at Optiv:** Threat actors are like any other criminals — they do reconnaissance, and social media has become the best recon tool in the trade craft. With employees now looking to combine work with holiday plans, this has only increased the security risks for users and their companies.

Let's take an example of going overseas to Rome. It's a nice place to visit, but you also need to work. First, Internet is not a "like for like," meaning the type of access you would have there is not like yours at home. Yes, we all have been led to believe coffee shop and hotel Wi-Fi is OK to use since COVID — but it is not.

Second, not all locations are friendly. Most companies should be deploying, or have already deployed, geo-blocking in order to prevent employees from connecting in countries or locations with high risk or out of the US. Geo-blocking is a great tool to prevent and deny all access from a region. Most CISOs today need to protect access to data, which means denying access from devices based on location. They are trying to prevent MitM (man-in-the-middle attack). Why is that important? MitM employs someone setting up an access point that might not be what you think it is.

Each time you fire up the laptop or mobile device and log into Amazon or your work email, you are practicing what we call "data in motion" using the rogue Wi-Fi connection, which is now collecting all that data.

The risks here are:

*   **Location.** You now are advertising where you are.
*   **Browsing history.**
*   **Purchasing.** Yes, the credit card you used was just compromised. How do you avoid that? Tether your device and get an Internet plan with a secure option. I have used TEP Wireless because it grants me access wherever I go using an always-on VPN. Check with your company about traveling — especially out of the country.

So, the next time you try to take vacation and look to access your company's email and OneDrive, remember this: Using public Wi-Fi is like buying sushi at a gas station — you never know how sick you will get until you consume it.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Search

lenovo warranty check/lookup | check warranty status | lenovo support us