Security
Headlines
HeadlinesLatestCVEs

Tag

#auth

INE Security Alert: Expediting CMMC 2.0 Compliance

Cary, North Carolina, 26th January 2025, CyberNewsWire

HackRead
Open in Source
#ios#auth
UnitedHealth Group’s Massive Data Breach Impacts 190 Million Americans

UnitedHealth Group has confirmed that a ransomware attack targeted its subsidiary, Change Healthcare, in February 2024, impacting 190…

American National Insurance Company (ANICO) Data Leaked in MOVEit Breach

Cybersecurity researchers discovered 270,000+ lines of American National Insurance customer data leaked online, potentially linked to the 2023…

CISOs Are Gaining C-Suite Swagger, but Has It Come With a Cost?

The number of CISOs who report directly to the CEO is up sharply in recent years, but many still say it's not enough to secure adequate resources.

DoJ Busts Up Another Multinational DPRK IT Worker Scam

A departmentwide initiative has now led to five major law enforcement actions, in an attempt to curb the increasingly common trend of North Korean hackers posing as IT job applicants.

MITRE's Latest ATT&CK Simulations Tackle Cloud Defenses

The MITRE framework's applied exercise provides defenders with critical feedback about how to detect and defend against common, but sophisticated, attacks.

Cisco: Critical Meeting Management Bug Requires Urgent Patch

The bug has been given a 9.9 CVSS score, and could allow authenticated threat actors to escalate their privileges to admin-level if exploited.

3 Use Cases for Third-Party API Security

Third-party API security requires a tailored approach for different scenarios. Learn how to adapt your security strategy to outbound data flows, inbound traffic, and SaaS-to-SaaS interconnections.

GHSA-v34r-vj4r-38j6: Updatecli exposes Maven credentials in console output

### Summary Private maven repository credentials leaked in application logs in case of unsuccessful retrieval operation. ### Details During the execution of an updatecli pipeline which contains a `maven` source configured with basic auth credentials, the credentials are being leaked in the application execution logs in case of failure. Credentials are properly sanitized when the operation is successful but not when for whatever reason there is a failure in the maven repository .e.g. wrong coordinates provided, not existing artifact or version. ### PoC The [documentation](https://www.updatecli.io/docs/plugins/resource/maven/) currently state to provide user credentials as basic auth inside the `repository` field. e.g. ``` sources: default: kind: maven spec: repository: "{{ requiredEnv "MAVEN_USERNAME" }}:{{ requiredEnv "MAVEN_PASS" }}@repo.example.org/releases" groupid: "org.example.company" artifactid: "my-artifact" versionFilter: kind: ...

GHSA-vqf5-2xx6-9wfm: GitHub PAT written to debug artifacts

### Impact summary In some circumstances, debug artifacts uploaded by the CodeQL Action after a failed code scanning workflow run may contain the environment variables from the workflow run, including any secrets that were exposed as environment variables to the workflow. Users with read access to the repository would be able to access this artifact, containing any secrets from the environment. For some affected workflow runs, the exposed environment variables in the debug artifacts included a valid `GITHUB_TOKEN` for the workflow run, which has access to the repository in which the workflow ran, and all the permissions specified in the workflow or job. The `GITHUB_TOKEN` is valid until the job completes or 24 hours has elapsed, whichever comes first. Environment variables are exposed only from workflow runs that satisfy all of the following conditions: - Code scanning workflow configured to scan the Java/Kotlin languages. - Running in a repository containing Kotlin source code. - R...