#auth

Example DAG: example_inlet_event_extra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the base of your DAGs - please review if you have not copied the dangerous example; see https://github.com/apache/airflow/pull/41873  for more information. We recommend against exposing the example DAGs in your deployment. If you must expose the example DAGs, upgrade Airflow to version 2.10.1 or later.

Apache Airflow versions before 2.10.1 have a vulnerability that allows DAG authors to add local settings to the DAG folder and get it executed by the scheduler, where the scheduler is not supposed to execute code submitted by the DAG author. Users are advised to upgrade to version 2.10.1 or later, which has fixed the vulnerability.

### Impact Users running the Synthetic Monitoring agent in their local network are impacted. The authentication token used to communicate with the Synthetic Monitoring API is exposed thru a debugging endpoint. This token can be used to retrieve the Synthetic Monitoring checks created by the user and assigned to the agent identified with that token. The Synthetic Monitoring API will reject connections from already-connected agents, so access to the token does not guarantee access to the checks. ### Patches Fixed version is v0.12.0 Users are advised to rotate the agent tokens. After upgrading to version v0.12.0 or later, it's recommended that user's of distribution packages (e.g. Debian or RedHat and their derivatives) review the configuration stored in `/etc/synthetic-monitoring/synthetic-monitoring-agent.conf`, specifically the `API_TOKEN` variable which has been renamed to `SM_AGENT_API_TOKEN`. ### Workarounds With all previous versions, it's recommended that users review the a...

### Impact In distributed service mode, Pomerium's Authenticate service exposes pprof debug and prometheus metrics handlers to untrusted traffic. This can leak potentially sensitive environmental information or lead to limited denial of service conditions. ### Patches v0.17.1 ### Workarounds Block access to `/debug` and `/metrics` paths on the authenticate service. This can be done with any L7 proxy, including Pomerium's own proxy service. ### References https://github.com/pomerium/pomerium/pull/3212 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Pomerium](https://github.com/pomerium/pomerium) * Email us at [[email protected]](mailto:[email protected])

In the past, Putin's Unit 29155 has utilized malware like WhisperGate to target organizations, particularly those in Ukraine.

The vulnerabilities affect industrial control tech used across the healthcare and critical manufacturing sectors.

Vendors of mercenary spyware tools used by nation-states to track citizens and enemies have gotten savvy about evading efforts to limit their use.

The Biden administration launches an initiative to encourage careers in cybersecurity, as businesses try new tactics to get unfilled IT security roles staffed.

C-MOR Video Surveillance versions 5.2401 and 6.00PL01 suffer from a command injection vulnerability.

C-MOR Video Surveillance version 5.2401 makes use of unmaintained vulnerability third-party components.