Security
Headlines
HeadlinesLatestCVEs

Tag

#auth

GHSA-6cf5-w9h3-4rqv: Denied Host Validation Bypass in Zitadel Actions

### Summary A flaw in the URL validation mechanism of Zitadel actions allows bypassing restrictions intended to block requests to localhost (127.0.0.1). The isHostBlocked check, designed to prevent such requests, can be circumvented by creating a DNS record that resolves to 127.0.0.1. This enables actions to send requests to localhost despite the intended security measures. ### Details While attempting to send a request directly to 127.0.0.1 via an action results in an error (see image below), the restriction can be bypassed using a custom DNS record. <img width="781" alt="image" src="https://github.com/user-attachments/assets/6d22dae8-407f-4420-a937-aca53d22d05d"> The relevant action code demonstrates the attempted request to 127.0.0.1: ``` let http = require('zitadel/http') let logger = require("zitadel/log") function make_api_call(ctx, api) { var user = http.fetch('http://127.0.0.1:8080/debug/metrics'); var api_r = http.fetch('https://obtjoiwgtaftuhbjugulyolvvxuvuuosq.oa...

ghsa
Open in Source
#vulnerability#js#git#auth
GHSA-v46j-h43h-rwrm: Autolab Misconfigured Reset Password Permissions

### Impact For email-based accounts, users with insufficient privileges could reset and theoretically access privileged users' accounts by resetting their passwords. ### Patches This is fixed in v3.0.1. ### Workarounds No workarounds. ### For more information If you have any questions or comments about this advisory: Open an issue in https://github.com/autolab/Autolab/ Email us at [[email protected]](mailto:[email protected])

100 million US citizens officially impacted by Change Healthcare data breach

Change Healtcare has confrimed that at least 100M US citizens personal data were impacted by their February data breach

Linux Kernel Project Drops 11 Russian Developers Amid US Sanctions Concerns

Linux Foundation removes 11 Russian developers from the Linux kernel project due to U.S. sanctions. Linus Torvalds confirms…

Lawo AG vsm LTC Time Sync Path Traversal

Lawo AG vsm LTC Time Sync versions prior to 4.5.6.0 suffer from a path traversal vulnerability.

Red Hat Security Advisory 2024-8461-03

Red Hat Security Advisory 2024-8461-03 - An update for krb5 is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

My Journey From the Air Force to Cybersecurity

Cybersecurity is mission-driven, meaningful work that coincides with the service branches' goals to protect, defend, and create a safer world.

Researchers Discover Command Injection Flaw in Wi-Fi Alliance's Test Suite

A security flaw impacting the Wi-Fi Test Suite could enable unauthenticated local attackers to execute arbitrary code with elevated privileges. The CERT Coordination Center (CERT/CC) said the vulnerability, tracked as CVE-2024-41992, said the susceptible code from the Wi-Fi Alliance has been found deployed on Arcadyan FMIMG51AX000J routers. "This flaw allows an unauthenticated local attacker to

Cybersecurity Isn't Easy When You're Trying to Be Green

Renewable energy firms deal with a large cyberattack surface area, given the distributed nature of power generation and more pervasive connectivity.

UNC5820 Exploits FortiManager Zero-Day Vulnerability (CVE-2024-47575)

Fortinet and Mandiant investigated the mass exploitation of FortiManager devices via CVE-2024-47575, impacting 50+ systems across industries. Threat…