Security
Headlines

Amazon Employee Data Compromised in MOVEit Breach

The data leak was not actually due to a breach in Amazon's systems but rather that of a third-party vendor; the supply chain incident affected several other clients as well.

DARKReading

GHSA-gv7v-rgg6-548h: Laravel environment manipulation via query string

## Description

When the `register_argc_argv` PHP directive is set to `on`, and users call any URL with a specially crafted query string, they are able to change the environment used by the framework when handling the request.

## Resolution

The framework now ignores argv values for environment detection on non-CLI SAPIs.

Microsoft’s November Patch Tuesday Fixes 91 Vulnerabilities, 4 Zero-Days

Microsoft’s November 2024 Patch Tuesday update fixes 91 security vulnerabilities, including four zero-day vulnerabilities. Critical fixes address actively…

Microsoft Patch Tuesday, November 2024 Edition

Microsoft today released updates to plug at least 89 security holes in its Windows operating systems and other software. November's patch batch includes fixes for two zero-day vulnerabilities that are already being exploited by attackers, as well as two other flaws that were publicly disclosed prior to today.

GHSA-7hpf-g48v-hw3j: Zoraxy has an authenticated command injection in the Web SSH feature

### Summary

A command injection vulnerability in the Web SSH feature allows an authenticated attacker to execute arbitrary commands as root on the host.

### Details

Zoraxy has a Web SSH terminal feature that allows authenticated users to connect to SSH servers from their browsers. In [`HandleCreateProxySession`](https://github.com/tobychui/zoraxy/blob/9cb315ea6739d1cc201b690322d25166b12dc5db/src/webssh.go#L19) the request to create an SSH session is handled. After checking for the presence of required parameters, ensuring that the target is not the loopback interface and that there is actually an SSH service running on the target, `CreateNewConnection` is called: https://github.com/tobychui/zoraxy/blob/e79a70b7acfa45c2445aff9d60e4e7525c89fec8/src/mod/sshprox/sshprox.go#L165-L178

In line 178, the `gotty` binary is executed running `sshCommand` from the line above. It contains the user-controlled variable `connAddr`, which includes the hostname of the SSH server and - if provided - th...

GHSA-g23h-7vf9-xc25: Mimalloc Can Allocate Memory with Bad Alignment

This crate depended on a promise regarding alignments made by the author of the mimalloc allocator to avoid using aligned allocation functions where possible for performance reasons. Since then, the mimalloc allocator's logic changed, making it break this promise. This caused this crate to return memory with an incorrect alignment for some allocations, particularly those with large alignments. The flaw was fixed by always using the aligned allocation functions.

GHSA-fpr5-jp2j-4q2f: paillier-zk has ambiguous challenge derivation

Challenge derivation in non-interactive ZK proofs was ambiguous, which could lead to a security vulnerability (however, it is unknown whether it could be exploited).

GHSA-rm66-9gh4-4gp8: cggmp21 vulnerable to ambiguous challenge derivation

Challenge derivation in non-interactive ZK proofs was ambiguous, which could lead to a security vulnerability (however, it is unknown whether it could be exploited).

GHSA-7jjx-3qw9-j6h6: cggmp21-keygen has ambiguous challenge derivation

Challenge derivation in non-interactive ZK proofs was ambiguous, which could lead to a security vulnerability (however, it is unknown whether it could be exploited).

New Essay Competition Explores AI's Role in Cybersecurity

The essays are to focus on the impact that artificial intelligence will have on European policy.