Security
Headlines
HeadlinesLatestCVEs

Tag

#auth

Microsoft Patch Tuesday, November 2024 Edition

Microsoft today released updates to plug at least 89 security holes in its Windows operating systems and other software. November's patch batch includes fixes for two zero-day vulnerabilities that are already being exploited by attackers, as well as two other flaws that were publicly disclosed prior to today.

Krebs on Security
Open in Source
#sql#vulnerability#mac#windows#google#microsoft#git#rce#auth#zero_day#blog
GHSA-7hpf-g48v-hw3j: Zoraxy has an authenticated command injection in the Web SSH feature

### Summary A command injection vulnerability in the Web SSH feature allows an authenticated attacker to execute arbitrary commands as root on the host. ### Details Zoraxy has a Web SSH terminal feature that allows authenticated users to connect to SSH servers from their browsers. In [`HandleCreateProxySession`](https://github.com/tobychui/zoraxy/blob/9cb315ea6739d1cc201b690322d25166b12dc5db/src/webssh.go#L19) the request to create an SSH session is handled. After checking for the presence of required parameters, ensuring that the target is not the loopback interface and that there is actually an SSH service running on the target, `CreateNewConnection` is called: https://github.com/tobychui/zoraxy/blob/e79a70b7acfa45c2445aff9d60e4e7525c89fec8/src/mod/sshprox/sshprox.go#L165-L178 In line 178, the `gotty` binary is executed running `sshCommand` from the line above. It contains the user-controlled variable `connAddr`, which includes the hostname of the SSH server and - if provided - th...

GHSA-g23h-7vf9-xc25: Mimalloc Can Allocate Memory with Bad Alignment

This crate depended on a promise regarding alignments made by the author of the mimalloc allocator to avoid using aligned allocation functions where possible for performance reasons. Since then, the mimalloc allocator's logic changed, making it break this promise. This caused this crate to return memory with an incorrect alignment for some allocations, particularly those with large alignments. The flaw was fixed by always using the aligned allocation functions.

GHSA-fpr5-jp2j-4q2f: paillier-zk has ambiguous challenge derivation

Challenge derivation in non-interactive ZK proofs was ambiguous and that could lead to security vulnerability (however, it's unknown if it could be exploited).

GHSA-rm66-9gh4-4gp8: cggmp21 vulnerable to ambiguous challenge derivation

Challenge derivation in non-interactive ZK proofs was ambiguous and that could lead to security vulnerability (however, it's unknown if it could be exploited).

GHSA-7jjx-3qw9-j6h6: cggmp21-keygen has ambiguous challenge derivation

Challenge derivation in non-interactive ZK proofs was ambiguous and that could lead to security vulnerability (however, it's unknown if it could be exploited).

New Essay Competition Explores AI's Role in Cybersecurity

The essays are to focus on the impact that artificial intelligence will have on European policy.

GHSA-x8jh-xj3x-gx3c: `fast-float` has multiple soundness issues

`fast-float` contains multiple soundness issues: 1. [Undefined behavior when checking input length](https://github.com/aldanor/fast-float-rust/issues/28), which has been merged but no package [pubished](https://github.com/aldanor/fast-float-rust/issues/35). 1. [Many functions marked as safe with non-local safety guarantees](https://github.com/aldanor/fast-float-rust/issues/37) The library is also unmaintained. ## Alternatives For quickly parsing floating-point numbers third-party crates are generally no longer needed. A fast float parsing algorithm by the author of `lexical` has been [merged](https://github.com/rust-lang/rust/pull/86761) into libcore. When requiring direct parsing from bytes and/or partial parsers, the [`fast-float2`](https://crates.io/crates/fast-float2) fork of `fast-float` containing these security patches and reduces overall usage of unsafe.

GHSA-xvg8-m4x3-w6xr: matrix-js-sdk has insufficient MXC URI validation which allows client-side path traversal

### Summary matrix-js-sdk before 34.11.0 is vulnerable to client-side path traversal via crafted MXC URIs. A malicious room member can trigger clients based on the matrix-js-sdk to issue arbitrary authenticated GET requests to the client's homeserver. ### Details The Matrix specification demands homeservers to [perform validation](https://spec.matrix.org/v1.12/client-server-api/#security-considerations-5) of the `server-name` and `media-id` components of MXC URIs with the intent to prevent path traversal. However, it is not mentioned that a similar check must also be performed on the client to prevent *client-side* path traversal. matrix-js-sdk fails to perform this validation. ### Patches Fixed in matrix-js-sdk 34.11.1. ### Workarounds None. ### References - https://spec.matrix.org/v1.12/client-server-api/#security-considerations-5 - https://blog.doyensec.com/2024/07/02/cspt2csrf.html

GHSA-cxwf-qc32-375f: Decidim-Awesome has SQL injection in AdminAccountability

## Vulnerability type: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ## Vendor: Decidim International Community Environment ### Has vendor confirmed: Yes ### Attack type: Remote ### Impact: Code Execution Escalation of Privileges Information Disclosure ### Affected component: A raw sql-statement that uses an interpolated variable exists in the admin_role_actions method of the `papertrail/version-model(app/models/decidim/decidim_awesome/paper_trail_version.rb`). ### Attack vector: An attacker with admin permissions could manipulate database queries in order to read out the database, read files from the filesystem, write files from the filesystem. In the worst case, this could lead to remote code execution on the server. Description of the vulnerability for use in the CVE [ℹ] (https://cveproject.github.io/docs/content/key-details- phrasing.pdf) : An improper neutralization of special elements used in an SQL command in the `papertrail/vers...