#auth

## Overview OpenFGA v1.5.7 and v1.5.8 are vulnerable to authorization bypass when calling Check API with a model that uses `but not` and `from` expressions and a userset. For example, with a model like the following ``` model schema 1.1 type user type role relations define assignee: [user] type permission relations define assignee: assignee from role define role: [role] type job relations define can_read: [permission#assignee] define problem: [user] but not can_read ``` and these tuples: ``` user:1, problem, job:1 user:1, assignee, role:admin role:admin, role, permission:readJobs permission:readJobs#assignee, can_read, job:1 ``` A query such as `Check(object=job:1, relation=problem, user=user:1)` will return `allowed=true` when the correct response is `allowed=false`. ## Fix Downgrade to v1.5.6 as soon as possible. This downgrade is backward compatible. We are currently working on a fix which will be included in the n...

### Impact An API ordering issue in s2n-tls can cause client authentication to unexpectedly not be enabled on the server when it otherwise appears to be. Server applications are impacted if client authentication is enabled by calling s2n_connection_set_config() before calling s2n_connection_set_client_auth_type(). Applications are not impacted if these APIs are called in the opposite order, or if client authentication is enabled on the config with s2n_config_set_client_auth_type(). s2n-tls clients verifying server certificates are not impacted. Impacted versions: < v1.5.0. ### Patches The patch is included in v1.5.0 [1]. ### Workarounds Applications can workaround this issue by calling s2n_connection_set_config() after calling s2n_connection_set_client_auth_type(), or by enabling client authentication on the config with s2n_config_set_client_auth_type(). If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability...

openHAB's [CometVisuServlet](https://github.com/openhab/openhab-webui/blob/1c03c60f84388b9d7da0231df2d4ebb1e17d3fcf/bundles/org.openhab.ui.cometvisu/src/main/java/org/openhab/ui/cometvisu/internal/servlet/CometVisuServlet.java#L75) is susceptible to an unauthenticated path traversal vulnerability. Local files on the server can be requested via HTTP GET on the CometVisuServlet. This vulnerability was discovered with the help of CodeQL's [Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/java/java-path-injection/) query. ## Impact This issue may lead to Information Disclosure.

CometVisu's file system endpoints don't require authentication and additionally the endpoint to update an existing file is susceptible to path traversal. This makes it possible for an attacker to overwrite existing files on the openHAB instance. If the overwritten file is a shell script that is executed at a later time this vulnerability can allow remote code execution by an attacker. This vulnerability was discovered with the help of CodeQL's [Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/java/java-path-injection/) query. ## Impact This issue may lead up to Remote Code Execution (RCE).

Several endpoints in the CometVisu add-on of openHAB don't require authentication. This makes it possible for unauthenticated attackers to modify or to steal sensitive data. ## Impact This issue may lead to sensitive Information Disclosure.

The [proxy endpoint](https://github.com/openhab/openhab-webui/blob/1c03c60f84388b9d7da0231df2d4ebb1e17d3fcf/bundles/org.openhab.ui.cometvisu/src/main/java/org/openhab/ui/cometvisu/internal/backend/rest/ProxyResource.java#L83) of openHAB's CometVisu add-on can be accessed without authentication. This proxy-feature can be exploited as Server-Side Request Forgery (SSRF) to induce GET HTTP requests to internal-only servers, in case openHAB is exposed in a non-private network. Furthermore, this proxy-feature can also be exploited as a Cross-Site Scripting (XSS) vulnerability, as an attacker is able to re-route a request to their server and return a page with malicious JavaScript code. Since the browser receives this data directly from the openHAB CometVisu UI, this JavaScript code will be executed with the origin of the CometVisu UI. This allows an attacker to exploit call endpoints on an openHAB server even if the openHAB server is located in a private network. (e.g. by sending an openHAB...

Microsoft on Thursday disclosed four medium-severity security flaws in the open-source OpenVPN software that could be chained to achieve remote code execution (RCE) and local privilege escalation (LPE). "This attack chain could enable attackers to gain full control over targeted endpoints, potentially resulting in data breaches, system compromise, and unauthorized access to sensitive information

Home surveillance provider ADT just announced they suffered a data breach and cybercriminals are already leaking the data

Gaati Track version 1.0-2023 suffers from an insecure direct object reference vulnerability.

Ubuntu Security Notice 6948-1 - It was discovered that Salt incorrectly handled crafted web requests. A remote attacker could possibly use this issue to run arbitrary commands. It was discovered that Salt incorrectly created certificates with weak file permissions. It was discovered that Salt incorrectly handled credential validation. A remote attacker could possibly use this issue to bypass authentication.