Tag
#auth
The Singapore Police Force (SPF) has announced the extradition of two men from Malaysia for their alleged involvement in a mobile malware campaign targeting citizens in the country since June 2023. The unnamed individuals, aged 26 and 47, engaged in scams that tricked unsuspecting users into downloading malicious apps onto their Android devices via phishing campaigns with the aim of stealing
With the requirement that all vulnerabilities first get reported to the Chinese government, once-private vulnerability research has become a goldmine for China's offensive cybersecurity programs.
### Impact This issue is only relevant to clusters provisioned using RKE1 with secrets encryption configuration enabled. A vulnerability has been identified in which an RKE1 cluster keeps constantly reconciling when secrets encryption configuration is enabled (please see the [RKE documentation](https://rke.docs.rancher.com/config-options/secrets-encryption)). When reconciling, the Kube API secret values are written in plaintext on the AppliedSpec. Cluster owners, Cluster members, and Project members (for projects within the cluster), all have RBAC permissions to view the cluster object from the apiserver. This could lead to an unauthorized user gaining access to the entire secrets encryption config specific for the cluster, only on the applied spec. Since this affects only custom encryption configurations, users need to manually rotate the keys by editing the cluster. For more information, please refer to the [RKE secrets encryption documentation](https://rke.docs.rancher.com/config...
### Impact A vulnerability has been identified in which Rancher does not automatically clean up a user which has been deleted from the configured authentication provider (AP). This characteristic also applies to disabled or revoked users, Rancher will not reflect these modifications which may leave the user’s tokens still usable. An AP must be enabled to be affected by this, as the built-in User Management feature is not affected by this vulnerability. This issue may lead to an adversary gaining unauthorized access, as the user’s access privileges may still be active within Rancher even though they are no longer valid on the configured AP (please consult the [MITRE ATT&CK - Technique - Valid Accounts](https://attack.mitre.org/techniques/T1078/) for further information about the associated technique of attack). It’s important to note that all configurable APs are impacted, see [Rancher Docs - Configuring Authentication - External vs. Local Authentication](https://ranchermanager.docs....
### Summary If an attacker can successfully authenticate through SSO/Access Code, they can obtain the real backend API Key by modifying the base URL to their own attack URL on the frontend and setting up a server-side request. ### Details The attack process is described above.  ### PoC Frontend: 1. Pass basic authentication (SSO/Access Code). 2. Set the Base URL to a private attack address. 3. Configure the request method to be a server-side request. 4. At the self-set attack address, retrieve the API Key information from the request headers. Backend: 1. The LobeChat version allows setting the Base URL. 2. There is no outbound traffic whitelist. ### Impact All community version LobeChat users using SSO/Access Code authentication, tested on version 0.162.13.
### Impact A MFA bypass in the Firefly III OAuth flow may allow malicious users to bypass the MFA-check. This allows malicious users to use password spraying to gain access to your Firefly III data using passwords stolen from other sources. As OAuth applications are easily enumerable using an incrementing id, an attacker could try sign an OAuth application up to a users profile quite easily if they have created one. The attacker would also need to know the victims username and password. ### Patches Problem has been patched in Firefly III v6.1.17 and up. ### Workarounds - Use a unique password for your Firefly III instance, - Store your password securely, i.e. in a password manager or in your head. ### References - https://owasp.org/www-community/attacks/Password_Spraying_Attack - https://www.menlosecurity.com/what-is/highly-evasive-adaptive-threats-heat/mfa-bypass
When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-...
Ubuntu Security Notice 6836-1 - It was discovered that SSSD did not always correctly apply the GPO policy for authenticated users, contrary to expectations. This could result in improper authorization or improper access to resources.
SPA-CART CMS version 1.9.0.6 suffers from business logic and user enumeration flaws.
Payroll Management System version 1.0 suffers from a remote code execution vulnerability.