Tag
#auth
### Summary

When using Keycloak as an OIDC provider, the clientsecret gets printed into the container stdout logs, for example at container startup.

### Details

Container Image (15.04.2025): ghcr.io/project-zot/zot-linux-amd64:latest

Here is an example of how the configuration can look which causes the above stated problem:

```
http:
  address: "0.0.0.0"
  port: 5000
  externalUrl: "https://zot.example.com"
auth: {
  failDelay: 1,
  openid: {
    providers: {
      oidc: {
        name: "Keycloak",
        clientid: "zot-client-id",
        clientsecret: fsdfkmmiwljasdklfsjaskldjfkljewijrf234i52k3j45l,
        keypath: "",
        issuer: "https://keycloak.example.com/realms/example",
        scopes: ["openid"]
      }
    }
  }
}
```

### PoC

Set up a blank new zot k8s deployment with the code snippet above.

### Impact

Exposure of secrets when configuring an OIDC provider.
Pingora versions prior to 0.5.0 which used the caching functionality in pingora-proxy did not properly drain the downstream request body on cache hits. This allows an attacker to craft malicious HTTP/1.1 requests which could lead to request smuggling or cache poisoning. This flaw was corrected in commit fda3317ec822678564d641e7cf1c9b77ee3759ff by ensuring that the downstream request body is always drained before a connection can be reused. See [the blog post](https://blog.cloudflare.com/resolving-a-request-smuggling-vulnerability-in-pingora/) for more information.
A new US indictment against a group of Russian nationals offers a clear example of how, authorities say, a single malware operation can enable both criminal and state-sponsored hacking.
Global crackdown: Operation RapTor leads to 270 arrests, millions seized as law enforcement targets dark web drug, weapon, and crypto vendors.
Cybersecurity researcher Jeremiah Fowler discovered a misconfigured cloud server containing a massive 184 million login credentials, likely collected…
The Lumma infostealer infrastructure has suffered a serious blow by a coordinated action of the DOJ and Microsoft.
A 19-year-old college student faces charges after pleading guilty to cyber extortion targeting PowerSchool, exposing data of 60…
Talos has observed exploitation of CVE-2025-0994 in the wild by UAT-6382, a Chinese-speaking threat actor, who then deployed malware payloads via TetraLoader.
The trove has now been taken down but included users’ logins for platforms including Apple, Google, and Meta, plus services from multiple governments.
Cybercriminals are using AI-based tools to generate voice clones of the voices of senior US officials in order to scam people.