#auth

The cybercrime group demands ransoms of varying degrees, from thousands to even millions of dollars — in some cases, 2 bitcoin per encrypted customer.

### Summary Applications using the `zitadel-go` `v3` library (`next` branch) might be impacted by package vulnerabilities. The output of `govulncheck` suggests that only `example` code seems to be impacted, based on 1 of the 3 potential vulnerabilities. This vulnerability is located in the transitive dependency `golang.org/x/net v0.19.0`, [CVE-2023-45288](https://www.cve.org/CVERecord?id=CVE-2023-45288) ### Patches 3.0.0-next versions are fixed on >= [3.0.0-next.3](https://github.com/zitadel/zitadel-go/releases/tag/v3.0.0-next.3) ZITADEL recommends upgrading to the latest versions available in due course. ### Workarounds If updating the zitadel-go library is not an option, updating the affected (transient) dependencies works as a workaround. ### Details #### Direct deps: - [GO-2024-2631](https://pkg.go.dev/vuln/GO-2024-2631) Decompression bomb vulnerability in github.com/go-jose/go-jose - github.com/go-jose/go-jose/v3 Fixed in v3.0.3. This module is necessary because [github....

### Summary HTTP `OPTIONS` requests are always allowed by `OpaMiddleware`, even when they lack authentication, and are passed through directly to the application. The maintainer uncertain whether this should be classed as a "bug" or "security issue" – but is erring on the side of "security issue" as an application could reasonably assume OPA controls apply to *all* HTTP methods, and it bypasses more sophisticated policies. ### Details `OpaMiddleware` allows all HTTP `OPTIONS` requests without evaluating it against any policy: https://github.com/busykoala/fastapi-opa/blob/6dd6f8c87e908fe080784a74707f016f1422b58a/fastapi_opa/opa/opa_middleware.py#L79-L80 If an application provides different responses to HTTP `OPTIONS` requests based on an entity existing (such as to indicate whether an entity is writable on a system level), an unauthenticated attacker could discover which entities exist within an application (CWE-204). ### PoC This toy application is based on the behaviour of an ...

Senator Mark Warner is trying to pass new limits on when the government can wiretap Americans. At least two senators are quietly trying to stop him.

### Summary The maintainer been contemplating whether FTP or other protocols could serve as useful functionalities, but there may not be a practical reason for it since we are utilizing headless Chrome to capture screenshots. The argument is based on the assumption that this package can function as a service. The package includes an `ALLOW_LIST` where the host can specify which services the user is permitted to capture screenshots of. By default, capturing screenshots of web services running on localhost, 127.0.0.1, or the [::] is allowed. The maintainer is of the opinion that the package should also have a blacklist due to a potential vulnerability (or rather design oversight). If someone hosts this on a server, users could then capture screenshots of other web services running locally. Unless this is strictly for web pages. Something similar here: https://github.com/follow-redirects/follow-redirects/issues/235 (localhost is intended for end users or hosts to deny, and the package...

A malicious Telegram bot is the key to a veritable flourishing garden of nefarious cybercriminal activity, which was discovered via a series of Python packages.

### Summary The ProfileBasedRequestOptionsBuilder method returns allowedCredentials without any credentials if no username was found. ### Details When WebAuthn is used as the first or only authentication method, an attacker can enumerate usernames based on the absence of the `allowedCredentials` property in the assertion options response. This allows enumeration of valid or invalid usernames. #### Proposal how to resolve it: ``` return $this->publicKeyCredentialRequestOptionsFactory->create( $this->profile, count($allowedCredentials) <= 0 ? self::getRandomCredentials(): $allowedCredentials, $optionsRequest->userVerification, $extensions ); private static function getRandomCredentials(): array { $credentialSources = []; for ($i = 0; $i <= rand(0,1); $i++) { $credentialSources[] = new PublicKeyCredentialSource( random_bytes(32), "public-key", [], ...

The breach affects older customer information involved in purchases made from June 6, 2017, up until July 30, 2018.

Cybersecurity researchers said they discovered an accidentally leaked GitHub token that could have granted elevated access to the GitHub repositories of the Python language, Python Package Index (PyPI), and the Python Software Foundation (PSF) repositories. JFrog, which found the GitHub Personal Access Token, said the secret was leaked in a public Docker container hosted on Docker Hub. "This

At least a dozen organizations with domain names at domain registrar Squarespace saw their websites hijacked last week. Squarespace bought all assets of Google Domains a year ago, but many customers still haven't set up their new accounts. Experts say malicious hackers learned they could commandeer any migrated Squarespace accounts that hadn't yet been registered, merely by supplying an email address tied to an existing domain.