Security
Headlines
HeadlinesLatestCVEs

Tag

#auth

CVE-2023-33837: Security Bulletin: IBM Security Verify Governance is affected by multiple vulnerabilities

IBM Security Verify Governance 10.0 does not encrypt sensitive or critical information before storage or transmission. IBM X-Force ID: 256020.

CVE
Open in Source
#sql#xss#vulnerability#web#android#windows#dos#apache#nodejs#js#git#java#oracle#perl#log4j#hard_coded_credentials#oauth#auth#ibm#postgres#ssl
CVE-2023-33839: IBM Security Verify Governance command execution CVE-2023-33839 Vulnerability Report

IBM Security Verify Governance 10.0 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-Force ID: 256036.

CVE-2022-22466: IBM Security Verify Governance information disclosure CVE-2022-22466 Vulnerability Report

IBM Security Verify Governance 10.0 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 225222.

CVE-2023-46288: fix(api_connexion): handle the cases that webserver.expose_config is set to "non-sensitive-only" instead of boolean value by Lee-W · Pull Request #32261 · apache/airflow

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Airflow.This issue affects Apache Airflow from 2.4.0 to 2.7.0. Sensitive configuration information has been exposed to authenticated users with the ability to read configuration via Airflow REST API for configuration even when the expose_config option is set to non-sensitive-only. The expose_config option is False by default. It is recommended to upgrade to a version that is not affected if you set expose_config to non-sensitive-only configuration. This is a different error than CVE-2023-45348 which allows authenticated user to retrieve individual configuration values in 2.7.* by specially crafting their request (solved in 2.7.2). Users are recommended to upgrade to version 2.7.2, which fixes the issue and additionally fixes CVE-2023-45348.

How State and Local Governments Can Serve Citizens More Securely

The top 10 priorities of state CIOs underscore the importance of securing applications and APIs in complex environments.

Malicious Apps Spoof Israeli Attack Detectors: Conflict Goes Mobile

A spoofed version of an Israeli rocket-attack alerting app is targeting Android devices, in a campaign that shows how cyber-espionage attacks are shifting to individual, everyday citizens.

Freelance Market Flooded With North Korean IT Actors

Organizations should be careful that the workers they hire on a freelance and temporary basis are not operatives working to funnel money to North Korea's WMD program, US DOJ says.

CVE-2023-46122: zip slip vulnerability · Issue #358 · sbt/io

sbt is a build tool for Scala, Java, and others. Given a specially crafted zip or JAR file, `IO.unzip` allows writing of arbitrary file. This would have potential to overwrite `/root/.ssh/authorized_keys`. Within sbt's main code, `IO.unzip` is used in `pullRemoteCache` task and `Resolvers.remote`; however many projects use `IO.unzip(...)` directly to implement custom tasks. This vulnerability has been patched in version 1.9.7.

CVE-2023-43074: DSA-2023-141: Dell Unity, Unity VSA and Unity XT Security Update for Multiple Vulnerability

Dell Unity 5.3 contain(s) an Arbitrary File Creation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by crafting arbitrary files through a request to the server.

Moodle 4.3 Cross Site Scripting

Moodle version 4.3 suffers from a cross site scripting vulnerability.