#bitbucket

Jenkins Kubernetes Credentials Provider Plugin 1.208.v128ee9800c04 and earlier does not set the appropriate context for Kubernetes credentials lookup, allowing attackers with Item/Configure permission to access and potentially capture Kubernetes credentials they are not entitled to.

Missing permission checks in Jenkins Orka by MacStadium Plugin 1.31 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Jenkins Keycloak Authentication Plugin 2.3.0 and earlier does not invalidate the previous session on login.

An issue has been discovered in GitLab EE affecting all versions starting from 15.6 before 15.6.1. It was possible to create a malicious README page due to improper neutralisation of user supplied input.

CircleCI, a big name in the DevOps space, has released an incident report about a data breach it experienced early this month. (Read more...) The post CircleCI: Malware stole GitHub OAuth keys, bypassing 2FA appeared first on Malwarebytes Labs.

Companies are being urged to update 0Auth, runner, and project API tokens, along with other secrets stashed with CircleCI.

How the build pipeline was compromised

DevOps platform CircleCI on Friday disclosed that unidentified threat actors compromised an employee's laptop and leveraged malware to steal their two-factor authentication-backed credentials to breach the company's systems and data last month. The CI/CD service CircleCI said the "sophisticated attack" took place on December 16, 2022, and that the malware went undetected by its antivirus

## Summary RSSHub is vulnerable to Server-Side Request Forgery (SSRF) attacks. This vulnerability allows an attacker to send arbitrary HTTP requests from the server to other servers or resources on the network. ## Description An attacker can exploit this vulnerability by sending a request to the affected routes with a malicious URL. For example, if an attacker controls the `ATTACKER.HOST` domain, they can send a request to affected routes with the value set to `ATTACKER.HOST%2F%23`. The `%2F` and `%23` characters are URL-encoded versions of the forward-slash (`/`) and pound (`#`) characters, respectively. In this context, an attacker could use those characters to append the base URL (i.e. `https://${input}.defined.host`) to be modified to `https://ATTACKER.HOST/#.defined.host`. This will cause the server to send a request to the attacker-controlled domain, allowing the attacker to potentially gain access to sensitive information or perform further attacks on the server. ## Proof o...

The Automated Libra group is deploying all components of its campaign in an automated manner via containers, stealing free trial resources for cryptomining, but the threat could get larger.