Tag
#git
### Impact

XSLT transforms performed by various components are vulnerable to XML external entity (XXE) injections. A processed XML file with a malicious DTD tag (e.g. `<!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]>`) could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used within a host where external clients can submit XML.

### Patches

This issue has been patched in release 6.3.23.

### Workarounds

None.

### References

[MITRE CWE](https://cwe.mitre.org/data/definitions/611.html)
[OWASP XML External Entity Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#transformerfactory)
This report concerns the Groth16 prover when used with commitments (as in `frontend.Committer`). To simplify exposition of the issue, I will focus on the case of a single commitment, to only private witnesses. But the issue should be present whenever commitments are used that include private witnesses.

The commitment to private witnesses `w_i` is computed as

```
c = sum_i w_i * b_i
```

where `b_i` would be `ProvingKey.CommitmentKeys[0].Basis[i]` in the code. While this is a binding commitment, it is not hiding. In practice, an adversary will know the points `b_i`, as they are part of the proving key, and can verify correctness of a guess for the values of `w_i` by computing `c'` as the right hand side of the above formula, and checking whether `c'` is equal to `c`. I attach a proof of concept that demonstrates this. This breaks the perfect zero-knowledge property of Groth16, so the Groth16 scheme using commitments to private witnesses as implemented by gnark fails to be a zk-SNARK...
Vendors of mercenary spyware tools used by nation-states to track citizens and enemies have gotten savvy about evading efforts to limit their use.
C-MOR Video Surveillance versions 5.2401 and 6.00PL01 suffer from a remote SQL injection vulnerability.
Travel version 1.0 suffers from a remote shell upload vulnerability.
SPIP version 4.2.12 suffers from a code execution vulnerability.
A recently disclosed security flaw in OSGeo GeoServer GeoTools has been exploited as part of multiple campaigns to deliver cryptocurrency miners, botnet malware such as Condi and JenX, and a known backdoor called SideWalk. The security vulnerability is a critical remote code execution bug (CVE-2024-36401, CVSS score: 9.8) that could allow malicious actors to take over susceptible instances. In
Threat actors have long leveraged typosquatting as a means to trick unsuspecting users into visiting malicious websites or downloading booby-trapped software and packages. These attacks typically involve registering domains or packages with names slightly altered from their legitimate counterparts (e.g., goog1e.com vs. google.com). Adversaries targeting open-source repositories across
The funds from Germany's Sovereign Tech Fund will be used to integrate zero-trust capabilities, tools for software bill of materials, and other security features.
Talos' Nick Biasini discusses the biggest shifts and trends in the threat landscape so far. We also focus on one state sponsored actor that has been particularly active this year, and talk about why defenders need to be paying closer attention to infostealers.