Tag
#git
### Impact A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. The vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data. ### Patches A patch for this vulnerability is available in the following Argo CD versions: - v2.13.4 - v2.12.10 - v2.11.13 ### Workarounds There is no workaround other than upgrading. ### References Fixed with commit https://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107 & https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca
### Impact A vulnerable node can be forced to shutdown/crash using a specially crafted message. More in-depth details will be released at a later time. ### Patches A fix has been included in geth version 1.14.13 and onwards. ### Workarounds Unfortunately, no workaround is available. ### Credits This issue was originally reported to Polygon Security by David Matosse (@iam-ned).
### Impact A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. The vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data. ### Patches A patch for this vulnerability is available in the following Argo CD versions: - v2.13.4 - v2.12.10 - v2.11.13 ### Workarounds There is no workaround other than upgrading. ### References Fixed with commit https://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107 & https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca
In an effort to blend in and make their malicious traffic tougher to block, hosting firms catering to cybercriminals in China and Russia increasingly are funneling their operations through major U.S. cloud providers. Research published this week on one such outfit -- a sprawling network tied to Chinese organized crime gangs and aptly named "Funnull" -- highlights a persistent whac-a-mole problem facing cloud services.
Whether by intercepting its traffic or just giving it a little nudge, GitHub's AI assistant can be made to do malicious things it isn't supposed to.
Just days after we uncovered a campaign targeting Google Ads accounts, a similar attack has surfaced, this time aimed at Microsoft...
Palo Alto, USA, 30th January 2025, CyberNewsWire
Palo Alto, USA, 30th January 2025, CyberNewsWire
The sudden rise of DeepSeek has raised questions of data origin, data destination, and the security of the new AI model.
This new report from Cisco Talos Incident Response explores how threat actors increasingly deployed web shells against vulnerable web applications, and exploited vulnerable or unpatched public-facing applications to gain initial access.