Tag

#git

MITRE's Latest ATT&CK Simulations Tackle Cloud Defenses

The MITRE framework's applied exercise provides defenders with critical feedback about how to detect and defend against common, but sophisticated, attacks.

DARKReading
GHSA-3wwr-3g9f-9gc7: ASTEVAL Allows Maliciously Crafted Format Strings Lead to Sandbox Escape

### Summary

If an attacker can control the input to the `asteval` library, they can bypass asteval's restrictions and execute arbitrary Python code in the context of the application using the library.

### Details

The vulnerability is rooted in how `asteval` handles `FormattedValue` AST nodes. In particular, the [`on_formattedvalue`](https://github.com/lmfit/asteval/blob/cfb57f0beebe0dc0520a1fbabc35e66060c7ea71/asteval/asteval.py#L507) method uses the [dangerous format method of the str class](https://lucumr.pocoo.org/2016/12/29/careful-with-str-format/), as shown in the vulnerable code snippet below:

```py
def on_formattedvalue(self, node): # ('value', 'conversion', 'format_spec')
    "formatting used in f-strings"
    val = self.run(node.value)
    fstring_converters = {115: str, 114: repr, 97: ascii}
    if node.conversion in fstring_converters:
        val = fstring_converters[node.conversion](val)
    fmt = '{__fstring__}'
    if node.f...
```

GHSA-vqf5-2xx6-9wfm: GitHub PAT written to debug artifacts

### Impact summary

In some circumstances, debug artifacts uploaded by the CodeQL Action after a failed code scanning workflow run may contain the environment variables from the workflow run, including any secrets that were exposed as environment variables to the workflow. Users with read access to the repository would be able to access this artifact, containing any secrets from the environment.

For some affected workflow runs, the exposed environment variables in the debug artifacts included a valid `GITHUB_TOKEN` for the workflow run, which has access to the repository in which the workflow ran, and all the permissions specified in the workflow or job. The `GITHUB_TOKEN` is valid until the job completes or 24 hours have elapsed, whichever comes first.

Environment variables are exposed only from workflow runs that satisfy all of the following conditions:

- Code scanning workflow configured to scan the Java/Kotlin languages.
- Running in a repository containing Kotlin source code.
- R...

GHSA-8c3x-hq82-gjcm: XXE vulnerability in XSLT parsing in `org.hl7.fhir.publisher`

### Impact

XSLT transforms performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag ( ]> could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.publisher is being used within a host where external clients can submit XML. A previous release provided an incomplete solution revealed by new testing.

### Patches

This issue has been patched as of version 1.7.4.

### Workarounds

None

### References

- [Previous Advisory for Incomplete solution](https://github.com/HL7/fhir-ig-publisher/security/advisories/GHSA-59rq-22fm-x8q5)
- [MITRE CWE](https://cwe.mitre.org/data/definitions/611.html)
- [OWASP XML External Entity Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#transformerfactory)

US Charges Five in North Korean IT Worker Hiring Scam

US prosecutors charged five, including North Koreans, for tricking firms into hiring fake IT workers, sending $866K+ to…

Hackers Use XWorm RAT to Exploit Script Kiddies, Pwning 18,000 Devices

Crooks pwning crooks – Hackers exploit script kiddies with XWorm RAT, compromising 18,000+ devices globally and stealing sensitive…

Texas scrutinizes four more car manufacturers on privacy issues

The Texas Attorney General has requested information from four more car manufacturers about their data handling.

Strengthening Our National Security in the AI Era

For the first time in a long while, the federal government and the software sector alike finally have the tools and resources needed to do security well — consistently and cost-effectively.

War Game Pits China Against Taiwan in All-Out Cyberwar

At Black Hat and DEF CON, cybersecurity experts were asked to game out how Taiwan could protect its communications and power infrastructure in case of invasion by China.

GHSA-9qrm-48qf-r2rw: Directus has a DOM-Based cross-site scripting (XSS) via layout_options

### Impact

Directus allows an authenticated attacker to save cross-site scripting code to the database. This is possible because the application injects an attacker-controlled parameter, which is stored on the server and used by the client, into an unsanitized DOM element. When chained with [CVE-2024-6534](https://github.com/directus/directus/security/advisories/GHSA-3fff-gqw3-vj86), it could result in account takeover.

### PoC

To exploit this vulnerability, we need to do the following steps using a non-administrative, default role attacker account.

1. Upload the following JavaScript file using the upload functionality at `POST /files`. This PoC will show an alert message.

```bash
export TARGET_HOST="http://localhost:8055"
export ATTACKER_EMAIL="[email protected]"
export ATTACKER_PASSWORD="123456"
root_dir=$(dirname $0)
mkdir "${root_dir}/static"
curl -s -k -o /dev/null -w "%{http_code}" -X 'POST' "${TARGET_HOST}/auth/login" \
  -c "${root_dir}/static/attacker_directus_se...
```