#git

### Summary Jupyter Server on Windows has a vulnerability that lets unauthenticated attackers leak the NTLMv2 password hash of the Windows user running the Jupyter server. An attacker can crack this password to gain access to the Windows machine hosting the Jupyter server, or access other network-accessible machines or 3rd party services using that credential. Or an attacker perform an NTLM relay attack without cracking the credential to gain access to other network-accessible machines.

The number of alleged hacks targeting the customers of cloud storage firm Snowflake appears to be snowballing into one of the biggest data breaches of all time.

Boelter Blue System Management version 1.3 suffers from a remote SQL injection vulnerability.

### Impact _What kind of vulnerability is it? Who is impacted?_ At the moment, users are able to delegate tokens that have not yet been vested. This affects employees and grantees who have funds managed via `ClawbackVestingAccount`. ### Patches _Has the problem been patched? What versions should users upgrade to?_ [The PR linked to this advisory](https://github.com/evmos/evmos-ghsa-7hrh-v6wp-53vw/pull/1) includes part of the fix. The remainder is in a [second advisory on the Cosmos SDK fork](https://github.com/evmos/cosmos-sdk/security/advisories/GHSA-wj6f-x5wv-8pqv). ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ There is no effective workaround to fix or remediate this issue without a new release. The best solution is to contain the information about this vulnerability to minimize the number of users who know about it and can thus exploit it. ### References _Are there any links users can visit to find out more?_ See the inte...

Multiple variants of Trojan.Win32.DarkGateLoader malware suffer from a code execution vulnerability.

### Impact It’s possible for authenticated users to enumerate clusters by name by inspecting error messages: ``` $ curl -k 'https://localhost:8080/api/v1/clusters/in-cluster?id.type=name' -H "Authorization: Bearer $token" {"error":"permission denied: clusters, get, , sub: alice, iat: 2022-11-04T20:25:44Z","code":7,"message":"permission denied: clusters, get, , sub: alice, iat: 2022-11-04T20:25:44Z"}⏎ $ curl -k 'https://localhost:8080/api/v1/clusters/does-not-exist?id.type=name' -H "Authorizati on: Bearer $token" {"error":"permission denied","code":7,"message":"permission denied"} ``` It’s also possible to enumerate the names of projects with project-scoped clusters if you know the names of the clusters. ``` curl -k 'https://localhost:8080/api/v1/clusters/in-cluster-project?id.type=name' -H "Authorization: Bearer $token" {"error":"permission denied: clusters, get, default/, sub: alice, iat: 2022-11-04T20:25:44Z","co...

### Summary _Short summary of the problem. Make the impact and severity as clear as possible. For example: An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server._ ### Details We discovered a bug walking through how to liquid stake using Safe which itself is a contract. The bug only appears when there is a local state change together with an ICS20 transfer in the same function and uses the contract's balance, that is using the contract address as the `sender` parameter in an ICS20 transfer using the ICS20 precompile ### Proof of Concept ```solidity // This function does not reduce the contract balance correctly but liquid stakes correctly function transfer( string memory sourcePort, string memory sourceChannel, string memory denom, uint256 amount, string memory receiver, string memory evmosReceiver ) external returns (uint64 nextSequence) { counter += 1; # Only happen...

A local file inclusion vulnerability exists in the JSON component of gradio-app/gradio and was discovered in version 4.25. The vulnerability arises from improper input validation in the `postprocess()` function within `gradio/components/json_component.py`, where a user-controlled string is parsed as JSON. If the parsed JSON object contains a `path` key, the specified file is moved to a temporary directory, making it possible to retrieve it later via the `/file=..` endpoint. This issue is due to the `processing_utils.move_files_to_cache()` function traversing any object passed to it, looking for a dictionary with a `path` key, and then copying the specified file to a temporary directory. The vulnerability can be exploited by an attacker to read files on the remote system, posing a significant security risk.

A Server-Side Request Forgery (SSRF) vulnerability exists in the gradio-app/gradio and was discovered in version 4.21.0, specifically within the `/queue/join` endpoint and the `save_url_to_cache` function. The vulnerability arises when the `path` value, obtained from the user and expected to be a URL, is used to make an HTTP request without sufficient validation checks. This flaw allows an attacker to send crafted requests that could lead to unauthorized access to the local network or the AWS metadata endpoint, thereby compromising the security of internal servers.

A remote code execution (RCE) vulnerability exists in the lightning-ai/pytorch-lightning library version 2.2.1 due to improper handling of deserialized user input and mismanagement of dunder attributes by the `deepdiff` library. The library uses `deepdiff.Delta` objects to modify application state based on frontend actions. However, it is possible to bypass the intended restrictions on modifying dunder attributes, allowing an attacker to construct a serialized delta that passes the deserializer whitelist and contains dunder attributes. When processed, this can be exploited to access other modules, classes, and instances, leading to arbitrary attribute write and total RCE on any self-hosted pytorch-lightning application in its default configuration, as the delta endpoint is enabled by default.