Security
Headlines
HeadlinesLatestCVEs

Tag

#git

Web3 Security Specialist Hypernative To Provide Proactive Protection To The Flare Ecosystem

By Owais Sultan Institutions, dApps and users on Flare will now benefit from Hypernative’s industry-leading ecosystem-wide protection suite.  This is a post from HackRead.com Read the original post: Web3 Security Specialist Hypernative To Provide Proactive Protection To The Flare Ecosystem

HackRead
Open in Source
#vulnerability#web#mac#git#oracle#intel#zero_day
GHSA-4v7x-pqxf-cx7m: net/http, x/net/http2: close connections when receiving too many headers

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.

Bing ad for NordVPN leads to SecTopRAT

Threat actors are luring victims to a fake NordVPN website that installs a Remote Access Trojan.

GHSA-j2rp-gmqv-frhv: HashiCorpVault does not correctly validate OCSP responses

Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. Fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.

There are plenty of ways to improve cybersecurity that don’t involve making workers return to a physical office

An April 2023 study from Kent State University found that remote workers are more likely to be vigilant of security threats and take actions to ward them off than their in-office counterparts.

5 Best Crypto Marketing Agencies for Web3 Security Brands in 2024

By Uzair Amir It seems each week brings news of another attack – millions drained from DeFi protocols, NFTs swiped, and… This is a post from HackRead.com Read the original post: 5 Best Crypto Marketing Agencies for Web3 Security Brands in 2024

GHSA-27jx-ffw8-xrqv: pgAdmin Remote Code Execution (RCE) vulnerability

pgAdmin <= 8.4 is affected by a Remote Code Execution (RCE) vulnerability through the validate binary path API. This vulnerability allows attackers to execute arbitrary code on the server hosting PGAdmin, posing a severe risk to the database management system's integrity and the security of the underlying data.

GHSA-65pc-76pq-pvf5: Duplicate Advisory: Pebble service manager's file pull API allows access by any user

## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-4685-2x5r-65pj. This link is maintained to preserve external references. ## Original Description It was discovered that Pebble's read-file API and the associated pebble pull command, before v1.10.2, allowed unprivileged local users to read files with root-equivalent permissions when Pebble was running as root. Fixes are also available as backports to v1.1.1, v1.4.2, and v1.7.4.

GHSA-f8h5-v2vg-46rr: quarkus-core leaks local environment variables from Quarkus namespace during application's build

A vulnerability was found in the quarkus-core component. Quarkus captures the local environment variables from the Quarkus namespace during the application's build. Thus, running the resulting application inherits the values captured at build time. However, some local environment variables may have been set by the developer / CI environment for testing purposes, such as dropping the database during the application startup or trusting all TLS certificates to accept self-signed certificates. If these properties are configured using environment variables or the .env facility, they are captured into the built application. It leads to dangerous behavior if the application does not override these values. This behavior only happens for configuration properties from the `quarkus.*` namespace. So, application-specific properties are not captured.

GHSA-wpff-wm84-x5cx: Mobile Security Framework (MobSF) vulnerable to SSRF in firebase database check

### Impact _What kind of vulnerability is it? Who is impacted?_ SSRF vulnerability in firebase database check logic. The attacker can cause the server to make a connection to internal-only services within the organization’s infrastructure. When malicious app is uploaded to Static analyzer, it is possible to make internal requests. Credits: Oleg Surnin (Positive Technologies). ### Patches _Has the problem been patched? What versions should users upgrade to?_ v3.9.8 and above ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ Code level patch ### References _Are there any links users can visit to find out more?_ https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2373