Security
Headlines
HeadlinesLatestCVEs

Tag

#git

GHSA-8f57-wcmg-4jmh: Apache Airflow vulnerable to Exposure of Resource to Wrong Sphere

Apache Airflow, in versions prior to 2.8.0, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus, enabling the user to clear DAGs they shouldn't. This is a missing fix for CVE-2023-42792 in Apache Airflow 2.7.2  Users of Apache Airflow are strongly advised to upgrade to version 2.8.0 or newer to mitigate the risk associated with this vulnerability.

ghsa
Open in Source
#vulnerability#apache#git#auth
Hackers Exploiting Old MS Excel Vulnerability to Spread Agent Tesla Malware

Attackers are weaponizing an old Microsoft Office vulnerability as part of phishing campaigns to distribute a strain of malware called Agent Tesla. The infection chains leverage decoy Excel documents attached in invoice-themed messages to trick potential targets into opening them and activate the exploitation of CVE-2017-11882 (CVSS score: 7.8), a memory corruption vulnerability in Office's

GHSA-3pjv-r7w4-2cf5: Grails data binding causes JVM crash and/or DoS

### Impact A specially crafted web request can lead to a JVM crash or denial of service. Any Grails framework application using Grails data binding is vulnerable. ### Patches Patches are available for Grails 3 and later. ### Workarounds No workaround is possible except to avoid data binding to request data. ### References - [Blog post](https://grails.org/blog/2023-12-20-cve-data-binding-dos.html) - [Discussion](https://github.com/grails/grails-core/issues/13302) - [Mitre CVD record](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46131)

GHSA-mhpq-9638-x6pw: Denial of service when decrypting attack controlled input in github.com/dvsekhvalnov/jose2go

An attacker controlled input of a PBES2 encrypted JWE blob can have a very large p2c value that, when decrypted, produces a denial-of-service.

GHSA-v68g-wm8c-6x7j: transformers has a Deserialization of Untrusted Data vulnerability

Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.

New JaskaGO Malware Targets Mac and Windows for Crypto, Browser Data

By Waqas Another day, another cross-platform hits unsuspecting users! This is a post from HackRead.com Read the original post: New JaskaGO Malware Targets Mac and Windows for Crypto, Browser Data

GHSA-87fg-9x5w-j3rm: MainWP Dashboard SQL Command Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in MainWP MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance.This issue affects MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance: from n/a through 4.4.3.3.

MOKOSmart MKGW1 Gateway Improper Session Management

MOKOSmart MKGW1 Gateway devices with firmware version 1.1.1 or below do not provide an adequate session management for the administrative web interface. This allows adjacent attackers with access to the management network to read and modify the configuration of the device.

MajorDoMo Remote Code Execution

MajorDoMo versions prior to 0662e5e suffer from an unauthenticated remote code execution vulnerability.

Red Hat Security Advisory 2023-7879-03

Red Hat Security Advisory 2023-7879-03 - An update for opensc is now available for Red Hat Enterprise Linux 9. Issues addressed include bypass and out of bounds read vulnerabilities.