Tag
GoCD is an open source continuous delivery server. In GoCD versions from 20.5.0 and below 23.1.0, if the server environment is not correctly configured by administrators to provide access to the relevant PostgreSQL or MySQL backup tools, the credentials for database access may be unintentionally leaked to admin alerts on the GoCD user interface. The vulnerability is triggered only if the GoCD server host is misconfigured to have backups enabled, but does not have access to the `pg_dump` or `mysqldump` utility tools to backup the configured database type (PostgreSQL or MySQL respectively). In such cases, failure to launch the expected backup utility reports the shell environment used to attempt to launch in the server admin alert, which includes the plaintext database password supplied to the configured tool. This vulnerability does not affect backups of the default on-disk H2 database that GoCD is configured to use. This issue has been addressed and fixed in GoCD 23.1.0. Users are advi...
lambdaisland/uri is a pure Clojure/ClojureScript URI library. In versions prior to 1.14.120 `authority-regex` allows an attacker to send malicious URLs to be parsed by the `lambdaisland/uri` and return the wrong authority. This issue is similar to but distinct from CVE-2020-8910. The regex in question doesn't handle the backslash (`\`) character in the username correctly, leading to a wrong output. ex. a payload of `https://example.com\\@google.com` would return that the host is `google.com`, but the correct host should be `example.com`. Given that the library returns the wrong authority this may be abused to bypass host restrictions depending on how the library is used in an application. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Key vaults, aka key-management-as-a-service (KMaaS), promise to allow companies to encrypt sensitive data across cloud and third parties with granular control.
Conor Brian Fitzpatrick, the 20-year-old founder and the administrator of the now-defunct BreachForums has been formally charged in the U.S. with conspiracy to commit access device fraud. If proven guilty, Fitzpatrick, who went by the online moniker "pompompurin," faces a maximum penalty of up to five years in prison. He was arrested on March 15, 2023. "Cybercrime victimizes and steals financial
A new information-stealing malware has set its sights on Apple's macOS operating system to siphon sensitive information from compromised devices. Dubbed MacStealer, it's the latest example of a threat that uses Telegram as a command-and-control (C2) platform to exfiltrate data. It primarily affects devices running macOS versions Catalina and later running on M1 and M2 CPUs. "MacStealer has the
Microsoft has released an out-of-band update to address a privacy-defeating flaw in its screenshot editing tool for Windows 10 and Windows 11. The issue, dubbed aCropalypse, could enable malicious actors to recover edited portions of screenshots, potentially revealing sensitive information that may have been cropped out. Tracked as CVE-2023-28303, the vulnerability is rated 3.3 on the CVSS
Categories: Podcast This week on Lock and Code, we speak with Anna Pobletts about the death of passwords, and how passkeys can become the non-compromising fix to authentication's biggest problems. (Read more...) The post Solving the password’s hardest problem with passkeys, featuring Anna Pobletts appeared first on Malwarebytes Labs.
Categories: News Tags: Chat GPT Tags: chrome Tags: extension Tags: rogue Tags: facebook Tags: cookies We look at a bogus Chat GPT Chrome extension which was after Facebook cookies. (Read more...) The post Bogus Chat GPT extension takes over Facebook accounts appeared first on Malwarebytes Labs.
In the Linux kernel through 6.2.8, net/bluetooth/hci_sync.c allows out-of-bounds access because amp_init1[] and amp_init2[] are supposed to have an intentionally invalid element, but do not.
Categories: News Tags: potentially unwanted programs Tags: PUP Tags: ViLE Tags: Google Tags: Magecart Tags: skimmer Tags: skimming Tags: NBA Tags: Google Pixel crop Tags: Kritec Magecart Tags: fake IRS tax mail Tags: Emotet Tags: BreachForums Tags: Bitcoin ATM Tags: Bitcoin Tags: USB bomb Tags: USB Tags: ChatGPT The most interesting security related news from the week of March 20 - 26. (Read more...) The post A week in security (March 20 - 26) appeared first on Malwarebytes Labs.