#ssh

When running in debug mode and the `debug-embed` (off by default) feature is not enabled, the generated `get` method does not check that the input path is a child of the folder given. This allows attackers to read arbitrary files in the file system if they have control over the filename given. The following code will print the contents of your `/etc/passwd` if adjusted with a correct number of `../`s depending on where it is run from. ```rust #[derive(rust_embed::RustEmbed)] #[folder = "src/"] pub struct Asset; fn main() { let d = Asset::get("../../../etc/passwd").unwrap().data; println!("{}", String::from_utf8_lossy(&d)); } ``` The flaw was corrected by canonicalizing the input filename and ensuring that it starts with the canonicalized folder path.

Affects: Notebook and Lab between 6.4.0?(potentially earlier) and 6.4.11 (currently latest). Jupyter Server <=1.16.0. If I am correct about the responsible code it will affect Jupyter-Server 1.17.0 and 2.0.0a0 as well. Description: If notebook server is started with a value of `root_dir` that contains the starting user's home directory, then the underlying REST API can be used to leak the access token assigned at start time by guessing/brute forcing the PID of the jupyter server. While this requires an authenticated user session, this url can be used from an xss payload (as in CVE-2021-32798) or from a hooked or otherwise compromised browser to leak this access token to a malicious third party. This token can be used along with the REST API to interact with Jupyter services/notebooks such as modifying or overwriting critical files, such as .bashrc or .ssh/authorized_keys, allowing a malicious user to read potentially sensitive data and possibly gain control of the impacted system.

### Impact _What kind of vulnerability is it? Who is impacted?_ Authenticated requests to the notebook server with `ContentsManager.allow_hidden = False` only prevented listing the contents of hidden directories, not accessing individual hidden files or files in hidden directories (i.e. hidden files were 'hidden' but not 'inaccessible'). This could lead to notebook configurations allowing authenticated access to files that may reasonably be expected to be disallowed. Because fully authenticated requests are required, this is of relatively low impact. But if a server's root directory contains sensitive files whose only protection from the server is being hidden (e.g. `~/.ssh` while serving $HOME), then any authenticated requests could access files if their names are guessable. Such contexts also necessarily have full access to the server and therefore execution permissions, which also generally grants access to all the same files. So this does not generally result in any privilege esc...

Haraj v3.7 was discovered to contain a reflected cross-site scripting (XSS) vulnerability in the User Upgrade Form.

SharePoint and OneDrive libraries can be encrypted in ransomware attack, researchers say.

Temporary disruption of the ADM license service. The impact of this includes preventing new licenses from being issued or renewed by Citrix ADM.

The Japanese-language Panchan botnet has been discovered stealing SSH keys from Linux servers across Asia, Europe, and North America, with a focus on telecom and education providers.

A new Golang-based peer-to-peer (P2P) botnet has been spotted actively targeting Linux servers in the education sector since its emergence in March 2022. Dubbed Panchan by Akamai Security Research, the malware "utilizes its built-in concurrency features to maximize spreadability and execute malware modules" and "harvests SSH keys to perform lateral movement." <!--adsense--> The feature-packed

What is post-quantum cryptography? A new type of computer is being developed that can break many of our existing cryptographic algorithms. As a result, we need to develop new algorithms that are secure against those computers and that will run on our existing computers. This is called "post-quantum cryptography".

Jupyter Server provides the backend (i.e. the core services, APIs, and REST endpoints) for Jupyter web applications like Jupyter Notebook. Prior to version 1.17.1, if notebook server is started with a value of `root_dir` that contains the starting user's home directory, then the underlying REST API can be used to leak the access token assigned at start time by guessing/brute forcing the PID of the jupyter server. While this requires an authenticated user session, this URL can be used from a cross-site scripting payload or from a hooked or otherwise compromised browser to leak this access token to a malicious third party. This token can be used along with the REST API to interact with Jupyter services/notebooks such as modifying or overwriting critical files, such as .bashrc or .ssh/authorized_keys, allowing a malicious user to read potentially sensitive data and possibly gain control of the impacted system. This issue is patched in version 1.17.1.