Security
Headlines
HeadlinesLatestCVEs

Tag

#ssl

Startup Spotlight: LeakSignal Helps Plug Leaky Data in Organizations

Cybersecurity startup LeakSignal, a finalist in this year's Black Hat USA Startup Spotlight competition, helps organizations see where data is leaking within their environments.

DARKReading
#mac#ssl
Ubuntu Security Notice USN-6943-1

Ubuntu Security Notice 6943-1 - It was discovered that Tomcat incorrectly handled certain uncommon PersistenceManager with FileStore configurations. A remote attacker could possibly use this issue to execute arbitrary code. This issue only affected tomcat8 for Ubuntu 18.04 LTS It was discovered that Tomcat incorrectly handled certain HTTP/2 connection requests. A remote attacker could use this issue to obtain wrong responses possibly containing sensitive information. This issue only affected tomcat8 for Ubuntu 18.04 LTS

GHSA-vw7g-3cc7-7rmh: cortex establishes TLS connections with `InsecureSkipVerify` set to `true`

A TLS certificate verification issue discovered in cortex v0.42.1 allows attackers to obtain sensitive information via the makeOperatorRequest function.

Johnson Controls exacqVision Web Service

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 6.4 ATTENTION: Exploitable remotely Vendor: Johnson Controls, Inc. Equipment: exacqVision Server Vulnerability: Improper Certificate Validation 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to perform a man-in-the-middle attack and intercept communications. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Johnson Controls exacqVision Server are affected: exacqVision Server: Versions 24.03 and prior 3.2 Vulnerability Overview 3.2.1 IMPROPER CERTIFICATE VALIDATION CWE-295 Under certain circumstances the exacqVision Server will not properly validate TLS certificates provided by connected devices. CVE-2024-32865 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.4 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N). 3.3 BACKGROUND CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Commercial Facilities, Government Facilities, Transpo...

GHSA-mpvx-whpp-99xj: Filestash skips TLS certificate verification process when sending out email verification codes

Default configurations in the ShareProofVerifier function of filestash v0.4 causes the application to skip the TLS certificate verification process when sending out email verification codes, possibly allowing attackers to access sensitive data via a man-in-the-middle attack.

GHSA-4jmm-c6jw-g796: Filestash configured to skip TLS certificate verification when using the FTPS protocol

filestash v0.4 is configured to skip TLS certificate verification when using the FTPS protocol, possibly allowing attackers to execute a man-in-the-middle attack via the Init function of index.go.

Ubuntu Security Notice USN-6928-1

Ubuntu Security Notice 6928-1 - It was discovered that the Python ssl module contained a memory race condition when handling the APIs to obtain the CA certificates and certificate store statistics. This could possibly result in applications obtaining wrong results, leading to various SSL issues. It was discovered that the Python ipaddress module contained incorrect information about which IP address ranges were considered "private" or "globally reachable". This could possibly result in applications applying incorrect security policies.

DigiCert to Revoke 83,000+ SSL Certificates Due to Domain Validation Oversight

Certificate authority (CA) DigiCert has warned that it will be revoking a subset of SSL/TLS certificates within 24 hours due to an oversight with how it verified if a digital certificate is issued to the rightful owner of a domain. The company said it will be taking the step of revoking certificates that do not have proper Domain Control Validation (DCV). "Before issuing a certificate to a

Don’t Let Your Domain Name Become a “Sitting Duck”

More than a million domain names -- including many registered by Fortune 100 firms and brand protection companies -- are vulnerable to takeover by cybercriminals thanks to authentication weaknesses at a number of large web hosting providers and domain registrars, new research finds.