#vulnerability

Cybercriminals are always looking for new ways to take advantage of people. One effective method they use is…

AI systems are becoming a huge part of our lives, but they are not perfect. Red teaming helps…

Cybercriminals are skilled at using public information to their advantage. Knowing how they gather this data can help…

A vulnerability was found in aizuda snail-job 1.4.0. It has been classified as critical. Affected is the function getRuntime of the file /snail-job/workflow/check-node-expression of the component Workflow-Task Management Module. The manipulation of the argument nodeExpression leads to deserialization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Oozie. This issue affects Apache Oozie: all versions. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Oracle denies breach claims as hacker alleges access to 6 million cloud records. CloudSEK reports a potential zero-day exploit affecting 140,000 tenants.

### Summary Function [`parse.ParseUnverified`](https://github.com/golang-jwt/jwt/blob/c035977d9e11c351f4c05dfeae193923cbab49ee/parser.go#L138-L139) currently splits (via a call to [strings.Split](https://pkg.go.dev/strings#Split)) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose _Authorization_ header consists of `Bearer ` followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: [CWE-405: Asymmetric Resource Consumption (Amplification)](https://cwe.mitre.org/data/definitions/405.html) ### Details See [`parse.ParseUnverified`](https://github.com/golang-jwt/jwt/blob/c035977d9e11c351f4c05dfeae193923cbab49ee/parser.go#L138-L139) ### Impact Excessive memory allocation

Insecure permissions in pipecd v0.49 allow attackers to gain access to the service account's token, leading to escalation of privileges.

### Impact The 3rd party authentication handling of Parse Server allows the authentication credentials of some specific authentication providers to be used across multiple Parse Server apps. For example, if a user signed up using the same authentication provider in two unrelated Parse Server apps, the credentials stored by one app can be used to authenticate the same user in the other app. Note that this only affects Parse Server apps that specifically use an affected 3rd party authentication provider for user authentication, for example by setting the Parse Server option `auth` to configure a Parse Server authentication adapter. See the [3rd party authentication docs](https://docs.parseplatform.org/parse-server/guide/#oauth-and-3rd-party-authentication) for more information on which authentication providers are affected. ### Patches The fix of this vulnerability requires to upgrade Parse Server to a version that includes the bug fix, as well as upgrade the client app to send a secu...

Credential theft alert! Venak Security discovers a BYOVD attack using .SYS drivers to bypass Windows security. Learn how…