Security
Headlines
HeadlinesLatestCVEs

Tag

#vulnerability

Apache Cordova App Harness Targeted in Dependency Confusion Attack

Researchers have identified a dependency confusion vulnerability impacting an archived Apache project called Cordova App Harness. Dependency confusion attacks take place owing to the fact that package managers check the public repositories before private registries, thus allowing a threat actor to publish a malicious package with the same name to a public package repository. This&

The Hacker News
Open in Source
#vulnerability#apache#The Hacker News
Lessons for CISOs From OWASP's LLM Top 10

It's time to start regulating LLMs to ensure they're accurately trained and ready to handle business deals that could affect the bottom line.

Russia's Fancy Bear Pummels Windows Print Spooler Bug

The infamous Russian threat actor has created a custom tool called GooseEgg to exploit CVE-2022-38028 in cyber-espionage attacks against targets in Ukraine, Western Europe, and North America.

Teetering on the Edge: VPNs, Firewalls' Nonexistent Telemetry Lures APTs

State-sponsored groups are targeting critical vulnerabilities in virtual private network (VPN) gateways, firewall appliances, and other edge devices to make life difficult for incident responders, who rarely have visibility into the devices.

Licensed to Bill? Nations Mandate Certification & Licensure of Cybersecurity Pros

Malaysia, Singapore, and Ghana are among the first countries to pass laws that require cybersecurity firms — and in some cases, individual consultants — to obtain licenses to do business, but concerns remain.

GHSA-pxhw-596r-rwq5: Kubernetes allows bypassing mountable secrets policy imposed by the ServiceAccount admission plugin

A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated.

GHSA-p72q-h37j-3hq7: dbt uses a SQLparse version with a high vulnerability

### Summary Using a version of `sqlparse` that has a security vulnerability and no way to update in current version of dbt core. Snyk recommends using `sqlparse==0.5` but this causes a conflict with dbt. Snyk states the issues is a recursion error: `SNYK-PYTHON-SQLPARSE-6615674`. ### Details Dependency conflict error message: ```sh The conflict is caused by: The user requested sqlparse==0.5 dbt-core 1.7.10 depends on sqlparse<0.5 and >=0.2.3 ``` Resolution was to pin `sqlparse >=0.5.0, <0.6.0` in `dbt-core`, patched in 1.6.13 and 1.7.13. ### PoC From Snyk: ```python import sqlparse sqlparse.parse('[' * 10000 + ']' * 10000) ``` ### Impact Snyk classifies it as high 7.5/10. ### Patches The bug has been fixed in [dbt-core v1.6.13](https://github.com/dbt-labs/dbt-core/releases/tag/v1.6.13) and [dbt-core v1.7.13](https://github.com/dbt-labs/dbt-core/releases/tag/v1.7.13). ### Mitigations Bump `dbt-core` 1.6 and 1.7 dependencies to 1.6.13 and 1.7.13 respectively

GHSA-mw82-6m2g-qh6c: Sylius Cross Site Scripting (XSS) vulnerability

Sylius 1.12.13 is vulnerable to Cross Site Scripting (XSS) via the "Province" field in Address Book.

ToddyCat APT Is Stealing Data on 'Industrial Scale'

The threat actor is deploying multiple connections into victim environments to maintain persistence and steal data.

Nespresso Domain Serves Up Steamy Cup of Phish, No Cream or Sugar

An open direct vulnerability in the Nespresso Web domain lets attackers bypass detection as they attempt to steal victims' Microsoft credentials.