
Fighting Third-Party Risk With Threat Intelligence

With every new third-party provider and partner, an organization's attack surface grows. How, then, do enterprises use threat intelligence to enhance their third-party risk management efforts?

DARKReading
GHSA-vprp-94p9-5jp8: Dolibarr ERP CRM vulnerable to remote code execution (RCE)

Dolibarr ERP CRM before 19.0.2 was discovered to contain a remote code execution (RCE) vulnerability via the Computed field parameter under the Users Module Setup function.

Zest Security Aims to Resolve Cloud Risks

Cybersecurity startup Zest Security emerged from stealth with an AI-powered cloud risk resolution platform to reduce time from discovery to remediation.

GHSA-v8wx-v5jq-qhhw: The Argo CD web terminal session does not handle the revocation of user permissions properly

In Argo CD v2.11.3 and before, it was discovered that even if a user's `p, role:myrole, exec, create, */*, allow` permission is revoked, the user can still send any WebSocket message over an open terminal session, which allows the user to view sensitive information they should no longer have access to.

Description: Argo CD has a web-based terminal that lets you get a shell inside a running pod, just as you would with kubectl exec. However, when the administrator enables this function and grants a user the permission `p, role:myrole, exec, create, */*, allow`, the user can still perform operations in the container even after that permission is revoked, as long as the user keeps the terminal view open. CVE-2023-40025 fixed token expiration and revocation of the user; however, that fix does not address the case where only the user's `p, role:myrole, exec, create, */*, allow` permission is revoked, which may still lead to the leakage of sensitive information...

TracFone will pay $16 million to settle FCC data breach investigation

Prepaid wireless provider TracFone has been slapped on the wrist to the tune of $16 million for insufficient customer data protection.

Ubuntu Security Notice USN-6912-1

Ubuntu Security Notice 6912-1 - James Henstridge discovered that provd incorrectly handled environment variables. A local attacker could possibly use this issue to run arbitrary programs and escalate privileges.

Gentoo Linux Security Advisory 202407-28

Gentoo Linux Security Advisory 202407-28 - A vulnerability has been discovered in Freenet, which can lead to deanonymization due to path folding. Versions greater than or equal to 0.7.5_p1497 are affected.

Gentoo Linux Security Advisory 202407-27

Gentoo Linux Security Advisory 202407-27 - Multiple vulnerabilities have been discovered in ExifTool, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 12.42 are affected.

Ubuntu Security Notice USN-6906-1

Ubuntu Security Notice 6906-1 - It was discovered that python-zipp did not properly handle the zip files with malformed names. An attacker could possibly use this issue to cause a denial of service.