Tag
#vulnerability
A vulnerability was found in inclusionAI AWorld up to 8c257626e648d98d793dd9a1a950c2af4dd84c4e. It has been rated as critical. This issue affects the function subprocess.run/subprocess.Popen of the file AWorld/aworld/virtual_environments/terminals/shell_tool.py. The manipulation leads to os command injection. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable.
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6, which fix the issue.
# Issue Snowflake discovered and remediated a vulnerability in the NodeJS Driver for Snowflake (“Driver”). When using the Easy Logging feature on Linux and macOS the Driver didn’t correctly verify the permissions of the logging configuration file, potentially allowing an attacker with local access to overwrite the configuration and gain control over logging level and output location. This vulnerability affects Driver versions 1.10.0 through 2.0.3. Snowflake fixed the issue in version 2.0.4. # Vulnerability Details When using the Easy Logging feature on Linux and macOS the Driver reads logging configuration from a user-provided file. On Linux and macOS the Driver verifies that the configuration file can be written to only by its owner. That check was vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition and failed to verify that the file owner matches the user running the Driver. This could allow a local attacker with write access to the configuration file or the direct...
# Issue Snowflake discovered and remediated a vulnerability in the Go Snowflake Driver (“Driver”). When using the Easy Logging feature on Linux and macOS, the Driver didn’t correctly verify the permissions of the logging configuration file, potentially allowing an attacker with local access to overwrite the configuration and gain control over logging level and output location. This vulnerability affects Driver versions from 1.7.0 up to, but not including, 1.13.3. Snowflake fixed the issue in version 1.13.3. # Vulnerability Details When using the Easy Logging feature on Linux and macOS, the Driver reads logging configuration from a user-provided file. On Linux and macOS the Driver verifies that the configuration file can be written to only by its owner. That check was vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition and failed to verify that the file owner matches the user running the Driver. This could allow a local attacker with write access to the configuration ...
# Issue Snowflake discovered and remediated a vulnerability in the Snowflake Connector for .NET (“Connector”). When using the Easy Logging feature on Linux and macOS, the Connector didn’t correctly verify the permissions of the logging configuration file, potentially allowing an attacker with local access to overwrite the configuration and gain control over logging level and output location. This vulnerability affects Connector versions 2.1.2 through 4.4.0. Snowflake fixed the issue in version 4.4.1. # Vulnerability Details When using the Easy Logging feature on Linux and macOS, the Connector reads logging configuration from a user-provided file. On Linux and macOS, the Connector verifies that the configuration file can be written to only by its owner. That check was vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition and failed to verify that the file owner matches the user running the Connector. This could allow a local attacker with write access to the configurati...
BreachForums posts a PGP-signed message explaining the sudden April 2025 shutdown. Admins cite MyBB 0day vulnerability impacting the…
Not every security vulnerability is high risk on its own - but in the hands of an advanced attacker, even small weaknesses can escalate into major breaches. These five real vulnerabilities, uncovered by Intruder’s bug-hunting team, reveal how attackers turn overlooked flaws into serious security incidents. 1. Stealing AWS Credentials with a Redirect Server-Side Request Forgery (SSRF) is a
This quarter, phishing attacks surged as the primary method for initial access. Learn how you can detect and prevent pre-ransomware attacks.
Threat actors have been observed exploiting two newly disclosed critical security flaws in Craft CMS in zero-day attacks to breach servers and gain unauthorized access. The attacks, first observed by Orange Cyberdefense SensePost on February 14, 2025, involve chaining the below vulnerabilities - CVE-2024-58136 (CVSS score: 9.0) - An improper protection of alternate path flaw in the Yii PHP
A vulnerability was found in Apereo CAS 5.2.6. It has been declared as problematic. This vulnerability affects unknown code of the file cas-5.2.6\core\cas-server-core-configuration-metadata-repository\src\main\java\org\apereo\cas\metadata\rest\CasConfigurationMetadataServerController.java. The manipulation of the argument Name leads to inefficient regular expression complexity. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.