Threat and Vulnerability Intelligence Database

Description: Summary
pnpm seems to mishandle overrides and global cache:
- Overrides from one workspace leak into npm metadata saved in global cache
- npm metadata from global cache affects other workspaces
- installs by default don't revalidate the data (including on first lockfile generation)

This can make workspace A (even running with ignore-scripts=true) poison global cache and execute scripts in workspace B.

Users generally expect ignore-scripts to be sufficient to prevent immediate code execution on install (e.g. when the tree is just repacked/bundled without executing it). Here, that expectation is broken.

Details
See PoC. In it, overrides from a single run of A get leaked into e.g. ~/Library/Caches/pnpm/metadata/registry.npmjs.org/rimraf.json and persistently affect all other projects using the cache.

PoC
Postinstall code used in PoC is benign and can be inspected in https://www.npmjs.com/package/ponyhooves?activeTab=code, it's just a console.log.
1. Remove store and cache. On mac: rm -rf ~/Library/Caches/pnpm ~/Library/pnpm/store
   This step is not required in general, but we'll be using a popular package for PoC that's likely cached.
2. Create A/package.json:
   {
     "name": "A",
     "pnpm": {
       "overrides": {
         "rimraf>glob": "npm:ponyhooves@1"
       }
     },
     "dependencies": {
       "rimraf": "6.0.1"
     }
   }
3. Install it with pnpm i --ignore-scripts (the flag is not required, but the point of the demo is to show that it doesn't help)
4. Create B/package.json:
   {
     "name": "B",
     "dependencies": {
       "rimraf": "6.0.1"
     }
   }
5. Insta...
Source: Github Advisory Database (NPM)
December 10th, 2024 (4 months ago)
Description: U.S. Senator Ron Wyden of Oregon announced a new bill to secure the networks of American telecommunications companies breached by Salt Typhoon Chinese state hackers earlier this year. [...]
Source: BleepingComputer
December 10th, 2024 (4 months ago)
Description: The threat actor group recently took credit for a similar attack on Blue Yonder that affected multiple organizations, including Starbucks.
Source: Dark Reading
December 10th, 2024 (4 months ago)
Description: A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with the client with a victim's identity. This is usually done with a Man-in-the-Middle (MitM) or phishing attack.
References
- https://nvd.nist.gov/vuln/detail/CVE-2024-12369
- https://access.redhat.com/security/cve/CVE-2024-12369
- https://bugzilla.redhat.com/show_bug.cgi?id=2331178
- https://github.com/advisories/GHSA-4v5x-9m47-cqr2
Source: Github Advisory Database (Maven)
December 10th, 2024 (4 months ago)
Description: Ivanti warned customers on Tuesday about a new maximum-severity authentication bypass vulnerability in its Cloud Services Appliance (CSA) solution. [...]
Source: BleepingComputer
December 10th, 2024 (4 months ago)
Description: Microsoft has released the KB5048652 cumulative update for Windows 10 22H2, which contains six fixes, including a fix that prevented Windows 10 from activating when you change a device's motherboard. [...]
Source: BleepingComputer
December 10th, 2024 (4 months ago)
Description: Today is Microsoft's December 2024 Patch Tuesday, which includes security updates for 71 flaws, including one actively exploited zero-day vulnerability. [...]
Source: BleepingComputer
December 10th, 2024 (4 months ago)
Description: Because the streaming service website offers no content restrictions, attackers are able to hijack and manipulate live streams.
Source: Dark Reading
December 10th, 2024 (4 months ago)
Description: Microsoft has released the Windows 11 KB5048667 and KB5048685 cumulative updates for versions 24H2 and 23H2 to fix security vulnerabilities and issues. [...]
Source: BleepingComputer
December 10th, 2024 (4 months ago)
Description: Versions of the package luigi before 3.6.0 are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) due to improper destination file path validation in the _extract_packages_archive function.
References
- https://nvd.nist.gov/vuln/detail/CVE-2024-21542
- https://github.com/spotify/luigi/issues/3301
- https://github.com/spotify/luigi/commit/b5d1b965ead7d9f777a3216369b5baf23ec08999
- https://github.com/spotify/luigi/releases/tag/v3.6.0
- https://security.snyk.io/vuln/SNYK-PYTHON-LUIGI-7830489
- https://github.com/advisories/GHSA-8qch-vj6m-2694
Source: Github Advisory Database (PIP)
December 10th, 2024 (4 months ago)