February 11th, 2025
Description: Impact
Systems running registry version > 3.0.0-beta.1 with token authentication enabled.
Patches
Update to at least v3.0.0-rc.3
Workarounds
There is no way to work around this issue without patching if your system requires token authentication.
Details
The issue lies in how JWK verification is performed. When a JWT carries a JWK in its header without a certificate chain, the code only checks that the key ID (kid) matches one of the trusted keys; it does not verify that the key material in the JWK matches the trusted key registered under that ID.
Here's the problematic flow:
1. An attacker generates their own key pair.
2. They create a JWT and include their public key in the JWK header.
3. They set the kid in the JWK to match one of the trusted keys' IDs (which they could potentially discover).
4. They sign the JWT with their private key.
5. The registry checks only that the kid exists in the trusted keys map, then uses the attacker's public key from the JWK to verify the signature, so the forged token is accepted.
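The following Go program is an added example, not code from the distribution project or from the advisory. It reconstructs the kid-confusion pattern described above with a minimal ES256 JWT: verifyVulnerable looks the kid up in the trusted-key map but then verifies with the key material the token's own header supplied, while verifyFixed verifies with the trusted key registered under that kid and rejects a header JWK whose material differs from it. The key ID "trusted-key-1", the access-claim payload and all function names are constructed for illustration and do not mirror the registry's actual code paths.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JWTs use unpadded base64url
// jwk is the minimal EC public key carried in a JWT header (P-256 assumed); kid names a trusted key.
type jwk struct {
	Kid string `json:"kid"`
	X   string `json:"x"`
	Y   string `json:"y"`
}
type header struct {
	Alg string `json:"alg"`
	JWK jwk    `json:"jwk"`
}
func pad32(n *big.Int) []byte { return n.FillBytes(make([]byte, 32)) }
func toJWK(kid string, pub *ecdsa.PublicKey) jwk {
	return jwk{Kid: kid, X: b64.EncodeToString(pad32(pub.X)), Y: b64.EncodeToString(pad32(pub.Y))}
}
func (k jwk) publicKey() (*ecdsa.PublicKey, error) {
	x, errX := b64.DecodeString(k.X)
	y, errY := b64.DecodeString(k.Y)
	if errX != nil || errY != nil || len(x) != 32 || len(y) != 32 {
		return nil, errors.New("malformed jwk")
	}
	return &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}, nil
}

// sign builds an ES256 compact JWT whose header embeds hdrJWK (demo helper: panics if signing fails).
func sign(priv *ecdsa.PrivateKey, hdrJWK jwk, payload string) string {
	h, _ := json.Marshal(header{Alg: "ES256", JWK: hdrJWK})
	input := b64.EncodeToString(h) + "." + b64.EncodeToString([]byte(payload))
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		panic(err)
	}
	return input + "." + b64.EncodeToString(append(pad32(r), pad32(s)...)) // JWS ES256: raw r||s
}

// parse splits a compact JWT into its decoded header, the signing input and the raw signature.
func parse(token string) (hdr header, input string, sig []byte, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return hdr, "", nil, errors.New("malformed token")
	}
	raw, errH := b64.DecodeString(parts[0])
	sig, errS := b64.DecodeString(parts[2])
	err = errors.Join(errH, errS, json.Unmarshal(raw, &hdr))
	return hdr, parts[0] + "." + parts[1], sig, err
}

func checkSig(pub *ecdsa.PublicKey, input string, sig []byte) bool {
	digest := sha256.Sum256([]byte(input))
	return len(sig) == 64 && ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]))
}

// verifyVulnerable reproduces the flaw in the advisory: the kid is looked up in the trusted map,
// but the signature is then checked with the key material the token itself supplied.
func verifyVulnerable(token string, trusted map[string]*ecdsa.PublicKey) bool {
	hdr, input, sig, err := parse(token)
	if _, known := trusted[hdr.JWK.Kid]; err != nil || !known {
		return false
	}
	pub, err := hdr.JWK.publicKey() // attacker-controlled key from the header
	return err == nil && checkSig(pub, input, sig)
}

// verifyFixed uses the trusted key registered under that kid and rejects a header JWK that differs from it.
func verifyFixed(token string, trusted map[string]*ecdsa.PublicKey) bool {
	hdr, input, sig, err := parse(token)
	trustedPub, known := trusted[hdr.JWK.Kid]
	if err != nil || !known {
		return false
	}
	hdrPub, err := hdr.JWK.publicKey()
	return err == nil && hdrPub.Equal(trustedPub) && checkSig(trustedPub, input, sig)
}

// demo signs a legitimate token with the trusted key and a forged one with an attacker key that
// reuses the trusted kid, and returns how each verifier treats them.
func demo() (legitVuln, legitFixed, forgedVuln, forgedFixed bool) {
	trustedPriv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)  // errors ignored in this demo:
	attackerPriv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // they only occur if the CSPRNG is unavailable
	trusted := map[string]*ecdsa.PublicKey{"trusted-key-1": &trustedPriv.PublicKey}
	// Constructed claims; a real registry token carries the repository access it grants.
	payload := `{"access":[{"type":"repository","name":"library/app","actions":["pull","push"]}]}`
	legit := sign(trustedPriv, toJWK("trusted-key-1", &trustedPriv.PublicKey), payload)
	forged := sign(attackerPriv, toJWK("trusted-key-1", &attackerPriv.PublicKey), payload)
	return verifyVulnerable(legit, trusted), verifyFixed(legit, trusted),
		verifyVulnerable(forged, trusted), verifyFixed(forged, trusted)
}
```

Calling demo() shows the legitimate token passing both verifiers and the forged token passing only verifyVulnerable. The upstream fix is the commit linked in the References; the hardened form here is an independent illustration of the principle that the header JWK may be used to select a trusted key but never to supply the key material that verifies the signature.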
References
https://github.com/distribution/distribution/security/advisories/GHSA-phw4-mc57-4hwc
https://github.com/distribution/distribution/commit/5ea9aa028db65ca5665f6af2c20ecf9dc34e5fcd
https://github.com/advisories/GHSA-phw4-mc57-4hwc
February 11th, 2025
Description: A Cheat Sheet on Infrastructure as Code Landscape
February 11th, 2025
Description: A Threat Actor is Claiming to Sell Local Network Access to an Unidentified Company
February 11th, 2025
Description: Dark Storm Team Targeted the Official Portal of the Brazilian Government
February 11th, 2025
Description: Senator Dick Durbin presses Meta to explain why it can’t stop sending traffic to nonconsensual AI image generators that violate its policy.
February 11th, 2025
Description: Mullvad has announced a partnership with Obscura VPN, a newly launched privacy-focused service that routes internet traffic through two separate VPN providers. Under this collaboration, Obscura will act as the initial entry point for users' connections before passing encrypted traffic to Mullvad’s WireGuard servers for final routing to the internet. The partnership, which began today, …
The post Mullvad Partners with Obscura VPN to Offer Two-Hop VPN System appeared first on CyberInsider.
February 11th, 2025
CVE-2024-53704
Description: Security researchers at Bishop Fox have published complete exploitation details for the CVE-2024-53704 vulnerability that allows bypassing the authentication mechanism in certain versions of the SonicOS SSLVPN application. [...]
February 11th, 2025
Description: The Sandworm Russian military cyber-espionage group is targeting Windows users in Ukraine with trojanized Microsoft Key Management Service (KMS) activators and fake Windows updates. [...]
February 11th, 2025
Description: The United States, United Kingdom, and Australia have jointly imposed sanctions on Zservers, a Russia-based bulletproof hosting (BPH) provider, for supporting LockBit ransomware operations. The action, announced by the U.S. Treasury's Office of Foreign Assets Control (OFAC), targets the company's role in facilitating cyberattacks against critical infrastructure worldwide. Additionally, two Russian nationals linked to Zservers …
The post Zservers Hosting Sanctioned for Aiding LockBit Attacks appeared first on CyberInsider.
February 11th, 2025