Threat and Vulnerability Intelligence Database

Description: A vulnerability in VMware Tanzu Spring LDAP allows data exposure for case sensitive comparisons. This issue affects Spring LDAP: from 2.4.0 through 2.4.3, from 3.0.0 through 3.0.9, from 3.1.0 through 3.1.7, from 3.2.0 through 3.2.7, AND all versions prior to 2.4.0. The usage of String.toLowerCase() and String.toUpperCase() has some Locale-dependent exceptions that could potentially result in unintended columns being queried. Related to CVE-2024-38820 https://spring.io/security/cve-2024-38820
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-38829
https://spring.io/security/cve-2024-38829
https://github.com/advisories/GHSA-mqvr-2rp8-j7h4
Source: Github Advisory Database (Maven)
December 4th, 2024 (5 months ago)
Description: Chinese state hackers, known as Salt Typhoon, have breached telecommunications companies in dozens of countries, President Biden's deputy national security adviser Anne Neuberger said today. [...]
Source: BleepingComputer
December 4th, 2024 (5 months ago)
Description: Individuals concerned about the privacy of their communications should consider using encrypted messaging apps and encrypted voice communications, CISA and FBI officials say.
Source: Dark Reading
December 4th, 2024 (5 months ago)
Description: The vulnerability affects certain versions of the Veeam Service Provider Console that can only be fixed by updating with the latest patch.
Source: Dark Reading
December 4th, 2024 (5 months ago)
Description: The FBI warns that scammers are increasingly using artificial intelligence to improve the quality and effectiveness of their online fraud schemes, ranging from romance and investment scams to job hiring schemes. [...]
Source: BleepingComputer
December 4th, 2024 (5 months ago)
Description: A law enforcement operation led by the United Kingdom's National Crime Agency (NCA) has disrupted two Russian money laundering networks working with criminals worldwide, including ransomware gangs. [...]
Source: BleepingComputer
December 4th, 2024 (5 months ago)
Description: The notorious spyware from Israel's NSO Group has been found targeting journalists, government officials, and corporate executives in multiple variants discovered in a threat scan of 3,500 mobile phones.
Source: Dark Reading
December 4th, 2024 (5 months ago)
Description: Affected versions allow populating a DistributedSlice of T with elements of an arbitrary other type that coerces to T. For example, elements of type &&str could end up in a slice of type [&str], since &&str coerces to &str via a deref coercion. The flaw was corrected by implementing typechecking for distributed slice elements in such a way that coercion no longer occurs. The element's type must be a subtype of the slice's declared element type.
References:
https://github.com/dtolnay/linkme/issues/82
https://rustsec.org/advisories/RUSTSEC-2024-0407.html
https://github.com/advisories/GHSA-f95p-4cv5-8w8x
Source: Github Advisory Database (Rust)
December 4th, 2024 (5 months ago)
Description: The borsh serialization of the HashMap did not follow the borsh specification. It potentially produced non-canonical encodings dependent on insertion order. It also did not perform canonicity checks on decoding. This can result in consensus splits and cause equivalent objects to be considered distinct. This was patched in 0.15.1.
References:
https://github.com/rust-lang/hashbrown/issues/576
https://github.com/kayabaNerve/hashbrown-borsh-poc
https://rustsec.org/advisories/RUSTSEC-2024-0402.html
https://github.com/advisories/GHSA-wwq9-3cpr-mm53
Source: Github Advisory Database (Rust)
December 4th, 2024 (5 months ago)
Description: When given a valid UTF8 string "ö\x1b😀", the function in crates/anstream/src/adapter/strip.rs will be confused. The UTF8 bytes are \xc3\xb6 then \x1b then \xf0\x9f\x98\x80. When looping over "non-printable bytes", \x1b\xf0 will be considered as some non-printable sequence. This will produce a broken str from the incorrectly segmented bytes via str::from_utf8_unchecked, and that should never happen. Full credit goes to @Ralith who reviewed this code and asked @burakemir to follow up.
References:
https://github.com/rust-cli/anstyle/issues/156
https://rustsec.org/advisories/RUSTSEC-2024-0404.html
https://github.com/advisories/GHSA-2rxc-gjrp-vjhx
Source: Github Advisory Database (Rust)
December 4th, 2024 (5 months ago)