🚨 Marked as known exploited on April 10th, 2025 (3 months ago).
Description: Today is Microsoft's February 2025 Patch Tuesday, which includes security updates for 55 flaws, including four zero-day vulnerabilities, with two actively exploited in attacks. [...]
February 11th, 2025 (5 months ago)
Description: After health agencies responded to Trump's executive order deeming there to be only "two sexes" by scrubbing sites of important resources, a judge ordered they have until midnight Tuesday to bring them back online.
February 11th, 2025 (5 months ago)
Description: Impact
Systems running registry version > 3.0.0-beta.1 with token authentication enabled.
Patches
Update to at least v3.0.0-rc.3
Workarounds
There is no way to work around this issue without patching if your system requires token authentication.
The issue lies in how the JWK verification is performed. When a JWT contains a JWK header without a certificate chain, the code only checks whether the KeyID (kid) matches one of the trusted keys, but does not verify that the actual key material matches.
Here's the problematic flow:
1. An attacker generates their own key pair.
2. They create a JWT and include their public key in the JWK header.
3. They set the kid in the JWK to match one of the trusted keys' IDs (which they could potentially discover).
4. They sign the JWT with their private key.
5. The registry only checks that the kid exists in the trusted keys map, but then uses the attacker's public key from the JWK to verify the signature.
References
https://github.com/distribution/distribution/security/advisories/GHSA-phw4-mc57-4hwc
https://github.com/distribution/distribution/commit/5ea9aa028db65ca5665f6af2c20ecf9dc34e5fcd
https://github.com/advisories/GHSA-phw4-mc57-4hwc
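As an added illustration of the check the advisory describes (this is not code from the distribution project or from the advisory), the following Go model shows the kid-only lookup beside the corrected check that also compares key material. The Token struct, the key ID "registry-key-1" and the ed25519 keys are constructed stand-ins, not the registry's real JWT handling.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Token is a simplified stand-in for a JWT: the header carries a key ID and an
// embedded public key (the JWK); the signature covers the payload.
type Token struct {
	Kid     string
	JWK     ed25519.PublicKey // key placed in the header by whoever built the token
	Payload []byte
	Sig     []byte
}

// Sign builds a token whose header advertises kid and the signer's own public key.
func Sign(kid string, priv ed25519.PrivateKey, payload []byte) Token {
	return Token{Kid: kid, JWK: priv.Public().(ed25519.PublicKey), Payload: payload,
		Sig: ed25519.Sign(priv, payload)}
}

// VerifyVulnerable mirrors the flaw: it checks only that kid is trusted, then
// verifies with the key material taken from the header itself.
func VerifyVulnerable(t Token, trusted map[string]ed25519.PublicKey) bool {
	if _, ok := trusted[t.Kid]; !ok {
		return false
	}
	return ed25519.Verify(t.JWK, t.Payload, t.Sig)
}

// VerifyFixed requires the header key to equal the trusted key for that kid and
// verifies with the trusted copy, so a substituted JWK is rejected.
func VerifyFixed(t Token, trusted map[string]ed25519.PublicKey) bool {
	want, ok := trusted[t.Kid]
	if !ok || !want.Equal(t.JWK) {
		return false
	}
	return ed25519.Verify(want, t.Payload, t.Sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed registry signing key
	trusted := map[string]ed25519.PublicKey{"registry-key-1": pub}
	legit := Sign("registry-key-1", priv, []byte("access=pull"))
	_, other, _ := ed25519.GenerateKey(rand.Reader) // constructed untrusted key pair
	forged := Sign("registry-key-1", other, []byte("access=push")) // same kid, different JWK
	fmt.Println("legit :", VerifyVulnerable(legit, trusted), VerifyFixed(legit, trusted))   // true true
	fmt.Println("forged:", VerifyVulnerable(forged, trusted), VerifyFixed(forged, trusted)) // true false
}
```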
February 11th, 2025 (5 months ago)
Description: A Cheat Sheet on Infrastructure as Code Landscape
February 11th, 2025 (5 months ago)
Description: A Threat Actor is Claiming to Sell Local Network Access to an Unidentified Company
February 11th, 2025 (5 months ago)
Description: Dark Storm Team Targeted the Official Portal of the Brazilian Government
February 11th, 2025 (5 months ago)
Description: Senator Dick Durbin presses Meta to explain why it can’t stop sending traffic to nonconsensual AI image generators that violate its policy.
February 11th, 2025 (5 months ago)
Description: Mullvad has announced a partnership with Obscura VPN, a newly launched privacy-focused service that routes internet traffic through two separate VPN providers. Under this collaboration, Obscura will act as the initial entry point for users' connections before passing encrypted traffic to Mullvad’s WireGuard servers for final routing to the internet. The partnership, which began today, …
The post Mullvad Partners with Obscura VPN to Offer Two-Hop VPN System appeared first on CyberInsider.
February 11th, 2025 (5 months ago)
CVE-2024-53704
Description: Security researchers at Bishop Fox have published complete exploitation details for the CVE-2024-53704 vulnerability that allows bypassing the authentication mechanism in certain versions of the SonicOS SSLVPN application. [...]
February 11th, 2025 (5 months ago)