CVE-2024-56128
Description: Incorrect Implementation of Authentication Algorithm in Apache Kafka's SCRAM implementation.
Issue Summary:
Apache Kafka's implementation of the Salted Challenge Response Authentication Mechanism (SCRAM) did not fully adhere to the requirements of RFC 5802 [1].
Specifically, as per RFC 5802, the server must verify that the nonce sent by the client in the second message matches the nonce sent by the server in its first message.
However, Kafka's SCRAM implementation did not perform this validation.
Impact:
This vulnerability is exploitable only when an attacker has plaintext access to the SCRAM authentication exchange. However, the usage of SCRAM over plaintext is strongly discouraged as it is considered an insecure practice [2]. Apache Kafka recommends deploying SCRAM exclusively with TLS encryption to protect SCRAM exchanges from interception [3].
Deployments using SCRAM with TLS are not affected by this issue.
How to Detect If You Are Impacted:
If your deployment uses SCRAM authentication over plaintext communication channels (without TLS encryption), you are likely impacted.
To check whether TLS is enabled, review the listeners property in your server.properties configuration file. If SASL_PLAINTEXT appears in listeners, you are likely impacted.
Fix Details:
The issue has been addressed by introducing nonce verification in the final message of the SCRAM authentication exchange to ensure compliance with RFC 5802.
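As an added illustration (not Kafka's code), the following Python sketch performs the server-side verification of a SCRAM-SHA-256 client-final-message: the proof is checked as RFC 5802 describes, and the check_nonce flag toggles between the pre-fix behaviour the advisory describes (nonce never compared) and the fixed behaviour. All handshake values (user, password, salt, nonces) are constructed for the example.

```python
import base64
import hashlib
import hmac

def parse_attrs(msg: str) -> dict:
    """Split a SCRAM message into its comma-separated 'k=v' attributes."""
    return dict(part.split("=", 1) for part in msg.split(",") if "=" in part)

def derive_keys(password: str, salt: bytes, iterations: int):
    """ClientKey and StoredKey as defined in RFC 5802 section 3 (SHA-256 variant)."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    return client_key, hashlib.sha256(client_key).digest()

def client_final_message(first_bare: str, server_first: str, nonce: str,
                         client_key: bytes, stored_key: bytes) -> str:
    """Build client-final-message; 'nonce' is whatever the client chooses to echo."""
    without_proof = f"c=biws,r={nonce}"
    auth_message = f"{first_bare},{server_first},{without_proof}".encode()
    signature = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    proof = bytes(a ^ b for a, b in zip(client_key, signature))
    return f"{without_proof},p={base64.b64encode(proof).decode()}"

def server_verify(first_bare: str, server_first: str, client_final: str,
                  stored_key: bytes, check_nonce: bool = True) -> bool:
    """Server-side verification of client-final-message.

    check_nonce=False mimics the pre-fix behaviour: the proof is verified, but
    the nonce echoed by the client is never compared with the nonce the server
    issued in server-first-message."""
    final = parse_attrs(client_final)
    if check_nonce and final.get("r") != parse_attrs(server_first)["r"]:
        return False  # RFC 5802: the client must echo the full combined nonce
    without_proof = client_final.rsplit(",p=", 1)[0]
    auth_message = f"{first_bare},{server_first},{without_proof}".encode()
    signature = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    client_key = bytes(a ^ b for a, b in zip(base64.b64decode(final["p"]), signature))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key)

# Constructed exchange (not captured from any real deployment).
SALT, ITERATIONS = b"constructed-salt", 4096
C_NONCE, S_NONCE = "fyko+d2lbbFgONRv9qkxdawL", "3rfcNHYJY1ZVvWVs7j"
FIRST_BARE = f"n=user,r={C_NONCE}"
SERVER_FIRST = f"r={C_NONCE}{S_NONCE},s={base64.b64encode(SALT).decode()},i={ITERATIONS}"
CLIENT_KEY, STORED_KEY = derive_keys("pencil", SALT, ITERATIONS)

def run(echoed_nonce: str, check_nonce: bool) -> bool:
    """Handshake outcome when the client echoes 'echoed_nonce' in its final message."""
    final = client_final_message(FIRST_BARE, SERVER_FIRST, echoed_nonce, CLIENT_KEY, STORED_KEY)
    return server_verify(FIRST_BARE, SERVER_FIRST, final, STORED_KEY, check_nonce)
```

With check_nonce=False a client-final-message carrying a nonce the server never issued still passes, because the proof only binds the nonce as the client sent it; the fixed check rejects it before the proof is examined.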
Affected Versions:
Apache Kafka versions 0.10.2.0 through...
EPSS Score: 0.05%
December 18th, 2024
Description: Impact
You are affected if your php.ini configuration has register_argc_argv enabled.
Patches
Update to 4.13.2 or 5.5.2.
Workarounds
If you can't upgrade yet, and register_argc_argv is enabled, you can disable it to mitigate the issue.
References
https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9
https://github.com/craftcms/cms/commit/82e893fb794d30563da296bca31379c0df0079b3
https://github.com/advisories/GHSA-2p6p-9rc9-62j9
December 18th, 2024
Description: A Threat Actor Claims to be Selling Access to an Unidentified Technological Defense Company in USA
December 18th, 2024
Description: A plugin name containing a path separator may allow an attacker to execute an arbitrary binary.
Such a plugin name can be provided to the age CLI through an attacker-controlled recipient or identity string, or to the plugin.NewIdentity, plugin.NewIdentityWithoutData, or plugin.NewRecipient APIs.
On UNIX systems, a directory matching ${TMPDIR:-/tmp}/age-plugin-* needs to exist for the attack to succeed.
The binary is executed with a single flag, either --age-plugin=recipient-v1 or --age-plugin=identity-v1. The standard input includes the recipient or identity string, and the random file key (if encrypting) or the header of the file (if decrypting). The format is constrained by the age-plugin protocol.
An equivalent issue was fixed by the rage project, see advisory GHSA-4fg7-vxc8-qx5w.
Thanks to ⬡-49016 for reporting this.
References
https://github.com/FiloSottile/age/security/advisories/GHSA-32gq-x56h-299c
https://github.com/FiloSottile/age/commit/482cf6fc9babd3ab06f6606762aac10447222201
https://github.com/advisories/GHSA-32gq-x56h-299c
December 18th, 2024
Description: Impact
An issue with the way OTAPI manages client connections results in stale UUIDs remaining on RemoteClient instances after a player disconnects.
Because of this, a player may assume the login state of a previously connected player if all of the following conditions are met:
The server has UUID login enabled
An authenticated player disconnects
A subsequent player connects with a modified client that does not send the ClientUUID#68 packet during connection
The server assigns the same RemoteClient object that belonged to the originally authenticated player to the newly connected player
Patches
TShock 5.2.1 hotfixes this issue. A more robust fix will be made to OTAPI itself.
Workarounds
Implement a RemoteClient reset event handler in a plugin like so:
public override void Initialize()
{
    // Hook RemoteClient.Reset so the UUID is cleared whenever a client slot is recycled.
    On.Terraria.RemoteClient.Reset += RemoteClient_Reset;
}

private static void RemoteClient_Reset(On.Terraria.RemoteClient.orig_Reset orig, RemoteClient client)
{
    // Clear the stale UUID before the original reset runs, so a new connection that
    // never sends the ClientUUID#68 packet cannot inherit the previous player's login state.
    client.ClientUUID = null;
    orig(client);
}
References
https://github.com/Pryaxis/TShock/security/advisories/GHSA-hvm9-wc8j-mgrc
https://github.com/Pryaxis/TShock/commit/5075997264b48e27960e3446a948ecb0ea0f5a03
https://github.com/advisories/GHSA-hvm9-wc8j-mgrc
December 18th, 2024
Description: A plugin name containing a path separator may allow an attacker to execute an arbitrary binary.
Such a plugin name can be provided to the rage CLI through an attacker-controlled recipient or identity string, or to the following age APIs when the plugin feature flag is enabled:
age::plugin::Identity::from_str (or equivalently str::parse::<age::plugin::Identity>())
age::plugin::Identity::default_for_plugin
age::plugin::IdentityPluginV1::new
age::plugin::Recipient::from_str (or equivalently str::parse::<age::plugin::Recipient>())
age::plugin::RecipientPluginV1::new
On UNIX systems, a directory matching age-plugin-* needs to exist in the working directory for the attack to succeed.
The binary is executed with a single flag, either --age-plugin=recipient-v1 or --age-plugin=identity-v1. The standard input includes the recipient or identity string, and the random file key (if encrypting) or the header of the file (if decrypting). The format is constrained by the age-plugin protocol.
An equivalent issue was fixed in the reference Go implementation of age, see advisory GHSA-32gq-x56h-299c.
Thanks to ⬡-49016 for reporting this issue.
References
https://github.com/str4d/rage/security/advisories/GHSA-4fg7-vxc8-qx5w
https://github.com/str4d/rage/commit/703152ecfa86f27952a35b57dd525ed39396a227
https://github.com/advisories/GHSA-4fg7-vxc8-qx5w
December 18th, 2024
Description: A phishing campaign targeting automotive, chemical, and industrial manufacturing companies in Germany and the UK is abusing HubSpot to steal Microsoft Azure account credentials. [...]
December 18th, 2024
Description: Today, CISA urged senior government and political officials to switch to end-to-end encrypted messaging apps like Signal following a wave of telecom breaches across dozens of countries, including eight carriers in the United States. [...]
December 18th, 2024
Description: Malicious Visual Studio Code extensions were discovered on the VSCode marketplace that download heavily obfuscated PowerShell payloads to target developers and cryptocurrency projects in supply chain attacks. [...]
December 18th, 2024