CyberAlerts

Description: Until C-level executives fully understand potential threats and implement effective mitigation strategies, healthcare organizations will remain vulnerable and at risk of disruption.

Source: Dark Reading

December 3rd, 2024 (6 months ago)

Note From the Editor-in-Chief

Description: A change in ownership and what it means for our readers.

Source: Dark Reading

December 3rd, 2024 (6 months ago)

'White FAANG' Data Export Attack: A Gold Mine for PII Threats

Description: Websites these days know everything about you — even some details you might not realize. Hackers can take advantage of that with a sharp-toothed attack that exploits Europe's GDPR-mandated data portability rules.

Source: Dark Reading

December 3rd, 2024 (6 months ago)

[ruzstd] `ruzstd` uninit and out-of-bounds memory reads

Description: Affected versions of ruzstd miscalculate the length of the allocated and init section of its internal RingBuffer, leading to uninitialized or out-of-bounds reads in copy_bytes_overshooting of up to 15 bytes. This may result in up to 15 bytes of memory contents being written into the decoded data when decompressing a crafted archive. This may occur multiple times per archive. References https://github.com/KillingSpark/zstd-rs/issues/75 https://github.com/KillingSpark/zstd-rs/pull/76 https://rustsec.org/advisories/RUSTSEC-2024-0400.html https://github.com/advisories/GHSA-x3f4-45xf-rjm7

Source: Github Advisory Database (Rust)

December 3rd, 2024 (6 months ago)

[rails-html-sanitizer] rails-html-sanitize has XSS vulnerability with certain configurations

Description: Summary There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0 and Nokogiri < 1.15.7, or 1.16.x < 1.16.8. Versions affected: 1.6.0 Not affected: < 1.6.0 Fixed versions: 1.6.1 Please note that the fix in v1.6.1 is to update the dependency on Nokogiri to 1.15.7 or >= 1.16.8. Impact A possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in either of the following ways: allow both "math" and "style" elements or allow both "svg" and "style" elements Code is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for config.action_view.sanitizer_vendor and config.action_text.sanitizer_vendor for more information on these configuration options. Code is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways: using application configuration to configure Action View sanitizers' allowed tags: # In config/application.rb config.action_view.sanitized_allowed_tags = ["math", "style"] # or config.action_view.sanitized_allowed_tags = ["svg", "style"] see https://guides.rubyonrails.org/configuring.html#configuring-action-view using a :tags option to the Action View helper sanitize: <%= sanitize @comment.body, tags: ["math", "style"] %&...

Source: Github Advisory Database (RubyGems)

December 3rd, 2024 (6 months ago)

[rails-html-sanitizer] rails-html-sanitizer has XSS vulnerability with certain configurations

Description: Summary There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0. Versions affected: 1.6.0 Not affected: < 1.6.0 Fixed versions: 1.6.1 Impact A possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in the following way: the "noscript" element is explicitly allowed Code is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for config.action_view.sanitizer_vendor and config.action_text.sanitizer_vendor for more information on these configuration options. The default configuration is to disallow all of these elements. Code is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways: using application configuration to configure Action View sanitizers' allowed tags: # In config/application.rb config.action_view.sanitized_allowed_tags = ["noscript"] see https://guides.rubyonrails.org/configuring.html#configuring-action-view using a :tags option to the Action View helper sanitize: <%= sanitize @comment.body, tags: ["noscript"] %> see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize setting Rails::HTML5::SafeListSanitizer class attribute allowed_tags: # class-level option Rails::HTML...

Source: Github Advisory Database (RubyGems)

December 3rd, 2024 (6 months ago)

[github.com/cli/go-gh/v2] `auth.TokenForHost` violates GitHub host security boundary when sourcing authentication token within a codespace

Description: Summary A security vulnerability has been identified in go-gh that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace. Details go-gh sources authentication tokens from different environment variables depending on the host involved: GITHUB_TOKEN, GH_TOKEN for GitHub.com and ghe.com GITHUB_ENTERPRISE_TOKEN, GH_ENTERPRISE_TOKEN for GitHub Enterprise Server Prior to 2.11.1, auth.TokenForHost could source a token from the GITHUB_TOKEN environment variable for a host other than GitHub.com or ghe.com when within a codespace. In 2.11.1, auth.TokenForHost will only source a token from the GITHUB_TOKEN environment variable for GitHub.com or ghe.com hosts. Impact Successful exploitation could send authentication token to an unintended host. Remediation and mitigation Upgrade go-gh to 2.11.1 Advise extension users to regenerate authentication tokens: Personal access tokens GitHub CLI OAuth app Advise extension users to review their personal security log and any relevant audit logs for actions associated with their account or enterprise References https://github.com/cli/go-gh/security/advisories/GHSA-55v3-xh23-96gh https://nvd.nist.gov/vuln/detail/CVE-2024-53859 https://docs.github.com/en/apps/using-github-apps/reviewing-and-revoking-authorization-of-github-apps#reviewing-your-authorized-github-apps https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/reviewing-your-security-log https://docs.github.co...

Source: Github Advisory Database (Go)

December 3rd, 2024 (6 months ago)

[github.com/cli/cli/v2] Recursive repository cloning can leak authentication tokens to non-GitHub submodule hosts

Description: Summary A security vulnerability has been identified in the GitHub CLI that could leak authentication tokens when cloning repositories containing git submodules hosted outside of GitHub.com and ghe.com. Details This vulnerability stems from several gh commands used to clone a repository with submodules from a non-GitHub host including gh repo clone, gh repo fork, gh pr checkout. These GitHub CLI commands invoke git with instructions to retrieve authentication tokens using the credential.helper configuration variable for any host encountered. Prior to 2.63.0, hosts other than GitHub.com and ghe.com are treated as GitHub Enterprise Server hosts and have tokens sourced from the following environment variables before falling back to host-specific tokens stored within system-specific secured storage: GITHUB_ENTERPRISE_TOKEN GH_ENTERPRISE_TOKEN GITHUB_TOKEN when CODESPACES environment variable is set The result being git sending authentication tokens when cloning submodules. In 2.63.0, these GitHub CLI commands will limit the hosts for which gh acts as a credential helper to source authentication tokens. Additionally, GITHUB_TOKEN will only be used for GitHub.com and ghe.com. Impact Successful exploitation could lead to a third-party using leaked authentication tokens to access privileged resources. Remediation and mitigation Upgrade gh to 2.63.0 Revoke authentication tokens used with the GitHub CLI: Personal access tokens GitHub CLI OAuth app Review your personal security...

Source: Github Advisory Database (Go)

December 3rd, 2024 (6 months ago)

[github.com/traefik/traefik/v2] Traefik's X-Forwarded-Prefix Header still allows for Open Redirect

Description: Impact There is a vulnerability in Traefik that allows the client to provide the X-Forwarded-Prefix header from an untrusted source. Patches https://github.com/traefik/traefik/releases/tag/v2.11.14 https://github.com/traefik/traefik/releases/tag/v3.2.1 Workarounds No workaround. For more information If you have any questions or comments about this advisory, please open an issue. Original Description ### Summary The previously reported open redirect ([GHSA-6qq8-5wq3-86rp](https://github.com/traefik/traefik/security/advisories/GHSA-6qq8-5wq3-86rp)) is not fixed correctly. The safePrefix function can be tricked to return an absolute URL. Details The Traefik API dashboard component tries to validate that the value of the header X-Forwarded-Prefix is a site relative path: http.Redirect(resp, req, safePrefix(req)+"/dashboard/", http.StatusFound) func safePrefix(req *http.Request) string { prefix := req.Header.Get("X-Forwarded-Prefix") if prefix == "" { return "" } parse, err := url.Parse(prefix) if err != nil { return "" } return parse.Path } PoC An attacker can bypass this by sending the following payload: curl -v 'http://traefik.localhost' -H 'X-Forwarded-Prefix: %0d//a.com' [...] > HTTP/1.1 302 Found > Location: //a.com/dashboard/ or similar: curl -v 'http://traefik.localhost' -H 'X-Forwarded-Prefix: %2f%2fa.com' [...] > HTTP/1.1 302 Found > Location: //a.com/dashboard/ Impact Similar to the previously report...

Source: Github Advisory Database (Go)

December 3rd, 2024 (6 months ago)

[github.com/traefik/traefik/v3] Traefik's X-Forwarded-Prefix Header still allows for Open Redirect

Description: Impact There is a vulnerability in Traefik that allows the client to provide the X-Forwarded-Prefix header from an untrusted source. Patches https://github.com/traefik/traefik/releases/tag/v2.11.14 https://github.com/traefik/traefik/releases/tag/v3.2.1 Workarounds No workaround. For more information If you have any questions or comments about this advisory, please open an issue. Original Description ### Summary The previously reported open redirect ([GHSA-6qq8-5wq3-86rp](https://github.com/traefik/traefik/security/advisories/GHSA-6qq8-5wq3-86rp)) is not fixed correctly. The safePrefix function can be tricked to return an absolute URL. Details The Traefik API dashboard component tries to validate that the value of the header X-Forwarded-Prefix is a site relative path: http.Redirect(resp, req, safePrefix(req)+"/dashboard/", http.StatusFound) func safePrefix(req *http.Request) string { prefix := req.Header.Get("X-Forwarded-Prefix") if prefix == "" { return "" } parse, err := url.Parse(prefix) if err != nil { return "" } return parse.Path } PoC An attacker can bypass this by sending the following payload: curl -v 'http://traefik.localhost' -H 'X-Forwarded-Prefix: %0d//a.com' [...] > HTTP/1.1 302 Found > Location: //a.com/dashboard/ or similar: curl -v 'http://traefik.localhost' -H 'X-Forwarded-Prefix: %2f%2fa.com' [...] > HTTP/1.1 302 Found > Location: //a.com/dashboard/ Impact Similar to the previously report...

Source: Github Advisory Database (Go)

December 3rd, 2024 (6 months ago)

Threat and Vulnerability Intelligence Database

Example Searches:

	Ransomware's Grip on Healthcare Description: Until C-level executives fully understand potential threats and implement effective mitigation strategies, healthcare organizations will remain vulnerable and at risk of disruption. Source: Dark Reading December 3rd, 2024 (6 months ago)
	Note From the Editor-in-Chief Description: A change in ownership and what it means for our readers. Source: Dark Reading December 3rd, 2024 (6 months ago)
	'White FAANG' Data Export Attack: A Gold Mine for PII Threats Description: Websites these days know everything about you — even some details you might not realize. Hackers can take advantage of that with a sharp-toothed attack that exploits Europe's GDPR-mandated data portability rules. Source: Dark Reading December 3rd, 2024 (6 months ago)
	[ruzstd] `ruzstd` uninit and out-of-bounds memory reads Description: Affected versions of ruzstd miscalculate the length of the allocated and init section of its internal RingBuffer, leading to uninitialized or out-of-bounds reads in copy_bytes_overshooting of up to 15 bytes. This may result in up to 15 bytes of memory contents being written into the decoded data when decompressing a crafted archive. This may occur multiple times per archive. References https://github.com/KillingSpark/zstd-rs/issues/75 https://github.com/KillingSpark/zstd-rs/pull/76 https://rustsec.org/advisories/RUSTSEC-2024-0400.html https://github.com/advisories/GHSA-x3f4-45xf-rjm7 Source: Github Advisory Database (Rust) December 3rd, 2024 (6 months ago)
	[rails-html-sanitizer] rails-html-sanitize has XSS vulnerability with certain configurations Description: Summary There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0 and Nokogiri < 1.15.7, or 1.16.x < 1.16.8. Versions affected: 1.6.0 Not affected: < 1.6.0 Fixed versions: 1.6.1 Please note that the fix in v1.6.1 is to update the dependency on Nokogiri to 1.15.7 or >= 1.16.8. Impact A possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in either of the following ways: allow both "math" and "style" elements or allow both "svg" and "style" elements Code is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for config.action_view.sanitizer_vendor and config.action_text.sanitizer_vendor for more information on these configuration options. Code is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways: using application configuration to configure Action View sanitizers' allowed tags: # In config/application.rb config.action_view.sanitized_allowed_tags = ["math", "style"] # or config.action_view.sanitized_allowed_tags = ["svg", "style"] see https://guides.rubyonrails.org/configuring.html#configuring-action-view using a :tags option to the Action View helper sanitize: <%= sanitize @comment.body, tags: ["math", "style"] %&... Source: Github Advisory Database (RubyGems) December 3rd, 2024 (6 months ago)
	[rails-html-sanitizer] rails-html-sanitizer has XSS vulnerability with certain configurations Description: Summary There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0. Versions affected: 1.6.0 Not affected: < 1.6.0 Fixed versions: 1.6.1 Impact A possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in the following way: the "noscript" element is explicitly allowed Code is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for config.action_view.sanitizer_vendor and config.action_text.sanitizer_vendor for more information on these configuration options. The default configuration is to disallow all of these elements. Code is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways: using application configuration to configure Action View sanitizers' allowed tags: # In config/application.rb config.action_view.sanitized_allowed_tags = ["noscript"] see https://guides.rubyonrails.org/configuring.html#configuring-action-view using a :tags option to the Action View helper sanitize: <%= sanitize @comment.body, tags: ["noscript"] %> see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize setting Rails::HTML5::SafeListSanitizer class attribute allowed_tags: # class-level option Rails::HTML... Source: Github Advisory Database (RubyGems) December 3rd, 2024 (6 months ago)
	[github.com/cli/go-gh/v2] `auth.TokenForHost` violates GitHub host security boundary when sourcing authentication token within a codespace Description: Summary A security vulnerability has been identified in go-gh that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace. Details go-gh sources authentication tokens from different environment variables depending on the host involved: GITHUB_TOKEN, GH_TOKEN for GitHub.com and ghe.com GITHUB_ENTERPRISE_TOKEN, GH_ENTERPRISE_TOKEN for GitHub Enterprise Server Prior to 2.11.1, auth.TokenForHost could source a token from the GITHUB_TOKEN environment variable for a host other than GitHub.com or ghe.com when within a codespace. In 2.11.1, auth.TokenForHost will only source a token from the GITHUB_TOKEN environment variable for GitHub.com or ghe.com hosts. Impact Successful exploitation could send authentication token to an unintended host. Remediation and mitigation Upgrade go-gh to 2.11.1 Advise extension users to regenerate authentication tokens: Personal access tokens GitHub CLI OAuth app Advise extension users to review their personal security log and any relevant audit logs for actions associated with their account or enterprise References https://github.com/cli/go-gh/security/advisories/GHSA-55v3-xh23-96gh https://nvd.nist.gov/vuln/detail/CVE-2024-53859 https://docs.github.com/en/apps/using-github-apps/reviewing-and-revoking-authorization-of-github-apps#reviewing-your-authorized-github-apps https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/reviewing-your-security-log https://docs.github.co... Source: Github Advisory Database (Go) December 3rd, 2024 (6 months ago)
	[github.com/cli/cli/v2] Recursive repository cloning can leak authentication tokens to non-GitHub submodule hosts Description: Summary A security vulnerability has been identified in the GitHub CLI that could leak authentication tokens when cloning repositories containing git submodules hosted outside of GitHub.com and ghe.com. Details This vulnerability stems from several gh commands used to clone a repository with submodules from a non-GitHub host including gh repo clone, gh repo fork, gh pr checkout. These GitHub CLI commands invoke git with instructions to retrieve authentication tokens using the credential.helper configuration variable for any host encountered. Prior to 2.63.0, hosts other than GitHub.com and ghe.com are treated as GitHub Enterprise Server hosts and have tokens sourced from the following environment variables before falling back to host-specific tokens stored within system-specific secured storage: GITHUB_ENTERPRISE_TOKEN GH_ENTERPRISE_TOKEN GITHUB_TOKEN when CODESPACES environment variable is set The result being git sending authentication tokens when cloning submodules. In 2.63.0, these GitHub CLI commands will limit the hosts for which gh acts as a credential helper to source authentication tokens. Additionally, GITHUB_TOKEN will only be used for GitHub.com and ghe.com. Impact Successful exploitation could lead to a third-party using leaked authentication tokens to access privileged resources. Remediation and mitigation Upgrade gh to 2.63.0 Revoke authentication tokens used with the GitHub CLI: Personal access tokens GitHub CLI OAuth app Review your personal security... Source: Github Advisory Database (Go) December 3rd, 2024 (6 months ago)
	[github.com/traefik/traefik/v2] Traefik's X-Forwarded-Prefix Header still allows for Open Redirect Description: Impact There is a vulnerability in Traefik that allows the client to provide the X-Forwarded-Prefix header from an untrusted source. Patches https://github.com/traefik/traefik/releases/tag/v2.11.14 https://github.com/traefik/traefik/releases/tag/v3.2.1 Workarounds No workaround. For more information If you have any questions or comments about this advisory, please open an issue. Original Description ### Summary The previously reported open redirect ([GHSA-6qq8-5wq3-86rp](https://github.com/traefik/traefik/security/advisories/GHSA-6qq8-5wq3-86rp)) is not fixed correctly. The safePrefix function can be tricked to return an absolute URL. Details The Traefik API dashboard component tries to validate that the value of the header X-Forwarded-Prefix is a site relative path: http.Redirect(resp, req, safePrefix(req)+"/dashboard/", http.StatusFound) func safePrefix(req *http.Request) string { prefix := req.Header.Get("X-Forwarded-Prefix") if prefix == "" { return "" } parse, err := url.Parse(prefix) if err != nil { return "" } return parse.Path } PoC An attacker can bypass this by sending the following payload: curl -v 'http://traefik.localhost' -H 'X-Forwarded-Prefix: %0d//a.com' [...] > HTTP/1.1 302 Found > Location: //a.com/dashboard/ or similar: curl -v 'http://traefik.localhost' -H 'X-Forwarded-Prefix: %2f%2fa.com' [...] > HTTP/1.1 302 Found > Location: //a.com/dashboard/ Impact Similar to the previously report... Source: Github Advisory Database (Go) December 3rd, 2024 (6 months ago)
	[github.com/traefik/traefik/v3] Traefik's X-Forwarded-Prefix Header still allows for Open Redirect Description: Impact There is a vulnerability in Traefik that allows the client to provide the X-Forwarded-Prefix header from an untrusted source. Patches https://github.com/traefik/traefik/releases/tag/v2.11.14 https://github.com/traefik/traefik/releases/tag/v3.2.1 Workarounds No workaround. For more information If you have any questions or comments about this advisory, please open an issue. Original Description ### Summary The previously reported open redirect ([GHSA-6qq8-5wq3-86rp](https://github.com/traefik/traefik/security/advisories/GHSA-6qq8-5wq3-86rp)) is not fixed correctly. The safePrefix function can be tricked to return an absolute URL. Details The Traefik API dashboard component tries to validate that the value of the header X-Forwarded-Prefix is a site relative path: http.Redirect(resp, req, safePrefix(req)+"/dashboard/", http.StatusFound) func safePrefix(req *http.Request) string { prefix := req.Header.Get("X-Forwarded-Prefix") if prefix == "" { return "" } parse, err := url.Parse(prefix) if err != nil { return "" } return parse.Path } PoC An attacker can bypass this by sending the following payload: curl -v 'http://traefik.localhost' -H 'X-Forwarded-Prefix: %0d//a.com' [...] > HTTP/1.1 302 Found > Location: //a.com/dashboard/ or similar: curl -v 'http://traefik.localhost' -H 'X-Forwarded-Prefix: %2f%2fa.com' [...] > HTTP/1.1 302 Found > Location: //a.com/dashboard/ Impact Similar to the previously report... Source: Github Advisory Database (Go) December 3rd, 2024 (6 months ago)