
Deserialized web security roundup: Algolia API key leak, GitHub CVE reporting, scoring CVSS scores

Our inaugural web security roundup begins with the news that thousands of applications were found to be leaking API keys for Algolia.

Algolia technology is used by the likes of Lacoste, Stripe, and Slack, to incorporate search, discovery, and recommendations into web, voice, and mobile applications.

Researchers from CloudSEK found 1,500 apps leaking Algolia API keys, 32 of which had hardcoded keys that could allow attackers to steal or delete the data of millions of users. Vulnerable data included IP addresses, access details, and analytics data.

Meanwhile, maintainers of open source repositories can now receive private vulnerability reports, remediate them, and issue CVEs via GitHub, the Microsoft-owned software development platform announced at the GitHub Universe conference.

The news went down well with at least one infosec pro, with vulnerability researcher and The Daily Swig interviewee Alex Chapman calling it an “amazing feature”.

Staying with vulnerability management, the US Cybersecurity and Infrastructure Security Agency (CISA) has set out a three-step process for enhancing vulnerability management, including leveraging the vulnerability exploitability exchange (VEX), a form of security advisory index recently featured on The Daily Swig that focuses on the exploitability of flaws within applications.

CISA has also published a study on the effectiveness of the CVSS base score equation that concluded that the metric closely – albeit not perfectly – represents the CVSS maintainers’ expert opinion.

The Daily Swig also recently reported on system config issues in flavor-of-the-month social networking platform Mastodon, Tailscale VPN nodes being vulnerable to DNS rebinding, and how the Go SAML library was affected by an authentication bypass, among other news.

Here are some more web security stories and other cybersecurity news that caught our attention in the last fortnight:

Web vulnerabilities

  • Apache Commons BCEL / CVE-2022-42920 / CVSS 9.8 / Out-of-bounds write issue affecting APIs could give attackers greater control over the resulting bytecode
  • Apache MINA SSHD / CVE-2022-45047 / CVSS 9.8 / Unsafe Java deserialization / Patched
  • Flarum / CVE-2022-41938 / CVSS 9.0 / Cross-site scripting (XSS) allowed injection of malicious HTML markup via the discussion title input, either when creating a new discussion or renaming one / Patched November 21
  • TiDB / CVE-2022-3023 / CVSS 9.8 / Data source name injection could lead to arbitrary file reads / Patched November 17
  • Sonar published a three-part series documenting vulnerabilities in IT Infrastructure monitoring tool Checkmk and its NagVis integration. These flaws could be chained to seize control of servers
  • Platform certificates used to sign system apps on Android builds have been maliciously leaked and used to sign malicious Android apps – “Folks, this is bad. Very, very bad”, tweeted one Android expert
  • Software engineer Tom Forbes uncovered a serious oversight by IT firm Infosys whereby a file was accidentally published to PyPi – and accessible for more than a year – containing AWS keys to an S3 bucket potentially containing patient data from Johns Hopkins University
  • Cybercriminals are tricking TikTok users into downloading malware with the promise of removing invisibility filters from nude photos, Checkmarx reveals – with TikTok videos posted by the attacker gathering over a million views in just two days
  • Hacker extraordinaire Sam Curry revealed that he was part of a team that uncovered 100 vulnerabilities – 50 rated critical – on agricultural equipment supplier John Deere’s security program, with technical details in the pipeline
  • HackerOne’s leading Australian hacker and number 30 on its worldwide leaderboard Shubham Shah has published a deep dive on what it takes to succeed as a bug bounty hunter
  • Belgium-based bug bounty and pen testing platform Intigriti launched a Bug Bounty Calculator, as reported in our monthly Bug Bounty Radar
  • Idaho launched a vulnerability disclosure policy for election websites, becoming the fourth US state to launch a vulnerability disclosure policy, reports Statescoop
  • Mi-X – Determines your system’s potential vulnerability to flaws by evaluating runtime execution, configuration, permissions, mitigations, OS, and other relevant variables
  • GuardDog – Identifies malicious Python packages using Semgrep and package metadata analysis
  • Legitify – Detect and remediate misconfigurations plus security and compliance issues across your GitHub assets
  • inTheWild – Vulnerability feed that documents reports of CVEs being exploited in the wild
  • APTRS (Automated Penetration Testing Reporting System) – Python and Django tool for tracking projects and vulnerabilities and creating reports without using DOCX files
  • The US National Security Agency (NSA) has released guidance (PDF) urging developers to move away from “programming languages that provide little or no inherent memory protection, such as C/C++, to a memory safe language when possible”

Copyright 2021 Associated Press. All rights reserved.

Source: https://portswigger.net/daily-swig/deserialized-web-security-roundup-algolia-api-key-leak-github-cve-reporting-scoring-cvss-scores
