Aggregator
CVE-2024-9693: GitLab Releases Critical Patch for Kubernetes Agent
1 year 7 months ago
GitLab has released a critical security update that addresses a high-severity vulnerability which could allow unauthorized access to Kubernetes clusters. Versions 17.5.2, 17.4.4 and 17.3.7 of Community Edition (CE) and Enterprise Edition (EE) patch six security vulnerabilities in total, including the critical Kubernetes issue and several other medium-severity flaws.

The most serious vulnerability (CVE-2024-9693) allows unauthorized access to the Kubernetes agent in a cluster under specific configurations. The GitLab security advisory warns: "This is a high severity issue (CVSS 8.5). The vulnerability was discovered internally by GitLab team member Tiger Watson."

In addition to the Kubernetes vulnerability, GitLab also patched several other issues, including:

- Device OAuth flow vulnerability (CVE-2024-7404): this flaw could allow an attacker to obtain full API access as the victim.
- Denial of service (DoS) vulnerability: importing maliciously crafted content with the Fogbugz importer could trigger a denial of service.
- Stored XSS vulnerability (CVE-2024-8648): an attacker could inject malicious JavaScript code into the analytics dashboard via a specially crafted URL.
- HTML injection vulnerability (CVE-2024-8180): if Content Security Policy (CSP) is not enabled, improper output encoding could lead to cross-site scripting (XSS) attacks.
- Information disclosure vulnerability (CVE-2024-10240): an unauthenticated user could read merge request information in private projects under specific circumstances.

GitLab urges all users to upgrade their self-managed installations to the latest version immediately: "We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible."

Reposted from Anquanke, original link: https://www.anquanke.com/post/id/301813
Reposted content
CVE-2022-3171 | Oracle Healthcare Translational Research 4.1.0/4.1.1 DataStudio denial of service (Nessus ID 211155)
1 year 7 months ago
A vulnerability was found in Oracle Healthcare Translational Research 4.1.0/4.1.1 and classified as critical. This issue affects some unknown processing of the component DataStudio. The manipulation leads to denial of service.
The identification of this vulnerability is CVE-2022-3171. The attack may be initiated remotely. There is no exploit available.
vuldb.com
CVE-2022-3171 | Oracle Retail Customer Management and Segmentation Foundation Internal Operations denial of service (Nessus ID 211155)
1 year 7 months ago
A vulnerability classified as critical has been found in Oracle Retail Customer Management and Segmentation Foundation 18.0.0.12/19.0.0.6. This affects an unknown part of the component Internal Operations. The manipulation leads to denial of service.
This vulnerability is uniquely identified as CVE-2022-3171. It is possible to initiate the attack remotely. There is no exploit available.
vuldb.com
CVE-2022-3171 | Oracle Banking Cash Management 14.7.0.2.0/14.7.1.0.0 Accessibility denial of service (Nessus ID 211155)
1 year 7 months ago
A vulnerability was found in Oracle Banking Cash Management 14.7.0.2.0/14.7.1.0.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component Accessibility. The manipulation leads to denial of service.
This vulnerability is known as CVE-2022-3171. The attack can be launched remotely. There is no exploit available.
vuldb.com
CVE-2022-3171 | Oracle Banking Credit Facilities Process Management 14.7.1.0.0 Common denial of service (Nessus ID 211155)
1 year 7 months ago
A vulnerability has been found in Oracle Banking Credit Facilities Process Management 14.7.1.0.0 and classified as critical. This vulnerability affects unknown code of the component Common. The manipulation leads to denial of service.
This vulnerability was named CVE-2022-3171. The attack can be initiated remotely. There is no exploit available.
vuldb.com
CVE-2022-3171 | Oracle Banking Liquidity Management 14.5.0.8.0/14.6.0.4.0/14.7.0.2.0/14.7.1.0.0 Common denial of service (Nessus ID 211155)
1 year 7 months ago
A vulnerability, which was classified as critical, was found in Oracle Banking Liquidity Management 14.5.0.8.0/14.6.0.4.0/14.7.0.2.0/14.7.1.0.0. Affected is an unknown function of the component Common. The manipulation leads to denial of service.
This vulnerability is traded as CVE-2022-3171. It is possible to launch the attack remotely. There is no exploit available.
vuldb.com
CVE-2022-3171 | Oracle Banking Supply Chain Finance 14.7.0.2.0/14.7.1.0.0 Security denial of service (Nessus ID 211155)
1 year 7 months ago
A vulnerability was found in Oracle Banking Supply Chain Finance 14.7.0.2.0/14.7.1.0.0 and classified as critical. This issue affects some unknown processing of the component Security. The manipulation leads to denial of service.
The identification of this vulnerability is CVE-2022-3171. The attack may be initiated remotely. There is no exploit available.
vuldb.com
CVE-2022-3171 | Oracle Communications Policy Management 12.6.0.0.0 Core denial of service (Nessus ID 211155)
1 year 7 months ago
A vulnerability was found in Oracle Communications Policy Management 12.6.0.0.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component Core. The manipulation leads to denial of service.
This vulnerability is known as CVE-2022-3171. The attack can be launched remotely. There is no exploit available.
vuldb.com
CVE-2022-3171 | Oracle Banking Corporate Lending up to 14.7 Core denial of service (Nessus ID 211155)
1 year 7 months ago
A vulnerability classified as critical was found in Oracle Banking Corporate Lending up to 14.7. Affected by this vulnerability is an unknown functionality of the component Core. The manipulation leads to denial of service.
This vulnerability is known as CVE-2022-3171. The attack can be launched remotely. There is no exploit available.
vuldb.com
CVE-2022-3171 | Oracle Banking Payments 14.5/14.6/14.7 Infrastructure denial of service (Nessus ID 211155)
1 year 7 months ago
A vulnerability classified as critical was found in Oracle Banking Payments 14.5/14.6/14.7. This vulnerability affects unknown code of the component Infrastructure. The manipulation leads to denial of service.
This vulnerability was named CVE-2022-3171. The attack can be initiated remotely. There is no exploit available.
vuldb.com
CVE-2022-3171 | Oracle Banking Trade Finance 14.5/14.6/14.7 Infrastructure denial of service (Nessus ID 211155)
1 year 7 months ago
A vulnerability, which was classified as critical, was found in Oracle Banking Trade Finance 14.5/14.6/14.7. Affected is an unknown function of the component Infrastructure. The manipulation leads to denial of service.
This vulnerability is traded as CVE-2022-3171. It is possible to launch the attack remotely. There is no exploit available.
vuldb.com
CVE-2022-3171 | Oracle Banking Treasury Management 14.5/14.6/14.7 Infra Code denial of service (Nessus ID 211155)
1 year 7 months ago
A vulnerability was found in Oracle Banking Treasury Management 14.5/14.6/14.7 and classified as critical. Affected by this issue is some unknown functionality of the component Infra Code. The manipulation leads to denial of service.
This vulnerability is handled as CVE-2022-3171. The attack may be launched remotely. There is no exploit available.
vuldb.com
CVE-2022-3171 | Oracle FLEXCUBE Universal Banking up to 14.7 Infrastructure denial of service (Nessus ID 211155)
1 year 7 months ago
A vulnerability, which was classified as critical, has been found in Oracle FLEXCUBE Universal Banking up to 14.7. This issue affects some unknown processing of the component Infrastructure. The manipulation leads to denial of service.
The identification of this vulnerability is CVE-2022-3171. The attack may be initiated remotely. There is no exploit available.
vuldb.com
CVE-2022-3171 | Oracle Communications Unified Assurance up to 5.5.9/6.0.1 Core denial of service (Nessus ID 211155)
1 year 7 months ago
A vulnerability was found in Oracle Communications Unified Assurance up to 5.5.9/6.0.1. It has been rated as critical. This issue affects some unknown processing of the component Core. The manipulation leads to denial of service.
The identification of this vulnerability is CVE-2022-3171. The attack may be initiated remotely. There is no exploit available.
vuldb.com
ModeLeak Vulnerabilities: Researchers Find Privilege Escalation and Model Exfiltration Threats in Google Vertex AI
1 year 7 months ago
In a recent report, researchers at Palo Alto Networks disclosed two critical vulnerabilities in Google's Vertex AI platform that could expose organizations to serious security risks. Dubbed "ModeLeak", the vulnerabilities enable privilege escalation and model exfiltration, potentially allowing attackers to access sensitive machine learning (ML) and large language model (LLM) data in Vertex AI environments.

The first vulnerability is privilege escalation through custom jobs in Vertex AI. By exploiting custom job permissions in Vertex AI Pipelines, an attacker could access data across the entire project. The report states: "By manipulating the custom job pipeline, we discovered a privilege escalation path that allowed us to access resources far beyond the intended scope. This access included the ability to list, read and export data from Google Cloud Storage and BigQuery datasets, operations that would normally require a higher level of authorization."

Through custom code injection, the researchers demonstrated how an attacker could inject commands to open a reverse shell, creating a backdoor in the environment. The flaw stems from the default permissions granted to the service agent, which the researchers found to be overly broad. "With the identity of the service agent, we could list, read and even export data from buckets and datasets we should not have been able to access."

The second vulnerability poses a more insidious threat: model exfiltration through a malicious model. A malicious actor could upload a poisoned model to a public repository; once deployed, it could infiltrate other sensitive models in the environment. "Imagine a scenario in which a malicious actor uploads a poisoned model to a public model repository," the report explains. "Once deployed, the malicious model could infiltrate all other ML and LLM models in the project, including sensitive fine-tuned models." This creates a model-to-model infection path in which proprietary information embedded in fine-tuning adapters can be copied and exfiltrated by the attacker.

Palo Alto Networks has since shared these findings with Google, which has deployed fixes to secure Vertex AI on Google Cloud Platform (GCP). To defend against similar threats, Palo Alto Networks recommends that enterprises implement strict access controls and closely monitor the model deployment process. The report warns that if these vulnerabilities were exploited by threat actors, the consequences could be wide-ranging, particularly in environments where sensitive data drives model training and tuning.

Reposted from Freebuf, original link: https://www.anquanke.com/post/id/301816
Reposted content
CVE-2022-3171 | Oracle Financial Services Crime and Compliance Management Studio denial of service (Nessus ID 211155)
1 year 7 months ago
A vulnerability has been found in Oracle Financial Services Crime and Compliance Management Studio 8.0.8.3.1 and classified as critical. This vulnerability affects unknown code of the component Studio. The manipulation leads to denial of service.
This vulnerability was named CVE-2022-3171. The attack can be initiated remotely. There is no exploit available.
vuldb.com
CVE-2022-3171 | Oracle Fusion Middleware MapViewer 12.2.1.4.0 Install denial of service (Nessus ID 211155)
1 year 7 months ago
A vulnerability has been found in Oracle Fusion Middleware MapViewer 12.2.1.4.0 and classified as critical. This vulnerability affects unknown code of the component Install. The manipulation leads to denial of service.
This vulnerability was named CVE-2022-3171. The attack can be initiated remotely. There is no exploit available.
vuldb.com
CVE-2022-3171 | Oracle MySQL Connectors up to 8.0.31 Connector/Net denial of service (Nessus ID 211155)
1 year 7 months ago
A vulnerability classified as critical was found in Oracle MySQL Connectors up to 8.0.31. Affected by this vulnerability is an unknown functionality of the component Connector/Net. The manipulation leads to denial of service.
This vulnerability is known as CVE-2022-3171. The attack can be launched remotely. There is no exploit available.
vuldb.com
CVE-2022-3171 | Oracle Communications Cloud Native Core Network Repository Function Installation denial of service (Nessus ID 211155)
1 year 7 months ago
A vulnerability was found in Oracle Communications Cloud Native Core Network Repository Function 22.3.2 and classified as critical. Affected by this issue is some unknown functionality of the component Installation. The manipulation leads to denial of service.
This vulnerability is handled as CVE-2022-3171. The attack may be launched remotely. There is no exploit available.
vuldb.com