Node-IPC NPM Package Embedded Malicious Code Vulnerability (CVE-2022-23812)

Users of the popular Vue.js frontend JavaScript framework experienced a supply chain attack on the npm ecosystem recently. The nested dependencies Node-IPC and peacenotwar were sabotaged as a protest by the maintainer of the Node-IPC package. Regardless of the peace-not-war slogan, node-ipc is now being identified as a malicious package, including malicious code that …

Microsoft Patches 92 Vulnerabilities in March 2022 Patch Tuesday including 3 Zero-days

Microsoft has released security fixes for several vulnerabilities, including patches for zero-day vulnerabilities, in its March 2022 Patch Tuesday. Microsoft addresses 92 vulnerabilities in their March 2022 Patch Tuesday release. Out of these 92 vulnerabilities, three (3) are rated as critical. The release also includes fixes for three (3) publicly disclosed zero-day vulnerabilities. As of …

New Linux Elevation of Privilege Vulnerability Exploited in the Wild (Dirty Pipe) (CVE-2022-0847)

A high-severity Linux vulnerability (CVE-2022-0847), dubbed ‘Dirty Pipe’, is being exploited in the wild. This vulnerability can allow local users to gain root privileges through publicly available exploits and is considered one of the most significant Linux security vulnerabilities discovered since 2016, when another high-severity and easy-to-exploit Linux bug (dubbed …

Mozilla Firefox Releases Updates to Address Two Zero-day Vulnerabilities (CVE-2022-26485 & CVE-2022-26486)

Firefox is a free and open-source web browser for Windows, OS X, and Linux, as well as an Android mobile version. Mozilla has released out-of-band software upgrades for its Firefox web browser to address two high-impact security flaws. According to the advisory, both vulnerabilities were actively exploited in the wild. Mozilla has patched …

Apache APISIX Batch-Requests Plugin Remote Code Execution Vulnerability (CVE-2022-24112)

Apache APISIX has issued a security alert, revealing a remote code execution vulnerability (CVE-2022-24112) in versions prior to 2.12.1. Apache APISIX is a dynamic, real-time, high-performance API gateway. APISIX offers load balancing, dynamic upstream, canary release, circuit breaking, authentication, observability, and other traffic management functions. The vulnerability states “In versions of Apache …

Critical Zabbix Web Frontend Authentication Bypass Vulnerability (CVE-2022-23131)

Researchers from SonarSource have discovered a critical severity vulnerability in Zabbix that allows an attacker to bypass authentication and execute arbitrary code on a targeted server. Zabbix is an open-source monitoring software program that can be used to track IT infrastructures like networks, servers, virtual machines, and cloud services. The vulnerability is tracked as …

Apache Cassandra Database Software High-Severity Remote Code Execution Vulnerability (CVE-2021-44521)

Apache Cassandra is a free and open-source distributed NoSQL database management system that can handle massive volumes of data across many commodity servers while maintaining high availability and avoiding single points of failure. Researchers have revealed details of a high-severity security flaw in the Apache Cassandra open-source NoSQL distributed database. The vulnerability is easy …

CISA releases deadline for patching Google Chrome and Adobe Magento zero-day vulnerabilities (CVE-2022-24086 & CVE-2022-0609)

The US Cybersecurity and Infrastructure Security Agency (CISA) has added nine new vulnerabilities to its catalog of known exploited vulnerabilities. This list includes two zero-days that affect Google Chrome and Adobe Commerce/Magento Open Source. CISA stated that by March 1st, 2022, all Federal Civilian Executive Branch (FCEB) agencies must install patches for these two …

Microsoft addresses 70 vulnerabilities in February 2022 Patch Tuesday

Microsoft addresses 70 vulnerabilities in their February 2022 Patch Tuesday release. While none of the vulnerabilities in this month’s Microsoft release cycle have been assigned as critical risk, several have been given a high-risk rating (CVSSv3.1 score of 7.0 – 8.9). As of this writing, none of this month’s vulnerabilities is known to …

Samba Releases update for Out-Of-Bounds Heap Read/Write Vulnerability (CVE-2021-44142)

Samba is a reimplementation of the SMB network protocol that provides file sharing and printing services across many platforms, allowing Linux, Windows, and macOS users to share files over the network. The vulnerability, tracked as CVE-2021-44142, is an out-of-bounds heap read/write vulnerability that allows remote attackers to execute arbitrary code as root on affected Samba …