Security News

GitLab urges users to install security updates for critical pipeline flaw
2023-09-19 17:06

GitLab has released security updates to address a critical-severity vulnerability that allows attackers to run pipelines as other users via scheduled security scan policies. The flaw was assigned CVE-2023-4998 and affects GitLab Community Edition and Enterprise Edition from 13.12 up to, but not including, 16.2.7, and from 16.3 up to, but not including, 16.3.4; the fixes shipped in 16.2.7 and 16.3.4, so instances on exactly those versions are no longer affected.
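Because "13.12 through 16.2.7" is easy to misread as including the fixed version, a small version-range check makes the boundary explicit. This is an added example, not GitLab's code: the two half-open ranges come from the advisory text above, and the version-string parser (which drops a build suffix such as `-ee`) is an assumption about how your inventory records GitLab versions.

```python
from typing import Tuple

Version = Tuple[int, ...]


def parse_version(v: str) -> Version:
    """Turn '16.2.6-ee' into (16, 2, 6). The '-ee' suffix handling is an assumption
    about inventory formatting, not part of the advisory."""
    core = v.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


# Half-open ranges [first affected, first fixed) taken from the advisory:
# 13.12 up to but not including 16.2.7, and 16.3 up to but not including 16.3.4.
AFFECTED_RANGES = [
    (parse_version("13.12"), parse_version("16.2.7")),
    (parse_version("16.3"), parse_version("16.3.4")),
]


def is_affected_cve_2023_4998(version: str) -> bool:
    """True if this GitLab version falls inside an affected range.
    Tuple comparison handles the shorter lower bounds: (16, 3) <= (16, 3, 0)."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    for ver in ["15.11.0", "16.2.6-ee", "16.2.7", "16.3.3", "16.3.4", "16.4.0"]:
        print(f"{ver:>10}: {'AFFECTED' if is_affected_cve_2023_4998(ver) else 'not affected'}")
```

The check reports 16.2.6 and 16.3.3 as affected and 16.2.7, 16.3.4 and 16.4.0 as fixed; 16.4.0 is outside both ranges because the 16.3 branch range ends at 16.3.4.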

CISA Aims For More Robust Open Source Software Security for Government and Critical Infrastructure
2023-09-18 18:23

CISA also plans to create a guide to best practices in open source security for government entities and critical infrastructure organizations, according to the roadmap. CISA notes that open source software drives a great deal of innovation; at the same time, vulnerabilities like the widespread Log4Shell flaw in 2021 show that open source software can introduce insidious defects into widely used code.

Critical business app outages cost $500,000 per hour of downtime
2023-09-18 04:00

Adoption of observability is on the rise, and full-stack observability correlates with better service-level outcomes, such as fewer and shorter outages and lower outage costs, according to New Relic. 32% of respondents said outages of critical business applications cost them more than $500,000 per hour of downtime.

The critical role of authorization in safeguarding financial institutions
2023-09-14 04:00

According to a recent Cost of a Data Breach report, the financial industry has the second-highest average cost per data breach, which makes a stronger investment in authorization well worth it for financial institutions. In this Help Net Security video, David Brossard, CTO at Axiomatics, discusses how much there is to think through regarding access control, whether an institution is protecting its own data or its customers' privacy and confidentiality while also adhering to global compliance regulations.

Mozilla Rushes to Patch WebP Critical Zero-Day Exploit in Firefox and Thunderbird
2023-09-13 01:50

Mozilla on Tuesday released security updates to resolve a critical zero-day vulnerability in Firefox and Thunderbird that has been actively exploited in the wild, a day after Google released a fix for the same issue in its Chrome browser. The shortcoming, assigned the identifier CVE-2023-4863, is a heap buffer overflow in libwebp, the library used to decode the WebP image format, and could result in arbitrary code execution when a specially crafted image is processed.

Adobe warns of critical Acrobat and Reader zero-day exploited in attacks
2023-09-12 17:42

Adobe has released security updates to patch a zero-day vulnerability in Acrobat and Reader tagged as exploited in attacks. "Adobe is aware that CVE-2023-26369 has been exploited in the wild in limited attacks targeting Adobe Acrobat and Reader," the company said in a security advisory published today.

Critical GitHub Vulnerability Exposes 4,000+ Repositories to Repojacking Attack
2023-09-12 11:32

A new vulnerability disclosed in GitHub could have put thousands of repositories at risk of repojacking attacks, new findings show. The flaw "could allow an attacker to exploit a race condition within GitHub's repository creation and username renaming operations," Checkmarx security researcher Elad Rapoport said in a technical report shared with The Hacker News.

Chinese Redfly Group Compromised a Nation's Critical Grid in 6-Month ShadowPad Campaign
2023-09-12 10:18

A threat actor called Redfly has been linked to a compromise of a national grid in an unnamed Asian country that lasted as long as six months earlier this year, using the known ShadowPad malware. "The attackers managed to steal credentials and compromise multiple computers on the organization's network," the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News. The earliest sign of an attack targeting the Asian entity was recorded on February 23, 2023, when ShadowPad was executed on a single computer; the backdoor was run again three months later, on May 17.

Google Rushes to Patch Critical Chrome Vulnerability Exploited in the Wild - Update Now
2023-09-12 05:15

Google on Monday rolled out out-of-band security patches to address a critical security flaw in its Chrome web browser that it said has been exploited in the wild. With the latest fix, Google has addressed a total of four zero-days in Chrome since the start of the year.

CISA warns of critical Apache RocketMQ bug exploited in attacks
2023-09-07 21:51

The U.S. Cybersecurity and Infrastructure Security Agency has added to its Known Exploited Vulnerabilities (KEV) catalog a critical-severity issue tracked as CVE-2023-33246 that affects Apache's RocketMQ distributed messaging and streaming platform. CISA is warning federal agencies that they should patch CVE-2023-33246 on any Apache RocketMQ installations on their systems by September 27.
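A KEV listing with a fixed due date is only useful if it is matched against what you actually run. The following is an added example, not CISA's or Apache's code: it reads an excerpt in the shape of CISA's public KEV JSON feed (the `vulnerabilities` array with `cveID`, `vendorProject`, `product`, `dateAdded` and `dueDate` fields), cross-references it with a host inventory, and reports which exposures are past their remediation deadline. The feed excerpt, the hostnames and the `dateAdded` values are constructed for the example; only the CVE identifier and the September 27 due date come from the article above.

```python
import json
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Constructed excerpt mirroring the layout of CISA's KEV JSON feed.
# The dateAdded values are assumptions for the example, not taken from the article.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2023-33246",
            "vendorProject": "Apache",
            "product": "RocketMQ",
            "dateAdded": "2023-09-06",
            "dueDate": "2023-09-27",
            "requiredAction": "Apply updates per vendor instructions.",
        },
        {
            "cveID": "CVE-2023-4863",
            "vendorProject": "Google",
            "product": "Chromium WebP",
            "dateAdded": "2023-09-13",
            "dueDate": "2023-10-04",
            "requiredAction": "Apply updates per vendor instructions.",
        },
    ],
})

# Constructed inventory: hosts with the CVEs a scanner reported as present.
INVENTORY = [
    {"host": "mq-01.example.internal", "cves": ["CVE-2023-33246"]},
    {"host": "mq-02.example.internal", "cves": ["CVE-2023-33246", "CVE-2099-0001"]},
    {"host": "web-07.example.internal", "cves": ["CVE-2023-4863"]},
    {"host": "db-03.example.internal", "cves": ["CVE-2099-0002"]},
]


@dataclass
class Exposure:
    host: str
    cve: str
    product: str
    due_date: date
    days_overdue: int  # negative while the deadline is still in the future


def load_kev(raw_json: str) -> Dict[str, dict]:
    """Index the KEV feed by CVE id so inventory lookups are O(1)."""
    catalog = json.loads(raw_json)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def kev_exposures(raw_json: str, inventory: List[dict], today: date) -> List[Exposure]:
    """Return every (host, CVE) pair that appears in KEV, with its deadline status.
    CVEs not in KEV are ignored here: KEV is a prioritisation list, not a full scanner."""
    kev = load_kev(raw_json)
    exposures = []
    for asset in inventory:
        for cve in asset["cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            exposures.append(Exposure(
                host=asset["host"],
                cve=cve,
                product=f'{entry["vendorProject"]} {entry["product"]}',
                due_date=due,
                days_overdue=(today - due).days,
            ))
    return exposures


def overdue(exposures: List[Exposure]) -> List[Exposure]:
    """Only the exposures whose KEV due date has already passed."""
    return [e for e in exposures if e.days_overdue > 0]


if __name__ == "__main__":
    today = date(2023, 9, 28)  # the day after the RocketMQ deadline
    for e in overdue(kev_exposures(KEV_SAMPLE, INVENTORY, today)):
        print(f"OVERDUE {e.days_overdue}d  {e.host}  {e.cve}  ({e.product})  due {e.due_date}")
```

Run on 2023-09-28, the report flags the two RocketMQ hosts as one day overdue while the WebP exposure still has six days left; the two placeholder CVEs never appear because they are not in the catalog. In practice the feed is fetched from CISA's published JSON URL and the inventory comes from a scanner export, but the matching logic is the same.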