Security News

JetBrains has patched a critical authentication bypass vulnerability affecting TeamCity On-Premises continuous integration and deployment servers. CVE-2024-23917 could allow an unauthenticated threat actor with HTTP(S) access to a TeamCity server to bypass authentication controls and gain administrative privileges on the server.

CVE-2024-21893, a server-side request forgery vulnerability affecting Ivanti Connect Secure VPN gateways and Policy Secure, is being exploited by attackers.Its existence, along with that of CVE-2024-21888, a privilege escalation vulnerability affecting the same Ivanti Connect Secure and Policy Secure versions, was revealed by Ivanti in late January.

Five days after Mastodon developers pushed out fixes for a remotely exploitable account takeover vulnerability, over 66% of Mastodon servers out there have been upgraded to close the hole. Mastodon is open-source software for running self-hosted social networking services within the wider Fediverse.

CVEMap is an open-source command-line interface tool that allows you to explore Common Vulnerabilities and Exposures. Security experts, who must be constantly alert to thwart adversaries seeking any vulnerability, are distracted by the sheer volume of CVEs.

The four vulnerabilities reported to Juniper Networks by watchTowr researcher Aliz Hammond, which were later found to be missing individual CVEs, have now each been disclosed separately, per an out-of-cycle security advisory. Despite submitting four vulnerability reports in total, Juniper credited watchTowr with the discovery of just two.

Less than two weeks after having plugged a security hole that allows account takeover without user interaction, GitLab Inc. has patched a critical vulnerability in GitLab CE/EE again and is urging users to update their installations immediately.GitLab Inc. operates GitLab.com and develops GitLab Community Edition and Enterprise Edition, a widely used software development platform with built-in version control, issue tracking, code review, etc.

Several proof-of-concept exploits for a recently patched critical vulnerability in Jenkins have been made public and there's evidence of exploitation in the wild. Jenkins is a widely used Java-based open-source automation server that helps developers build, test and deploy applications, enabling continuous integration and continuous delivery.

Blind spots and critical vulnerabilities are worsening, with 45% of critical CVEs remaining unpatched.The educational services industry has a significantly higher percentage of servers with unpatched weaponised Common Vulnerabilities and Exposures, compared to the general average of 10%. Industries still using end-of-life or EoS OSs that are no longer actively supported or patched for vulnerabilities and security issues by the manufacturer: Educational services, retail trade, healthcare, manufacturing and public administration.

Proof-of-concept exploit code for a critical vulnerability in Fortra's GoAnywhere MFT solution has been made public, sparking fears that attackers may soon take advantage of it. CVE-2024-0204 was privately reported by Mohammed Eldeeb and Islam Elrfai of Spark Engineering Consultants in early December 2023, and Fortra's GoAnywhere MFT customers got an advance warning with instructions on how to remediate the vulnerability.

Apple has fixed an actively exploited zero-day vulnerability that affects Macs, iPhones, iPads and AppleTVs. CVE-2024-23222 is a type confusion issue that affects WebKit - Apple's browser engine used in the Safari web browser and all iOS and iPadOS web browsers.