Security News

Five days after Mastodon developers pushed out fixes for a remotely exploitable account takeover vulnerability, over 66% of Mastodon servers out there have been upgraded to close the hole. Mastodon is open-source software for running self-hosted social networking services within the wider Fediverse.

CVEMap is an open-source command-line interface tool that allows you to explore Common Vulnerabilities and Exposures. Security experts, who must be constantly alert to thwart adversaries seeking any vulnerability, are distracted by the sheer volume of CVEs.

The four vulnerabilities reported to Juniper Networks by watchTowr researcher Aliz Hammond, which were later found to be missing individual CVEs, have now each been disclosed separately, per an out-of-cycle security advisory. Despite submitting four vulnerability reports in total, Juniper credited watchTowr with the discovery of just two.

Less than two weeks after having plugged a security hole that allows account takeover without user interaction, GitLab Inc. has patched a critical vulnerability in GitLab CE/EE again and is urging users to update their installations immediately.GitLab Inc. operates GitLab.com and develops GitLab Community Edition and Enterprise Edition, a widely used software development platform with built-in version control, issue tracking, code review, etc.

Several proof-of-concept exploits for a recently patched critical vulnerability in Jenkins have been made public and there's evidence of exploitation in the wild. Jenkins is a widely used Java-based open-source automation server that helps developers build, test and deploy applications, enabling continuous integration and continuous delivery.

Blind spots and critical vulnerabilities are worsening, with 45% of critical CVEs remaining unpatched.The educational services industry has a significantly higher percentage of servers with unpatched weaponised Common Vulnerabilities and Exposures, compared to the general average of 10%. Industries still using end-of-life or EoS OSs that are no longer actively supported or patched for vulnerabilities and security issues by the manufacturer: Educational services, retail trade, healthcare, manufacturing and public administration.

Proof-of-concept exploit code for a critical vulnerability in Fortra's GoAnywhere MFT solution has been made public, sparking fears that attackers may soon take advantage of it. CVE-2024-0204 was privately reported by Mohammed Eldeeb and Islam Elrfai of Spark Engineering Consultants in early December 2023, and Fortra's GoAnywhere MFT customers got an advance warning with instructions on how to remediate the vulnerability.

Apple has fixed an actively exploited zero-day vulnerability that affects Macs, iPhones, iPads and AppleTVs. CVE-2024-23222 is a type confusion issue that affects WebKit - Apple's browser engine used in the Safari web browser and all iOS and iPadOS web browsers.

The networking giant was accused of patching security flaws without disclosing them as standalone vulnerabilities, while Ivanti was called out for seemingly bundling multiple vulnerabilities under a single registered Common Vulnerabilities and Exposures ID. Security vulnerabilities that are serious enough to require patching to avoid problems for organizations generally need to be registered with a CVE Numbering Authority and added to the CVE program. Once registered with a CVE ID, vulnerabilities can be more easily identified and tracked by organizations, making their patching routine more easily manageable.

A previously patched critical vulnerability affecting Ivanti Endpoint Manager Mobile and MobileIron Core is being actively exploited, the Cybersecurity and Infrastructure Security Agency has confirmed by adding the vulnerability to its Known Exploited Vulnerabilities Catalog. It is not known whether the vulnerability is being exploited by ransomware groups, and CISA does not publish specific information about attacks in which the vulnerabilities in the KEV catalog are exploited.