Security News

Critical Apache Struts RCE vulnerability wasn't fully fixed, patch now
2022-04-13 14:35

Apache has fixed a critical vulnerability in its vastly popular Struts project that was previously believed to have been resolved but, as it turns out, wasn't fully remedied. Tracked as CVE-2021-31805, the critical vulnerability exists in Struts 2 versions from 2.0.0 up to and including 2.5.29.

Critical LFI Vulnerability Reported in Hashnode Blogging Platform
2022-04-12 06:08

Researchers have disclosed a previously undocumented local file inclusion vulnerability in Hashnode, a developer-oriented blogging platform, that could be abused to access sensitive data such as SSH keys, the server's IP address, and other network information. "The LFI originates in a Bulk Markdown Import feature that can be manipulated to provide attackers with unimpeded ability to download local files from Hashnode's server," Akamai researchers said in a report shared with The Hacker News.

CISA Warns of Active Exploitation of Critical Spring4Shell Vulnerability
2022-04-05 20:27

The U.S. Cybersecurity and Infrastructure Security Agency on Monday added the recently disclosed remote code execution vulnerability affecting the Spring Framework to its Known Exploited Vulnerabilities Catalog based on "evidence of active exploitation." The critical severity flaw, assigned the identifier CVE-2022-22965 and dubbed "Spring4Shell", impacts Spring model-view-controller and Spring WebFlux applications running on Java Development Kit 9 and later.

Wyze Camera Vulnerability
2022-04-04 11:13

Wyze ignored a vulnerability in its home security cameras for three years. Bitdefender, who discovered the vulnerability, let the company get away with it. In case you’re wondering, no, that is...

Week in review: Spring4Shell vulnerability, attackers exploiting patched RCE in Sophos Firewall
2022-04-03 08:00

Attackers are exploiting recently patched RCE in Sophos Firewall
A critical vulnerability in Sophos Firewall is being exploited in the wild to target "a small set of specific organizations primarily in the South Asia region," Sophos has warned.

IcedID trojan delivered via hijacked email threads, compromised MS Exchange servers
A threat actor is exploiting vulnerable on-prem Microsoft Exchange servers and using hijacked email threads to deliver the IcedID trojan without triggering email security solutions.

GitLab Releases Patch for Critical Vulnerability That Could Let Attackers Hijack Accounts
2022-04-01 21:03

DevOps platform GitLab has released software updates to address a critical security vulnerability that, if exploited, could permit an adversary to seize control of accounts. "A hardcoded password was set for accounts registered using an OmniAuth provider in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts," the company said in an advisory published on March 31.

Critical GitLab vulnerability lets attackers take over accounts
2022-04-01 14:52

GitLab has addressed a critical severity vulnerability that could allow remote attackers to take over user accounts using hardcoded passwords. The bug affects both GitLab Community Edition and Enterprise Edition.

Spring patches leaked Spring4Shell zero-day RCE vulnerability
2022-03-31 15:16

Spring released emergency updates to fix the 'Spring4Shell' zero-day remote code execution vulnerability, which leaked prematurely online before a patch was released. Yesterday, an exploit for a zero-day remote code execution vulnerability in the Spring Framework dubbed 'Spring4Shell' was briefly published on GitHub and then removed.

QNAP Warns of OpenSSL Infinite Loop Vulnerability Affecting NAS Devices
2022-03-30 20:30

Taiwanese company QNAP this week revealed that a select number of its network-attached storage appliances are affected by a recently disclosed bug in the open-source OpenSSL cryptographic library. "An infinite loop vulnerability in OpenSSL has been reported to affect certain QNAP NAS," the company said in an advisory published on March 29, 2022.

North Korean threat actors target news outlets and fintechs with a Google Chrome vulnerability
2022-03-30 14:07

Threat actors from North Korea have been exploiting a vulnerability in Google Chrome to deliver remote code to targeted users, particularly news outlets, software vendors and fintechs in the United States. On Feb. 10, Google's TAG team discovered two distinct threat actors using that vulnerability to target U.S.-based organizations spanning the news media, IT, cryptocurrency and fintech industries.