Aggregator

error code: 521

HackerNews 编译，转载请注明出处： 谷歌周四宣布推出OSV-SCALIBR（软件成分分析库），这是一款用于软件成分分析的开源库。 该工具以开源Go库的形式发布，是一款可扩展的文件系统扫描器，旨在提取软件库存信息并识别漏洞。 OSV-SCALIBR既可以作为独立的二进制文件（库的外围包装）使用，也可以作为库导入到Go项目中。 该工具支持对包、二进制文件和源代码进行软件成分分析（SCA）。它可用于扫描Linux、Windows和macOS上的操作系统包，并支持多种编程语言的工件和锁定文件扫描。 此外，它还提供了漏洞扫描功能，并可用于生成SPDX和CycloneDX格式的软件物料清单（SBOM）。 “OSV-SCALIBR现在是谷歌用于实时主机、代码仓库和容器的主要SCA引擎。它已在许多不同的产品和内部工具中进行了广泛使用和测试，以帮助生成SBOM、发现漏洞，并以谷歌的规模保护用户数据，”这家互联网巨头表示。 该工具的功能已被分组为软件提取和漏洞检测插件，当执行独立的二进制文件时，一组推荐的内部插件将默认运行。 OSV-SCALIBR在其定义文件中存储了内置插件模块。当该工具作为库使用时，可以通过导入这些插件并将它们添加到扫描配置中来启用它们。当SCALIBR作为库使用时，也可以运行自定义插件。 OSV-SCALIBR目前主要作为开源Go库提供，但谷歌正在努力将其更深入地集成到2022年发布的开源依赖项漏洞扫描器OSV-Scanner中。 OSV-SCANNER中的一些功能已经具备了OSV-SCALIBR的部分能力，未来几个月内将集成更多功能，包括已安装包的提取、SBOM生成和弱凭据扫描。 “请注意，OSV-Scanner V2即将发布，将具备许多这些新功能。OSV-Scanner将成为需要CLI界面的用户使用OSV-SCALIBR库的主要前端。OSV-Scanner的现有用户可以继续以相同的方式使用该工具，同时保持对所有现有用例的向后兼容性，”谷歌表示。   消息来源：Security Week, 编译：zhongx；  本文由 HackerNews.cc 翻译整理，封面来源于网络；   转载请注明“转自 HackerNews.cc”并附上原文

A vulnerability classified as problematic was found in McAfee VirusScan Enterprise up to 8.x. Affected by this vulnerability is an unknown functionality. The manipulation leads to improper access controls. This vulnerability is known as CVE-2010-5143. An attack has to be approached locally. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as problematic has been found in Poppler 0.13.0/0.13.1/0.13.2. Affected is an unknown function of the file DCTStream.cc. The manipulation leads to improper input validation. This vulnerability is traded as CVE-2010-5110. It is possible to launch the attack remotely. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability, which was classified as critical, was found in SAP Netweaver Java Application Server up to 7.2. This affects an unknown part of the component Invoker Servlet. The manipulation leads to improper privilege management (Detour). This vulnerability is uniquely identified as CVE-2010-5326. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.

A vulnerability, which was classified as problematic, has been found in Todd Miller sudo. This issue affects some unknown processing of the file check.c. The manipulation leads to improper access controls. The identification of this vulnerability is CVE-2011-0010. It is possible to launch the attack on the local host. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, has been found in Alibabaclone Alibaba Clone B2B 3.4. Affected by this issue is some unknown functionality of the file countrydetails.php. The manipulation of the argument es_id leads to sql injection. This vulnerability is handled as CVE-2010-4849. The attack may be launched remotely. Furthermore, there is an exploit available.

error code: 521

HackerNews 编译，转载请注明出处： 一个名为“pycord-self”的恶意软件包出现在Python包索引（PyPI）上，该软件包的目标用户为Discord开发者，旨在窃取认证令牌并在系统中植入后门以实现远程控制。 该软件包模仿了广受欢迎的“discord.py-self”软件包，后者下载量已近2800万次，并且甚至提供了正版项目的功能。 正版软件包是一个Python库，允许与Discord的用户API通信，并允许开发者以编程方式控制账户。 它通常用于消息传递和自动化交互、创建Discord机器人、编写自动化管理脚本、通知或响应，以及在不使用机器人账户的情况下运行命令或从Discord检索数据。 据代码安全公司Socket称，该恶意软件包去年6月被添加到PyPi上，截至目前已被下载885次。 截至发稿时，该软件包仍可通过一个已通过平台验证其详细信息的发布者从PyPI获取。 PyPI上的恶意软件包（图片来源：BleepingComputer） Socket研究人员分析了该恶意软件包，发现pycord-self包含执行两项主要操作的代码。一是从受害者处窃取Discord认证令牌并将其发送到外部URL。 攻击者可以使用窃取的令牌，在无需访问凭据的情况下劫持开发者的Discord账户，即使启用了双重身份验证保护也不例外。 该恶意软件包的第二个功能是，通过端口6969与远程服务器建立持久连接，从而设置一个隐蔽的后门机制。 Socket在报告中解释道：“根据操作系统的不同，它会启动一个shell（Linux上的“bash”或Windows上的“cmd”），使攻击者能够持续访问受害者的系统。” “后门在单独的线程中运行，这使得在软件包继续看似正常运行的同时难以检测到它。” 在机器上设置后门（图片来源：Socket） 建议软件开发人员避免在不确认代码来自官方作者的情况下安装软件包，尤其是热门软件包。验证软件包名称也可以降低遭遇拼写劫持攻击的风险。 在使用开源库时，如果可能的话，建议审查代码以查找可疑功能，并避免使用任何看似混淆的代码。此外，扫描工具可能有助于检测和阻止恶意软件包。 消息来源：Bleeping Computer, 编译：zhongx；  本文由 HackerNews.cc 翻译整理，封面来源于网络；   转载请注明“转自 HackerNews.cc”并附上原文

A vulnerability has been found in couponPHP and classified as critical. Affected by this vulnerability is an unknown functionality of the file comments_paginate.php. The manipulation of the argument iDisplayStart leads to sql injection. This vulnerability is known as CVE-2014-10034. The attack can be launched remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, was found in PostgreSQL 8.1.0/8.1.1/8.1.2. This affects the function SET COMMAND of the component Error Handler. The manipulation leads to improper access controls. This vulnerability is uniquely identified as CVE-2006-0553. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in PostgreSQL 8.1.0/8.1.1/8.1.2 and classified as problematic. This vulnerability affects the function SET SESSION AUTHORIZATION. The manipulation leads to improper access controls. This vulnerability was named CVE-2006-0553. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Oracle Database 8.x. It has been rated as critical. This issue affects the function PLSQLExclusion. The manipulation leads to an unknown weakness. The identification of this vulnerability is CVE-2006-0435. The attack may be initiated remotely. There is no exploit available. It is recommended to apply restrictive firewalling.

A vulnerability, which was classified as critical, has been found in NullSoft WinAmp up to 5.12. Affected by this issue is some unknown functionality of the component Playlist File Name Handler. The manipulation leads to memory corruption. This vulnerability is handled as CVE-2006-0476. The attack may be launched remotely. Furthermore, there is an exploit available. It is recommended to replace the affected component with an alternative.

A vulnerability classified as problematic was found in Adobe Illustrator up to Cs3. This vulnerability affects unknown code. The manipulation leads to improper access controls. This vulnerability was named CVE-2006-0525. Attacking locally is a requirement. There is no exploit available.

A vulnerability, which was classified as critical, has been found in AOL client 8.0/9.0. This issue affects some unknown processing. The manipulation leads to Local Privilege Escalation. The identification of this vulnerability is CVE-2006-0526. It is possible to launch the attack on the local host. There is no exploit available.

2025年值得关注的十大漏洞管理工具 日期：2025年01月20日 阅：82 漏洞扫

漏洞扫描工具在现代网络安全框架中必不可少。它们不仅可以帮助组织在漏洞被利用之前识别和修复漏洞，还可以支持合规性 […]

追回“八折事故”资金损失？支付宝澄清；惠普多个关键系统疑遭黑客入侵，API凭证等敏感数据泄露 | 牛览 日期：2025年01月20日

新闻速览 •拜登签署行政命令加强国家网络安全 •美国联邦贸易委员会勒令GoDaddy整改安全漏洞 •追回“八折 […]