Aggregator

HackerNews 编译，转载请注明出处： 美国网络安全和基础设施安全局（CISA）于本周一将两个高危安全漏洞纳入其“已知被利用漏洞”（KEV）目录。这两个漏洞分别影响博科（Broadcom Brocade）光纤通道操作系统和Commvault Web服务器，已有证据表明其已被主动利用。 具体漏洞信息如下： CVE-2025-1976（CVSS评分：8.6） 博科光纤通道操作系统（Fabric OS）的代码注入漏洞，允许拥有管理员权限的本地用户以root权限执行任意代码。 CVE-2025-3928（CVSS评分：8.7） Commvault Web服务器中未公开具体细节的漏洞，允许经过身份验证的远程攻击者创建并执行Web Shell。 关于Commvault漏洞，该公司在2025年2月的安全公告中指出：“利用此漏洞需要攻击者已通过身份验证获取Commvault软件环境内的用户凭证。未经认证的访问无法利用此漏洞。对于软件用户而言，这意味着您的环境必须同时满足：(i) 可通过互联网访问；(ii) 已通过其他途径被入侵；(iii) 攻击者持有合法用户凭证。” 该漏洞影响以下Windows和Linux版本： 11.36.0 – 11.36.45（已在11.36.46修复） 11.32.0 – 11.32.88（已在11.32.89修复） 11.28.0 – 11.28.140（已在11.28.141修复） 11.20.0 – 11.20.216（已在11.20.217修复） 针对CVE-2025-1976漏洞，博科公司表示由于IP地址验证缺陷，拥有管理员权限的本地用户可在Fabric OS 9.1.0至9.1.1d6版本中通过root权限执行任意代码，该漏洞已在9.1.1d7版本修复。公司在2025年4月17日的公告中强调：“虽然利用此漏洞需首先获取管理员权限，但该漏洞已在真实环境中被主动利用。攻击者不仅可以执行现有系统命令，还能修改操作系统内核，甚至植入自定义子程序。” 目前，关于这两个漏洞被利用的具体方式、攻击规模及幕后组织的信息尚未公开。CISA建议联邦民事行政部门（FCEB）机构分别于2025年5月17日（Commvault）和5月19日（博科）前完成相关补丁安装。       消息来源： thehackernews； 本文由 HackerNews.cc 翻译整理，封面来源于网络；  转载请注明“转自 HackerNews.cc”并附上原文

A vulnerability, which was classified as critical, was found in Google Chrome. This affects an unknown part of the component Downloads. The manipulation leads to heap-based buffer overflow. This vulnerability is uniquely identified as CVE-2022-2853. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in FLIR AX8 up to 1.46.16. It has been classified as problematic. Affected is an unknown function of the component Web Management Interface. The manipulation leads to cross site scripting. This vulnerability is traded as CVE-2022-37063. It is possible to launch the attack remotely. Furthermore, there is an exploit available.

A vulnerability classified as critical was found in FastStone Image Viewer up to 7.5. Affected by this vulnerability is an unknown functionality of the component PNG tRNS Chunk Parser. The manipulation leads to stack-based buffer overflow. This vulnerability is known as CVE-2022-36947. The attack can be launched remotely. There is no exploit available.

A vulnerability has been found in Google Chrome and classified as critical. This vulnerability affects unknown code of the component Intents. The manipulation leads to improper input validation. This vulnerability was named CVE-2022-2856. The attack can be initiated remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in Apple Safari up to 15.6.0 and classified as critical. This vulnerability affects unknown code of the component WebKit. The manipulation leads to out-of-bounds write. This vulnerability was named CVE-2022-32893. The attack can be initiated remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as very critical has been found in Oracle Primavera Gateway up to 18.8.15/19.12.15/20.12.10/21.12.8. This affects an unknown part of the component Admin. The manipulation leads to code injection. This vulnerability is uniquely identified as CVE-2022-42889. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.

马斯克：下周推出 Grok 3.5；OpenAI 涉足电商，用户可通过 ChatGPT 购买商品；小米 YU7 汽车内饰更多谍照曝光

Although the National Institutes of Health appears to have scaled back plans to build a national registry to track individuals with autism, the agency's research project still poses critical data privacy concerns, said Ariana Aboulafia and Andrew Crawford of the Center for Democracy and Technology.

'Providers Must Urgently Reprioritize Security," Writes Patrick Opet
Banking giant JPMorgan Chase called on software as a service providers to improve cybersecurity practices in an open letter accusing them of "quietly enabling cyberattackers." An attack "on one major SaaS or PaaS provider can immediately ripple through its customers," wrote CISO Patrick Opet.

Capitol Meridian Partners' Razi on Smarter AI Use, Strong Leadership and Diversity
Many AI models prioritize speed over security, exposing organizations to significant risks. Niloofar Razi, operating partner at Capitol Meridian Partners, stressed the need for companies to evaluate models carefully before adoption.

Energy Department Disputes Nuclear Access Breach Claims in Latest DOGE Controversy
Department of Government Efficiency staffers gained access to accounts on classified networks storing some of the nation's top nuclear secrets according a report published concurrently with a lawsuit arguing the task force is unconstitutional and lacks congressional approval.

Hot Topics Also Include Quantum Computing, Blockchains, Artificial Intelligence
Cryptocurrencies have dramatically failed to live up to their promise, to the extent that the "world would be better" without them, said cryptographer Adi Shamir at this year's RSAC Conference, during an expert panel that touched on artificial intelligence, quantum computing, blockchains and more.

A vulnerability classified as problematic has been found in qBittorrent up to 5.0.0. This affects an unknown part. The manipulation leads to improper certificate validation. This vulnerability is uniquely identified as CVE-2024-51774. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

在全球安全秩序重组的风口浪尖，一位美国私营军事巨头正以超美国国家行动者的身份，悄然穿梭于世界各大冲突热点。他