@amartya_jha_ @0dayPublishing @OpenSearchProj Your response completely proves my point, thank you.
A CVSSv3 8.1 would have been more fitting here, since Attack Complexity is "High" - the attacker needs per-target research to understand where to pass the custom cloning options (if at all possible!)
https://t.co/t6haNNCSdj
@amartya_jha_ @0dayPublishing @OpenSearchProj I can read just fine. The fact that downstream applications bumped the version does not mean they were vulnerable to this attack to begin with. Show me a popular real-world application that accepts both URL and cloning options from user-supplied input without sanitization.
@amartya_jha_ @0dayPublishing You should be ashamed of assigning a CVSS 9.8 for this issue. You're actively wasting the time of security teams.
There is no real-world application that uses simple-git and would allow attackers to control both the entire repo URL and the cloning options, this is ridiculous.
For TensorFlow-based Keras #ML models, a major deserialization issue was given the identifier #CVE-2024-3660.
Exploiting this issue allows attackers to inject and execute arbitrary code by crafting a malicious #Keras model file even when operating in Safe Mode.
Deep dive into this new vulnerability: https://t.co/UJb2ooZadF
Resulting in 20+ disclosed CVEs to #ML vendors, our team explored the attacks that could be mounted on open source machine learning (#MLOps) platforms used inside organizational networks.
Check out the top learnings and findings here: https://t.co/OsEROT5LfE
@Techslut @shakedko @JFrogSecurity You don't have to check with the NSA! Python themselves mentioned the exact date (actually we supplied them with the date)
The token was public from 03/03/2023 (almost a year and a half!)
There's more info in their blog -
https://t.co/yPqvruzAkL
A flag measuring 17 meters by 12 meters, the largest flag in Israel, has just been raised at the spot where the Nazi terrorists from Hamas broke in and murdered 20 residents of Netiv HaAsara: around the flag, 20 ancient olive trees were planted in the name and memory of those who perished.
The road is still long, but we are here. And from today, every time the accursed terrorists raise their heads they will see the flag of Israel and understand that we are not going anywhere 🇮🇱
.
Thanks to Itai Levi and Moshav Netiv HaAsara for the initiative, planning and execution, and to the hi-tech company JFrog, which funded and contributed
Photo: Amnon Ziv
@valentijn @roelanddelrue @dcuthbert @0xdade @jrozner @travismcpeak @manicode @semgrep For some languages yes.
Golang - https://t.co/sTeoiPodOe. For example here - https://t.co/CGtNikRSOT, look for "symbols" and "derived_symbols".
Rust - https://t.co/9egg510n8d. For example here - https://t.co/fGAouwJPlm, look for "[affected]"
Not aware of other advisory DBs
@kingthorin_rm @steveonjava @manicode AFAIK the only exceptions are Go and Rust's vulnerability databases, which do contain the affected symbols for each CVE (for Go it's for all CVEs, for Rust it's only for some of the CVEs). The "govulncheck" command actually makes use of this info!
@kingthorin_rm @steveonjava @manicode I agree, it's not enough... I happen to lead such a team and the reason that almost everybody is not doing full reachability is because you need an entire research team to classify FOR EACH CVE what the vulnerable function is, it's not available in any machine-readable way today.
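The tweets above point at the Go vulnerability database's per-advisory "symbols" lists and at govulncheck's use of them for reachability. As an added example (not code from govulncheck, the Go vulndb, or the tweet author), here is a small classifier that consumes an advisory in a simplified OSV-style layout modelled on the Go database (`affected[].package.name`, SEMVER `ranges`, and `ecosystem_specific.imports[].{path,symbols}`) and grades an application's exposure at three levels: vulnerable module version present, affected package imported, affected symbol actually called. The advisory record, its ID, module path and symbol names are all constructed placeholders, and the sets of imported packages and called symbols are assumed to come from a call-graph tool; the point is to show why symbol-level data makes the third level possible at all.

```python
import json

# Constructed advisory (placeholder ID, module and symbols), in a simplified
# OSV-style layout modelled on the Go vulnerability database.
ADVISORY_JSON = """
{
  "id": "GO-0000-PLACEHOLDER",
  "affected": [
    {
      "package": {"name": "example.com/vulnlib", "ecosystem": "Go"},
      "ranges": [{"type": "SEMVER",
                  "events": [{"introduced": "0"}, {"fixed": "1.4.2"}]}],
      "ecosystem_specific": {
        "imports": [
          {"path": "example.com/vulnlib/parser", "symbols": ["Decode", "decodeHeader"]},
          {"path": "example.com/vulnlib/util", "symbols": ["UnsafeCopy"]}
        ]
      }
    }
  ]
}
"""

LEVELS = ["not_affected", "module_only", "package_imported", "symbol_reachable"]


def parse_version(v):
    """'v1.4.2' / '1.4.2-rc1' / '0' -> comparable tuple of ints (pre-release dropped)."""
    return tuple(int(x) for x in v.lstrip("v").split("-")[0].split("."))


def version_affected(version, ranges):
    """True if `version` falls inside any SEMVER [introduced, fixed) interval."""
    ver = parse_version(version)
    for r in ranges:
        if r.get("type") != "SEMVER":
            continue
        introduced = None
        for ev in r["events"]:
            if "introduced" in ev:
                introduced = parse_version(ev["introduced"])
            elif "fixed" in ev:
                if introduced is not None and introduced <= ver < parse_version(ev["fixed"]):
                    return True
                introduced = None
        if introduced is not None and introduced <= ver:
            return True  # open-ended range: no fix published yet
    return False


def classify(advisory, module_versions, imported_packages, called_symbols):
    """Grade exposure to one advisory.

    module_versions:   {module path: version} from the dependency graph
    imported_packages: set of import paths the application compiles in
    called_symbols:    set of (import path, symbol) the call graph reaches
    Returns (level name, sorted list of reachable 'path.Symbol' strings).
    """
    level = 0
    reachable = []
    for aff in advisory["affected"]:
        module = aff["package"]["name"]
        version = module_versions.get(module)
        if version is None or not version_affected(version, aff["ranges"]):
            continue
        level = max(level, 1)  # vulnerable module version is present
        for imp in aff.get("ecosystem_specific", {}).get("imports", []):
            if imp["path"] in imported_packages:
                level = max(level, 2)  # affected package is imported
            for sym in imp.get("symbols", []):
                if (imp["path"], sym) in called_symbols:
                    level = 3  # affected symbol is actually reachable
                    reachable.append(f'{imp["path"]}.{sym}')
    return LEVELS[level], sorted(reachable)


def demo():
    """Four constructed applications at increasing levels of exposure."""
    adv = json.loads(ADVISORY_JSON)
    deps = {"example.com/vulnlib": "v1.3.0"}
    parser, util = "example.com/vulnlib/parser", "example.com/vulnlib/util"
    return {
        "patched":   classify(adv, {"example.com/vulnlib": "v1.4.2"}, {parser}, {(parser, "Decode")}),
        "dep_only":  classify(adv, deps, set(), set()),
        "imported":  classify(adv, deps, {util}, {(util, "SafeCopy")}),
        "reachable": classify(adv, deps, {parser}, {(parser, "Decode")}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} -> {result}")
```

Without the `symbols` field a scanner can only ever reach the `package_imported` verdict, which is the situation the second tweet describes for every ecosystem other than Go and Rust: the version range is machine-readable, the vulnerable function is not, so "reachable" has to be established by hand per CVE.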
What are you basing this statement on? Do you have a working RCE PoC on an embedded appliance?
Also -
1. It's prior to 3.0.7 (3.0.6 is still vulnerable)
2. It is highly unlikely that an embedded appliance will be running OpenSSL 3.x
3. See this - https://t.co/HXqTzqHKUH
Many are downplaying this weakness as unlikely to be exploited, however this is incorrect and there are many situations - particularly within embedded appliances - where this vulnerability may be triggered, and given a 4-byte controlled write, exploitation risk on embedded systems is high
@pwntester Are you sure you're not using any additional dependencies such as "org.apache.commons.jexl3"?
On my barebones PoC on Oracle JDK + OpenJDK 17/19 I'm getting 0 script engines available
Check out my research collaboration with @andre_colonel where we scanned 8+ MILLION OSS packages to find thousands of active API tokens!
Guess how many of those were admin tokens😱
https://t.co/yNprwdzgm5
JFrog uncovered multiple malicious packages in the #PyPI #Python repository, exploiting developers for data theft, remote code injections, and leaking credit cards. Find out all the details in our new blog post. https://t.co/4zQS0Sl8g9
Despite a high severity score, a #vulnerability was not patched because it could break existing functionality. Our latest post reviews this situation and why it is unacceptable to sacrifice #security in favor of functionality and release insecure code.
https://t.co/jf1pCjHSB0