SecEvery - Vulnerability Warning
2024-07-23
帆软工具软件存在0day漏洞,访问URL:/webroot/decision/view/ReportServer?test\=&n\=,可执行GET参数n中的SQL语句。经与帆软确认,该漏洞是由于帆软自带的sqlite\-jdbc\-x.x.x.x.jar驱动导致。
2024-07-23
Twilio Authy contains an information disclosure vulnerability in its API that allows an unauthenticated endpoint to accept a request containing a phone number and respond with information about whether the phone number was registered with Authy.
2024-07-23
Microsoft Internet Explorer contains a use\-after\-free vulnerability that allows a remote attacker to execute arbitrary code via a crafted web site that triggers access to an object that \(1\) was not properly allocated or \(2\) is deleted, as demonstrated by a CDwnBindInfo object.
2024-01-31
runc是一个根据OCI规范,在Linux上生成和运行容器的命令行工具。 在runc 1.1.11及更早版本中,由于内部文件描述符泄漏,攻击者可以通过runc exec生成的新容器进程在主机文件系统命名空间中拥有工作目录,从而允许通过访问主机文件系统进行容器逃逸("攻击2")。同样的攻击也可以通过恶意镜像在runc run中使用,使容器进程能够通过runc run访问主机文件系统("攻击1")。攻击1和攻击2的变种也可以用来覆盖几乎任意的主机二进制文件,从而完全逃逸出容器。