GitHub Archives - Cyber Security Minute

GitHub Rotates Credentials in Response to Vulnerability

Issued by: SecurityWeek

The Microsoft-owned platform received the vulnerability report on December 26, 2023, and took immediate action to address the issue and revoke potentially exposed credentials, which led to disruptions between December 27 and 29. The security defect, which allowed access to credentials within a production container, had no impact beyond the security researcher who identified and…

Malware & Threats

Exploited Vulnerabilities Can Take Months to Make KEV List

Issued by: Dark Reading

On October 10, the Cybersecurity and Infrastructure Security Agency (CISA) updated the Known Exploited Vulnerabilities (KEV) catalog with five known software flaws. At the top of the list: A use-after-free vulnerability in Adobe’s Acrobat and Reader PDF-viewing applications that could allow code execution with the privileges of any user that clicked on a malicious file….

Cloud Security

New AlienFox toolkit harvests credentials for tens of cloud services

Issued by: Security Affairs

AlienFox is a new modular toolkit that allows threat actors to harvest credentials for multiple cloud service providers. AlienFox is available for sale and is primarily distributed on Telegram in the form of source code archives. Some modules are available on GitHub allowing threat actors to customize their malicious code to suit their needs. AlienFox…

Malware & Threats

Dropbox Code Repositories Stolen in Cyberattack on GitHub-Based Developers

Issued by: Dark Reading

A massive phishing campaign targeting GitHub users convinced at least one developer at Dropbox to enter in their credentials and a two-factor authentication code, leading to the theft of at least 130 software code repositories. According to a Dropbox advisory on Nov. 1, the mid-October attack consisted of emails that appeared to be from CircleCI,…

Vulnerabilities

15-Year-Old Python Vulnerability Present in 350,000 Projects Resurrected

Issued by: Security Week

The vulnerability in question is CVE-2007-4559, initially described as a directory traversal vulnerability in Python’s ‘tarfile’ module that could allow an attacker to remotely overwrite arbitrary files by convincing users to process specially crafted tar archives. The flaw was never properly patched and instead users were warned not to open archive files from untrusted sources….

Vulnerabilities

GitKraken Vulnerability Prompts Action From GitHub, GitLab, Bitbucket

Issued by: Security Week

Discovered in the open source library that the Git GUI client uses for SSH key generation, the issue affects all keys issued using versions 7.6.x, 7.7.x, and 8.0.0 of GitKraken. The security hole was identified in late September and was addressed with the release of GitKraken version 8.0.1. The SSH key generation library was replaced…

Vulnerabilities

GitHub Patches Security Flaws in Core Node.js Dependencies

Issued by: Security Week

“These vulnerabilities may result in arbitrary code execution due to file overwrite and creation when tar is used to extract untrusted tar files or when the npm CLI is used to install untrusted npm packages under certain file system conditions,” GitHub said in an advisory. A code npm dependency, tar is used to extract and…

Application Security

GitHub Paid Out Over $1.5 Million via Bug Bounty Program Since 2016

Issued by: Security Week

According to the company, in 2020, it paid out over half a million dollars for more than 200 vulnerabilities affecting its products and services. The amount is roughly the same as in the previous year. GitHub said it received more than 1,000 submissions through its public and private bug bounty programs, and claimed that its…

Vulnerabilities

GitHub Discloses Details of Easy-to-Exploit Linux Vulnerability

Issued by: Security Week

The flaw, classified as high severity and tracked as CVE-2021-3560, impacts polkit, an authorization service that is present by default in many Linux distributions. The security hole was discovered by Kevin Backhouse of the GitHub Security Lab. On Thursday, the researcher published a blog post detailing his findings, as well as a video showing the…