Security firms dispute credit for overlapping #CVE reports
Warning: Serious security flaw in 7-Zip allows hackers to execute code remotely https://tugatech.com.pt/t72789-atencao-falha-de-seguranca-grave-no-7-zip-permite-que-hackers-executem-codigo-remotamente

Glad to present at #UYBHYS with @cedric our work on GCVE and Vulnerability Lookup, facilitating vulnerability management and publishing through a fully open-source stack.
Online version https://vulnerability.circl.lu/
github.com/vulnerability-lookup
https://gcve.eu/
#vulnerability #vulnerabilitymanagement #cybersecurity #infosec #cve #gcve

Hey folks, if you run Redis you should be aware of a CVSS 10 vuln, CVE-2025-49844, which is a Lua-related RCE. Redis has released a patch for this and 3 other CVEs. According to Wiz, this vuln has existed for 13 years. That means forks such as Valkey may also be impacted. Valkey has also released updates to address the same CVEs.
Redis: https://www.runzero.com/blog/redis/
Valkey: https://www.runzero.com/blog/valkey/
#Security #Redis #Valkey #CVE-2025-49844 #CVE202549844

Just a thought as I work through some bugs reported to NodeBB... would there be interest in ActivityPub.space hosting a "security" category for discussion around vulnerabilities, CVEs, and such that are related to ActivityPub?
For example, if NodeBB were to receive a bug bounty report and responsibly disclose the details, it would be ideal to have it archived in a place where it won't just disappear off the feed in a matter of minutes.
« Recently, security researcher Dirk-Jan Mollema disclosed CVE-2025-55241, a vulnerability so catastrophic that it reads like fiction: a single token, obtained from any test tenant, could have granted complete administrative control over every Microsoft Entra ID (Azure AD) tenant in the world. Every. Single. One. »
› https://tide.org/blog/god-mode-vulnerability-microsoft-authorityless-security
This is an insane vulnerability. The worst thing about this is that there's literally nothing you could do to stop this. Irresponsible engineering on Microsoft's part. I'm glad it's patched, but I'm concerned about security practices for Entra ID in general. https://dirkjanm.io/obtaining-global-admin-in-every-entra-id-tenant-with-actor-tokens/ #hack #cve #microsoft #azure #entra #cybersecurity
We have released a new version of Vulnerability-Lookup!
This release is packed with many improvements and some nice new features.
For full details, head over to:
https://www.vulnerability-lookup.org/2025/09/19/vulnerability-lookup-2-16-0/
CISA reaffirms support for the CVE Program, securing funding until 2026 and promising modernization, automation, and global inclusion.
Nick Andersen: “Defenders must operate from the same map. That’s what the CVE Program provides.”
Follow @technadu for continuous infosec updates.
Mitigations for #vmscape have been merged to #Linux mainline and included in new stable and longterm #kernel versions released about an hour ago (like 6.16.7 or 6.12.47).
Vmscape is a vulnerability that essentially takes Spectre-v2 and attacks host userspace from a guest. It particularly affects hypervisors like #QEMU.
For more details see this #LinuxKernel merge commit https://git.kernel.org/torvalds/c/223ba8ee0a3986718c874b66ed24e7f87f6b8124, the doc changes it contains at https://git.kernel.org/torvalds/c/9969779d0803f5dcd4460ae7aca2bc3fd91bff12, or the following page from those that published the vulnerability:
It is tracked as #CVE-2025-40300
Q: Was there a #CVE issued for the packages involved in the current #NpmAttack already?
New update for CVE Crowd!
You can now:
- Search for vendors or products to see all related CVEs and discussions
- Browse Bluesky posts alongside Fediverse ones
- Enjoy cleaner feeds thanks to the "similar post counter"
And believe it or not... all of that without any AI
Learn more below or visit https://cvecrowd.com to see the changes live and in color
GCVE-BCP-04 - Recommendations and Best Practices for ID Allocation version 1.1 published.
BCP Document https://gcve.eu/bcp/gcve-bcp-04/
PDF https://gcve.eu/files/bcp/gcve-bcp-04.pdf
Comments and feedback https://discourse.ossbase.org/t/gcve-bcp-04-drafting-recommendations-and-best-practices-for-id-allocation/119/4
#cve #gcve #vulnerability #cybersecurity #vulnerabilitymanagement
I played in a little team with Valkerie and others looking at hypervisor escapes back forever ago. Hardcore shit, that.
Docker Fixes CVE-2025-9074, Critical Container Escape Vulnerability With CVSS Score 9.3
https://thehackernews.com/2025/08/docker-fixes-cve-2025-9074-critical.html
BCP-04 Draft Preparation - Work-group session 25/08/2025 - Luxembourg
- 128 bytes including the prefix recommendation.
- ID format (7-bit character sets versus UTF).
- Assignment and allocation for same vulnerabilities.
#gcve #cve #opensource #cybersecurity
Thanks to for the feedback
How is it that, in the year of the flying spaghetti monster 2025, people are still allowed to submit CVEs on Java versions as recent as Java 24 that contain the following text (from EUVD-2025-11051 (alternatively CVE-2025-30698)):
This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.
In case anyone thinks I'm not being cautious enough, I present to you a quote from JEP 486, which explains why the Java security manager is being removed:
The Security Manager has not been the primary means of securing client-side Java code for many years, it has rarely been used to secure server-side code, and it is costly to maintain. We therefore deprecated it for removal in Java 17 via JEP 411 (2021). As the next step toward removing the Security Manager, we will revise the Java Platform specification so that developers cannot enable it and other Platform classes do not refer to it. This change will have no impact on the vast majority of applications, libraries, and tools. We will remove the Security Manager API in a future release.
Seriously. And people wonder why I don't take the vulnerability ecosystem seriously.
How many man-years are wasted doing analysis on these kinds of useless reports?
All projects need someone like @bagder to keep things serious.