Aggregator

Фонд свободного ПО наградил главных героев 2024 года.

A vulnerability classified as problematic has been found in okta okta-sdk-java up to 20.0.0. This impacts the function ApiClient of the component Okta Management API. Performing manipulation results in race condition. This vulnerability is reported as CVE-2025-67505. The attack is possible to be carried out remotely. No exploit exists. It is recommended to upgrade the affected component.

A vulnerability described as problematic has been identified in auth0 nextjs-auth0 up to 4.11.1/4.12.0. This affects the function TokenRequestCache. Such manipulation leads to incorrect authorization. This vulnerability is documented as CVE-2025-67490. The attack can be executed remotely. There is not any exploit available. Upgrading the affected component is recommended.

A vulnerability marked as critical has been reported in GitLab Community Edition and Enterprise Edition up to 18.4.5/18.5.3/18.6.1. The impacted element is an unknown function of the component API Handler. This manipulation causes allocation of resources. This vulnerability is registered as CVE-2025-14157. Remote exploitation of the attack is possible. No exploit is available. It is suggested to upgrade the affected component.

A vulnerability labeled as problematic has been found in GitLab Community Edition and Enterprise Edition up to 18.4.5/18.5.3/18.6.1. The affected element is an unknown function. The manipulation results in cross site scripting. This vulnerability is cataloged as CVE-2025-12716. The attack may be launched remotely. There is no exploit available. The affected component should be upgraded.

A vulnerability identified as problematic has been detected in GitLab Community Edition and Enterprise Edition up to 18.4.5/18.5.3/18.6.1. Impacted is an unknown function. The manipulation leads to basic cross site scripting. This vulnerability is listed as CVE-2025-8405. The attack may be initiated remotely. There is no available exploit. You should upgrade the affected component.

A vulnerability categorized as critical has been discovered in Qihang Media Web Digital Signage 3.0.9. This issue affects some unknown processing of the file QH.aspx. Executing manipulation of the argument data can lead to path traversal. This vulnerability is tracked as CVE-2020-36898. The attack can be launched remotely. Moreover, an exploit is present.

HackerNews 编译，转载请注明出处： 谷歌 Gemini 企业级 AI 生态系统中一个新发现的提示词注入漏洞已被修复，该漏洞曾允许攻击者窃取敏感的 Gmail 邮件、文档及日历数据，但专家表示，这只是 AI 漏洞时代的开端。 “GeminiJack” 漏洞存在于谷歌 Gemini Enterprise（此前也存在于 Vertex AI Search）中，由诺玛实验室（Noma Labs）的研究人员于今年 5 月发现，在与谷歌合作完成修复后，该漏洞已于本周二被公开披露。 攻击者利用企业对谷歌 Workspace 工具及共享功能的依赖，能够操纵日常工作流程，进而访问并窃取企业敏感信息。 诺玛实验室指出：“一份共享的谷歌文档、一则谷歌日历邀请，甚至一封 Gmail 邮件，都能瞬间成为侵入企业数据的持续性开放通道。” 更关键的是，诺玛实验室称，与传统软件漏洞不同，GeminiJack 并非常规缺陷，而是谷歌企业级 AI 系统在解读用户提供内容时存在的架构性弱点。 同时，由于该漏洞无需用户任何操作即可造成危害，它也被视为迄今企业级云环境中遭遇的最严重 AI 驱动型安全风险之一。 诺玛实验室在其安全博客中解释：“目标员工无需进行任何点击，不会出现任何警示信号，也不会触发任何传统安全工具。” DryRun Security 首席执行官詹姆斯・威克特（James Wickett）表示：“GeminiJack 这类事件表明，提示词注入和数据泄露已不再是边缘性研究课题，这些漏洞是企业（即便是大型科技公司）将大语言模型接入系统时，深层架构问题的外在表现。” 漏洞攻击原理 诺玛实验室研究人员称，攻击者可在共享文档或消息中嵌入隐藏指令。 当员工后续使用谷歌 Gemini Enterprise AI 执行常规搜索时，AI 助手会自动检索被篡改的内容、执行恶意指令，并通过伪装的外部图片请求，轻松将敏感数据外传。 借助 GeminiJack 零点击漏洞，单次常规 AI 查询就可能泄露以下信息： 数年的内部邮件，包括客户沟通及财务往来信息 完整的日历历史，可泄露商务谈判、合作关系及企业组织运作情况 全部文档库，涵盖合同文件至技术架构方案等各类资料 谷歌方面表示 “已对漏洞披露做出迅速响应”，其团队与诺玛实验室协作 “厘清了攻击路径并实施了全面的缓解措施”。 诺玛实验室称，此次修复解决了检索增强生成（RAG）处理管道中指令与内容混淆的核心问题。 据英伟达定义，检索增强生成（RAG）是一套循环式处理流程，可实时完成文档预处理、数据摄入及嵌入向量生成，将用户查询转化为易于理解的信息，同时最大限度降低模型 “幻觉” 现象。 而所有窃取的数据，都会通过看似正常的图片请求直接流向攻击者，这类请求与合法流量难以区分。 诺玛实验室研究人员评价道：“这是 AI 过度自主权限的典型体现。AI 助手完全按设计逻辑运行，却沦为了可想象到的最高效企业间谍工具。” 谷歌指出，作为修复措施的一部分，Vertex AI Search 现已与 Gemini Enterprise 完全分离，确保二者不再共用同一大语言模型驱动的检索管道。 对于未来的 AI 注入攻击，威克特指出 “我们仍处于 AI 应用初期阶段”。 他认为，在团队为模型输入、检索来源及智能体操作建立起真正的防护屏障前，未来几年内类似 GeminiJack 的故障还会不断出现。 威克特表示：“若缺乏此类管控且不重视构建安全的 AI 应用，这类安全事件大概率会愈发频繁。”     消息来源：cybernews； 本文由 HackerNews.cc 翻译整理，封面来源于网络； 转载请注明“转自 HackerNews.cc”并附上原文

A vulnerability was found in Aqara Camera Hub G3, Hub M2 and Hub M3. It has been rated as critical. This vulnerability affects unknown code. Performing manipulation results in improper certificate validation. This vulnerability is identified as CVE-2025-65291. The attack can be initiated remotely. There is not any exploit available.

A vulnerability was found in Aqara Camera Hub G3, Hub M2 and Hub M3. It has been declared as critical. This affects an unknown part of the component Firmware Update Handler. Such manipulation leads to improper certificate validation. This vulnerability is referenced as CVE-2025-65290. It is possible to launch the attack remotely. No exploit is available.

A vulnerability was found in Qihang QiHang Media Web Digital Signage 3.0.9.0. It has been classified as problematic. Affected by this issue is some unknown functionality of the file QH.aspx. This manipulation of the argument path/filename causes exposure of backup file to an unauthorized control sphere. The identification of this vulnerability is CVE-2020-36899. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.

A vulnerability was found in Qihang QiHang Media Web Digital Signage 3.0.9 and classified as critical. Affected by this vulnerability is an unknown functionality of the file QH.aspx. The manipulation of the argument remotePath/fileToUpload results in unrestricted upload. This vulnerability was named CVE-2020-36897. The attack may be performed from remote. In addition, an exploit is available.

A vulnerability has been found in GitLab Community Edition and Enterprise Edition up to 18.4.5/18.5.3/18.6.1 and classified as critical. Affected is an unknown function. The manipulation leads to allocation of resources. This vulnerability is uniquely identified as CVE-2025-4097. The attack is possible to be carried out remotely. No exploit exists. The affected component should be upgraded.

A vulnerability, which was classified as critical, was found in GitLab Community Edition and Enterprise Edition up to 18.4.5/18.5.3/18.6.1. This impacts an unknown function of the component WebAuthn Two-Factor Authentication. Executing manipulation can lead to authentication bypass using alternate channel. This vulnerability is handled as CVE-2025-11984. The attack can be executed remotely. There is not any exploit available. You should upgrade the affected component.

A vulnerability, which was classified as critical, has been found in auth0 nextjs-auth0 up to 4.12.x. This affects an unknown function. Performing manipulation of the argument returnTo results in incomplete blacklist. This vulnerability is known as CVE-2025-67716. Remote exploitation of the attack is possible. No exploit is available. It is advisable to upgrade the affected component.

HackerNews 编译，转载请注明出处： 俄罗斯媒体The Bell发布了一篇深度报道，揭秘今年 7 月俄罗斯国家航空公司俄罗斯国际航空公司（俄航，Aeroflot）遭遇的重大黑客攻击事件，证实该公司当时整个基础设施曾濒临崩溃边缘。 早在 7 月，两个亲乌黑客组织 ——“沉默乌鸦（Silent Crow）” 和 “白俄罗斯网络游击队（Belarusian Cyber-Partisans）” 就已宣称对这起针对俄航的攻击负责。 黑客们不仅瘫痪了 7000 台服务器、窃取了乘客及员工数据，还控制了包括高管在内的员工个人电脑。他们透露，此次行动是一场耗时一年的俄航网络渗透计划。 不过，当时现场的实际情况究竟如何？据The Bell报道，与其他多起规模较小的同类攻击不同，俄航遇袭事件根本无法被俄罗斯官方掩盖：数百架航班延误或取消，数千名乘客滞留于大大小小的机场。 尽管如此，俄航仍试图隐瞒。The Bell指出，该航空公司甚至未告知内部员工公司正遭受黑客攻击，反而将事件定性为 “信息系统故障”。但事实上，攻击者当时已险些摧毁其全部基础设施。 紧急切断全楼电源 这场攻击始于 7 月 28 日凌晨 5 时，彼时俄航技术支持群内开始上报紧急情况：系统瘫痪、电脑反复重启且无法恢复。 两小时后，在确认黑客正实时擦除员工办公电脑数据后，俄航下达了 “全面停机” 的指令。 《The Bell》的消息源透露，当时切断总部所有楼层的电源，是阻止攻击者彻底摧毁公司全部网络基础设施的唯一办法。 这是因为，正如黑客后续所言，且有匿名俄航官员向《The Bell》证实的那样，他们已获取了航空公司整个企业网络的管理员权限。 随后，攻击者在俄航企业网络中推送了一项组策略，触发了工作站的定时数据擦除程序。局势一度濒临全面失控 —— 不过俄航团队的应对其实十分迅速。 一位接近仍在进行中的调查的消息人士解释道：“他们切断了与俄罗斯电信公司（Rostelecom）的通信，中断了与机票数据库的连接，还断开了和谢列梅捷沃机场的链路，以至于工作人员只能靠 Excel 表格重建所有数据，在大幅纸上重新绘制全部航线。” “这无疑对公司声誉造成了损害。但如果当时没有如此迅速地行动，公司的基础设施恐怕会荡然无存。” 事发当天，俄航共取消 108 架次航班，仅在其枢纽机场谢列梅捷沃机场，就有超 80 架次航班延误。该航空公司称，此次航班取消造成的损失至少达 2.6 亿卢布（约合 334 万美元）—— 但这个数字其实并不算多。 薄弱环节：合作承包商 尽管直接经济损失有限，此次攻击造成的整体危害却极大。《The Bell》指出，被窃取的数据中，“非商业航班” 相关信息或为最敏感的内容。 原因在于，攻击发生后，黑客公布了一份由俄国防部代表签署的文件，文件中国防部要求将其设备接入俄航内部网络，以 “高效规划军事空运任务”。 一位俄航消息人士指出：“这对俄航是沉重一击。该公司一直将自身定位为纯民用航空公司，过去几年也一直在刻意与战事保持距离，而这份文件却将一切白纸黑字地摆到了台面上。” 该人士认为，这或许正是此次网络攻击的核心目的。 此次攻击的初始入口，似乎是一家名为巴卡软件（Bakka Soft）的小型 IT 公司。该公司负责为俄航开发移动及网页应用，且在攻击发生前一个月，还刚宣布推出了俄航新版 iOS 网页应用。 《The Bell》称，早在 2025 年 1 月，也就是攻击发生前 6 个月，为俄航提供技术支持的 IT 专家就已在俄航及巴卡软件的网络中监测到了可疑活动。 巴卡软件从未公开披露其系统遭黑客入侵的消息，但种种迹象表明入侵确实发生过。 白俄罗斯网络游击队的代表尤利娅娜・舍梅托维茨（Yuliana Shemetovets）指出，俄航管理层使用的是简单且极易被破解的密码。 网络安全专家虽已将入侵者逐出俄航系统，但消息人士称，他们并未彻底清理巴卡软件的基础设施，这使得攻击者得以着手筹备后续的网络攻击。 《The Bell》的一位消息人士惋惜道：“这类事件中，承包商往往是薄弱环节：他们难以及时取得联系、会抗拒配合调查、不允许访问其基础设施，而且基础设施的清理工作也做得一塌糊涂。” 该媒体还联系到白俄罗斯网络游击队代表尤利娅娜・舍梅托维茨，她也指出俄航管理层存在使用简易密码的问题。   消息来源：cybernews； 本文由 HackerNews.cc 翻译整理，封面来源于网络； 转载请注明“转自 HackerNews.cc”并附上原文

A vulnerability classified as problematic was found in formio Form.io up to 3.5.6/4.4.2 on Serverless. The impacted element is an unknown function of the component API Endpoint. Such manipulation leads to improper handling of case sensitivity. This vulnerability is traded as CVE-2025-67718. The attack may be launched remotely. There is no exploit available. Upgrading the affected component is advised.

A vulnerability classified as critical has been found in Mayuri-Chan pyrofork up to 2.3.68. The affected element is an unknown function of the component Telegram Message Handler. This manipulation causes path traversal. This vulnerability appears as CVE-2025-67720. The attack may be initiated remotely. There is no available exploit. It is recommended to upgrade the affected component.

A vulnerability described as problematic has been identified in ibexa user up to 5.0.3. Impacted is an unknown function. The manipulation results in unverified password change. This vulnerability is reported as CVE-2025-67719. The attack requires a local approach. No exploit exists. Upgrading the affected component is recommended.

英伟达开发出了一种地理位置验证技术去判断 AI 芯片运行时所处的区域位置。它已经在内部演示了该功能，但尚未正式发布。该功能将作为可选的软件工具提供给客户安装。该技术利用了英伟达 GPU 的机密计算能力，通过与英伟达服务器通信的时间延迟估算芯片的地理位置。该技术将首先应用于最新一代的基于 Blackwell 架构的 AI 芯片，英伟达还在考虑将其应用于上一代的 Hopper 架构和 Ampere 架构芯片。该技术有助于解决美国政府对先进 AI 芯片走私到中国的担忧。