Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-35942PUBLISHED: 2022-08-12
Improper input validation on the `contains` LoopBack filter may allow for arbitrary SQL injection. When the extended filter property `contains` is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL which may affect the confidentiality and integrity of data ...
CVE-2022-35949PUBLISHED: 2022-08-12
undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js con...
CVE-2022-35953PUBLISHED: 2022-08-12
BookWyrm is a social network for tracking your reading, talking about books, writing reviews, and discovering what to read next. Some links in BookWyrm may be vulnerable to tabnabbing, a form of phishing that gives attackers an opportunity to redirect a user to a malicious site. The issue was patche...
CVE-2022-35956PUBLISHED: 2022-08-12
This Rails gem adds two methods to the ActiveRecord::Base class that allow you to update many records on a single database hit, using a case sql statement for it. Before version 0.1.3 `update_by_case` gem used custom sql strings, and it was not sanitized, making it vulnerable to sql injection. Upgra...
CVE-2022-35943PUBLISHED: 2022-08-12
Shield is an authentication and authorization framework for CodeIgniter 4. This vulnerability may allow [SameSite Attackers](https://canitakeyoursubdomain.name/) to bypass the [CodeIgniter4 CSRF protection](https://codeigniter4.github.io/userguide/libraries/security.html) mechanism with CodeIgniter ...
User Rank: Apprentice
8/6/2014 | 11:58:58 AM
That means they are complementary, like the yin and the yang, the masculine and the feminine.
In the same way, you would protect your systems on your network each themselves, but you also make sure no one can reach them if you don't need them to be able to be reached. Those things are also orthogonal.
In IPv6, the idea seems to be that we don't need network encapsulation anymore (NAT) because some moron says "most attacks are coming from application vulnerabilities anyway". But protecting your systems (internally) is orthogonal to not letting outside attackers in without invitations (a firewall) - you can do both at the same time, independent of one another (that's what orthogonal means).
So these are two different directions or dimensions and you can travel both whenever you like, both at the same time, only one and not the other, etcetera.
You can bolster your credentials-that-are-bound-to-one-user based model and at the same time bolster your "you are in unknown territory friend, and I have the upper hand here" model.
It is utterly foolish to suggest that a system needs to be secury only by way of its essential technical design.
A thief that knows a map of your palace will be a much harder threat than someone accidentally stumbling in.
Any thief knows this, so why don't the guards??
Technical open source systems are by definition vulnerable to mass exploits.
Obfuscated systems are, by definition, not.
At the same time, obfuscated systems are vulnerable to single-point attacks. Open source systems are not more vulnerable to those kinds of attacks, than to mass attacks.
Therefore you use both kinds of defense at the same time, and you use both of them to your maximum extent or capability.