Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-36192 | PUBLISHED: 2021-01-18
An issue was discovered in the Source Integration plugin before 2.4.1 for MantisBT. An attacker can gain access to the Summary field of private Issues (either marked as Private, or part of a private Project), if they are attached to an existing Changeset. The information is visible on the view.php p...
CVE-2020-36193 | PUBLISHED: 2021-01-18
Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
CVE-2020-7343 | PUBLISHED: 2021-01-18
Missing Authorization vulnerability in McAfee Agent (MA) for Windows prior to 5.7.1 allows local users to block McAfee product updates by manipulating a directory used by MA for temporary files. The product would continue to function with out-of-date detection files.
CVE-2020-28476 | PUBLISHED: 2021-01-18
All versions of package tornado are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configura...
CVE-2020-28473 | PUBLISHED: 2021-01-18
The package bottle from 0 and before 0.12.19 are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with defa...
User Rank: Author
6/8/2015 | 12:36:22 PM
To your next point - no network architecture or data center is ever 100% safe. The security that we deploy is only as good as the policies, configurations, and best practices that we incorporate around it all. I have to argue that those organizations facilitating the architecture going into the modern cloud and data center environment are very much interested in more intelligent security practices. A breach will cost them customers, reputation, and - in this fast-paced world - potentially their entire business. It's not perfect out there - but it certainly is improving.
Now, to cloud security: we're seeing that it's certainly evolving and doing so at a very fast pace. We have yet to see ANY major cloud breach within some of the biggest cloud providers. Many of the biggest breaches have all happened with on-premise resources. And yes, I'll take a slightly more positive approach here and show that the way we secure our data centers today is a bit better than "dismal." Cloud providers don't want a legal process... they also really don't want negative public attention. So they'll do whatever they can to secure these multi-tenant environments. I'm not talking about some unrealistic pristine cloud security architecture here. I'm being realistic. The way we have created better network and cloud intelligence allows you to see more of the "bits" which are traveling the wire.
As for any open-source cloud management technology out there - yes, there are still some challenges to overcome. But OpenStack - when deployed properly - is a powerful cloud orchestration and API layer. A good security architecture will work with security to ensure no critical data is ever close to any holes. Joe - you take a very bleak approach to cloud and security in your comments. In working with data centers, cloud providers, and many security professionals - it's clear that big progress has been made around the security of your data. But you're right - it's not perfect. And, there are more breaches potentially happening as we store more data in the cloud and within our own data centers. The only way to work around this is to continue to improve the capabilities of the products in the field - and hope that they're not too "dismal" moving forward.