Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-31650PUBLISHED: 2022-05-25In SoX 14.4.2, there is a floating-point exception in lsx_aiffstartwrite in aiff.c in libsox.a.
CVE-2022-31651PUBLISHED: 2022-05-25In SoX 14.4.2, there is an assertion failure in rate_init in rate.c in libsox.a.
CVE-2022-29256PUBLISHED: 2022-05-25
sharp is an application for Node.js image processing. Prior to version 0.30.5, there is a possible vulnerability in logic that is run only at `npm install` time when installing versions of `sharp` prior to the latest v0.30.5. If an attacker has the ability to set the value of the `PKG_CONFIG_PATH` e...
CVE-2022-26067PUBLISHED: 2022-05-25
An information disclosure vulnerability exists in the OAS Engine SecureTransferFiles functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to arbitrary file read. An attacker can send a sequence of requests to trigger this vulnera...
CVE-2022-26077PUBLISHED: 2022-05-25
A cleartext transmission of sensitive information vulnerability exists in the OAS Engine configuration communications functionality of Open Automation Software OAS Platform V16.00.0112. A targeted network sniffing attack can lead to a disclosure of sensitive information. An attacker can sniff networ...
User Rank: Ninja
8/27/2019 | 10:18:55 AM
This was done intentionally because of the WAF's configuration, it has to be configured to allow such entry (she had insider knowledge). She intentionally modified permissions from the AWS WAF-Role to allow for this type of attack. One thing that they left out, how did she gain access to the AWS cloud environment when the SG (Security Groups) and VPN access should have blocked this intrusion from an mgmt standpoint (again another area of weak security rules and no one reviewing the work).
Also, there is something that was left out, if they (Capital-One) were not notified of the incident and she did not share her experience online, then how long would this have gone on before they would have known (years)?
This is what I mean by organizations who have been lax in their security mechanisms even though they profess to ensure data integrity at all costs (why didn't they know about customer account data being moved or copied, NSA had the same problem with Ed Snowden, if he had not said anything to the public, they would have never known, seems as though history is repeating itself and we continue to miss our lessons-learned).
T