Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27225PUBLISHED: 2021-03-01In Dataiku DSS before 8.0.6, insufficient access control in the Jupyter notebooks integration allows users (who have coding permissions) to read and overwrite notebooks in projects that they are not authorized to access.
CVE-2021-27132PUBLISHED: 2021-02-27SerComm AG Combo VD625 AGSOT_2.1.0 devices allow CRLF injection (for HTTP header injection) in the download function via the Content-Disposition header.
CVE-2021-25284PUBLISHED: 2021-02-27An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.
CVE-2021-3144PUBLISHED: 2021-02-27In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.)
CVE-2021-3148PUBLISHED: 2021-02-27An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py.
User Rank: Author
10/30/2019 | 4:59:47 PM
Security and its many disciplines are tough jobs. You're usually an overhead function, which means constant budget pressure, especially if you don't have a clear risk management process/plan. Security leaders have a difficult time navigating what the relationship with the board should be (and thier responsibilties), leaving the security team in ambiguous states of responsibility - a bad place ot be in a breach. Every company today is tehcnolgy driven, and tech adoption and operationalization is often the lynchpin of competitive edge... agile security is hard and can drag the business in it's goals.
I think there's some organizational coaching work, better leadership around roles and repsonsibilties, and better technical approaches that could change the climate for the security proffessional.