Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25533 | PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...
CVE-2021-3162 | PUBLISHED: 2021-01-15
Docker Desktop Community before 2.5.0.0 on macOS mishandles certificate checking, leading to local privilege escalation.
CVE-2021-21242 | PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or a...
CVE-2021-21245 | PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary file upload which can be used to u...
CVE-2021-21246 | PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However for the `/users/` endpoint there are no security checks enforced so it is possible to retrieve ar...
User Rank: Apprentice
3/19/2014 | 1:04:31 AM
@ubm_techweb_disqus_sso_-0480d4a7522709036363932f5b73339c:disqus - I've been at cybersecurity in many different sectors for a long time (20+ yrs). In the recent past I used to see non-techies go into threat intelligence, policy, and strategy; the latter two _generally_ only if you have an advanced degree from a prestigious university. In the commercial sector, threat intel weenies produced interesting but generally not actionable reporting, so we started to use techies and trained them in intel so they can produce actionable threat reporting & indicators (it's hard to connect the dots if you don't understand the rules of the environment). FWIW, neither my colleagues I speak with nor I have had generally positive experiences with candidates who have cybersecurity degrees, advanced or otherwise. Personally, I generally hire based on references. If I do take a chance, I generally look for at least a minor in EE/Computer Engineering/CompSci from a top 50 program and some experience (~2-3 yrs) as a network/systems engineer or low-level software engineer. The best people I've taken a chance on have had a minor in one of those fields and a major in the arts/humanities. I admit, my criteria are generally narrow and I may miss qualified candidates. However, I can't spend the time required to find the diamond in the rough ... and neither can my recruiters.