Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

On October 26, 2023, F5 released security hotfixes for a critical unauthenticated RCE vulnerability (CVE-2023-46747) in BIG-IP’s Traffic Management User Interface (TMUI). If successfully exploited a threat actor with network access to the vulnerable system could bypass the configuration utility authentication and execute arbitrary system commands. CVE-2023-46747 is exploitable if the Traffic Management User Interface is exposed to the Internet.

Three security issues were reported on October 27th by the Kubernetes security community, all of them related to the popular NGINX ingress component.

Earlier this month, the District of Columbia Board of Elections (DCBOE) warned that a threat actor may have gained access to the personal information of their registered voters. This would include personally identifiable information (PII) such as contact details, partial social security numbers, dates of birth, and driver’s license numbers. In an X post on Friday 20th October, the agency was keen to stress that it was only a possibility the voter roll had been accessed.

The Fireblocks research team recently uncovered an ERC-4337 Account Abstraction vulnerability in the smart contract wallet UniPass. Fireblocks worked with UniPass to fully mitigate the vulnerability, which was found in hundreds of mainnet wallets in a whitehat operation. All funds are now safe and accounted for.

On October 25, 2023 VMware published a security advisory regarding a critical out-of-bounds write vulnerability (CVE-2023-34048) that has been fixed in the latest updates by VMware. The vulnerability has received a critical severity rating by VMware as it could potentially allow a remote, unauthenticated threat actor to achieve remote code execution if successfully exploited.

In today's world of fast-paced software development, security is not an option — it’s a necessity. Security has become an integral part of the development process rather than a separate concern addressed by a different team once development is complete. Integrating Snyk security into your development workflows is a crucial step toward achieving comprehensive software security.

Everyone is talking about generative artificial intelligence (GenAI) and a massive wave of developers already incorporate this life-changing technology in their work. However, GenAI coding assistants should only ever be used in tandem with AI security tools. Let's take a look at why this is and what we're seeing in the data. Thanks to AI assistance, developers are building faster than ever.

On October 18, security researcher Zemnmez began the process of responsibly disclosing a "Use of Weak Hash" vulnerability that they found in crypto-js, an open source JavaScript library of crypto standards, for which maintenance has been discontinued. The vulnerability also impacts the crypto-es package (for ES6 and TypeScript), and the researcher has opened a similar issue requesting that the maintainers enable private disclosures.