API ThreatStats’ Post

Vulnerability 02 Critical Gitlab vulnerability exposes 2FA-less users to account takeovers Tracked as CVE-2023-7028, exploits a change introduced in version 16.1.0 back in May 2023 that allowed users to issue password resets through a secondary email address.

Hi friends, One of my reports submitted in HackerOne is now triaged and the issue related to my report in GitLab is now public. So, you can read it below and find out how I was able to find the bug. I hope this helps someone smoehow. ✌️✌️✌️✌️ https://lnkd.in/gvY4giRY #bugbounty #hackerone #gitlab

🚨 High Risk Vulnerability Alert! GitLab EE has a resource exhaustion issue affecting versions from 13.3.0 to 16.8.2. This flaw allows an attacker to exploit the system using GraphQL, leading to potential system instability. CVE-2024-1066. #GitLab #Vulnerability #OWASP #API4 #API7 #CWE400 🚨 https://lnkd.in/enCGjE7e

Congrats to Aditya Sirish A Yelgundhalli and team for their release of GitTuf! The Update Framework (TUF) is an incredibly powerful framework for managing trust policies for software artifacts, and it can now be easily applied at the source code level. We use TUF extensively within Sigstore, and it really is the only framework that works at scale for artifact signing, PKI, and rotation. Excited to see this work continue into different domains. #tuf #updateframework #openssf https://gittuf.github.io/

Excited to share my latest accomplishment in Spring Security! 💻 Just successfully configured Spring Security for version 3.2.4, and it's running seamlessly across all 3.0 versions. 🚀 Tested the code on my system, and it's performing exceptionally well. Stay tuned for more insights as I'll be sharing the configuration details soon. Plus, keep an eye out for my upcoming project on GitHub! 👀 #SpringSecurity #VersionUpgrade #CodePerformance #GitHubProject

🚨Medium Risk Vulnerability🚨 in #gRPC #Go library by #GitHub. Private tokens could appear in logs if context containing gRPC metadata is logged. This is a potential PII concern. The issue is patched in versions 1.64.1 and 1.65.0. #OWASP #APIsecurity #InfoSec https://lnkd.in/eT7_YJu2

NEW FREE RECENT THREAT ROOM - GitLab 👀 Get hold of any GitLab admin/user account using CVE-2023-7028 🕵️♂️ Explore the initial cause 🛡 Exploit the vulnerability 🔥 Implement detection and mitigation https://hubs.la/Q02gMXQc0

TryHackMe offers insightful threat rooms that facilitate a comprehensive understanding of how threat actors can potentially infiltrate your environment. I highly recommend individuals interested in security to leverage these tools!

A Bucket of Monkey...wrenches: researchers game insecurities in "Secured Variables" function of version control repository, while vendor claims it's goes against best practice security instructions https://lnkd.in/ec_wnQMQ

Top 12 Tips for API Security - Use HTTPS - Use OAuth2 - Use WebAuthn - Use Leveled API Keys - Authorization - Rate Limiting - API Versioning - Whitelisting - Check OWASP API Security Risks - Use API Gateway - Error Handling - Input Validation Follow Mohamed Rilwan for more such content Like | Share | Comment Credits: ByteByteGo