
Overview

  • vstakhov
  • libucl

23 Jun 2025
Published
23 Jun 2025
Updated

CVSS v4.0
MEDIUM (4.8)
EPSS
0.01%

KEV

Description

A vulnerability classified as problematic was found in vstakhov libucl up to 0.9.2. Affected by this vulnerability is the function ucl_parse_multiline_string of the file src/ucl_parser.c. The manipulation leads to heap-based buffer overflow. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used.

Statistics

  • 1 Post

Fediverse


🔎 MEDIUM severity: Heap-based buffer overflow in vstakhov libucl (≤0.9.2). Local access required, public exploit disclosed. Audit usage, restrict privileges, monitor for crashes. CVE-2025-6499 radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 19 hours ago

Overview

  • pypa
  • pypa/setuptools

15 Jul 2024
Published
01 Aug 2024
Updated

CVSS v3.0
HIGH (8.8)
EPSS
0.23%

KEV

Description

A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.

Statistics

  • 1 Post

Fediverse


🚨 New HIGH CVE detected in AWS Lambda 🚨
CVE-2024-6345 impacts setuptools in 3 Lambda base images.

Details: github.com/aws/aws-lambda-base
More: lambdawatchdog.com/

  • 0
  • 0
  • 16 hours ago

Overview

  • Sitecore
  • Experience Manager

17 Jun 2025
Published
18 Jun 2025
Updated

CVSS v3.1
HIGH (8.2)
EPSS
0.05%

KEV

Description

Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP.

Statistics

  • 1 Post
  • 1 Interaction

Fediverse


🚨 New Exploits Targeting Sitecore Experience Platform (XP)
Another wake-up call: Monitoring disclosed CVEs isn't enough anymore.

🔍 Last week, WatchTowr Labs dropped a detailed analysis of a pre-auth RCE chain in Sitecore XP – and it didn’t take long for attackers to move.

Within hours, CrowdSec’s network detected active exploitation in the wild.

⚠️ Key findings:
🔹 The Vulnerability-to-Exploit Window Is Critical: Attacks now outpace CVE assignments, leaving organizations exposed during the disclosure gap. This was demonstrated when, within hours of WatchTowr’s public analysis, CrowdSec’s threat network detected three distinct IPs actively scanning and exploiting vulnerable Sitecore XP instances.
🔹 Official CVE Designation a Few Hours After WatchTowr’s Article: The flaw is now formally tracked as CVE-2025-34509, CVE-2025-34510, and CVE-2025-34511 (listed on NVD).

🛠️ About the exploit:
The vulnerability chain enables unauthenticated remote code execution (RCE) through Sitecore’s publishing service, allowing attackers to compromise the entire CMS without requiring credentials. Successful exploitation could lead to data theft, malware deployment, or lateral movement within affected systems.

📈 Trend analysis:
🗓️ June 17: WatchTowr publishes the article.
⏱️ Hours later: CrowdSec’s decentralized threat network detected exploitation attempts from 104.248.137.152.
📍 Following days:
Two more IPs (130.33.178.14, 217.156.122.239) launched aggressive scans, with 130.33.178.14 alone responsible for 50+ attacks over the weekend.

🛡️ How to protect your systems:
🔹 Investigate: If your organization uses Sitecore XP, check your logs for these IPs: 130.33.178.14, 217.156.122.239, 104.248.137.152.
🔹 Patch: Do the necessary to patch your Sitecore XP CMS system.
🔹 Stay proactive: Gain additional protection by installing the Crowdsec Web Application Firewall to stay ahead of exploit attempts with 100+ virtual patching rules available: doc.crowdsec.net/docs/next/app

📣 Real-time threat intelligence is not optional. Let’s stay ahead of these threats together 👉 crowdsec.net

  • 0
  • 1
  • 12 hours ago

Overview

  • Sitecore
  • Powershell Extension

17 Jun 2025
Published
18 Jun 2025
Updated

CVSS v3.1
HIGH (8.8)
EPSS
2.26%

KEV

Description

Sitecore PowerShell Extensions, an add-on to Sitecore Experience Manager (XM) and Experience Platform (XP), through version 7.0 is vulnerable to an unrestricted file upload issue. A remote, authenticated attacker can upload arbitrary files to the server using crafted HTTP requests, resulting in remote code execution.

Statistics

  • 1 Post
  • 1 Interaction

Fediverse


  • 0
  • 1
  • 12 hours ago

Overview

  • Sitecore
  • Experience Manager

17 Jun 2025
Published
18 Jun 2025
Updated

CVSS v3.1
HIGH (8.8)
EPSS
1.83%

KEV

Description

Sitecore Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC) versions 9.0 through 9.3 and 10.0 through 10.4 are affected by a Zip Slip vulnerability. A remote, authenticated attacker can exploit this issue by sending a crafted HTTP request to upload a ZIP archive containing path traversal sequences, allowing arbitrary file writes and leading to code execution.

Statistics

  • 1 Post
  • 1 Interaction

Fediverse


  • 0
  • 1
  • 12 hours ago

Overview

  • corydolphin
  • corydolphin/flask-cors

20 Mar 2025
Published
20 Mar 2025
Updated

CVSS v3.0
MEDIUM (5.3)
EPSS
0.05%

KEV

Description

A vulnerability in corydolphin/flask-cors version 4.0.1 allows for inconsistent CORS matching due to the handling of the '+' character in URL paths. The request.path is passed through the unquote_plus function, which converts the '+' character to a space ' '. This behavior leads to incorrect path normalization, causing potential mismatches in CORS configuration. As a result, endpoints may not be matched correctly to their CORS settings, leading to unexpected CORS policy application. This can cause unauthorized cross-origin access or block valid requests, creating security vulnerabilities and usability issues.

Statistics

  • 1 Post
  • 3 Interactions

Fediverse


Malcolm v25.06.0 includes some new and oft-requested features, bug fixes, and component version bumps.

Compare v25.05.0 to v25.06.0

NOTE: As this Malcolm release enables the OpenSearch Security Plugin as described below, even inter-container access to OpenSearch must now be authenticated when using Malcolm's embedded OpenSearch instance. To accomplish this, an internal-use-only account and password is used for connecting to OpenSearch by Malcolm's other components as needed. This credential (saved in .opensearch.primary.curlrc in the Malcolm installation directory) needs to be generated before Malcolm starts up the first time after upgrading. To do so, please run ./scripts/auth_setup and select (Re)generate internal passwords for local primary OpenSearch instance. This credential is only used internally for OpenSearch and cannot be used to remotely access Malcolm.

  • ✨ Features and enhancements
    • This release adds role-based access control (RBAC) to Malcolm (cisagov/Malcolm#460).
      • Malcolm's RBAC feature is based on Keycloak realm roles and is implemented in two layers:
        1. Whenever possible, Malcolm's backend Keycloak realm roles are mapped to the roles/groups/permissions features provided by the components that make up Malcolm (see release notes for details)
        2. For other Malcolm components that don't implement their own permission management systems, Malcolm handles the enforcement of roles based on request URIs in its NGINX proxy layer.
      • This is an optional feature. RBAC is only available when the authentication method is keycloak or keycloak_remote. With other authentication methods such as HTTP basic or LDAP, or when RBAC is disabled, all Malcolm users effectively have administrator privileges.
      • Because the OpenSearch Security Plugin requires TLS even internally, Malcolm's internal connections to the embedded OpenSearch instance, when used, are now all performed over HTTPS. However, this is all handled internally and should not behave or appear different to the user than it did in previous versions.
      • See the role-based access control documentation for more information on this feature.
    • Malcolm's embedded KeyCloak instance now automatically creates and configures the default client by ID, if specified in ./config/keycloak.env.
    • Allow user to specify subnet filters for NetBox autopopulation (cisagov/Malcolm#634)
      • This feature is especially useful for excluding dynamic address ranges such as those used by DHCP, which should generally not trigger autopopulation in NetBox. Since these addresses can change frequently and aren't tied to specific devices, including them could result in inaccurate or noisy inventory data. By fine-tuning which private subnets are included or excluded, users can ensure that only meaningful, typically static assignments are autopopulated.
    • Expose init arguments for Arkime's db.pl and also use them for Malcolm's creation of its own index templates (cisagov/Malcolm#692)
    • Extend Zeek's intel.log with additional fields using corelight/ExtendIntel (part 1) (cisagov/Malcolm#502)
      • This integrates the corelight/ExtendIntel plugin into Malcolm internally but does not significantly change how Malcolm presents intel.log to the user. Further work to do so will be continued in cisagov/Malcolm#695.
    • Some internal tweaks to the PCAP processing pipeline that are going to be leveraged by the Malcolm-Helm project (idaholab/Malcolm#630)
    • Handle a fix in the ICSNPP OPCUA-Binary plugin that adds a new sec_token_id field (cisagov/icsnpp-opcua-binary#101)
    • Moved the configuration for Zeek's use of the zeek-kafka plugin to its own file (kafka.zeek) to make it easier to override in Docker using a volume bind mount or in K8s using a configMap.
    • Changed some internal objects used for NetBox enrichment caching from Ruby's Concurrent::Hash to Concurrent::Map for better performance
    • Minor improvements to the icons, shortcuts, and convenience bash functions in the ISO-installed Malcolm desktop environment
    • NGINX now generates a robots.txt file to avoid web crawlers
  • ✅ Component version updates
  • 🐛 Bug fixes
    • NetBox autodiscovery no longer populating host name from DNS, DHCP, NTLM (regression, cisagov/Malcolm#699)
    • documentation served at /readme is trying to pull fonts from use.fontawesome.com (cisagov/Malcolm#694)
    • support fractional gigabytes correctly when generating Arkime's config.ini setting maxFileSizeG from PCAP_ROTATE_MEGABYTES
    • Improved logstash filters that calculate unique hashes used as document IDs for Zeek and Suricata logs to better prevent duplicate logs from being written to the document store
  • 🧹 Code and project maintenance
    • Tweaked some code comments and documentation to bring the cisagov and idaholab repos into harmony.
    • Documentation improvements
    • Removed some unused files and outdated comments

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

  • 2
  • 1
  • 12 hours ago

Overview

  • corydolphin
  • corydolphin/flask-cors

20 Mar 2025
Published
20 Mar 2025
Updated

CVSS v3.0
MEDIUM (4.3)
EPSS
0.05%

KEV

Description

corydolphin/flask-cors version 4.0.1 contains an improper regex path matching vulnerability. The plugin prioritizes longer regex patterns over more specific ones when matching paths, which can lead to less restrictive CORS policies being applied to sensitive endpoints. This mismatch in regex pattern priority allows unauthorized cross-origin access to sensitive data or functionality, potentially exposing confidential information and increasing the risk of unauthorized actions by malicious actors.

Statistics

  • 1 Post
  • 3 Interactions

Fediverse


  • 2
  • 1
  • 12 hours ago

Overview

  • corydolphin
  • corydolphin/flask-cors

20 Mar 2025
Published
20 Mar 2025
Updated

CVSS v3.0
MEDIUM (5.3)
EPSS
0.05%

KEV

Description

corydolphin/flask-cors version 4.01 contains a vulnerability where the request path matching is case-insensitive due to the use of the `try_match` function, which is originally intended for matching hosts. This results in a mismatch because paths in URLs are case-sensitive, but the regex matching treats them as case-insensitive. This misconfiguration can lead to significant security vulnerabilities, allowing unauthorized origins to access paths meant to be restricted, resulting in data exposure and potential data leaks.

Statistics

  • 1 Post
  • 3 Interactions

Fediverse


  • 2
  • 1
  • 12 hours ago

Overview

  • psf
  • requests

09 Jun 2025
Published
09 Jun 2025
Updated

CVSS v3.1
MEDIUM (5.3)
EPSS
0.06%

KEV

Description

Requests is an HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc file can be disabled with `trust_env=False` on one's Requests Session.

Statistics

  • 1 Post
  • 3 Interactions

Fediverse

Profile picture

Malcolm v25.06.0 includes a some new and oft-requested features, bug fixes, and component version bumps.

Compare v25.05.0 to v25.06.0

NOTE: As this Malcolm release enables the OpenSearch Security Plugin as described below, even inter-container access to OpenSearch must now be authenticated when using Malcolm's embedded OpenSearch instance. To accomplish this, an internal-use-only account and password is used for connecting to OpenSearch by Malcolm's other components as needed. This credential (saved in .opensearch.primary.curlrc in the Malcolm installation directory) needs to be generated before Malcolm starts up the first time after upgrading. To do so, please run ./scripts/auth_setup and select (Re)generate internal passwords for local primary OpenSearch instance. This credential is only used internally for OpenSearch and cannot be used to remotely access Malcolm.

  • ✨ Features and enhancements
    • This release adds role-based access control (RBAC) to Malcolm (cisagov/Malcolm#460).
      • Malcolm's RBAC feature is based on Keycloak realm roles and is implemented in to layers:
        1. Whenever possible, Malcolm's backend Keycloak realm roles are mapped to the roles/groups/permissions features provided by the components that make up Malcolm (see release notes for details)
        2. For other Malcolm components that don't implement their own permission management systems, Malcolm handles the enforcement roles based on request URIs in its NGINX proxy layer.
      • This is an optional feature. RBAC is only available when the authentication method is keycloak or keycloak_remote. With other authentication methods such as HTTP basic or LDAP, or when RBAC is disabled, all Malcolm users effectively have administrator privileges.
      • Because the OpenSearch Security Plugin requires TLS even internally, Malcolm's internal connections to the embedded OpenSearch instance, when used, are now all performed over HTTPS. However, this is all handled internally and should not behave or appear different to the user than it did in previous versions.
      • See the role-based access control documentation for more information on this feature.
    • Malcolm's embedded Keycloak instance now automatically creates and configures the default client by ID, if specified in ./config/keycloak.env.
    • Allow user to specify subnet filters for NetBox autopopulation (cisagov/Malcolm#634)
      • This feature is especially useful for excluding dynamic address ranges such as those used by DHCP, which should generally not trigger autopopulation in NetBox. Since these addresses can change frequently and aren't tied to specific devices, including them could result in inaccurate or noisy inventory data. By fine-tuning which private subnets are included or excluded, users can ensure that only meaningful, typically static assignments are autopopulated.
    • Expose init arguments for Arkime's db.pl and also use them for Malcolm's creation of its own index templates (cisagov/Malcolm#692)
    • Extend Zeek's intel.log with additional fields using corelight/ExtendIntel (part 1) (cisagov/Malcolm#502)
      • This integrates the corelight/ExtendIntel plugin into Malcolm internally but does not significantly change how Malcolm presents intel.log to the user. Further work to do so will be continued in cisagov/Malcolm#695.
    • Some internal tweaks to the PCAP processing pipeline that are going to be leveraged by the Malcolm-Helm project (idaholab/Malcolm#630)
    • Handle a fix in the ICSNPP OPCUA-Binary plugin that adds a new sec_token_id field (cisagov/icsnpp-opcua-binary#101)
    • Moved the configuration for Zeek's use of the zeek-kafka plugin to its own file (kafka.zeek) to make it easier to override in Docker using a volume bind mount or in K8s using a configMap.
    • Changed some internal objects used for NetBox enrichment caching from Ruby's Concurrent::Hash to Concurrent::Map for better performance
    • Minor improvements to the icons, shortcuts, and convenience bash functions in the ISO-installed Malcolm desktop environment
    • NGINX now generates a robots.txt file to avoid web crawlers
  • ✅ Component version updates
  • 🐛 Bug fixes
    • NetBox autodiscovery no longer populating host name from DNS, DHCP, NTLM (regression, cisagov/Malcolm#699)
    • documentation served at /readme is trying to pull fonts from use.fontawesome.com (cisagov/Malcolm#694)
    • support fractional gigabytes correctly when generating Arkime's config.ini setting maxFileSizeG from PCAP_ROTATE_MEGABYTES
    • Improved logstash filters that calculate unique hashes used as document IDs for Zeek and Suricata logs to better prevent duplicate logs from being written to the document store
  • 🧹 Code and project maintenance
    • Tweaked some code comments and documentation to bring the cisagov and idaholab repos into harmony.
    • Documentation improvements
    • Removed some unused files and outdated comments

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

  • 2
  • 1
  • 12 hours ago
Showing 21 to 29 of 29 CVEs