Dark C0d3rs
HackerOne Disclosed Reports - 2025-05-27 - Printable Version
HackerOne disclosed reports - 2025-05-27 - hashXploiter - 05-28-2025

Severity: Medium   |   Status: resolved
CVE-2025-5025: No QUIC certificate pinning with wolfSSL
Bug reported by Hiroki Kurosawa was disclosed at May 28, 2025, 6:35 am   |   Improper Certificate Validation


Severity: Medium   |   Status: resolved
CVE-2025-4947: QUIC certificate check skip with wolfSSL
Bug reported by Hiroki Kurosawa was disclosed at May 28, 2025, 6:35 am   |   Improper Validation of Certificate with Host Mismatch


Severity: Medium   |   Status: resolved
Non-Production API Endpoints for the bedrock-agent Service Fail to Log to CloudTrail Resulting in Silent Permission Enumeration
Bug reported by Nick Frichette (Datadog) was disclosed at May 28, 2025, 12:39 am   |   Insufficient Logging

The non-production API endpoints for the bedrock-agent service failed to log to CloudTrail, resulting in silent permission enumeration. A total of 26 non-production endpoints were found that could be used with standard IAM credentials without generating CloudTrail logs. This vulnerability was considered a security issue by AWS, as it allowed for invisible enumeration of permissions.


Severity: Medium   |   Status: resolved
Non-Production API Endpoints for the bedrock Service Fail to Log to CloudTrail Resulting in Silent Permission Enumeration
Bug reported by Nick Frichette (Datadog) was disclosed at May 28, 2025, 12:38 am   |   Insufficient Logging

The bedrock service was found to have 5 non-production API endpoints that could be used with standard IAM credentials to enumerate permissions without logging to CloudTrail. The impacted endpoints allowed the invocation of bedrock:ListImportedModels and bedrock:ListModelImportJobs actions. This vulnerability was reported to AWS, who considered it a security issue.


Severity: Medium   |   Status: resolved
Non-Production API Endpoint for the EventBridge Service Fails to Log to CloudTrail Resulting in Silent Permission Enumeration
Bug reported by Nick Frichette (Datadog) was disclosed at May 28, 2025, 12:35 am   |   Insufficient Logging

The non-production API endpoint for the EventBridge service was found to fail to log to CloudTrail, resulting in silent permission enumeration. This vulnerability was reported to AWS, as it allowed for the enumeration of permissions of compromised credentials without generating CloudTrail logs, which could be used by adversaries to assess the access they have gained.


Severity: Medium   |   Status: resolved
Non-Production API Endpoints for the Global Accelerator Service Fail to Log to CloudTrail Resulting in Silent Permission Enumeration
Bug reported by Nick Frichette (Datadog) was disclosed at May 28, 2025, 12:34 am   |   Insufficient Logging

The researchers discovered that there are 8 non-production endpoints for the Global Accelerator service which can be used with standard IAM credentials and do not log to CloudTrail. This allows for silent permission enumeration, where an adversary can determine the permissions of compromised credentials without generating any logs.


Severity: Medium   |   Status: resolved
Non-Production API Endpoints for the Health Service Fail to Log to CloudTrail Resulting in Silent Permission Enumeration
Bug reported by Nick Frichette (Datadog) was disclosed at May 28, 2025, 12:32 am   |   Insufficient Logging

The AWS Health service was found to have 11 non-production API endpoints that could be accessed using standard IAM credentials without logging to CloudTrail. This allowed for silent permission enumeration, where an adversary could test the capabilities of compromised credentials without generating auditable CloudTrail logs.


Severity: Medium   |   Status: resolved
Amazon Pinpoint SMS and Voice, version 2 Service Reporting "AWS Internal" for CloudTrail Events Generated from FIPS Endpoints
Bug reported by Nick Frichette (Datadog) was disclosed at May 28, 2025, 12:30 am   |   Insufficient Logging

The Amazon Pinpoint SMS and Voice, version 2 service was found to incorrectly report the user-agent and network information as "AWS Internal" for five specific API endpoints that are FIPS endpoints. This issue was discovered to be similar to a previous bug reported for the Comprehend Medical and Kendra services, suggesting a potential wider issue across a small number of services. As a result of this vulnerability, an adversary could have performed API calls using these endpoints and evaded the logging of their IP address and operating system information.


Severity: Medium   |   Status: resolved
Amazon Kendra Intelligent Ranking Service Reporting "AWS Internal" for CloudTrail Events Generated from FIPS Endpoints
Bug reported by Nick Frichette (Datadog) was disclosed at May 28, 2025, 12:24 am   |   Insufficient Logging

The AWS Kendra Intelligent Ranking service was found to incorrectly report the user-agent and network information as "AWS Internal" for four API endpoints that are FIPS endpoints. This issue can lead to the obscuring of request information that may be used to track down an adversary.


Severity: Medium   |   Status: resolved
Non-Production API Endpoints for the Neptune Graph Service Fail to Log to CloudTrail Resulting in Silent Permission Enumeration
Bug reported by Nick Frichette (Datadog) was disclosed at May 27, 2025, 10:39 pm   |   Insufficient Logging

The non-production API endpoints for the Neptune Graph Service were found to fail logging to CloudTrail, resulting in silent permission enumeration. Specifically, seven non-production endpoints were identified that could be used with standard IAM credentials without generating CloudTrail logs. This allowed potential adversaries to enumerate permissions without leaving a trail.


Severity: Medium   |   Status: resolved
Non-Production API Endpoints for the Route 53 Service Fail to Log to CloudTrail Resulting in Silent Permission Enumeration
Bug reported by Nick Frichette (Datadog) was disclosed at May 27, 2025, 10:15 pm   |   Insufficient Logging

The non-production API endpoints for the Route 53 service failed to log to CloudTrail, resulting in silent permission enumeration. Two non-production endpoints were found that could be used with standard IAM credentials without logging to CloudTrail. This allowed an adversary to perform permission enumeration activities without generating any logs.


Severity: Critical   |   Status: resolved
unauthorized access and add user and change personal information all users
Bug reported by BugHunter0x7 was disclosed at May 27, 2025, 8:53 pm   |   Improper Access Control - Generic

The report describes a vulnerability in the ██████████ website, where unauthorized access to an API endpoint allowed attackers to add new users and modify personal information of existing users. The vulnerability was classified as Improper Access Control. The issue stemmed from the absence of proper authentication and authorization mechanisms on the ██████████ endpoint, which handled user registration and profile updates. This vulnerability allowed anyone to create new user accounts or modify existing user information without requiring any authentication. Additionally, the vulnerability was compounded by a predictable user identifier system (4-digit codes) that could be easily enumerated through brute force methods to identify valid user profiles through the ██████████ endpoint.


Severity: Medium   |   Status: resolved
Customer Data Exposure via Insecure Endpoint of coupon
Bug reported by BugHunter0x7 was disclosed at May 27, 2025, 8:33 pm   |   Information Disclosure

A security vulnerability was identified in the Royal Canin Greece website. An insecure API endpoint was exposed that allowed unauthorized access to customer information without requiring authentication. The endpoint related to coupon functionality and revealed sensitive customer data, including company names, phone numbers, email addresses, tokens, and coupon details. The vulnerability was classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) with a medium severity rating (CVSS score 5.7). Customer information could be accessed by modifying a parameter in the request.


Severity: Low   |   Status: resolved
Apache Airflow Sql injection by authenticated user
Bug reported by nxczje was disclosed at May 27, 2025, 5:55 pm   |   SQL Injection

Apache Airflow 2.10.5 was affected by a vulnerability that allowed an attacker to manipulate query construction, leading to SQL injection. The vulnerability was present in the SQLColumnCheckOperator, which could result in remote code execution.


Severity: High   |   Status: resolved
[SECURITY] CVE-2024-50379 Apache Tomcat - RCE via write-enabled default servlet
Bug reported by Nacl was disclosed at May 27, 2025, 3:31 pm   |   Code Injection

A vulnerability was discovered in Apache Tomcat where a race condition could be triggered on a Windows machine with a write-enabled default servlet, leading to remote code execution. The issue was caused by the case-insensitive nature of the file system, which allowed an uploaded file to be treated as a JSP script.


Severity: Medium   |   Status: resolved
TLS client authentication can be bypassed due to ticket resumption
Bug reported by Sven Hebrok was disclosed at May 27, 2025, 1:18 pm   |   Improper Authentication - Generic

The TLS client authentication can be bypassed due to ticket resumption. The issue was that TLS session tickets were not properly isolated for multiple virtual hosts in one server. This allowed a ticket issued for one virtual host to be resumed at a different virtual host, circumventing client authentication. The vulnerability affected both the NGINX http and NGINX stream modules.


Severity: Medium   |   Status: resolved
CVE-2024-56374: Denial-of-service vulnerability in IPv6 validation
Bug reported by was disclosed at May 27, 2025, 12:26 pm   |

A denial-of-service vulnerability was discovered in Django's IPv6 validation. The lack of an upper bound limit enforcement in strings passed during IPv6 validation could lead to a potential denial-of-service attack. The vulnerable functions, `clean_ipv6_address` and `is_valid_ipv6_address`, as well as the `django.forms.GenericIPAddressField` form field, have been updated to address this issue.