• REST API Security Best Practices:
https://www.akamai.com/blog/security/2023/nov/rest-api-security-best-practices
・ REST API security best practices
– SecTodayBot
• Firmware Security - Saumil Shah - PSW #741:
https://buff.ly/3PJblU6
・ A talk on firmware security
– SecTodayBot
• Flip Feng Shui: Hammering a Needle in the Software Stack:
https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/razavi
・ Flip Feng Shui: A new attack vector that allows an attacker to induce bit flips in physical memory, compromising OpenSSH and Ubuntu/Debian update mechanism.
– SecTodayBot
• Analysis of CVE-2023-46729: URL Rewrite Vulnerability in Sentry Next.js SDK:
https://blog.huli.tw/2023/11/13/en/sentry-nextjs-sdk-cve-2023-46729/
・ Sentry published a blog post titled "Next.js SDK Security Advisory - CVE-2023-46729" that discusses in detail the cause of CVE-2023-46729, when it was discovered, and when it was fixed. The vulnerability was fixed in version 7.77.0, released on 10/31, giving developers time to apply the patch.
– SecTodayBot
• WebKitGTK and WPE WebKit Security Advisory WSA-2023-0010:
https://seclists.org/oss-sec/2023/q4/217
・ Multiple vulnerabilities were found in WebKitGTK and WPE WebKit that may lead to UI spoofing, information disclosure, address bar spoofing, and other issues.
– SecTodayBot
• Assessing the security posture of a widely used vision model: YOLOv7:
https://blog.trailofbits.com/2023/11/15/assessing-the-security-posture-of-a-widely-used-vision-model-yolov7/
・ Eleven security vulnerabilities were found in the computer vision framework YOLOv7, which may lead to remote code execution, denial of service, and model differential attacks. The article details these research findings and notes that YOLOv7 is not suitable for critical applications or scenarios that require high availability.
– SecTodayBot
• Analysis of Unauthenticated Command Execution Vulnerability in Cisco IOS XE System WebUI:
https://paper.seebug.org/3073/
・ This article analyzes and summarizes the recent critical CVEs in Cisco IOS XE (CVE-2023-20198, CVE-2023-20273), which mainly involve an authorized RCE vulnerability and an unauthenticated command execution vulnerability.
– SecTodayBot
• OracleIV emerges as a ‘Dockerized’ DDoS bot agent:
https://packetstormsecurity.com/news/view/35193
・ Attackers exploited a misconfiguration of the Docker Engine API to deliver a malicious Docker container, OracleIV, which operates as a distributed denial-of-service (DDoS) bot agent; the image contains Python malware compiled into an Executable and Linkable Format (ELF) file.
– SecTodayBot
* To view or search past digests, visit:
https://sec.today
* Sina Weibo account: Tencent Xuanwu Lab
https://weibo.com/xuanwulab