Andrea Menin brings us a great find with a deviously simple WAF bypass. The core bug belongs to ModSecurity and the variables it exposes to be used by the various rulesets others have created.
Vulnerabilities tagged "desync"
Normalization gone wrong, Mastodon, when attempting to normalize a domain would intend to remove any trailing `/`from it, however they did this using `.delete("/")` which removes all `/` characters from the string instead of just a trailing `/`. This meant that someone could use an account like `email@example.com/cial` to spoof the account `firstname.lastname@example.org`.
A request smuggling to global cache poisoning chain impacting Akami Edge nodes in front of an F5 BigIP server.
A desync between the parameter the authorization check reads, and the value the actual action reads. Leading to an attacker being able to access resources that would have been denied normally.
XNU VM copy-on-write bypass due to incorrect shadow creation logic during unaligned vm_map_copy operations [CVE-2022-46689]
Kinda of a cool race condition and sort of differential attack deep inside XNU's virtual memory system that allows for bypassing "copy on write" and writing to the underlying page without making a copy.
**tl;dr** Android Parcels have their own memory pool rather than being free'd all the way back to the general Java memory pool. This custom memory management, combined with a bug resulting in a dangling reference in a Parcel to an older version of the parcel creates a "use-after-free" like situation
A post by project zero on a vuln in a new library used for DER entitlements.Entitlements are Apple's fine-grained permission system and essentially define what capabilities an app or service has...
Improper handling of multi-line header values, specifically in handling the `Transfer-Encoding` header Node would parse the value up to the first new-line and not include the remaining content.
Cisco's Jabber, an XMPP client would treat the ending `` XML tag as a special case resetting the state of the XML parsing, which would allow any next tag to be treated as the root of the XML document and allow injecting of control stanzas.
What happens when you tell a server to treat the `Content-Length` header as a hop-by-hop header and remove it? Request smuggling.