Another day, another stack of tools blindly trusting user input.
Dynamic Key Fetching Disasters
Centrifugo builds JWKS URLs using unverified JWT claims. Pass it a junk token, and it interpolates your payload into the endpoint before checking signatures. Result: unauthenticated SSRF. Attackers can pillage cloud metadata or fetch rogue keys to completely bypass auth.
Action: Patch and kill templated JWKS configs. Centrifugo advisory.
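To make the bug class concrete, here is an added illustration (not Centrifugo's code) of the two resolver shapes: one that interpolates an unverified `iss` claim into a JWKS URL template, and one that only lets the claim select among pre-configured issuer URLs. The token, issuer names and `TRUSTED_JWKS` table are constructed for the demo.

```python
import base64
import json
from typing import Optional
from urllib.parse import urlsplit


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    # Constructed sample: header + attacker-chosen payload + garbage signature.
    header = b64url(json.dumps({"alg": "RS256", "kid": "k1"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.junksig"


def unverified_claims(token: str) -> dict:
    # Any resolver that needs a key to verify the token must read the payload
    # first; the danger is what it DOES with these untrusted values.
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


# Vulnerable shape: the JWKS endpoint is a template filled from claims that
# nobody has authenticated yet, so whoever mints the token picks the host.
def jwks_url_templated(token: str, template: str) -> str:
    return template.format(**unverified_claims(token))


# Hardened shape: the unverified "iss" claim only looks up a fixed, operator-
# configured URL. Unknown issuers get no request at all. (Hypothetical table.)
TRUSTED_JWKS = {
    "https://sso.example.com": "https://sso.example.com/.well-known/jwks.json",
}


def jwks_url_allowlisted(token: str, trusted: dict = TRUSTED_JWKS) -> Optional[str]:
    iss = unverified_claims(token).get("iss")
    url = trusted.get(iss)
    if url is None:
        return None
    # Defence in depth: the configured URL must be https and stay on the
    # issuer's own host, so a bad config entry cannot quietly reintroduce SSRF.
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.netloc != urlsplit(iss).netloc:
        return None
    return url
```

The check to make in your own config is whether the JWKS URL is a fixed string or contains any `{...}` placeholder filled from token claims; only the former survives a forged token.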
Observability Stack Takeovers
OneUptime blindly pastes unsanitized telemetry query parameters straight into ClickHouse. It's textbook SQL injection that nukes tenant isolation. Any authenticated user can dump cross-tenant data or escalate straight to RCE.
Action: Update to `10.0.23` before your telemetry backend gets owned. OneUptime report.
Poisoning Official Documentation
Researchers found 39 fully-privileged Algolia admin keys hardcoded in open-source doc sites (including KEDA, vcluster, and Rancher). Attackers can hijack search indexes to serve malicious `curl-to-bash` snippets to engineers copy-pasting from official docs.
Action: Rotate leaked keys and stop hardcoding secrets in doc builds. Algolia admin key writeup.