Security

jwt-encde, local and fast GUI JWT encoder/decoder, 1.1 🎉 now supports installation via npm 🤍

npm install -g jwt-encde
npx jwt-encde

If you’re looking for a way to analyze JWTs without using online tools, jwt-encde might be helpful.

It is a dedicated GUI app that brings JWT decoding and encoding to your local desktop. The first stable version was released today, built with Rust and iced.

Security vulnerability

A new sudo vulnerability was found. It was on sudoedit (sudo -e) flaw. With it, attackers can edit arbitrary files, and therefore machines were at the risk of the pwned and having information steeled.

Overview

Google Chrome vulnerabilities

CVE-2023-0140 (and more)

Chrome on Windows (and more), whose version is prior to 109.0.5414.74, has risk to make remote attack easy.

Summary

Are you interested in JSON Web Token (JWT) authentication and authorization in PHP or Symfony, one of its frameworks? If so, this post might be helpful.

Summary

With EasyAdmin bundle, you can create admin panel easily.

Well, as to User entity, given it has password field, you must want to hash it before it stored for security.

Summary

EasyAdmin enables you to create admin panel bound to storage such as RDBMS easily.

Summary

Symfony is one of PHP web frameworks. It is my favorite one, because it is clearly classified, functional and robust.

Log4j 2.17.1 was released because a new vulnerability on RCE (Remote Code Execution) had been found in 2.17.0. (CVE-2021-4483)

According to The Apache Software Founndation, CVSS is 6.6 and the severity is moderate.

Log4j 2.17.0 was released due to security reason. It fixes DoS vulnerability in 2.16.0 and below on v2.

As to the new vulnerability on DoS (denial-of-service), it’s safe with a default Pattern Layout where a Context Lookup such as $${ctx:loginId} are NOT used in logging configuration. Otherwise, the CVSS score is 7.5 and the severity is high.

As to Log4j, found and reported was the new vulnerability also in 2.15.0 as CVE-2021-45046. It was fixed in the next 2.16.0 released in 13 Dec 2021. Well, it is less dangerous than one in 2.14.1 and above aka log4shell.

Summary

• Caused by Apache Log4j’s JNDI (“Java Naming and Directory Interface”) features.
• How is it severe? The CVSS score is 10, the maximum, which means the highest risk.

Description

CVE-2021-44228 (named “log4shell” or “log4jam”): Remote code execution (RCE) severe vulnerability, discovered in Log4j, affects a wide range.

Today, our company detected attack trials on Apache Log4j RCE vulnerability (CVE-2021-44228) due to its JNDI (“Java Naming and Directory Interface”) features to one of our servers in Swiss: