VULNERA Pulse

CVE-2024-1597

CRITICAL CVSS 10.00 EPSS Score 0.04 EPSS Percentile 12.92

Remote Code Execution

Published: Feb. 19, 2024

pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query,bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.8 are affected.

Quotes

• Presents a lower assessed risk
• This org.postgresql:postgresql Dependency vulnerability, with a CVSS Score of 10 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H could allow an unauthenticated attacker to expose assets in your environment susceptible to exploitation which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction

Headlines

• March 21, 2024 - Atlassian Releases Fixes for Over 2 Dozen Flaws, Including Critical Bamboo Bug
• March 20, 2024 - Critical flaw in Atlassian Bamboo Data Center and Server must be fixed immediately
• March 19, 2024 - Atlassian's Bamboo has critical SQL injection vulnerability

CVE-2023-48788

CRITICAL CVSS 9.80 EPSS Score 0.09 EPSS Percentile 37.66

Remote Code Execution Public Exploits Available

Published: March 12, 2024

A improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiClientEMS version 7.2.0 through 7.2.2, FortiClientEMS 7.0.1 through 7.0.10 allows attacker to execute unauthorized code or commands via specially crafted packets.

Vendor Impacted: Fortinet

Product Impacted: Forticlient Enterprise Management Server

Quotes

• This was another case of a network/security appliance having a pretty serious memory corruption vulnerability
• An improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests

Headlines

• March 21, 2024 - Exploit released for Fortinet RCE bug used in attacks, patch now
• March 21, 2024 - PoC Exploit Released for Critical Fortinet FortiClient EMS CVE-2023-48788 Flaw
• March 19, 2024 - Fortinet Releases Security Updates for Multiple Products.
• March 18, 2024 - 133k+ Fortinet appliances still vulnerable to CVE-2024-21762
• March 17, 2024 - Week in review: Cybersecurity job openings, hackers use 1-day flaws to drop custom Linux malware

CVE-2024-25153

CRITICAL CVSS 9.80 EPSS Score 0.04 EPSS Percentile 7.30

Remote Code Execution Public Exploits Available

Published: March 13, 2024

A directory traversal within the ‘ftpservlet’ of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended ‘uploadtemp’ directory with a specially crafted POST request. In situations where a file is successfully uploaded to web portal’s DocumentRoot, specially crafted JSP files could be used to execute code, including web shells.

Quotes

• The transfer of large files over remote networks experiencing high latency or packet loss
• A directory traversal within the 'ftpservlet' of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended 'uploadtemp' directory with a specially crafted POST request
• A directory traversal within the ‘ftpservlet’ of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended ‘uploadtemp’ directory with a specially crafted POST request. In situations where a file is successfully uploaded to web portal’s DocumentRoot, specially crafted JSP files could be used to execute code, including web shells

Headlines

• March 19, 2024 - Fortra Releases Update on Critical Severity RCE Flaw
• March 19, 2024 - PoC exploit for critical Fortra FileCatalyst MFT vulnerability released (CVE-2024-25153)
• March 18, 2024 - PoC exploit for critical RCE in Fortra FileCatalyst tool released
• March 18, 2024 - Fortra Patches Critical RCE Vulnerability in FileCatalyst Transfer Tool

CVE-2024-27198

CRITICAL CVSS 9.80 EPSS Score 97.21 EPSS Percentile 99.81

CISA Known Exploited Actively Exploited Remote Code Execution Used In Ransomware Public Exploits Available

Published: March 4, 2024

In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible

Vendor Impacted: Jetbrains

Product Impacted: Teamcity

Quotes

• Similar to the cryptocurrency miner installation, the threat actors deploying SparkRAT also used a variety of batch files and LOLBins to perform a multistage attack
• The vulnerabilities may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server
• The attackers are then able to install malware that can reach out to its command-and-control (C&C) server and perform additional commands such as deploying Cobalt Strike beacons and remote access trojans (RATs)

Headlines

• March 21, 2024 - Attackers are exploiting JetBrains TeamCity flaw to deliver a variety of malware
• March 20, 2024 - Threat actors actively exploit JetBrains TeamCity flaws to deliver malware
• March 20, 2024 - TeamCity Flaw Leads to Surge in Ransomware, Cryptomining, and RAT Attacks
• March 20, 2024 - Critical TeamCity Flaws Exploited: Ransomware, Cryptominers, and More Target Businesses

CVE-2022-21587

CRITICAL CVSS 9.80 EPSS Score 97.31 EPSS Percentile 99.87

CISA Known Exploited Public Exploits Available

Published: Oct. 18, 2022

Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks of this vulnerability can result in takeover of Oracle Web Applications Desktop Integrator. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Vendor Impacted: Oracle

Product Impacted: E-Business Suite

Quotes

• The use of open source tools to compromise government entities is notable, but not entirely surprising
• We noticed that Earth Krahang retrieves hundreds of email addresses from their targets during the reconnaissance phase
• We found that at least 48 government organizations were compromised, with a further 49 other government entities being targeted. Foreign Affairs ministries and departments were a top target, compromising 10 such organizations and targeting five others
• One of the threat actor's favorite tactics involves using its malicious access to government infrastructure to attack other government entities, abusing the infrastructure to host malicious payloads, proxy attack traffic, and send spear-phishing emails to government-related targets using compromised government email accounts

Headlines

• March 19, 2024 - Beijing-backed cyberspies attacked 70+ orgs in 23 countries
• March 19, 2024 - Chinese APT Hacks 48 Government Organizations
• March 18, 2024 - Chinese APT 'Earth Krahang' Compromises 48 Gov't Orgs on 5 Continents
• March 18, 2024 - Chinese Earth Krahang hackers breach 70 orgs in 23 countries

CVE-2017-9841

CRITICAL CVSS 9.80 EPSS Score 97.48 EPSS Percentile 99.96

CISA Known Exploited Remote Code Execution Public Exploits Available

Published: June 27, 2017

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "

Vendors Impacted: Phpunit Project, Oracle, Phpunit

Products Impacted: Communications Diameter Signaling Router, Phpunit

Quotes

• Laravel App Key Deserialization RCE
• It works by scanning and taking out important information from .env files, revealing login details linked to AWS and Twilio

Headlines

• March 21, 2024 - AndroxGh0st Malware Targets Laravel Apps to Steal Cloud Credentials
• March 20, 2024 - AndroxGh0st: The Python Malware Targeting Laravel Apps
• March 19, 2024 - Shielding Networks From Androxgh0st | Official Blogs

CVE-2018-15133

HIGH CVSS 8.10 EPSS Score 62.42 EPSS Percentile 97.75

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Aug. 9, 2018

In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack.

Vendor Impacted: Laravel

Products Impacted: Laravel Framework, Laravel

Quotes

• Laravel App Key Deserialization RCE
• It works by scanning and taking out important information from .env files, revealing login details linked to AWS and Twilio

Headlines

• March 21, 2024 - AndroxGh0st Malware Targets Laravel Apps to Steal Cloud Credentials
• March 20, 2024 - AndroxGh0st: The Python Malware Targeting Laravel Apps
• March 19, 2024 - Shielding Networks From Androxgh0st | Official Blogs

CVE-2023-32315

HIGH CVSS 7.50 EPSS Score 97.38 EPSS Percentile 99.91

CISA Known Exploited Actively Exploited Remote Code Execution Used In Ransomware Public Exploits Available

Published: May 26, 2023

Openfire is an XMPP server licensed under the Open Source Apache License. Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0. The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0). Users are advised to upgrade. If an Openfire upgrade isn’t available for a specific release, or isn’t quickly actionable, users may see the linked github advisory (GHSA-gw42-f939-fhvm) for mitigation advice.

Vendors Impacted: Ignite Realtime, Igniterealtime

Product Impacted: Openfire

Quotes

• The use of open source tools to compromise government entities is notable, but not entirely surprising
• We noticed that Earth Krahang retrieves hundreds of email addresses from their targets during the reconnaissance phase
• We found that at least 48 government organizations were compromised, with a further 49 other government entities being targeted. Foreign Affairs ministries and departments were a top target, compromising 10 such organizations and targeting five others
• One of the threat actor's favorite tactics involves using its malicious access to government infrastructure to attack other government entities, abusing the infrastructure to host malicious payloads, proxy attack traffic, and send spear-phishing emails to government-related targets using compromised government email accounts

Headlines

• March 19, 2024 - Beijing-backed cyberspies attacked 70+ orgs in 23 countries
• March 19, 2024 - Chinese APT Hacks 48 Government Organizations
• March 18, 2024 - Chinese APT 'Earth Krahang' Compromises 48 Gov't Orgs on 5 Continents
• March 18, 2024 - Chinese Earth Krahang hackers breach 70 orgs in 23 countries

CVE-2024-27199

HIGH CVSS 7.30 EPSS Score 0.90 EPSS Percentile 82.28

Risk Context N/A

Published: March 4, 2024

In JetBrains TeamCity before 2023.11.4 path traversal allowing to perform limited admin actions was possible

Quotes

• Similar to the cryptocurrency miner installation, the threat actors deploying SparkRAT also used a variety of batch files and LOLBins to perform a multistage attack
• The vulnerabilities may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server

Headlines

• March 21, 2024 - Attackers are exploiting JetBrains TeamCity flaw to deliver a variety of malware
• March 20, 2024 - Threat actors actively exploit JetBrains TeamCity flaws to deliver malware
• March 20, 2024 - Critical TeamCity Flaws Exploited: Ransomware, Cryptominers, and More Target Businesses