VULNERA Pulse

Atlassian — Confluence Data Center and Server

CVE-2023-22527 / Added: Jan. 24, 2024

CRITICAL CVSS 9.80 EPSS Score 97.05 EPSS Percentile 99.71

Atlassian Confluence Data Center and Server contain an unauthenticated OGNL template injection vulnerability that can lead to remote code execution.

Headlines

• Jan. 25, 2024 - CISA adds Atlassian Confluence Data Center bug to its Known Exploited Vulnerabilities catalog
• Jan. 23, 2024 - Hackers Target Atlassian Confluence With RCE Exploits
• Jan. 23, 2024 - ~40,000 Attacks in 3 Days: Critical Confluence RCE Under Active Exploitation
• Jan. 22, 2024 - Atlassian Confluence Server RCE attacks underway
• Jan. 22, 2024 - Hackers Targeting Critical Atlassian Confluence Vulnerability Days After Disclosure
• Jan. 22, 2024 - Hackers start exploiting critical Atlassian Confluence RCE flaw
• Jan. 22, 2024 - Researchers Published Technical Details for Atlassian Confluence RCE (CVE-2023-22527)
• Jan. 21, 2024 - Week in review: 10 cybersecurity frameworks you need to know, exploited Chrome zero-day fixed
• Jan. 18, 2024 - Atlassian Releases Security Updates for Multiple Products | CISA
• Jan. 17, 2024 - Citrix, VMware, and Atlassian Hit with Critical Flaws — Patch ASAP!
• Jan. 17, 2024 - Atlassian issues urgent Confluence patch
• Jan. 16, 2024 - Atlassian fixed critical RCE in older Confluence versions
• Jan. 16, 2024 - Patch now: Critical VMware, Atlassian flaws found
• Jan. 16, 2024 - Patch ASAP: Max-Critical Atlassian Bug Allows Unauthenticated RCE
• Jan. 16, 2024 - Atlassian reveals critical Confluence RCE flaw, urges "immediate action" (CVE-2023-22527)
• Jan. 16, 2024 - Atlassian warns of critical RCE flaw in older Confluence versions
• Jan. 16, 2024 - CVE-2023-22527 (CVSS 10): Critical RCE Flaw in Confluence Data Center and Server

Back to top ↑

Apple — Multiple Products

CVE-2024-23222 / Added: Jan. 23, 2024

CVSS Not Assigned EPSS Score 0.13 EPSS Percentile 48.22

Apple iOS, iPadOS, macOS, tvOS, and Safari WebKit contain a type confusion vulnerability that leads to code execution when processing maliciously crafted web content.

Headlines

• Jan. 25, 2024 - Why is the cost of cyber insurance rising?
• Jan. 23, 2024 - Days After Google, Apple Reveals Exploited Zero-Day in Browser Engine
• Jan. 23, 2024 - Apple fixes actively exploited WebKit zero-day (CVE-2024-23222)
• Jan. 23, 2024 - Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution
• Jan. 23, 2024 - CVE-2024-23222: Apple's First Zero-Day Flaw of the Year
• Jan. 23, 2024 - Apple Issues Patch for Critical Zero-Day in iPhones, Macs - Update Now
• Jan. 22, 2024 - Apple patches 2024's first zero-day
• Jan. 22, 2024 - Apple fixed actively exploited zero-day CVE-2024-23222
• Jan. 22, 2024 - Apple fixes first zero-day bug exploited in attacks this year

Back to top ↑

VMware — vCenter Server

CVE-2023-34048 / Added: Jan. 22, 2024

CRITICAL CVSS 9.80 EPSS Score 1.72 EPSS Percentile 86.52

VMware vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol that allows an attacker to conduct remote code execution.

Headlines

• Jan. 23, 2024 - CISA adds VMware vCenter Server bug to its Known Exploited Vulnerabilities catalog
• Jan. 22, 2024 - Chinese Spies Exploited Critical VMware Bug for Nearly 2 Years
• Jan. 22, 2024 - Multiple Vulnerabilities in VMware Products Could Allow for Remote Code Execution
• Jan. 21, 2024 - newsletter Round 454 by Pierluigi Paganini
• Jan. 20, 2024 - Chinese Hackers Silently Weaponized VMware Zero-Day Flaw for 2 Years
• Jan. 20, 2024 - Russians break into Microsoft as Chinese hit VMware users
• Jan. 19, 2024 - China-linked APT UNC3886 exploits VMware zero-day since 2021
• Jan. 19, 2024 - Chinese hackers exploit VMware bug as zero-day for two years
• Jan. 19, 2024 - VMware confirms critical vCenter flaw now exploited in attacks
• Jan. 19, 2024 - VMware Confirms CVE-2023-34048 RCE Flaw in vCenter Exploited in the Wild
• Nov. 15, 2023 - Urgent: VMware Warns of Unpatched Critical Cloud Director Vulnerability
• Nov. 14, 2023 - VMWare discloses critical VCD Appliance auth bypass with no patch
• Oct. 31, 2023 - Apple, Google, and Microsoft Just Patched Some Spooky Security Flaws
• Oct. 29, 2023 - Week in review: VMware patches critical vulnerability, 1Password affected by Okta breach
• Oct. 26, 2023 - VMware Releases Security Advisory for vCenter Server | CISA
• Oct. 26, 2023 - vCenter needs patch for critical bug
• Oct. 25, 2023 - Virtual Alarm: VMware Issues Major Security Advisory
• Oct. 25, 2023 - VMware addressed critical vCenter flaw also for End-of-Life products
• Oct. 25, 2023 - VMware vCenter Flaw So Critical, Patches Released for End-of-Life Products
• Oct. 25, 2023 - VMware patches critical vulnerability in vCenter Server (CVE-2023-34048)
• Oct. 25, 2023 - Act Now: VMware Releases Patch for Critical vCenter Server RCE Vulnerability
• Oct. 25, 2023 - VMware fixes critical code execution flaw in vCenter Server
• Oct. 25, 2023 - VMware reveals critical vuln you may have fixed already
• Oct. 25, 2023 - CVE-2023-34048: Critical VMware vCenter Server Flaw Allows Remote Code Execution

Back to top ↑

CVE-2024-20253

CRITICAL CVSS 9.90

Actively Exploited Remote Code Execution

Published: Jan. 26, 2024

A vulnerability in multiple Cisco Unified Communications and Contact Center Solutions products could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to the improper processing of user-provided data that is being read into memory. An attacker could exploit this vulnerability by sending a crafted message to a listening port of an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the web services user. With access to the underlying operating system, the attacker could also establish root access on the affected device.

Quotes

• Improper processing of user-provided data that is being read into memory
• This vulnerability is due to the improper processing of user-provided data that is being read into memory. An attacker could exploit this vulnerability by sending a crafted message to a listening port of an affected device
• An attacker could exploit this vulnerability by sending a crafted message to a listening port of an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the web services user
• A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the web services user. With access to the underlying operating system, the attacker could also establish root access on the affected device

Headlines

• Jan. 26, 2024 - Critical Cisco Flaw Lets Hackers Remotely Take Over Unified Comms Systems
• Jan. 25, 2024 - Cisco warns of a critical bug in Unified Communications products
• Jan. 25, 2024 - Critical Cisco Unified Communications RCE Bug Allows Root Access
• Jan. 25, 2024 - Cisco warns of critical RCE flaw in communications software
• Jan. 25, 2024 - Cisco Patches Critical Vulnerability in Enterprise Collaboration Products
• Jan. 25, 2024 - Cisco Releases Security Advisory for Multiple Unified Communications and Contact Center Solutions Products | CISA
• Jan. 25, 2024 - CVE-2024-20253 (CVSS 9.9): Cisco Unified Communications Products RCE Vulnerability
• Jan. 24, 2024 - Cisco unified comms systems patched against RCE

CVE-2024-0204

CRITICAL CVSS 9.80 EPSS Score 0.06 EPSS Percentile 24.03

Actively Exploited Remote Code Execution Public Exploits Available

Published: Jan. 22, 2024

Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.

Quotes

• Upgrade to version 7.4.1 or higher
• An authentication bypass issue allowing invalid access to create new users
• If the attacker has left this user here you may be able to observe its last logon activity to gauge an approximate date of compromise
• Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal
• Authentication bypass in Fortra’s GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal
• The easiest indicator of compromise that can be analyzed is for any new additions to the Admin Users group in the GoAnywhere administrator portal Users -> Admin Users section
• The advisory mentions that the endpoint /InitialAccountSetup.xhtml can be deleted and the service restarted to mitigate the issue. Looking through the application directories, we find that this endpoint is mapped to the com.linoma.ga.ui.admin.users.InitialAccountSetupForm class by inspecting the file GoAnywhere/adminroot/WEB-INF/forms-faces.xml

Headlines

• Jan. 26, 2024 - Authentication bypass exploit in GoAnywhere MFT
• Jan. 24, 2024 - Fortra Discloses Critical Auth Bypass Vuln in GoAnywhere MFT
• Jan. 24, 2024 - Latest GoAnywhere MFT bug is a must-patch as exploit emerges
• Jan. 24, 2024 - Experts released PoC exploit for Fortra GoAnywhere MFT flaw CVE-2024-0204
• Jan. 24, 2024 - PoC exploit for easily exploitable Fortra GoAnywhere MFT vulnerability released (CVE-2024-0204)
• Jan. 24, 2024 - Exploit Code Released For Critical Fortra GoAnywhere Bug
• Jan. 24, 2024 - Patch Your GoAnywhere MFT Immediately - Critical Flaw Lets Anyone Be Admin
• Jan. 24, 2024 - PoC Exploit Published for Fortra GoAnywhere MFT CVE-2024-0204 Vulnerability
• Jan. 23, 2024 - Exploit released for Fortra GoAnywhere MFT auth bypass bug
• Jan. 23, 2024 - Aatch out, a new critical flaw affects Fortra GoAnywhere MFT
• Jan. 23, 2024 - Fortra warns of new critical GoAnywhere MFT auth bypass, patch now
• Jan. 23, 2024 - CVE-2024-0204 (CVSS 9.8): Critical Authentication Bypass Flaw in GoAnywhere MFT

CVE-2023-22527

CRITICAL CVSS 9.80 EPSS Score 97.05 EPSS Percentile 99.71

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Jan. 16, 2024

A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. Customers using an affected version must take immediate action. Most recent supported versions of Confluence Data Center and Server are not affected by this vulnerability as it was ultimately mitigated during regular version updates. However, Atlassian recommends that customers take care to install the latest version to protect their instances from non-critical vulnerabilities outlined in Atlassian’s January Security Bulletin.

Vendor Impacted: Atlassian

Products Impacted: Confluence Server, Confluence Data Center, Confluence Data Center And Server

Quotes

• Testing callback attempts and 'whoami' execution
• Testing callback attempts and ‘whoami’ execution
• Over 600 IPs seen attacking so far (testing callback attempts and 'whoami' execution)
• The method of exploitation is noteworthy, as malicious actors can weaponize various channels, such as emails, URLs or social media posts, to deliver the exploit
• A template injection vulnerability on out-of-date versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected version. Customers using an affected version must take immediate action

Headlines

• Jan. 25, 2024 - CISA adds Atlassian Confluence Data Center bug to its Known Exploited Vulnerabilities catalog
• Jan. 23, 2024 - Hackers Target Atlassian Confluence With RCE Exploits
• Jan. 23, 2024 - ~40,000 Attacks in 3 Days: Critical Confluence RCE Under Active Exploitation
• Jan. 22, 2024 - Atlassian Confluence Server RCE attacks underway
• Jan. 22, 2024 - Hackers Targeting Critical Atlassian Confluence Vulnerability Days After Disclosure
• Jan. 22, 2024 - Hackers start exploiting critical Atlassian Confluence RCE flaw
• Jan. 22, 2024 - Researchers Published Technical Details for Atlassian Confluence RCE (CVE-2023-22527)
• Jan. 21, 2024 - Week in review: 10 cybersecurity frameworks you need to know, exploited Chrome zero-day fixed

CVE-2023-34048

CRITICAL CVSS 9.80 EPSS Score 1.72 EPSS Percentile 86.52

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Oct. 25, 2023

vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger an out-of-bounds write potentially leading to remote code execution.

Vendor Impacted: Vmware

Product Impacted: Vcenter Server

Quotes

• As of January 18, 2024 VMware is aware of exploitation
• UNC3886 has a track record of utilizing zero-day vulnerabilities to complete their mission without being detected, and this latest example further demonstrates their capabilities
• The exploitation of CVE-2023-34048 reflects a deep technical acumen, indicating a high level of proficiency in identifying and leveraging complex vulnerabilities within widely used software like VMware

Headlines

• Jan. 23, 2024 - CISA adds VMware vCenter Server bug to its Known Exploited Vulnerabilities catalog
• Jan. 22, 2024 - Chinese Spies Exploited Critical VMware Bug for Nearly 2 Years
• Jan. 22, 2024 - Multiple Vulnerabilities in VMware Products Could Allow for Remote Code Execution
• Jan. 21, 2024 - newsletter Round 454 by Pierluigi Paganini
• Jan. 20, 2024 - Chinese Hackers Silently Weaponized VMware Zero-Day Flaw for 2 Years

CVE-2023-42917

HIGH CVSS 8.80 EPSS Score 0.14 EPSS Percentile 49.08

CISA Known Exploited

Published: Nov. 30, 2023

A memory corruption vulnerability was addressed with improved locking. This issue is fixed in iOS 17.1.2 and iPadOS 17.1.2, macOS Sonoma 14.1.2, Safari 17.1.2. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.

Vendor Impacted: Apple

Products Impacted: Macos, Multiple Products, Safari, Iphone Os, Ipados

Quotes

• Aware of a report that this issue may have been exploited
• Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited

Headlines

• Jan. 25, 2024 - Why is the cost of cyber insurance rising?
• Jan. 23, 2024 - Apple fixes actively exploited WebKit zero-day (CVE-2024-23222)
• Jan. 23, 2024 - Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution
• Jan. 23, 2024 - CVE-2024-23222: Apple's First Zero-Day Flaw of the Year
• Jan. 23, 2024 - Apple Issues Patch for Critical Zero-Day in iPhones, Macs - Update Now
• Jan. 22, 2024 - Apple fixes first zero-day bug exploited in attacks this year

CVE-2023-7028

HIGH CVSS 7.50 EPSS Score 4.48 EPSS Percentile 91.64

Actively Exploited Remote Code Execution Public Exploits Available

Published: Jan. 12, 2024

An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.

Vendor Impacted: Gitlab

Product Impacted: Gitlab

Quotes

• Running GitLab? We are sharing instances vulnerable to CVE-2023-7028 (Account Takeover via Password Reset without user interactions) – 5379 instances found worldwide (on 2024-01-23). Top: US (964) & Germany (730)
• An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 prior to 16.5.8, 16.6 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 which allows an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace

Headlines

• Jan. 26, 2024 - CVE-2024-0402: GitLab Releases Urgent Security Patches for Critical Vulnerability
• Jan. 25, 2024 - Thousands of GitLab Instances Unpatched Against Critical Password Reset Bug
• Jan. 24, 2024 - 5379 GitLab servers vulnerable to zero-click account takeover attacks
• Jan. 24, 2024 - Over 5,300 GitLab servers exposed to zero-click account takeover attacks

CVE-2023-0669

HIGH CVSS 7.20 EPSS Score 96.82 EPSS Percentile 99.62

CISA Known Exploited Actively Exploited Remote Code Execution Used In Ransomware Public Exploits Available

Published: Feb. 6, 2023

Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. This issue was patched in version 7.1.2.

Vendor Impacted: Fortra

Products Impacted: Goanywhere Mft, Goanywhere Managed File Transfer

Quotes

• Upgrade to version 7.4.1 or higher
• An authentication bypass issue allowing invalid access to create new users
• Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal
• The easiest indicator of compromise that can be analyzed is for any new additions to the Admin Users group in the GoAnywhere administrator portal Users -> Admin Users section
• The advisory mentions that the endpoint /InitialAccountSetup.xhtml can be deleted and the service restarted to mitigate the issue. Looking through the application directories, we find that this endpoint is mapped to the com.linoma.ga.ui.admin.users.InitialAccountSetupForm class by inspecting the file GoAnywhere/adminroot/WEB-INF/forms-faces.xml

Headlines

• Jan. 24, 2024 - Fortra Discloses Critical Auth Bypass Vuln in GoAnywhere MFT
• Jan. 24, 2024 - Experts released PoC exploit for Fortra GoAnywhere MFT flaw CVE-2024-0204
• Jan. 24, 2024 - PoC exploit for easily exploitable Fortra GoAnywhere MFT vulnerability released (CVE-2024-0204)
• Jan. 24, 2024 - Exploit Code Released For Critical Fortra GoAnywhere Bug
• Jan. 24, 2024 - Patch Your GoAnywhere MFT Immediately - Critical Flaw Lets Anyone Be Admin
• Jan. 23, 2024 - Exploit released for Fortra GoAnywhere MFT auth bypass bug
• Jan. 23, 2024 - Aatch out, a new critical flaw affects Fortra GoAnywhere MFT
• Jan. 23, 2024 - Fortra warns of new critical GoAnywhere MFT auth bypass, patch now

CVE-2023-42916

MEDIUM CVSS 6.50 EPSS Score 0.13 EPSS Percentile 47.77

CISA Known Exploited

Published: Nov. 30, 2023

An out-of-bounds read was addressed with improved input validation. This issue is fixed in iOS 17.1.2 and iPadOS 17.1.2, macOS Sonoma 14.1.2, Safari 17.1.2. Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.

Vendor Impacted: Apple

Products Impacted: Macos, Multiple Products, Safari, Iphone Os, Ipados

Quotes

• Aware of a report that this issue may have been exploited
• Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited

Headlines

• Jan. 25, 2024 - Why is the cost of cyber insurance rising?
• Jan. 23, 2024 - Apple fixes actively exploited WebKit zero-day (CVE-2024-23222)
• Jan. 23, 2024 - Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution
• Jan. 23, 2024 - CVE-2024-23222: Apple's First Zero-Day Flaw of the Year
• Jan. 23, 2024 - Apple Issues Patch for Critical Zero-Day in iPhones, Macs - Update Now
• Jan. 22, 2024 - Apple fixes first zero-day bug exploited in attacks this year

CVE-2024-23222

CVSS Not Assigned EPSS Score 0.13 EPSS Percentile 48.22

CISA Known Exploited Actively Exploited

Published: Jan. 23, 2024

A type confusion issue was addressed with improved checks. This issue is fixed in tvOS 17.3, iOS 17.3 and iPadOS 17.3, macOS Sonoma 14.3, iOS 16.7.5 and iPadOS 16.7.5, Safari 17.3, macOS Ventura 13.6.4, macOS Monterey 12.7.3. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited.

Vendor Impacted: Apple

Product Impacted: Multiple Products

Quotes

• Aware of a report that this issue may have been exploited
• Is aware of a report that this issue may have been exploited
• Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited

Headlines

• Jan. 25, 2024 - Why is the cost of cyber insurance rising?
• Jan. 23, 2024 - Days After Google, Apple Reveals Exploited Zero-Day in Browser Engine
• Jan. 23, 2024 - Apple fixes actively exploited WebKit zero-day (CVE-2024-23222)
• Jan. 23, 2024 - Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution
• Jan. 23, 2024 - CVE-2024-23222: Apple's First Zero-Day Flaw of the Year
• Jan. 23, 2024 - Apple Issues Patch for Critical Zero-Day in iPhones, Macs - Update Now
• Jan. 22, 2024 - Apple patches 2024's first zero-day
• Jan. 22, 2024 - Apple fixed actively exploited zero-day CVE-2024-23222
• Jan. 22, 2024 - Apple fixes first zero-day bug exploited in attacks this year

CVE-2024-23897

CVSS Not Assigned

Actively Exploited Remote Code Execution Public Exploits Available

Published: Jan. 24, 2024

Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.

Quotes

• Jenkins uses the args4j library to parse command arguments and options on the Jenkins controller when processing CLI commands
• This allows attackers to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process
• The function checks if the argument starts with the @ character, and if so, it reads the file in the path after the @ and expands a new argument for each line

Headlines

• Jan. 26, 2024 - Watch out, experts warn of a critical flaw in Jenkins
• Jan. 26, 2024 - Breaking Down CVE-2024-23897: PoC Code Surfaces Just After Jenkins Advisory
• Jan. 25, 2024 - Critical Jenkins Vulnerability Exposes Servers to RCE Attacks - Patch ASAP!
• Jan. 25, 2024 - CVE-2024-23897 (CVSS 9.8): Critical Jenkins Security Vulnerability, RCE Possible