VULNERA Pulse

GeoSolutionsGroup — JAI-EXT

CVE-2022-24816 / Added: June 26, 2024

CRITICAL CVSS 9.80 EPSS Score 82.17 EPSS Percentile 98.42

GeoSolutionsGroup JAI-EXT, a component of GeoSolutions GeoServer, contains a code injection vulnerability that, when programs use jt-jiffle and allow Jiffle script to be provided via network request, could allow remote code execution.

Back to top ↑

Linux — Kernel

CVE-2022-2586 / Added: June 26, 2024

HIGH CVSS 7.80 EPSS Score 0.04 EPSS Percentile 10.18

Linux Kernel contains a use-after-free vulnerability in the nft_object, allowing local attackers to escalate privileges.

Headlines

• June 24, 2024 - ExCobalt Cybercrime group targets Russian organizations in multiple sectors
• June 22, 2024 - ExCobalt Cyber Gang Targets Russian Sectors with New GoRed Backdoor

Back to top ↑

Roundcube — Webmail

CVE-2020-13965 / Added: June 26, 2024

MEDIUM CVSS 6.10 EPSS Score 0.34 EPSS Percentile 71.70

Roundcube Webmail contains a cross-site scripting (XSS) vulnerability that allows a remote attacker to manipulate data via a malicious XML attachment.

Back to top ↑

CVE-2024-29973

CRITICAL CVSS 9.80 EPSS Score 93.66 EPSS Percentile 99.13

Actively Exploited Public Exploits Available

Published: June 4, 2024

** UNSUPPORTED WHEN ASSIGNED ** The command injection vulnerability in the “setCookie” parameter in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.

Quotes

• Exactly the same code base as the original

Headlines

• June 25, 2024 - Mirai-like botnet is exploiting recently disclosed Zyxel NAS flaw
• June 24, 2024 - 'Mirai-like' botnet observed attacking EOL Zyxel NAS devices
• June 24, 2024 - Zyxel NAS Devices Under Attack: CVE-2024-29973 Exploitation Attempts by Mirai-Like Botnet

CVE-2024-5806

CRITICAL CVSS 9.10 EPSS Score 0.04 EPSS Percentile 9.08

Actively Exploited Remote Code Execution Public Exploits Available

Published: June 25, 2024

Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass.This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, from 2024.0.0 before 2024.0.2.

Quotes

• Can lead to authentication bypass in limited scenarios
• Improper authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass
• Upgrading to a patched release, using the full installer, is the only way to remediate this issue. There will be an outage to the system while the upgrade is running
• We attempted to verify this by building the IPWorks SSH samples, and found that they do, indeed, allow us to cause a forced SMB authentication, permitting us to use Responder to crack the resultant hashes

Headlines

• June 26, 2024 - New MOVEit Transfer Vulnerability Under Active Exploitation - Patch ASAP!
• June 26, 2024 - Hackers target new MOVEit Transfer critical auth bypass bug
• June 26, 2024 - Progress tells users to patch new MOVEit auth-bypass bugs
• June 26, 2024 - CVE-2024-5806: MOVEit Transfer Vulnerability Under Active Exploit, PoC Published
• June 25, 2024 - Fresh MOVEit Bug Under Attack Mere Hours After Disclosure
• June 25, 2024 - Progress quietly fixes MOVEit auth bypass flaws (CVE-2024-5805, CVE-2024-5806)
• June 25, 2024 - Multiple Vulnerabilities in Progress MOVEit Products Could Allow for Authentication Bypass

CVE-2024-21887

CRITICAL CVSS 9.10 EPSS Score 96.85 EPSS Percentile 99.71

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Jan. 12, 2024

A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

Vendor Impacted: Ivanti

Products Impacted: Connect Secure, Policy Secure, Connect Secure And Policy Secure

Quotes

• On January 26, CISA identified potentially malicious activity affecting the CSAT Ivanti Connect Secure appliance
• Improper authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass
• CISA is notifying all impacted participants in the CFATS program out of an abundance of caution that this information could have been inappropriately accessed
• The impact was limited to two systems, which we immediately took offline. We continue to upgrade and modernize our systems, and there is no operational impact at this time
• Using cloud servers for command and control (C2) operations ensures persistent communication with compromised devices, making it harder for defenders to disrupt an attack. This shift to cloud-based operations marks a significant evolution in the threat landscape
• While CISA's investigation found no evidence of exfiltration of data, this may have resulted in the potential unauthorized access of Top-Screen surveys, Security Vulnerability Assessments, Site Security Plans, Personnel Surety Program submissions, and CSAT user accounts

Headlines

• June 26, 2024 - New MOVEit Transfer Vulnerability Under Active Exploitation - Patch ASAP!
• June 26, 2024 - Cyber Attackers Turn to Cloud Services to Deploy Malware
• June 25, 2024 - Threat Actor May Have Accessed Sensitive Info on CISA Chemical App
• June 25, 2024 - CISA's high-risk chemical facility data portal breached
• June 25, 2024 - CISA confirmed that CSAT environment was breached in January
• June 24, 2024 - Chemical facilities warned of possible data theft in CISA CSAT breach

CVE-2024-5805

CRITICAL CVSS 9.10 EPSS Score 0.04 EPSS Percentile 9.08

Risk Context N/A

Published: June 25, 2024

Improper Authentication vulnerability in Progress MOVEit Gateway (SFTP modules) allows Authentication Bypass.This issue affects MOVEit Gateway: 2024.0.0.

Quotes

• Improper authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass
• Upgrading to a patched release, using the full installer, is the only way to remediate this issue. There will be an outage to the system while the upgrade is running
• We attempted to verify this by building the IPWorks SSH samples, and found that they do, indeed, allow us to cause a forced SMB authentication, permitting us to use Responder to crack the resultant hashes

Headlines

• June 26, 2024 - New MOVEit Transfer Vulnerability Under Active Exploitation - Patch ASAP!
• June 26, 2024 - Hackers target new MOVEit Transfer critical auth bypass bug
• June 26, 2024 - Progress tells users to patch new MOVEit auth-bypass bugs
• June 26, 2024 - CVE-2024-5805: Critical SFTP Authentication Bypass Vulnerability in MOVEit Gateway
• June 25, 2024 - Progress quietly fixes MOVEit auth bypass flaws (CVE-2024-5805, CVE-2024-5806)

CVE-2024-21893

HIGH CVSS 8.20 EPSS Score 96.14 EPSS Percentile 99.52

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Jan. 31, 2024

A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.

Vendor Impacted: Ivanti

Products Impacted: Connect Secure, Policy Secure, Neurons For Zero-Trust Access, Connect Secure, Policy Secure, And Neurons

Quotes

• On January 26, CISA identified potentially malicious activity affecting the CSAT Ivanti Connect Secure appliance
• Improper authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass
• CISA is notifying all impacted participants in the CFATS program out of an abundance of caution that this information could have been inappropriately accessed
• The impact was limited to two systems, which we immediately took offline. We continue to upgrade and modernize our systems, and there is no operational impact at this time
• While CISA's investigation found no evidence of exfiltration of data, this may have resulted in the potential unauthorized access of Top-Screen surveys, Security Vulnerability Assessments, Site Security Plans, Personnel Surety Program submissions, and CSAT user accounts

Headlines

• June 26, 2024 - New MOVEit Transfer Vulnerability Under Active Exploitation - Patch ASAP!
• June 25, 2024 - Threat Actor May Have Accessed Sensitive Info on CISA Chemical App
• June 25, 2024 - CISA's high-risk chemical facility data portal breached
• June 25, 2024 - CISA confirmed that CSAT environment was breached in January
• June 24, 2024 - Chemical facilities warned of possible data theft in CISA CSAT breach

CVE-2023-46805

HIGH CVSS 8.20 EPSS Score 95.87 EPSS Percentile 99.47

CISA Known Exploited Remote Code Execution Public Exploits Available

Published: Jan. 12, 2024

An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

Vendor Impacted: Ivanti

Products Impacted: Connect Secure, Policy Secure, Connect Secure And Policy Secure

Quotes

• On January 26, CISA identified potentially malicious activity affecting the CSAT Ivanti Connect Secure appliance
• Improper authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass
• CISA is notifying all impacted participants in the CFATS program out of an abundance of caution that this information could have been inappropriately accessed
• The impact was limited to two systems, which we immediately took offline. We continue to upgrade and modernize our systems, and there is no operational impact at this time
• While CISA's investigation found no evidence of exfiltration of data, this may have resulted in the potential unauthorized access of Top-Screen surveys, Security Vulnerability Assessments, Site Security Plans, Personnel Surety Program submissions, and CSAT user accounts

Headlines

• June 26, 2024 - New MOVEit Transfer Vulnerability Under Active Exploitation - Patch ASAP!
• June 25, 2024 - Threat Actor May Have Accessed Sensitive Info on CISA Chemical App
• June 25, 2024 - CISA's high-risk chemical facility data portal breached
• June 25, 2024 - CISA confirmed that CSAT environment was breached in January
• June 24, 2024 - Chemical facilities warned of possible data theft in CISA CSAT breach

CVE-2021-4034

HIGH CVSS 7.80 EPSS Score 0.05 EPSS Percentile 17.16

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Jan. 28, 2022

A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine.

Vendors Impacted: Starwindsoftware, Suse, Polkit Project, Canonical, Red Hat, Redhat, Siemens, Oracle

Products Impacted: Enterprise Linux Server Tus, Enterprise Linux Server Update Services For Sap Solutions, Starwind Hyperconverged Appliance, Linux Enterprise Workstation Extension, Command Center, Enterprise Linux For Scientific Computing, Starwind Virtual San, Zfs Storage Appliance Kit, Linux Enterprise Server, Enterprise Linux Workstation, Enterprise Linux Server, Enterprise Linux For Ibm Z Systems, Enterprise Linux For Power Little Endian, Enterprise Linux For Power Little Endian Eus, Linux Enterprise Desktop, Scalance Lpe9403, Sinumerik Edge, Scalance Lpe9403 Firmware, Enterprise Linux Eus, Enterprise Storage, Enterprise Linux Server Aus, Enterprise Linux Server Eus, Manager Proxy, Enterprise Linux For Ibm Z Systems Eus, Linux Enterprise High Performance Computing, Manager Server, Polkit, Ubuntu Linux, Enterprise Linux Desktop, Enterprise Linux, Enterprise Linux For Power Big Endian, Http Server

Quotes

• ExCobalt focuses on cyber espionage and includes several members active since at least 2016 and presumably once part of the notorious Cobalt Gang
• ExCobalt continues to demonstrate a high level of activity and determination in attacking Russian companies, constantly adding new tools to its arsenal and improving its techniques. Not only is it developing new attack methods, but it’s also actively improving its existing tools, such as the GoRed backdoor

Headlines

• June 24, 2024 - ExCobalt Cybercrime group targets Russian organizations in multiple sectors
• June 22, 2024 - ExCobalt Cyber Gang Targets Russian Sectors with New GoRed Backdoor

CVE-2021-3156

HIGH CVSS 7.80 EPSS Score 96.95 EPSS Percentile 99.74

CISA Known Exploited Public Exploits Available

Published: Jan. 26, 2021

Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.

Vendors Impacted: Mcafee, Netapp, Synology, Fedoraproject, Beyondtrust, Debian, Sudo, Oracle, Sudo Project

Products Impacted: Web Gateway, Debian Linux, Diskstation Manager Unified Controller, Oncommand Unified Manager Core Package, Micros Compact Workstation 3, Micros Workstation 5a Firmware, Communications Performance Intelligence Center, Micros Compact Workstation 3 Firmware, Privilege Management For Mac, Vs960hd Firmware, Diskstation Manager, Micros Workstation 5a, Micros Workstation 6, Micros Workstation 6 Firmware, Micros Es400 Firmware, Micros Es400, Solidfire, Hci Management Node, Skynas, Vs960hd, Micros Kitchen Display System Firmware, Skynas Firmware, Tekelec Platform Distribution, Privilege Management For Unix\/linux, Fedora, Micros Kitchen Display System, Sudo

Quotes

• ExCobalt focuses on cyber espionage and includes several members active since at least 2016 and presumably once part of the notorious Cobalt Gang
• ExCobalt continues to demonstrate a high level of activity and determination in attacking Russian companies, constantly adding new tools to its arsenal and improving its techniques. Not only is it developing new attack methods, but it’s also actively improving its existing tools, such as the GoRed backdoor

Headlines

• June 24, 2024 - ExCobalt Cybercrime group targets Russian organizations in multiple sectors
• June 22, 2024 - ExCobalt Cyber Gang Targets Russian Sectors with New GoRed Backdoor

CVE-2019-13272

HIGH CVSS 7.80 EPSS Score 0.05 EPSS Percentile 20.45

CISA Known Exploited Public Exploits Available

Published: July 17, 2019

In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper with PTRACE_TRACEME. NOTE: SELinux deny_ptrace might be a usable workaround in some environments.

Vendors Impacted: Linux, Canonical, Netapp, Redhat, Fedoraproject, Debian

Products Impacted: Enterprise Linux For Real Time, H610s Firmware, Active Iq Unified Manager, Debian Linux, Steelstore Cloud Integrated Storage, Hci Compute Node, Aff A700s Firmware, E-Series Performance Analyzer, H410c Firmware, Service Processor, Solidfire, Hci Management Node, Aff A700s, H610s, H410c, Linux Kernel, Kernel, E-Series Santricity Os Controller, Ubuntu Linux, Fedora, Enterprise Linux

Quotes

• ExCobalt focuses on cyber espionage and includes several members active since at least 2016 and presumably once part of the notorious Cobalt Gang
• ExCobalt continues to demonstrate a high level of activity and determination in attacking Russian companies, constantly adding new tools to its arsenal and improving its techniques. Not only is it developing new attack methods, but it’s also actively improving its existing tools, such as the GoRed backdoor

Headlines

• June 24, 2024 - ExCobalt Cybercrime group targets Russian organizations in multiple sectors
• June 22, 2024 - ExCobalt Cyber Gang Targets Russian Sectors with New GoRed Backdoor

CVE-2024-37032

CVSS Not Assigned

Remote Code Execution Public Exploits Available

Published: May 31, 2024

Ollama before 0.1.34 does not validate the format of the digest (sha256 with 64 hex digits) when getting the model path, and thus mishandles the TestGetBlobsPath test cases such as fewer than 64 hex digits, more than 64 hex digits, or an initial ../ substring.

Quotes

• This issue is extremely severe in Docker installations, as the server runs with `root` privileges and listens on `0.0.0.0` by default – which enables remote exploitation of this vulnerability
• What we found is that when pulling a model from a private registry (by querying the http://[victim]:11434/api/pull API endpoint), it is possible to supply a malicious manifest file that contains a path traversal payload in the digest field

Headlines

• June 24, 2024 - Patch now: 'Easy-to-exploit' RCE in open source Ollama
• June 24, 2024 - Critical RCE Vulnerability Discovered in Ollama AI Infrastructure Tool