Updated network CVEs

patch-1
Prince Chaddha 2023-09-06 18:58:19 +05:30
parent e418b30d19
commit 1bab419ce5
14 changed files with 28 additions and 41 deletions

View File

@ -5,12 +5,12 @@ info:
author: iamthefrogy author: iamthefrogy
severity: high severity: high
description: SSHv1 is deprecated and has known cryptographic issues. description: SSHv1 is deprecated and has known cryptographic issues.
remediation: Upgrade to SSH 2.4 or later.
reference: reference:
- https://www.kb.cert.org/vuls/id/684820 - https://www.kb.cert.org/vuls/id/684820
- https://nvd.nist.gov/vuln/detail/CVE-2001-1473 - https://nvd.nist.gov/vuln/detail/CVE-2001-1473
- http://www.kb.cert.org/vuls/id/684820 - http://www.kb.cert.org/vuls/id/684820
- https://exchange.xforce.ibmcloud.com/vulnerabilities/6603 - https://exchange.xforce.ibmcloud.com/vulnerabilities/6603
remediation: Upgrade to SSH 2.4 or later.
classification: classification:
cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P
cvss-score: 7.5 cvss-score: 7.5

View File

@ -6,14 +6,14 @@ info:
severity: critical severity: critical
description: | description: |
VSFTPD v2.3.4 had a serious backdoor vulnerability allowing attackers to execute arbitrary commands on the server with root-level access. The backdoor was triggered by a specific string of characters in a user login request, which allowed attackers to execute any command they wanted. VSFTPD v2.3.4 had a serious backdoor vulnerability allowing attackers to execute arbitrary commands on the server with root-level access. The backdoor was triggered by a specific string of characters in a user login request, which allowed attackers to execute any command they wanted.
remediation: |
Update to the latest version of VSFTPD, which does not contain the backdoor.
reference: reference:
- https://www.rapid7.com/db/modules/exploit/unix/ftp/vsftpd_234_backdoor/ - https://www.rapid7.com/db/modules/exploit/unix/ftp/vsftpd_234_backdoor/
- https://www.exploit-db.com/exploits/49757 - https://www.exploit-db.com/exploits/49757
- http://packetstormsecurity.com/files/162145/vsftpd-2.3.4-Backdoor-Command-Execution.html - http://packetstormsecurity.com/files/162145/vsftpd-2.3.4-Backdoor-Command-Execution.html
- https://access.redhat.com/security/cve/cve-2011-2523 - https://access.redhat.com/security/cve/cve-2011-2523
- https://security-tracker.debian.org/tracker/CVE-2011-2523 - https://security-tracker.debian.org/tracker/CVE-2011-2523
remediation: |
Update to the latest version of VSFTPD, which does not contain the backdoor.
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8 cvss-score: 9.8
@ -22,15 +22,14 @@ info:
epss-score: 0.87236 epss-score: 0.87236
cpe: cpe:2.3:a:vsftpd_project:vsftpd:2.3.4:*:*:*:*:*:*:* cpe: cpe:2.3:a:vsftpd_project:vsftpd:2.3.4:*:*:*:*:*:*:*
metadata: metadata:
max-request: 2
verified: true verified: true
shodan-query: product:"vsftpd" max-request: 2
vendor: vsftpd_project vendor: vsftpd_project
product: vsftpd product: vsftpd
shodan-query: product:"vsftpd"
tags: cve,cve2011,network,vsftpd,ftp,backdoor tags: cve,cve2011,network,vsftpd,ftp,backdoor
variables: variables:
cmd: "cat /etc/passwd" # shows the the user and group names and numeric IDs cmd: "cat /etc/passwd" # shows the the user and group names and numeric IDs
tcp: tcp:
- host: - host:
- "{{Host}}:21" - "{{Host}}:21"

View File

@ -5,13 +5,13 @@ info:
author: pdteam author: pdteam
severity: critical severity: critical
description: ProFTPD 1.3.5 contains a remote code execution vulnerability via the mod_copy module which allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands. description: ProFTPD 1.3.5 contains a remote code execution vulnerability via the mod_copy module which allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands.
remediation: Upgrade to ProFTPD 1.3.5a / 1.3.6rc1 or later.
reference: reference:
- https://github.com/t0kx/exploit-CVE-2015-3306 - https://github.com/t0kx/exploit-CVE-2015-3306
- https://www.exploit-db.com/exploits/36803/ - https://www.exploit-db.com/exploits/36803/
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157053.html - http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157053.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157054.html - http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157054.html
- https://nvd.nist.gov/vuln/detail/CVE-2015-3306 - https://nvd.nist.gov/vuln/detail/CVE-2015-3306
remediation: Upgrade to ProFTPD 1.3.5a / 1.3.6rc1 or later.
classification: classification:
cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C
cvss-score: 10 cvss-score: 10
@ -24,7 +24,6 @@ info:
vendor: proftpd vendor: proftpd
product: proftpd product: proftpd
tags: cve,cve2015,ftp,rce,network,proftpd,edb tags: cve,cve2015,ftp,rce,network,proftpd,edb
tcp: tcp:
- host: - host:
- "{{Hostname}}" - "{{Hostname}}"

View File

@ -5,14 +5,14 @@ info:
author: pussycat0x author: pussycat0x
severity: critical severity: critical
description: HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allow remote attackers to execute arbitrary code via unspecified vectors related to lack of authentication. This vulnerability exists because of an incomplete fix for CVE-2014-2623. description: HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allow remote attackers to execute arbitrary code via unspecified vectors related to lack of authentication. This vulnerability exists because of an incomplete fix for CVE-2014-2623.
remediation: |
Upgrade to the most recent version of HP Data Protector.
reference: reference:
- https://www.exploit-db.com/exploits/39858 - https://www.exploit-db.com/exploits/39858
- https://nvd.nist.gov/vuln/detail/CVE-2016-2004 - https://nvd.nist.gov/vuln/detail/CVE-2016-2004
- http://www.kb.cert.org/vuls/id/267328 - http://www.kb.cert.org/vuls/id/267328
- https://www.exploit-db.com/exploits/39858/ - https://www.exploit-db.com/exploits/39858/
- http://packetstormsecurity.com/files/137199/HP-Data-Protector-A.09.00-Command-Execution.html - http://packetstormsecurity.com/files/137199/HP-Data-Protector-A.09.00-Command-Execution.html
remediation: |
Upgrade to the most recent version of HP Data Protector.
classification: classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8 cvss-score: 9.8
@ -25,7 +25,6 @@ info:
vendor: hp vendor: hp
product: data_protector product: data_protector
tags: cve,cve2016,network,iot,hp,rce,edb tags: cve,cve2016,network,iot,hp,rce,edb
tcp: tcp:
- host: - host:
- "{{Hostname}}" - "{{Hostname}}"

View File

@ -6,13 +6,13 @@ info:
severity: critical severity: critical
description: | description: |
A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges. The Cluster Management Protocol utilizes Telnet internally as a signaling and command protocol between cluster members. The vulnerability is due to the combination of two factors: (1) the failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device; and (2) the incorrect processing of malformed CMP-specific Telnet options. An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device. This affects Catalyst switches, Embedded Service 2020 switches, Enhanced Layer 2 EtherSwitch Service Module, Enhanced Layer 2/3 EtherSwitch Service Module, Gigabit Ethernet Switch Module (CGESM) for HP, IE Industrial Ethernet switches, ME 4924-10GE switch, RF Gateway 10, and SM-X Layer 2/3 EtherSwitch Service Module. Cisco Bug IDs: CSCvd48893. A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges. The Cluster Management Protocol utilizes Telnet internally as a signaling and command protocol between cluster members. The vulnerability is due to the combination of two factors: (1) the failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device; and (2) the incorrect processing of malformed CMP-specific Telnet options. An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device. This affects Catalyst switches, Embedded Service 2020 switches, Enhanced Layer 2 EtherSwitch Service Module, Enhanced Layer 2/3 EtherSwitch Service Module, Gigabit Ethernet Switch Module (CGESM) for HP, IE Industrial Ethernet switches, ME 4924-10GE switch, RF Gateway 10, and SM-X Layer 2/3 EtherSwitch Service Module. Cisco Bug IDs: CSCvd48893.
remediation: Deactivate a telnet connection or employ Access Control Lists (ACLs) to limit access.
reference: reference:
- https://github.com/artkond/cisco-rce - https://github.com/artkond/cisco-rce
- https://artkond.com/2017/04/10/cisco-catalyst-remote-code-execution/ - https://artkond.com/2017/04/10/cisco-catalyst-remote-code-execution/
- https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/dos/cisco/ios_telnet_rocem.md - https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/dos/cisco/ios_telnet_rocem.md
- https://nvd.nist.gov/vuln/detail/CVE-2017-3881 - https://nvd.nist.gov/vuln/detail/CVE-2017-3881
- http://www.securitytracker.com/id/1038059 - http://www.securitytracker.com/id/1038059
remediation: Deactivate a telnet connection or employ Access Control Lists (ACLs) to limit access.
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8 cvss-score: 9.8
@ -25,7 +25,6 @@ info:
vendor: cisco vendor: cisco
product: ios product: ios
tags: cve,cve2017,cisco,rce,network,kev,msf tags: cve,cve2017,cisco,rce,network,kev,msf
tcp: tcp:
- host: - host:
- "{{Hostname}}" - "{{Hostname}}"

View File

@ -6,14 +6,14 @@ info:
severity: critical severity: critical
description: | description: |
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code. In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
remediation: |
Consider updating to Log4j 2.15.0 or a newer version, deactivating JNDI lookups, or implementing a Java Agent to safeguard against potentially harmful JNDI lookups.
reference: reference:
- https://github.com/vulhub/vulhub/tree/master/log4j/CVE-2017-5645 - https://github.com/vulhub/vulhub/tree/master/log4j/CVE-2017-5645
- https://nvd.nist.gov/vuln/detail/CVE-2017-5645 - https://nvd.nist.gov/vuln/detail/CVE-2017-5645
- http://www.openwall.com/lists/oss-security/2019/12/19/2 - http://www.openwall.com/lists/oss-security/2019/12/19/2
- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html - http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html - http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
remediation: |
Consider updating to Log4j 2.15.0 or a newer version, deactivating JNDI lookups, or implementing a Java Agent to safeguard against potentially harmful JNDI lookups.
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8 cvss-score: 9.8
@ -26,10 +26,8 @@ info:
vendor: apache vendor: apache
product: log4j product: log4j
tags: cve,cve2017,vulhub,network,apache,log4j,rce,deserialization,oast, tags: cve,cve2017,vulhub,network,apache,log4j,rce,deserialization,oast,
variables: variables:
end: "\r\n" end: "\r\n"
tcp: tcp:
- host: - host:
- "{{Hostname}}" - "{{Hostname}}"

View File

@ -6,13 +6,13 @@ info:
severity: critical severity: critical
description: | description: |
The Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services) versions 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3 contains an easily exploitable vulnerability that allows unauthenticated attackers with network access via T3 to compromise Oracle WebLogic Server. The Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services) versions 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3 contains an easily exploitable vulnerability that allows unauthenticated attackers with network access via T3 to compromise Oracle WebLogic Server.
remediation: Install the suitable patch as per the Oracle Critical Patch Update advisory
reference: reference:
- https://www.nc-lp.com/blog/weaponize-oracle-weblogic-server-poc-cve-2018-2628 - https://www.nc-lp.com/blog/weaponize-oracle-weblogic-server-poc-cve-2018-2628
- https://nvd.nist.gov/vuln/detail/CVE-2018-2628 - https://nvd.nist.gov/vuln/detail/CVE-2018-2628
- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html - http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
- http://web.archive.org/web/20211207132829/https://securitytracker.com/id/1040696 - http://web.archive.org/web/20211207132829/https://securitytracker.com/id/1040696
- http://www.securitytracker.com/id/1040696 - http://www.securitytracker.com/id/1040696
remediation: Install the suitable patch as per the Oracle Critical Patch Update advisory
classification: classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8 cvss-score: 9.8
@ -25,7 +25,6 @@ info:
vendor: oracle vendor: oracle
product: weblogic_server product: weblogic_server
tags: cve,cve2018,oracle,weblogic,network,deserialization,kev tags: cve,cve2018,oracle,weblogic,network,deserialization,kev
tcp: tcp:
- host: - host:
- "{{Hostname}}" - "{{Hostname}}"

View File

@ -5,13 +5,13 @@ info:
author: milo2012 author: milo2012
severity: critical severity: critical
description: When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations. description: When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.
remediation: https://access.redhat.com/solutions/4851251
reference: reference:
- https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487 - https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487
- https://nvd.nist.gov/vuln/detail/CVE-2020-1938 - https://nvd.nist.gov/vuln/detail/CVE-2020-1938
- https://lists.apache.org/thread.html/r7c6f492fbd39af34a68681dbbba0468490ff1a97a1bd79c6a53610ef%40%3Cannounce.tomcat.apache.org%3E - https://lists.apache.org/thread.html/r7c6f492fbd39af34a68681dbbba0468490ff1a97a1bd79c6a53610ef%40%3Cannounce.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r75113652e46c4dee687236510649acfb70d2c63e074152049c3f399d@%3Cnotifications.ofbiz.apache.org%3E - https://lists.apache.org/thread.html/r75113652e46c4dee687236510649acfb70d2c63e074152049c3f399d@%3Cnotifications.ofbiz.apache.org%3E
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html - http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html
remediation: https://access.redhat.com/solutions/4851251
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8 cvss-score: 9.8
@ -21,11 +21,10 @@ info:
cpe: cpe:2.3:a:apache:geode:1.12.0:*:*:*:*:*:*:* cpe: cpe:2.3:a:apache:geode:1.12.0:*:*:*:*:*:*:*
metadata: metadata:
max-request: 4 max-request: 4
shodan-query: title:"Apache Tomcat"
vendor: apache vendor: apache
product: geode product: geode
shodan-query: title:"Apache Tomcat"
tags: cve,cve2020,kev,tenable,apache,lfi,network,tomcat tags: cve,cve2020,kev,tenable,apache,lfi,network,tomcat
tcp: tcp:
- host: - host:
- "{{Hostname}}" - "{{Hostname}}"

View File

@ -6,13 +6,13 @@ info:
severity: critical severity: critical
description: | description: |
OpenSMTPD versions 6.4.0 - 6.6.1 are susceptible to remote code execution. smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation. OpenSMTPD versions 6.4.0 - 6.6.1 are susceptible to remote code execution. smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.
remediation: OpenBSD users are recommended to install patches for OpenBSD 6.6
reference: reference:
- https://www.openwall.com/lists/oss-security/2020/01/28/3 - https://www.openwall.com/lists/oss-security/2020/01/28/3
- https://nvd.nist.gov/vuln/detail/CVE-2020-7247 - https://nvd.nist.gov/vuln/detail/CVE-2020-7247
- https://github.com/openbsd/src/commit/9dcfda045474d8903224d175907bfc29761dcb45 - https://github.com/openbsd/src/commit/9dcfda045474d8903224d175907bfc29761dcb45
- http://www.openwall.com/lists/oss-security/2020/01/28/3 - http://www.openwall.com/lists/oss-security/2020/01/28/3
- http://packetstormsecurity.com/files/156145/OpenSMTPD-6.6.2-Remote-Code-Execution.html - http://packetstormsecurity.com/files/156145/OpenSMTPD-6.6.2-Remote-Code-Execution.html
remediation: OpenBSD users are recommended to install patches for OpenBSD 6.6
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8 cvss-score: 9.8

View File

@ -5,6 +5,7 @@ info:
author: Y4er author: Y4er
severity: critical severity: critical
description: 'When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE.' description: 'When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE.'
remediation: 3.0.x users should upgrade to 3.0.26, 3.11.x users should upgrade to 3.11.12, 4.0.x users should upgrade to 4.0.2
reference: reference:
- https://y4er.com/post/cve-2021-44521-apache-cassandra-udf-rce/ - https://y4er.com/post/cve-2021-44521-apache-cassandra-udf-rce/
- https://nvd.nist.gov/vuln/detail/CVE-2021-44521 - https://nvd.nist.gov/vuln/detail/CVE-2021-44521
@ -12,7 +13,6 @@ info:
- https://lists.apache.org/thread/y4nb9s4co34j8hdfmrshyl09lokm7356 - https://lists.apache.org/thread/y4nb9s4co34j8hdfmrshyl09lokm7356
- http://www.openwall.com/lists/oss-security/2022/02/11/4 - http://www.openwall.com/lists/oss-security/2022/02/11/4
- https://thesecmaster.com/how-to-fix-apache-cassandra-rce-vulnerability-cve-2021-44521/ - https://thesecmaster.com/how-to-fix-apache-cassandra-rce-vulnerability-cve-2021-44521/
remediation: 3.0.x users should upgrade to 3.0.26, 3.11.x users should upgrade to 3.11.12, 4.0.x users should upgrade to 4.0.2
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
cvss-score: 9.1 cvss-score: 9.1

View File

@ -9,13 +9,13 @@ info:
vulnerability was introduced by Debian and Ubuntu Redis packages that vulnerability was introduced by Debian and Ubuntu Redis packages that
insufficiently sanitized the Lua environment. The maintainers failed to insufficiently sanitized the Lua environment. The maintainers failed to
disable the package interface, allowing attackers to load arbitrary libraries. disable the package interface, allowing attackers to load arbitrary libraries.
remediation: Update to the most recent versions currently available.
reference: reference:
- https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce - https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce
- https://attackerkb.com/topics/wyA1c1HIC8/cve-2022-0543/rapid7-analysis#rapid7-analysis - https://attackerkb.com/topics/wyA1c1HIC8/cve-2022-0543/rapid7-analysis#rapid7-analysis
- https://bugs.debian.org/1005787 - https://bugs.debian.org/1005787
- https://www.debian.org/security/2022/dsa-5081 - https://www.debian.org/security/2022/dsa-5081
- https://lists.debian.org/debian-security-announce/2022/msg00048.html - https://lists.debian.org/debian-security-announce/2022/msg00048.html
remediation: Update to the most recent versions currently available.
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10 cvss-score: 10
@ -24,11 +24,10 @@ info:
cpe: cpe:2.3:a:redis:redis:-:*:*:*:*:*:*:* cpe: cpe:2.3:a:redis:redis:-:*:*:*:*:*:*:*
metadata: metadata:
max-request: 4 max-request: 4
shodan-query: redis_version
vendor: redis vendor: redis
product: redis product: redis
shodan-query: redis_version
tags: cve,cve2022,network,redis,unauth,rce,kev tags: cve,cve2022,network,redis,unauth,rce,kev
tcp: tcp:
- host: - host:
- "{{Hostname}}" - "{{Hostname}}"

View File

@ -6,14 +6,14 @@ info:
severity: critical severity: critical
description: | description: |
In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges.
remediation: |
Upgrade to versions 3.2.2 or newer. Starting from CouchDB 3.2.2, the previous default Erlang cookie value "monster" will be rejected upon startup. Upgraded installations will be required to select an alternative value.
reference: reference:
- https://www.exploit-db.com/exploits/50914 - https://www.exploit-db.com/exploits/50914
- https://github.com/sadshade/CVE-2022-24706-CouchDB-Exploit/blob/main/CVE-2022-24706-Exploit.py - https://github.com/sadshade/CVE-2022-24706-CouchDB-Exploit/blob/main/CVE-2022-24706-Exploit.py
- https://nvd.nist.gov/vuln/detail/CVE-2022-24706 - https://nvd.nist.gov/vuln/detail/CVE-2022-24706
- http://www.openwall.com/lists/oss-security/2022/04/26/1 - http://www.openwall.com/lists/oss-security/2022/04/26/1
- http://www.openwall.com/lists/oss-security/2022/05/09/1 - http://www.openwall.com/lists/oss-security/2022/05/09/1
remediation: |
Upgrade to versions 3.2.2 or newer. Starting from CouchDB 3.2.2, the previous default Erlang cookie value "monster" will be rejected upon startup. Upgraded installations will be required to select an alternative value.
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8 cvss-score: 9.8
@ -22,19 +22,17 @@ info:
epss-score: 0.97407 epss-score: 0.97407
cpe: cpe:2.3:a:apache:couchdb:*:*:*:*:*:*:*:* cpe: cpe:2.3:a:apache:couchdb:*:*:*:*:*:*:*:*
metadata: metadata:
max-request: 2
shodan-query: product:"CouchDB"
verified: "true" verified: "true"
max-request: 2
vendor: apache vendor: apache
product: couchdb product: couchdb
shodan-query: product:"CouchDB"
tags: cve,cve2022,network,couch,rce,kev tags: cve,cve2022,network,couch,rce,kev
variables: variables:
name_msg: "00156e00050007499c4141414141414041414141414141" name_msg: "00156e00050007499c4141414141414041414141414141"
challenge_reply: "00157201020304" challenge_reply: "00157201020304"
cookie: "monster" cookie: "monster"
cmd: "0000006670836804610667770e41414141414140414141414141410000000300000000007700770372657883680267770e41414141414140414141414141410000000300000000006805770463616c6c77026f737703636d646c000000016b000269646a770475736572" cmd: "0000006670836804610667770e41414141414140414141414141410000000300000000007700770372657883680267770e41414141414140414141414141410000000300000000006805770463616c6c77026f737703636d646c000000016b000269646a770475736572"
tcp: tcp:
- host: - host:
- "{{Hostname}}" - "{{Hostname}}"

View File

@ -6,13 +6,13 @@ info:
severity: high severity: high
description: | description: |
muhttpd 1.1.5 and before are vulnerable to unauthenticated local file inclusion. The vulnerability allows retrieval of files from the file system. muhttpd 1.1.5 and before are vulnerable to unauthenticated local file inclusion. The vulnerability allows retrieval of files from the file system.
remediation: Update the application to version 1.10
reference: reference:
- https://derekabdine.com/blog/2022-arris-advisory.html - https://derekabdine.com/blog/2022-arris-advisory.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-31793 - https://nvd.nist.gov/vuln/detail/CVE-2022-31793
- https://derekabdine.com/blog/2022-arris-advisory - https://derekabdine.com/blog/2022-arris-advisory
- https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/08/millions-of-arris-routers-are-vulnerable-to-path-traversal-attacks/ - https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/08/millions-of-arris-routers-are-vulnerable-to-path-traversal-attacks/
- http://inglorion.net/software/muhttpd/ - http://inglorion.net/software/muhttpd/
remediation: Update the application to version 1.10
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5 cvss-score: 7.5
@ -21,12 +21,11 @@ info:
epss-score: 0.25931 epss-score: 0.25931
cpe: cpe:2.3:a:inglorion:muhttpd:*:*:*:*:*:*:*:* cpe: cpe:2.3:a:inglorion:muhttpd:*:*:*:*:*:*:*:*
metadata: metadata:
max-request: 1
verified: true verified: true
max-request: 1
vendor: inglorion vendor: inglorion
product: muhttpd product: muhttpd
tags: cve,cve2022,network,muhttpd,lfi,unauth tags: cve,cve2022,network,muhttpd,lfi,unauth
tcp: tcp:
- host: - host:
- "{{Hostname}}" - "{{Hostname}}"

View File

@ -6,13 +6,13 @@ info:
severity: critical severity: critical
description: | description: |
For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution. Several components of RocketMQ, including NameServer, Broker, and Controller, are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content. To prevent these attacks, users are recommended to upgrade to version 5.1.1 or above for using RocketMQ 5.x or 4.9.6 or above for using RocketMQ 4.x . For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution. Several components of RocketMQ, including NameServer, Broker, and Controller, are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content. To prevent these attacks, users are recommended to upgrade to version 5.1.1 or above for using RocketMQ 5.x or 4.9.6 or above for using RocketMQ 4.x .
remediation: Update the RocketMQ application to version 5.1.1
reference: reference:
- https://nvd.nist.gov/vuln/detail/CVE-2023-33246 - https://nvd.nist.gov/vuln/detail/CVE-2023-33246
- https://github.com/I5N0rth/CVE-2023-33246 - https://github.com/I5N0rth/CVE-2023-33246
- http://packetstormsecurity.com/files/173339/Apache-RocketMQ-5.1.0-Arbitrary-Code-Injection.html - http://packetstormsecurity.com/files/173339/Apache-RocketMQ-5.1.0-Arbitrary-Code-Injection.html
- http://www.openwall.com/lists/oss-security/2023/07/12/1 - http://www.openwall.com/lists/oss-security/2023/07/12/1
- https://lists.apache.org/thread/1s8j2c8kogthtpv3060yddk03zq0pxyp - https://lists.apache.org/thread/1s8j2c8kogthtpv3060yddk03zq0pxyp
remediation: Update the RocketMQ application to version 5.1.1
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8 cvss-score: 9.8
@ -21,14 +21,13 @@ info:
epss-score: 0.95581 epss-score: 0.95581
cpe: cpe:2.3:a:apache:rocketmq:*:*:*:*:*:*:*:* cpe: cpe:2.3:a:apache:rocketmq:*:*:*:*:*:*:*:*
metadata: metadata:
fofa-query: protocol="rocketmq"
max-request: 2
shodan-query: title:"RocketMQ"
verified: true verified: true
max-request: 2
vendor: apache vendor: apache
product: rocketmq product: rocketmq
shodan-query: title:"RocketMQ"
fofa-query: protocol="rocketmq"
tags: cve,cve2023,rocketmq,rce,oast,intrusive,network tags: cve,cve2023,rocketmq,rce,oast,intrusive,network
variables: variables:
part_a: '{{ hex_decode ("000000d2000000607b22636f6465223a32352c22666c6167223a302c226c616e6775616765223a224a415641222c226f7061717565223a302c2273657269616c697a655479706543757272656e74525043223a224a534f4e222c2276657273696f6e223a3339357d66696c7465725365727665724e756d733d310a726f636b65746d71486f6d653d2d632024407c7368202e206563686f206375726c20") }}' part_a: '{{ hex_decode ("000000d2000000607b22636f6465223a32352c22666c6167223a302c226c616e6775616765223a224a415641222c226f7061717565223a302c2273657269616c697a655479706543757272656e74525043223a224a534f4e222c2276657273696f6e223a3339357d66696c7465725365727665724e756d733d310a726f636b65746d71486f6d653d2d632024407c7368202e206563686f206375726c20") }}'
part_b: '{{ hex_decode("3b0a") }}' part_b: '{{ hex_decode("3b0a") }}'