What Happened Over the Week: CVEs Edition

Hello, hello cyber-securiters. This is a special edition for CVEs. You need lots of updates this week, and a LinkedIn post is not enough for these CVEs.

Here is a catch-up for you. Let's start.


CVE-2024-25737 & CVE-2024-25738: VuFind Libraries Critical Vulnerabilities

VuFind, the widely used open-source library discovery platform, has issued an urgent security advisory, disclosing two critical vulnerabilities that could expose libraries and their users to serious risks. The vulnerabilities are both rated with a high CVSS score of 9.1.

- CVE-2024-25737: Server-Side Request Forgery (SSRF)

- CVE-2024-25738: Server-Side Request Forgery (SSRF) leading to Remote Code Execution (RCE) in version 9.1


macOS Under Threat: PoC Exploit for CVE-2024-27842 Allows Kernel-Level Code Execution

Security researcher Wang Tielei published proof-of-concept (PoC) exploit code for a significant privilege escalation vulnerability (CVE-2024-27842) in macOS. While the vulnerability has been patched by Apple, the release of this PoC code underscores the importance of immediate updates and vigilance.


In addition to CVE-2024-27842, Wang Tielei has also released a PoC exploit for CVE-2023-40404, another privilege escalation vulnerability in macOS Sonoma.


WinRAR Vulnerability Allows Deceptive File Listings and Potential Denial-of-Service Attacks

A critical vulnerability has been discovered in the popular file compression software WinRAR, allowing cyber attackers to deceive users or even cause system crashes.

This flaw, affecting the console versions of RAR and UnRAR, is tracked as CVE-2024-33899 for Linux and Unix systems and CVE-2024-36052 for Windows systems.


New DNS DoS Attack "DNSBomb" Threatens Internet Infrastructure

Cybersecurity researchers have unveiled a new and potent Denial of Service (DoS) attack, dubbed “DNSBomb.” This attack leverages the inherent mechanisms of the Domain Name System (DNS) to create a powerful pulsing DoS attack that poses a significant threat to internet infrastructure.

10 CVE-IDs have been assigned to address the vulnerabilities exploited by DNSBomb:

  • Industry-wide: CVE-2024-33655
  • Knot: CVE-2023-49206
  • Simple DNS Plus: CVE-2023-49205
  • Technitium: CVE-2023-28456, CVE-2023-49203
  • MaraDNS: CVE-2023-49204
  • Dnsmasq: CVE-2023-28450, CVE-2023-49207
  • CoreDNS: CVE-2023-28454, CVE-2023-49202
  • SDNS: CVE-2023-49201


CVE-2024-21683: Atlassian Patches RCE Flaw in Confluence Data Center and Server

Atlassian has urgently addressed a remote code execution (RCE) vulnerability in its Confluence Data Center and Server products. Tracked as CVE-2024-21683 and carrying a CVSS score of 8.3, this flaw could allow authenticated attackers to seize control of affected systems, potentially leading to data breaches and operational disruptions.


CVE-2024-31989: Critical Argo CD Flaw Exposes Kubernetes Clusters to Takeover

Argo CD, a popular GitOps continuous delivery tool for Kubernetes, has disclosed a critical security vulnerability (CVE-2024-31989, CVSS 9.1) that could allow attackers to seize control of Kubernetes clusters.

The flaw stems from the use of a Redis cache with insufficient security measures, potentially granting unauthorized access and manipulation of sensitive data.


Westermo EDW-100 Converter Vulnerable: Critical Flaws Discovered, Replacement Urged

Westermo, a leading provider of industrial data communications equipment, has issued a security advisory highlighting critical vulnerabilities identified in its EDW-100 serial to Ethernet converters.

These vulnerabilities, tracked as CVE-2024-36080 and CVE-2024-36081, pose significant risks to affected systems and necessitate immediate attention and action.

- CVE-2024-36080: Hidden Root User with Hardcoded Password (CVSS 9.8)

- CVE-2024-36081: Unauthenticated User Can Read Configuration Containing Password (CVSS 9.8)


Software Supply Chains Threatened: Nexus Repository CVE-2024-4956

Sonatype, a leading provider of software supply chain management solutions, has issued a security advisory regarding a critical vulnerability (CVE-2024-4956) in Nexus Repository, its widely used artifact repository manager. The vulnerability has been assigned a CVSS score of 7.5, indicating a high severity level.


CVE-2024-4978: Backdoor Discovered in Justice AV Solutions Courtroom Software

A critical vulnerability, designated CVE-2024-4978, has been discovered in Justice AV Solutions (JAVS) Viewer software, a widely used audio-visual recording solution for courtrooms and other legal settings.

This backdoor, stealthily introduced in version 8.3.7 through a compromised installer, granted attackers unfettered control of affected systems, potentially exposing sensitive legal information and proceedings to unauthorized access.


CVE-2024-20360: Cisco FMC Vulnerability Grants Hackers Root Access

Cisco, the global leader in networking solutions, has issued a security advisory regarding a vulnerability discovered in its Firepower Management Center (FMC) software.

This flaw, identified as CVE-2024-20360, carries a CVSS score of 8.8, signifying a high severity level and the potential for widespread exploitation.


Critical Veeam Backup Enterprise Manager Flaw Allows Authentication Bypass

Users of Veeam Backup Enterprise Manager are being urged to update to the latest version following the discovery of a critical security flaw that could permit an adversary to bypass authentication protections.

This vulnerability, tracked as CVE-2024-29849 with a CVSS score of 9.8, could allow an unauthenticated attacker to log into the Veeam Backup Enterprise Manager web interface as any user.


CVE-2024-4835: GitLab Fixes Account Takeover Vulnerability

GitLab, the widely-used web-based DevOps platform, has issued urgent security patches to rectify multiple critical vulnerabilities in various versions of its Community Edition (CE) and Enterprise Edition (EE).

The most severe vulnerability, identified as CVE-2024-4835 with a CVSS score of 8.0, involves a cross-site scripting (XSS) flaw in the code editor on gitlab.com.


Critical Fluent Bit Flaw Impacts All Major Cloud Providers

Fluent Bit is an extremely popular logging and metrics solution for Windows, Linux, and macOS embedded in major Kubernetes distributions, including those from Amazon AWS, Google GCP, and Microsoft Azure.

This critical memory corruption vulnerability, tracked as CVE-2024-4323 and dubbed Linguistic Lumberjack, was introduced with version 2.0.7 and is caused by a heap buffer overflow vulnerability in Fluent Bit's built-in HTTP server's parsing of trace requests.

