What Happened Over the Week? | CVEs Special

Hello, hello cyber-securiters. This is a special edition for CVEs. You need lots of updates this week, and a LinkedIn post is not enough for these CVEs.

Here is a catch-up for you. Let's start.


1) CVE-2024-39676: Critical Security Flaw in Apache Pinot Exposes Sensitive Data

Apache Pinot, an open-source platform for real-time analytics, has disclosed a serious security vulnerability identified as CVE-2024-39676. This flaw could allow unauthorized actors to access sensitive system information, potentially leading to data leaks and security breaches.

The vulnerability affects Pinot versions 0.1 to 0.9.


2) CVE-2024-40767: Critical Vulnerability in OpenStack Nova

A critical security vulnerability identified as CVE-2024-40767 has been discovered in OpenStack Nova. This flaw allows unauthorized users to access sensitive data on cloud servers, posing a significant threat to users of the platform.

The CVE-2024-40767 vulnerability affects all Nova deployments prior to versions 27.4.1, 28.2.1, and 29.1.1.


3) Microsoft and Twilio Authy Vulnerabilities Actively Exploited

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding two actively exploited vulnerabilities affecting Microsoft Internet Explorer and Twilio Authy, a popular two-factor authentication app.

The vulnerabilities, identified as CVE-2012-4792 (CVSS 9.3) and CVE-2024-39891 (CVSS 5.3), pose significant risks to users and organizations.

Federal agencies have been given a deadline of August 13, 2024, to patch their systems.


4) CVE-2024-6327: Critical RCE Flaw in Telerik Report Server

Progress Software has alerted customers to patch a critical remote code execution (RCE) security flaw in the Telerik Report Server that could be exploited to compromise vulnerable devices.


5) CVE-2024-37998 & CVE-2024-39601: Urgent Security Update Required for Siemens SICAM Products Due to Critical Vulnerabilities

Siemens, a global leader in industrial automation, has issued a critical security advisory warning users of multiple SICAM products about serious vulnerabilities that could lead to unauthorized access and data leaks.

The affected products include the SICAM A8000 RTUs, SICAM EGS, and the SICAM 8 Power automation platform.

CVE-2024-37998 has a severity score of 9.3 (critical), while CVE-2024-39601 has a score of 7.1 (high).


6) CVE-2024-37084: Critical RCE in Spring Cloud Data Flow

A recent security advisory has identified a critical vulnerability in Spring Cloud Data Flow, a widely used microservices-based streaming and batch data processing platform for Cloud Foundry and Kubernetes environments.

The vulnerability has been assigned a CVSS score of 9.8, indicating its high severity.


7) CVE-2024-41827: Critical Security Vulnerability Discovered in JetBrains TeamCity

JetBrains TeamCity, a widely used continuous integration and continuous delivery (CI/CD) platform, has been found to contain a high-severity security vulnerability (CVE-2024-41827).

This flaw allows deleted or expired access tokens to continue functioning, potentially granting attackers extended and unauthorized access to critical development environments.


8) High-Severity Vulnerabilities in Nvidia Products

Nvidia has issued patches for several high-severity vulnerabilities affecting its artificial intelligence and networking products. The vulnerabilities are detailed in two security bulletins that address issues in Jetson products and the Mellanox OS switch operating system.

Jetson Products: CVE-2024-0108

Mellanox OS: CVE-2024-0101, CVE-2024-0104


9) Critical Security Vulnerabilities Detected in BIND Software

Significant security vulnerabilities have been detected in the BIND software developed by the Internet Systems Consortium (ISC). These vulnerabilities could allow cyber attackers to target the system, execute various attacks, and cause damage.

The Vulnerabilities:

  • CVE-2024-0760
  • CVE-2024-1737
  • CVE-2024-4076
  • CVE-2024-1975


10) CVE-2024-39700 (CVSS 9.9): Severe Flaw in JupyterLab Template Discovered

A critical vulnerability, designated CVE-2024-39700 (CVSS 9.9), has been discovered in the widely used JupyterLab extension template.

This flaw could enable attackers to remotely execute code on affected systems, potentially leading to widespread compromise and data breaches.


11) CVE-2024-40075: New Security Flaw Discovered in Laravel 11.x

A significant security vulnerability has been discovered in the popular PHP framework Laravel version 11.x, designated as CVE-2024-40075.

This vulnerability is an XML External Entity (XXE) flaw that could potentially allow attackers to execute arbitrary commands and access sensitive data.


12) CVE-2024-3246: Critical Security Vulnerability in LiteSpeed Cache Plugin

A security vulnerability tracked as CVE-2024-3246 has been discovered in the LiteSpeed Cache (LS Cache) plugin. This vulnerability puts over five million WordPress sites at risk, allowing attackers to inject malicious code and gain control over the site.


13) CVE-2024-41110: Critical Security Vulnerability in Docker Engine

Docker has released a security advisory concerning a critical vulnerability identified as CVE-2024-41110, affecting specific versions of Docker Engine. This vulnerability has been assigned a CVSS score of 10, categorizing it as a critical issue.


14) CVE-2024-33352: Major Security Flaw in BlueStacks Puts Millions of Users at Risk

A vulnerability in BlueStacks, a popular Android emulator used by millions of gamers worldwide, has been discovered.

Tracked as CVE-2024-33352, this vulnerability could allow attackers to gain full control of a victim’s computer if exploited.


15) AWS Issues Security Bulletin for Client VPN Vulnerabilities CVE-2024-30164 and CVE-2024-30165

Amazon Web Services (AWS) has issued a security bulletin regarding two vulnerabilities discovered in its Client VPN service. Identified as CVE-2024-30164 and CVE-2024-30165, these flaws could allow a malicious actor with access to a user's device to execute arbitrary commands with elevated privileges, potentially escalating to root access.


16) CVE-2024-0981: XSS Vulnerability in Okta Browser Plugin

Okta, a leading identity and access management provider, recently patched a high-severity cross-site scripting (XSS) vulnerability (CVE-2024-0981) in its browser plugin.

This vulnerability affected versions 6.5.0 through 6.31.0 of the Okta Browser Plugin for Chrome, Edge, Firefox, and Safari, potentially exposing users’ sensitive data to malicious actors.


17) CVE-2024-41107: Apache CloudStack Vulnerability Exposes User Accounts to Compromise

The Apache Software Foundation has issued a security advisory regarding a critical vulnerability (CVE-2024-41107) in its open-source cloud computing platform, Apache CloudStack.

This flaw affects the Security Assertion Markup Language (SAML) authentication mechanism, potentially allowing attackers to bypass authentication and gain unauthorized access to user accounts and resources.
