This week saw the publication of 565 new CVE IDs. Of those, 170 have not yet been assigned official CVSS scores; of the ones that have, approximately 22% were of critical severity, 46% high, 32% medium, and 1% low (percentages are rounded). Listed below are the vulnerabilities that caught our attention:
The modern threat landscape is an ever-changing vista of vulnerabilities, tools, tactics, and procedures that threaten the security of organizations' IT infrastructure. A key part of an evergreen security program is an up-to-date knowledge base of actionable threat intelligence that an organization can use to improve its security posture. With dozens of novel threats and vulnerabilities becoming public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting, in this weekly segment, newly disclosed vulnerabilities that have been assigned a CVE ID and which are exceedingly novel, widespread, critical, or otherwise noteworthy.
The available threat intelligence at time of writing is documented below. Updates will be clearly marked.
Real-World Exploitability: High
Exploited in the Wild: Unknown
Available Public Exploits: No
All versions of Atlassian Bitbucket Server and Data Center from 7.0.0 through 8.3.0 are affected by a remote code execution vulnerability tracked as CVE-2022-36804. Multiple API endpoints allow an attacker with read permission on any public or private Bitbucket repository to execute arbitrary code in the context of the server by sending a crafted HTTP request; on an instance with public repositories enabled, that means no account is required. The vulnerability was reported to Atlassian through its bug bounty program by the user "TheGrandPew". Atlassian has released a security advisory and patched versions and has assigned the vulnerability a CVSS score of 9.9.
Real-World Exploitability: High
Exploited in the Wild: Unknown
Available Public Exploits: No
GitLab Community Edition and Enterprise Edition versions 11.3.4 through 15.1.5, 15.2 through 15.2.3, and 15.3 through 15.3.1 are affected by an authenticated remote code execution vulnerability. Any user with access to the "Import from GitHub" API endpoint can achieve arbitrary code execution on the affected GitLab server. The vulnerability was discovered through GitLab's HackerOne bug bounty program by the user "yvvdwf". GitLab has released a security advisory with patched versions (15.3.2, 15.2.4 and 15.1.6) and a workaround, disabling the GitHub import source, for administrators who cannot apply the patch immediately. At the time of writing the CVE record is still in the reserved state with no further details; GitLab has stated the vulnerability is being published as CVE-2022-2884.
Real-World Exploitability: High
Exploited in the Wild: No
Available Public Exploits: No
Researchers from NCS Group, the National University of Singapore, and DSBJ Pte. Ltd. have developed an attack named "RollBack" targeting CVE-2022-36945, CVE-2022-37305, and CVE-2022-37418, which are logic vulnerabilities in the remote keyless entry (RKE) systems of vehicles produced by Hyundai, Honda, Kia, Mazda, Nissan and Toyota. Through a novel replay attack the researchers were able to exploit variations of the vulnerability across manufacturers to unlock the vehicles. The researchers presented their findings at Black Hat USA in early August, and the CVE IDs were published just this week. The attack is "time-agnostic": after some preparation (capturing a small number of consecutive signals from the owner's key fob), an attacker can replay them at any later time to unlock the vehicle, unlike earlier attacks on rolling-code RKE systems in which a captured code would "expire" once the owner used the fob again. Across the makes, models, and RKE system manufacturers tested, the research found approximately 70% of vehicles in the Asian market to be vulnerable, and the researchers posit that, given three out of four manufacturers were using vulnerable RKE systems, the real-world impact is likely to be higher. It is not clear whether manufacturers plan to fix these vulnerabilities in older model vehicles, but some have stated they will address them moving forward.
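The time-agnostic replay is easiest to see against a toy model. The following Python is an added example, not the researchers' code or any manufacturer's firmware: it assumes a simplified rolling-code scheme (a keyed hash over a press counter, a fixed acceptance window, and a resynchronisation rule that re-seats the receiver's counter after two consecutive valid codes) and shows why a receiver whose resync step does not check that the new counter is ahead of the current one can be unlocked with codes captured long ago. The key, window size and resync rule are assumptions chosen to illustrate the class of logic flaw, not a specific vendor's protocol.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed shared secret; a real fob/receiver pair holds a per-device key.
KEY = b"constructed-demo-key"
WINDOW = 16  # receiver accepts codes up to this many presses ahead of the last one seen


def rolling_code(counter: int) -> bytes:
    """Rolling code for one press: keyed hash of the counter, truncated to 32 bits.
    (Model only; real systems encrypt the counter with a block cipher.)"""
    return hmac.new(KEY, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


class Fob:
    """Key fob: every press transmits the next counter value and its rolling code."""

    def __init__(self) -> None:
        self.counter = 0

    def press(self) -> Tuple[int, bytes]:
        self.counter += 1
        return self.counter, rolling_code(self.counter)


class Receiver:
    """Vehicle side. strict=False models the flawed resync rule; strict=True the fix."""

    def __init__(self, strict: bool) -> None:
        self.strict = strict
        self.last = 0                        # highest counter accepted so far
        self.pending: Optional[int] = None   # out-of-window counter awaiting a consecutive follow-up
        self.unlocks = 0

    def receive(self, counter: int, code: bytes) -> bool:
        if not hmac.compare_digest(code, rolling_code(counter)):
            return False                     # forged or corrupted frame
        if self.last < counter <= self.last + WINDOW:
            self._accept(counter)            # normal press inside the window
            return True
        # Out of window: resynchronisation. Two consecutive valid codes re-seat the counter.
        if self.pending is not None and counter == self.pending + 1:
            self.pending = None
            if self.strict and counter <= self.last:
                return False                 # fix: never resync to a counter behind the current one
            self._accept(counter)            # flaw: counter may be far in the past (rollback)
            return True
        self.pending = counter
        return False

    def _accept(self, counter: int) -> None:
        self.last = counter
        self.pending = None
        self.unlocks += 1


def run_scenario(strict: bool) -> Dict[str, object]:
    """Capture two consecutive presses, wait 100 presses, then replay. Returns what happened."""
    fob, car = Fob(), Receiver(strict)
    # Preparation: attacker records two consecutive presses that the car also hears.
    captured = [fob.press() for _ in range(2)]
    for frame in captured:
        car.receive(*frame)
    # Owner keeps using the car; every captured code is now stale (far behind the counter).
    for _ in range(100):
        car.receive(*fob.press())
    # Classic replay of one stale code: rejected by both receivers.
    single = car.receive(*captured[1])
    # RollBack-style replay: the captured consecutive pair, in order, at any later time.
    rollback = [car.receive(*frame) for frame in captured][-1]
    return {"single_replay": single, "rollback": rollback, "counter_after": car.last}


if __name__ == "__main__":
    for strict in (False, True):
        print("strict resync" if strict else "flawed resync", run_scenario(strict))
```

On the flawed receiver the single replay fails but the pair succeeds and the receiver's counter is rolled back from 102 to 2, which also makes the attacker's later captures valid again and leaves the owner's fob out of the window until it resyncs. The strict receiver rejects the pair because 2 is not ahead of 102. The general lesson is the one the research points at: resynchronisation must be monotonic, never a path to an earlier counter state.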
Real-World Exploitability: High
Exploited in the Wild: Unknown
Available Public Exploits: No
Tabit, a popular online solution for managing restaurant services, has had seven vulnerabilities published this week, including sensitive information disclosure, account modification, database injection, weak passwords, and arbitrary SMS sending. Because of COVID-19 health and safety protocols in countries where Tabit has seen significant adoption, the information disclosure vulnerabilities have the potential to expose sensitive health information recorded by the application. In addition to COVID-19 status, the application may also expose billing information and itemized receipts. Limited information on the vulnerabilities is available at the time of writing, but the Israel National Cyber Directorate is encouraging users to update to version 3.27.0. The seven vulnerabilities are being tracked with the following CVE IDs: