Zach Matthews : Jan 13, 2023 10:21:45 AM
This week saw the publication of 425 new CVE IDs. Of those, 240 have not yet been assigned official CVSS scores; of the ones that were, approximately 18% were of critical severity, 33% were high, 48% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:
The modern threat landscape represents an ever-changing vista of vulnerabilities, tools, tactics, and procedures which pose an existential threat to the security of organizations’ IT infrastructures. A key part of an evergreen security program is to maintain an up-to-date knowledge base of actionable threat intelligence that an organization can leverage to improve its security posture. With dozens of novel threats and vulnerabilities becoming public each week, it can be challenging for IT professionals to keep pace. In this weekly segment, Control Gap intends to separate the signal from the noise by highlighting newly disclosed vulnerabilities that have been assigned a CVE ID and which may be exceedingly novel, widespread, critical, or otherwise noteworthy.
The available threat intelligence at time of writing is documented below. Updates will be clearly marked.
Real-World Exploitability: High | Exploited in the Wild: Unknown | Available Public Exploits: No
The popular NAS vendor Synology has released a security advisory addressing a remote code execution vulnerability that has been labelled with a CVSS score of 10. The vulnerability, tracked as CVE-2022-43931, affects the Remote Desktop Functionality of the Synology VPN Plus Server versions before 1.4.3-0534 and 1.4.4-0635. The vulnerability was discovered by Synology’s internal PSIRT team and stems from an out-of-bounds write which would allow an unauthenticated attacker to execute arbitrary code on the server. Synology is urging customers to update their products to the latest available version.
Real-World Exploitability: High | Exploited in the Wild: Unknown | Available Public Exploits: Yes
Versions of Control Web Panel (CWP), previously known as CentOS Web Panel, prior to 0.9.8.1147 were found to be affected by an unauthenticated remote code execution vulnerability. The flaw stems from the improper use of user-supplied input within an “echo” command that is used to log invalid login attempts; crafted payloads can escape the command and execute arbitrary commands in the shell. The vulnerability was initially discovered and reported to the Control Web Panel team in July by Numan Türle, a researcher working for Gais Security. The Control Web Panel team produced a patch within two days. The vulnerability, now tracked as CVE-2022-44877, was published only after CWP could confirm that a sufficient majority of servers had been patched. Anyone who has not yet patched should update to the latest version of CWP 7.
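To illustrate the class of bug described above (not CWP's code; an added, hypothetical example), the block below contrasts a logger that pastes the submitted username into a shell “echo” command with one that validates the input and writes the log line directly, plus a small check that flags shell metacharacters in a submitted username. The log path and username rules are assumptions made for the example.

```python
import os
import re
import shlex
import tempfile
from datetime import datetime, timezone

# Characters that let input break out of a shell command line
# (quotes, separators, command substitution, redirection).
SHELL_META = re.compile(r'[;&|`$(){}<>"\'\\\n]')

# Assumed username policy for the example: what a login form legitimately needs.
SAFE_USERNAME = re.compile(r'^[A-Za-z0-9._@-]{1,64}$')

# Constructed log location for the example (not a real CWP path).
DEMO_LOG = os.path.join(tempfile.gettempdir(), "example_failed_logins.log")


def build_log_command_unsafe(username: str, log_path: str) -> str:
    """The vulnerable pattern: user input interpolated into a shell command.
    Returned as a string for inspection only; never hand it to a shell."""
    return f'echo "Failed login for {username}" >> {log_path}'


def injection_attempt(username: str) -> bool:
    """Detection helper: does the submitted username carry shell metacharacters?"""
    return SHELL_META.search(username) is not None


def log_failed_login(username: str, log_path: str) -> str:
    """Hardened logger: validate first, then append the line with plain file I/O.
    No shell is involved, so nothing in `username` is ever interpreted."""
    stamp = datetime.now(timezone.utc).isoformat()
    if SAFE_USERNAME.match(username):
        line = f"{stamp} FAILED-LOGIN {username}"
    else:
        # Keep the rejected value visible to analysts, neutralised by shlex.quote.
        line = f"{stamp} REJECTED-INPUT {shlex.quote(username)}"
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    return line


def read_log(log_path: str) -> list[str]:
    """Return the log lines written so far (empty list if the file is absent)."""
    if not os.path.exists(log_path):
        return []
    with open(log_path, encoding="utf-8") as fh:
        return fh.read().splitlines()
```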
Real-World Exploitability: High | Exploited in the Wild: Unknown | Available Public Exploits: No
An SQL injection vulnerability, now tracked as CVE-2022-47523, was disclosed this past week which affects several Zoho ManageEngine products, including PAM360, Password Manager Pro, and Access Manager Plus. The SQL injection vulnerability requires an attacker to be authenticated to the affected system, but it would compromise the entire backend database. Given the highly sensitive nature of these products, unfettered access to the back-end database would represent a severe compromise of organizational information. Zoho has released an advisory with patch instructions and is urging customers to update to the latest product builds immediately.
Real-World Exploitability: High | Exploited in the Wild: Unknown | Available Public Exploits: Yes
Apache Dubbo is a Java-based “microservice framework that provides high-performance RPC communication, traffic governance, observability, and other solutions for large-scale microservice practices”. Alvaro Munoz, a security researcher, has recently identified multiple vulnerabilities (CVE-2021-25641, CVE-2021-30179, CVE-2021-30180, CVE-2021-30181, and CVE-2021-32824) in the product which would allow an attacker to execute arbitrary code on both Dubbo consumers and providers. Perhaps the most concerning vulnerability, CVE-2021-32824, which was only disclosed this past week, would allow an unauthenticated attacker to abuse the Dubbo Telnet handler to instantiate arbitrary classes and achieve code execution. The vulnerability affects all versions of Apache Dubbo prior to 2.6.10 and 2.7.10. Alvaro Munoz has released a blog post which discusses all of the research in great detail. Apache Dubbo users are urged to update to the latest available versions of the product, which at the time of writing are 3.1.4 and 2.7.19.