Control Gap Vulnerability Roundup: November 5th to November 11th
Zach Matthews : Nov 23, 2022 12:19:29 AM
This week saw the publication of 500 new CVE IDs. Of those, 144 have not yet been assigned official CVSS scores; of the ones that were, approximately 18% were of critical severity, 35% were high, 45% were medium, and 2% were low. Listed below are the vulnerabilities that caught our attention:
The modern threat landscape is an ever-changing vista of vulnerabilities, tools, tactics, and procedures that pose an existential threat to the security of organizations’ IT infrastructures. A key part of an evergreen security program is maintaining an up-to-date knowledge base of actionable threat intelligence that an organization can leverage to improve its security posture. With dozens of novel threats and vulnerabilities becoming public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting, in this weekly segment, newly disclosed vulnerabilities that have been assigned a CVE ID and which may be exceedingly novel, widespread, critical, or otherwise noteworthy.
The available threat intelligence at time of writing is documented below. Updates will be clearly marked.
Real-World Exploitability: High
Exploited in the Wild: No
Available Public Exploits: Yes
Researchers at Rapid7 have disclosed a pair of vulnerabilities that could be leveraged to achieve remote code execution on F5’s BIG-IP and BIG-IQ products. The first, CVE-2022-41622, is very similar to the Plesk vulnerability covered in last week’s roundup: the appliances’ SOAP API lacks typical CSRF protections, so an attacker who can convince an authenticated administrator to visit a malicious website can take attacker-defined actions on the API in that administrator’s session. For the second, CVE-2022-41800, F5’s support article states that an attacker with valid administrator credentials could bypass “appliance mode restrictions”; Rapid7 has indicated that this could lead to remote code execution. Despite F5’s devices being widely deployed across the industry, Rapid7 wrote in their blog post that “widespread exploitation of the issues in this disclosure is unlikely”.
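The CSRF weakness described above is a general one: an API that accepts a browser-held session cookie as its sole proof of intent will execute whatever a third-party page makes the administrator’s browser submit. The Python below is an added example written for this roundup, not code from F5, Rapid7 or the original post. It models a cookie-authenticated SOAP-style endpoint in its vulnerable form and then with the two standard checks, origin validation and a per-session token carried in a custom header. The origin, session store, header name and helper names (check_csrf, handle_soap_protected and so on) are assumptions made for the illustration.

```python
"""Added example (not vendor code): a cookie-authenticated API with and
without CSRF defences. The origin, session store, 'X-CSRF-Token' header
name and helper names are assumptions for this illustration."""

from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlparse
import secrets

APP_ORIGIN = "https://mgmt.example.internal"   # assumed management-UI origin


@dataclass
class Request:
    method: str
    headers: Dict[str, str]
    cookies: Dict[str, str]
    body: str = ""


# Constructed session store: cookie value -> user and per-session CSRF token.
SESSIONS = {
    "s3ss10n": {"user": "admin", "csrf": secrets.token_urlsafe(32)},
}


def authenticate(req: Request) -> Optional[dict]:
    """Cookie-based auth: the browser attaches the cookie to any request to
    this host, including one triggered by a page the admin never wrote."""
    return SESSIONS.get(req.cookies.get("session", ""))


def handle_soap_unprotected(req: Request) -> str:
    """Vulnerable pattern: a valid session cookie is the only check, so a
    cross-site POST executes the attacker's SOAP body as the administrator."""
    sess = authenticate(req)
    if sess is None:
        return "401 unauthenticated"
    return f"200 executed as {sess['user']}: {req.body[:40]}"


def check_csrf(req: Request, sess: dict) -> Optional[str]:
    """Two independent checks; either alone defeats a plain cross-site POST.
    1. Origin (or Referer) must match the application's own origin.
    2. A per-session token must arrive in a custom header. A foreign page
       cannot read the token, and cannot add a custom header without a CORS
       preflight that this server never approves."""
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if origin is None:
        return "403 missing Origin/Referer"
    o = urlparse(origin)
    if f"{o.scheme}://{o.netloc}" != APP_ORIGIN:
        return "403 cross-origin request rejected"
    token = req.headers.get("X-CSRF-Token", "")
    if not secrets.compare_digest(token, sess["csrf"]):
        return "403 CSRF token missing or invalid"
    return None


def handle_soap_protected(req: Request) -> str:
    """Hardened pattern: state-changing methods must pass check_csrf()."""
    sess = authenticate(req)
    if sess is None:
        return "401 unauthenticated"
    if req.method in ("POST", "PUT", "DELETE"):
        err = check_csrf(req, sess)
        if err:
            return err
    return f"200 executed as {sess['user']}: {req.body[:40]}"


# Constructed cross-site request: the victim's browser sends the cookie
# automatically, but Origin is the attacker's page and no token is present.
CROSS_SITE = Request(
    "POST", {"Origin": "https://evil.example"}, {"session": "s3ss10n"},
    "<soap:Envelope>...create_user...</soap:Envelope>",
)


def legit_request() -> Request:
    """Constructed same-origin request as the management UI itself would send."""
    return Request(
        "POST",
        {"Origin": APP_ORIGIN, "X-CSRF-Token": SESSIONS["s3ss10n"]["csrf"]},
        {"session": "s3ss10n"},
        "<soap:Envelope>...</soap:Envelope>",
    )


if __name__ == "__main__":
    print("unprotected, cross-site:", handle_soap_unprotected(CROSS_SITE))
    print("protected, cross-site:  ", handle_soap_protected(CROSS_SITE))
    print("protected, same-origin: ", handle_soap_protected(legit_request()))
```

Run it directly to see the cross-site request accepted by the unprotected handler and rejected by the protected one. A cross-site form can only send `text/plain`, `multipart/form-data` or `application/x-www-form-urlencoded` bodies without a preflight, so an XML endpoint that also insists on `Content-Type: text/xml` raises the bar, but that is a weaker control than the token check because it depends on the server rejecting every other content type consistently.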
Real-World Exploitability: High
Exploited in the Wild: No
Available Public Exploits: No
Liferay is a digital solutions developer that specializes in building tailored “digital experiences” for its clients; its website claims the company works across the globe with corporations such as Honda and Airbus. This week 17 unique vulnerabilities were disclosed across multiple Liferay products and product versions. The worst of these are CVE-2022-42122 and CVE-2022-42120, SQL injection vulnerabilities that could allow an attacker to execute arbitrary SQL commands on affected versions of Liferay Portal and Liferay DXP. The other vulnerabilities disclosed for the products include cross-site scripting, information disclosure, access control bypass and filesystem modification. A complete list of vulnerabilities can be found here.
Real-World Exploitability: High
Exploited in the Wild: No
Available Public Exploits: No
IBM InfoSphere is an information management server that helps organizations understand, cleanse, monitor, and transform data. IBM has addressed the vulnerability, tracked as CVE-2022-40752, in an X-Force disclosure and has released a patch. While public information on the vulnerability is currently limited, it affects InfoSphere DataStage version 11.7 and would allow an unauthenticated attacker to achieve command execution through command injection. IBM has assigned the vulnerability a CVSS score of 9.8 on its X-Force platform and is encouraging customers to apply the relevant patch immediately.
Real-World Exploitability: High
Exploited in the Wild: No
Available Public Exploits: No
Atlassian’s Bitbucket Server is a Git platform for developers with strong Jira integration. The vulnerability, CVE-2022-43781, is a command injection vulnerability stemming from improperly handled environment variables: a user or attacker who can control their username can achieve command execution on the affected server by changing their username to a crafted value. It should be noted that an attacker can exploit this vulnerability from an unauthenticated context if the Bitbucket server has public sign-ups enabled. Atlassian has addressed the vulnerability and is encouraging users to update to the latest available version.