Tag
#rce
Attackers can use a seemingly innocuous IP address to exploit localhost APIs to conduct a range of malicious activity, including unauthorized access to user data and the delivery of malware.
Journyx version 11.5.4 has an issue where attackers with a valid username and password can exploit a python code injection vulnerability during the natural login flow.
Log4j 2.15.0 was released to address the widely reported JNDI Remote Code Execution (RCE) (CVE-2021-44228) vulnerability in Log4j. Shortly thereafter, 2.16.0 was released to address a Denial of Service (DoS) vulnerability (CVE-2021-45046). When examining the 2.15.0 release, Google security engineers found several issues with the Log4j 2.15.0 patch that showed that the severity of the issue addressed in 2.16 was in fact worse than initially understood. This is Google's proof of concept exploit.
Cybersecurity researchers have discovered a new "0.0.0.0 Day" impacting all major web browsers that malicious websites could take advantage of to breach local networks. The critical vulnerability "exposes a fundamental flaw in how browsers handle network requests, potentially granting malicious actors access to sensitive services running on local devices," Oligo Security researcher Avi Lumelsky
Researchers at Aqua Security discovered the "Shadow Resource" attack vector and the "Bucket Monopoly" problem, where threat actors can guess the name of S3 buckets based on their public account IDs.
**According to the CVSS metrics, successful exploitation of this vulnerability could lead to minor loss of confidentiality (C:L), integrity (I:L) and availability (A:L). What does that mean for this vulnerability?** While we cannot rule out the impact to Confidentiality, Integrity, and Availability, the ability to exploit this vulnerability by itself is limited. An attacker would need to combine this with other vulnerabilities to perform an attack.
A critical security flaw impacting Progress Software WhatsUp Gold is seeing active exploitation attempts, making it essential that users move quickly to apply the latest. The vulnerability in question is CVE-2024-4885 (CVSS score: 9.8), an unauthenticated remote code execution bug impacting versions of the network monitoring application released before 2023.1.3. "The
Red Hat Security Advisory 2024-5040-03 - An update for python-setuptools is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include a code execution vulnerability.
Gentoo Linux Security Advisory 202408-5 - Multiple vulnerabilities have been discovered in Redis, the worst of which may lead to a denial of service or possible remote code execution. Versions greater than or equal to 7.2.4 are affected.
Red Hat Security Advisory 2024-5002-03 - An update for python3.11-setuptools is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a code execution vulnerability.