Tag

#rce

GHSA-56xg-wfcc-g829: llama-cpp-python vulnerable to Remote Code Execution by Server-Side Template Injection in Model Metadata

## Description `llama-cpp-python` depends on class `Llama` in `llama.py` to load `.gguf` llama.cpp or Latency Machine Learning Models. The `__init__` constructor of `Llama` takes several parameters to configure the loading and running of the model. Besides `NUMA, LoRa settings`, `loading tokenizers,` and `hardware settings`, `__init__` also loads the `chat template` from the targeted `.gguf` file's metadata and passes it on to `llama_chat_format.Jinja2ChatFormatter.to_chat_handler()` to construct the `self.chat_handler` for this model. However, `Jinja2ChatFormatter` parses the `chat template` from the metadata with a sandbox-less `jinja2.Environment`, and the template is then rendered in `__call__` to construct the `prompt` of the interaction. This allows `jinja2` Server-Side Template Injection, which leads to RCE via a carefully constructed payload. ## Source-to-Sink ### `llama.py` -> `class Llama` -> `__init__`: ```python class Llama: """High-level Python wrapper for a ...

Severe Vulnerabilities in Cinterion Cellular Modems Pose Risks to Various Industries

Cybersecurity researchers have disclosed multiple security flaws in Cinterion cellular modems that could be potentially exploited by threat actors to access sensitive information and achieve code execution. "These vulnerabilities include critical flaws that permit remote code execution and unauthorized privilege escalation, posing substantial risks to integral communication networks and IoT

Red Hat Security Advisory 2024-2799-03

Red Hat Security Advisory 2024-2799-03 - An update for glibc is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include buffer overflow, code execution, null pointer, and out of bounds write vulnerabilities.

GHSA-wpcv-5jgp-69f3: Genie Path Traversal vulnerability via File Uploads

### Overview Path Traversal vulnerability via File Uploads in Genie ### Impact Any Genie OSS users running their own instance and relying on the filesystem to store file attachments submitted to the Genie application may be impacted. Using this technique, it is possible to write a file with any user-specified filename and file contents to any location on the file system to which the Java process has write access, potentially leading to remote code execution (RCE). Genie users who do not store these attachments locally on the underlying file system are not vulnerable to this issue. ### Description Genie's API accepts a multipart/form-data file upload which can be saved to a location on disk. However, it takes a user-supplied filename as part of the request and uses this as the filename when writing the file to disk. Since this filename is user-controlled, it is possible for a malicious actor to manipulate the filename in order to break out of the default attachment storage path and p...

A new alert system from CISA seems to be effective — now we just need companies to sign up

Under a pilot program, CISA has sent out more than 2,000 alerts to registered organizations regarding the existence of any unpatched vulnerabilities in CISA’s KEV catalog.

Openmediavault Remote Code Execution / Local Privilege Escalation

Openmediavault versions prior to 7.0.32 have a vulnerability that occurs when users in the web-admin group enter commands on the crontab by selecting the root shell. As a result of exploiting the vulnerability, authenticated web-admin users can run commands with root privileges and receive reverse shell connections.

GHSA-f8ch-w75v-c847: 1Panel arbitrary file write vulnerability

### Summary There are many command injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. We can use the following mirror configuration write symbol `>` to achieve arbitrary file writing ### PoC Dockerfile ``` FROM bash:latest COPY echo.sh /usr/local/bin/echo.sh RUN chmod +x /usr/local/bin/echo.sh CMD ["echo.sh"] ``` echo.sh ``` #!/usr/local/bin/bash echo "Hello, World!" ``` Build this image like this, upload it to dockerhub, and then 1panel pulls the image to build the container Send the following packet, taking care to change the containerID to the malicious container we constructed ``` GET /api/v1/containers/search/log?container=6e6308cb8e4734856189b65b3ce2d13a69e87d2717898d120dac23b13b6f1377%3E%2Ftmp%2F1&since=all&tail=100&follow=true HTTP/1.1 Host: xxxx:42713 Connection: Upgrade Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, li...

Delta Electronics InfraSuite Device Master

1. EXECUTIVE SUMMARY CVSS v4 9.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Delta Electronics Equipment: InfraSuite Device Master Vulnerability: Deserialization of Untrusted Data 2. RISK EVALUATION Successful exploitation of this vulnerability could allow remote code execution. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Delta Electronics products are affected: InfraSuite Device Master: Versions 1.0.10 and prior 3.2 Vulnerability Overview 3.2.1 Deserialization of Untrusted Data CWE-502 Delta Electronics InfraSuite Device Master contains a deserialization of untrusted data vulnerability because it runs a version of Apache ActiveMQ (5.15.2) which is vulnerable to CVE-2023-46604. CVE-2023-46604 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). A CVSS v4 score has also been calculated for CVE-2023-46604. A base score of 9.3 has been calculated...

Talos discloses multiple zero-day vulnerabilities, two of which could lead to code execution

Two vulnerabilities in this group — one in the Tinyproxy HTTP proxy daemon and another in the stb_vorbis.c file library — could lead to arbitrary code execution, earning both issues a CVSS score of 9.8 out of 10.