Security
Headlines
Latest News

GHSA-2q97-m5rc-p3gp: CosmWasm VM Incorrect metering

# CWA-2024-007

**Severity** Medium (Moderate + Likely)[^1]

**Affected versions:**

- wasmvm >= 2.1.0, < 2.1.3
- wasmvm >= 2.0.0, < 2.0.4
- wasmvm < 1.5.5
- cosmwasm-vm >= 2.1.0, < 2.1.4
- cosmwasm-vm >= 2.0.0, < 2.0.7
- cosmwasm-vm < 1.5.8

**Patched versions:**

- wasmvm 1.5.5, 2.0.4, 2.1.3
- cosmwasm-vm 1.5.8, 2.0.7, 2.1.4

## Description of the bug

(Blank for now. We'll add more detail once chains have had a chance to upgrade.)

## Patch

- 1.5: https://github.com/CosmWasm/cosmwasm/commit/16eabd681790508b13dac8e67f9e6e61045240ea
- 2.0: https://github.com/CosmWasm/cosmwasm/commit/0e70bd83119b02f99a2c0397f0913e0803750fd9
- 2.1: https://github.com/CosmWasm/cosmwasm/commit/f5bf24f3acadca2892afd58cc3ce5fdeb932d492

## Applying the patch

The patch will be shipped in releases of wasmvm. You can update more or less as follows:

1. Check the current wasmvm version: `go list -m github.com/CosmWasm/wasmvm`
2. Bump the `github.com/CosmWasm/wasmvm` dependency in your go.mod to 1.5.5, 2.0.4, 2.1....

GHSA-vmqh-5232-v43r: Panic in wasmvm can slow down block production

# CWA-2024-008

**Severity** Medium (Moderate + Likely)[^1]

**Affected versions:**

- wasmvm >= 2.1.0, < 2.1.3
- wasmvm >= 2.0.0, < 2.0.4
- wasmvm < 1.5.5
- cosmwasm-vm >= 2.1.0, < 2.1.4
- cosmwasm-vm >= 2.0.0, < 2.0.7
- cosmwasm-vm < 1.5.8

**Patched versions:**

- wasmvm 1.5.5, 2.0.4, 2.1.3
- cosmwasm-vm 1.5.8, 2.0.7, 2.1.4

## Description of the bug

(Blank for now. We'll add more detail once chains have had a chance to upgrade.)

## Patch

- 1.5: https://github.com/CosmWasm/cosmwasm/commit/edcdbc520d4f5521eed42de6e2869658278e91fd
- 2.0: https://github.com/CosmWasm/cosmwasm/commit/f63429ca59eb44dd5d780c1572016581337091e4
- 2.1: https://github.com/CosmWasm/cosmwasm/commit/108e7dcbf9c21df0fa83f355ad3a7355d7f220cb

## Applying the patch

The patch will be shipped in releases of wasmvm. You can update more or less as follows:

1. Check the current wasmvm version: `go list -m github.com/CosmWasm/wasmvm`
2. Bump the `github.com/CosmWasm/wasmvm` dependency in your go.mod to 1.5.5, 2.0.4, 2.1....

GHSA-vmg2-r3xv-r3xf: Simulation of Wasmd message can cause crashing

# CWA-2024-009

**Severity** Low (Marginal + Likely)[^1]

**Affected versions:**

- wasmd < 0.53.1

**Patched versions:**

- wasmd 0.53.2 (please note that wasmd 0.53.1 is broken and must not be used)

## Description of the bug

(Blank for now. We'll add more detail once chains have had a chance to upgrade.)

## Mitigations

Apart from upgrading, it is recommended to **not** open the gRPC and REST APIs of _validator_ nodes to the public internet. Use isolated and resource-constrained environments for running separate public RPC nodes instead. These can then easily be thrown away and replaced with new instances in case of problems.

## Applying the patch

### Official Wasmd patch

The patch will be shipped in a wasmd release. You will also have to update `libwasmvm` if you build statically. If you already use the latest / close to latest wasmd, you can update more or less as follows:

1. Check the current wasmd version: `go list -m github.com/CosmWasm/wasmd`
2. Bump the `github.com/CosmWasm...

GHSA-5462-4vcx-jh7j: Angular Expressions - Remote Code Execution when using locals

### Impact

An attacker can write a malicious expression that escapes the sandbox to execute arbitrary code on the system.

Example of vulnerable code:

```js
const expressions = require("angular-expressions");
const result = expressions.compile("__proto__.constructor")({}, {});
// result should be undefined, however for versions <=1.4.2, it returns an object.
```

With a more complex (undisclosed) payload, one can get full access to arbitrary code execution on the system.

### Patches

The problem has been patched in version 1.4.3 of angular-expressions.

### Workarounds

There is one workaround if it is not possible for you to update:

* Make sure that you call the compiled function with just one argument. For example, this is not vulnerable: `const result = expressions.compile("__proto__.constructor")({});`. In this case you lose the locals feature if you need it.

### Credits

Credits go to [JorianWoltjer](https://github.com/JorianWoltjer) who has found the issue and reported it to ...

Cybercrime Gangs Abscond With Thousands of AWS Credentials

The Nemesis and ShinyHunters attackers scanned millions of IP addresses to find exploitable cloud-based flaws, though their operation ironically was discovered due to a cloud misconfiguration of their own doing.

Cleo File Transfer Vulnerability Under Exploitation – Patch Pending, Mitigation Urged

Users of Cleo-managed file transfer software are being urged to ensure that their instances are not exposed to the internet following reports of mass exploitation of a vulnerability affecting fully patched systems. Cybersecurity company Huntress said it discovered evidence of threat actors exploiting the issue en masse on December 3, 2024. The vulnerability, which impacts Cleo's LexiCom,

GHSA-f626-677r-j5vq: Nette Database SQL injection

Nette Database through 3.2.4 allows SQL injection in certain situations involving an untrusted filter that is directly passed to the where method.

Lessons From the Largest Software Supply Chain Incidents

The software supply chain is a growing target, and organizations need to take special care to safeguard it.

Hackers Target Job Seekers with AppLite Trojan Using Fake Job Emails

SUMMARY Zimperium’s zLabs has shared its latest research with Hackread.com, ahead of its publishing on December 10. According…

ABB Cylon Aspect 3.08.02 (tscConfiguration.php) Authenticated Reflected XSS

The ABB BMS/BAS controller suffers from an authenticated reflected cross-site scripting vulnerability. Input passed to the GET parameter 'port' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in the context of an affected site.