Emergency Response

Google Chrome V8 Type Confusion Vulnerability (CVE-2022-4262) Alert

December 6, 2022 | Jie Ji

Overview On December 5, NSFOCUS CERT found that Google officially released a type confusion vulnerability (CVE-2022-4262) in Google Chrome V8. A type confusion error occurs because a program uses one type of method to allocate or initialize a resource, such as a pointer, object, or variable, but then accesses that resource with another method that […]

Snapd Local Privilege Escalation Vulnerability (CVE-2022-3328)

December 3, 2022 | Jie Ji

Overview On December 2, NSFOCUS CERT detected that Qualys released a local privilege escalation vulnerability (CVE-2022-3328) in Snapd. There is a race condition vulnerability in the must_mkdir_and_open_with_perms() function in snap-confine. An attacker with normal user privileges can use Multipath Privilege Escalation Vulnerability (CVE-2022-41974) and Multipath Symbolic Link Vulnerability, bind the /tmp directory to any directory […]

Atlassian Bitbucket Server and Data Center Command Injection Vulnerability (CVE-2022-43781) Alert

November 23, 2022 | Jie Ji

Overview Recently, NSFOCUS CERT found that Atlassian officially fixed a command injection vulnerability in Bitbucket Server and Data Center. Due to flaws in Bitbucket Server and Data Center, attackers with rights to control their user name can inject commands through environment variables and ultimately execute arbitrary commands on the system. The CVSS score […]

Apache Airflow Remote Code Execution Vulnerability (CVE-2022-40127)

November 22, 2022 | Jie Ji

Overview On November 21, NSFOCUS CERT discovered a PoC of a remote code execution vulnerability (CVE-2022-40127) in Apache Airflow on the Internet. Due to a flaw in the example DAGs in Apache Airflow, an attacker with UI access rights can use this vulnerability to trigger DAGs, and then, by manually providing the run_id parameter, the attacker can execute […]

Citrix Gateway and Citrix ADC Authentication Bypass Vulnerability (CVE-2022-27510) Alert

November 13, 2022 | Jie Ji

Overview Recently, NSFOCUS CERT detected that Citrix released a security notice, fixing an authentication bypass vulnerability (CVE-2022-27510). When Citrix Gateway is running with Citrix ADC as a gateway device (either using the SSL VPN feature or deployed as an ICA proxy with authentication enabled), an unauthenticated remote attacker can send malicious packets to the target […]

YApi mongo Injection Vulnerability Alert

November 12, 2022 | Jie Ji

Overview Recently, NSFOCUS CERT detected that a MongoDB injection vulnerability in YApi, an open source API interface management platform, was publicly released on the Internet. Due to the splicing of a certain function in YApi, MongoDB injection can be realized. Unauthenticated remote attackers can exploit this vulnerability to obtain the user token (including necessary parameters such as […]

Spring Security Authentication Bypass Vulnerability (CVE-2022-31692) Notice

November 4, 2022 | Jie Ji

Overview Recently, NSFOCUS CERT found that the PoC of the Spring Security authentication bypass vulnerability (CVE-2022-31692) was publicly disclosed online. Due to improper authorization flaws, under certain conditions, an unauthenticated remote attacker can use FORWARD or INCLUDE for forwarding, thereby exploiting the vulnerability to bypass the authorization rules and ultimately achieve authentication bypass. At present, […]

OpenSSL Multiple Buffer Overflow Vulnerability Notice

November 2, 2022 | Jie Ji

Overview On November 2, 2022, NSFOCUS CERT detected that OpenSSL officially released a security notice and fixed multiple buffer overflow vulnerabilities in OpenSSL. OpenSSL is an open source software library package. Applications can use this package to communicate securely, avoid eavesdropping, and confirm the identity of the other end of the connection. It is widely […]

Google Chrome Remote Code Execution Vulnerability (CVE-2022-3723) Alert

October 31, 2022 | Jie Ji

Overview Recently, NSFOCUS CERT detected that Google Chrome has officially released a security bulletin and fixed a remote code execution vulnerability in Chrome V8 (JavaScript engine). Due to a type confusion vulnerability in Chrome V8, a remote attacker could exploit the vulnerability to execute arbitrary code on the target system. At present, the official has […]

Apache Dubbo Remote Code Execution Vulnerability (CVE-2022-39198) Notification

October 22, 2022 | Jie Ji

Overview On October 19, NSFOCUS CERT found that Apache issued a security notice to fix a remote code execution vulnerability (CVE-2022-39198) in Dubbo. Due to a deserialization vulnerability in Dubbo’s hessian-lite, an attacker can exploit this vulnerability to remotely execute arbitrary code on the target system. Relevant users are requested to take measures to protect […]