In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in National Vulnerability Database between October 29-30, 2023.
During this period, The National Vulnerability Database published 15, and these new Common Vulnerabilities and Exposures (CVEs) are classified as follows:
Critical: 1
High: 5
Medium: 7
Low: 0
Severity Not Assigned: 2
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2023-5839
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.0
Impact Score: 6.0
Description: Privilege Chaining in GitHub repository hestiacp/hestiacp prior to 1.8.9.
References: https://github.com/hestiacp/hestiacp/commit/acb766e1db53de70534524b3fbc2270689112630
https://huntr.com/bounties/21125f12-64a0-42a3-b218-26b9945a5bc0
CWE-ID: CWE-268
Common Platform Enumerations (CPE): Not Found
2. CVE-2023-40685
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 1.4
Impact Score: 5.9
Description: Management Central as part of IBM i 7.2, 7.3, 7.4, and 7.5 Navigator contains a local privilege escalation vulnerability. A malicious actor with command line access to the operating system can exploit this vulnerability to elevate privileges to gain root access to the operating system. IBM X-Force ID: 264116.
References: https://exchange.xforce.ibmcloud.com/vulnerabilities/264116
https://www.ibm.com/support/pages/node/7060686
CWE-ID: CWE-269
Common Platform Enumerations (CPE): Not Found
3. CVE-2021-33635
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: When malicious images are pulled by isula pull, attackers can execute arbitrary code.
References: https://gitee.com/src-openeuler/iSulad/pulls/600/files
https://gitee.com/src-openeuler/iSulad/pulls/627/files
https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1686
CWE-ID: CWE-665
Common Platform Enumerations (CPE): Not Found
4. CVE-2021-33636
Base Score: 8.4
Base Severity: HIGH
Exploitability Score: 2.5
Impact Score: 5.9
Description:
When the isula load command is used to load malicious images, attackers can execute arbitrary code.
References: https://gitee.com/src-openeuler/iSulad/pulls/600/files
https://gitee.com/src-openeuler/iSulad/pulls/627/files
https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1686
CWE-ID: CWE-665
Common Platform Enumerations (CPE): Not Found
5. CVE-2021-33637
Base Score: 8.4
Base Severity: HIGH
Exploitability Score: 2.5
Impact Score: 5.9
Description:
When the isula export command is used to export a container to an image and the container is controlled by an attacker, the attacker can escape the container.
References: https://gitee.com/src-openeuler/iSulad/pulls/600/files
https://gitee.com/src-openeuler/iSulad/pulls/627/files
https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1686
CWE-ID: CWE-665
Common Platform Enumerations (CPE): Not Found
6. CVE-2021-33638
Base Score: 8.4
Base Severity: HIGH
Exploitability Score: 2.5
Impact Score: 5.9
Description:
When the isula cp command is used to copy files from a container to a host machine and the container is controlled by an attacker, the attacker can escape the container.
References: https://gitee.com/src-openeuler/iSulad/pulls/600/files
https://gitee.com/src-openeuler/iSulad/pulls/627/files
https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1686
CWE-ID: CWE-665
Common Platform Enumerations (CPE): Not Found
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in National Vulnerability Database between October 29-30, 2023.
During this period, The National Vulnerability Database published 15, and these new Common Vulnerabilities and Exposures (CVEs) are classified as follows:
Critical: 1
High: 5
Medium: 7
Low: 0
Severity Not Assigned: 2
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2023-5839
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.0
Impact Score: 6.0
Description: Privilege Chaining in GitHub repository hestiacp/hestiacp prior to 1.8.9.
References: https://github.com/hestiacp/hestiacp/commit/acb766e1db53de70534524b3fbc2270689112630
https://huntr.com/bounties/21125f12-64a0-42a3-b218-26b9945a5bc0
CWE-ID: CWE-268
Common Platform Enumerations (CPE): Not Found
2. CVE-2023-40685
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 1.4
Impact Score: 5.9
Description: Management Central as part of IBM i 7.2, 7.3, 7.4, and 7.5 Navigator contains a local privilege escalation vulnerability. A malicious actor with command line access to the operating system can exploit this vulnerability to elevate privileges to gain root access to the operating system. IBM X-Force ID: 264116.
References: https://exchange.xforce.ibmcloud.com/vulnerabilities/264116
https://www.ibm.com/support/pages/node/7060686
CWE-ID: CWE-269
Common Platform Enumerations (CPE): Not Found
3. CVE-2021-33635
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: When malicious images are pulled by isula pull, attackers can execute arbitrary code.
References: https://gitee.com/src-openeuler/iSulad/pulls/600/files
https://gitee.com/src-openeuler/iSulad/pulls/627/files
https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1686
CWE-ID: CWE-665
Common Platform Enumerations (CPE): Not Found
4. CVE-2021-33636
Base Score: 8.4
Base Severity: HIGH
Exploitability Score: 2.5
Impact Score: 5.9
Description:
When the isula load command is used to load malicious images, attackers can execute arbitrary code.
References: https://gitee.com/src-openeuler/iSulad/pulls/600/files
https://gitee.com/src-openeuler/iSulad/pulls/627/files
https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1686
CWE-ID: CWE-665
Common Platform Enumerations (CPE): Not Found
5. CVE-2021-33637
Base Score: 8.4
Base Severity: HIGH
Exploitability Score: 2.5
Impact Score: 5.9
Description:
When the isula export command is used to export a container to an image and the container is controlled by an attacker, the attacker can escape the container.
References: https://gitee.com/src-openeuler/iSulad/pulls/600/files
https://gitee.com/src-openeuler/iSulad/pulls/627/files
https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1686
CWE-ID: CWE-665
Common Platform Enumerations (CPE): Not Found
6. CVE-2021-33638
Base Score: 8.4
Base Severity: HIGH
Exploitability Score: 2.5
Impact Score: 5.9
Description:
When the isula cp command is used to copy files from a container to a host machine and the container is controlled by an attacker, the attacker can escape the container.
References: https://gitee.com/src-openeuler/iSulad/pulls/600/files
https://gitee.com/src-openeuler/iSulad/pulls/627/files
https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1686
CWE-ID: CWE-665
Common Platform Enumerations (CPE): Not Found