In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in National Vulnerability Database between December 08-09, 2023.
During this period, The National Vulnerability Database published 78, and these new Common Vulnerabilities and Exposures (CVEs) are classified as follows:
Critical: 1
High: 10
Medium: 14
Low: 6
Severity Not Assigned: 47
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2023-5008
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Student Information System v1.0 is vulnerable to an unauthenticated SQL Injection vulnerability on the 'regno' parameter of index.php page, allowing an external attacker to dump all the contents of the database contents and bypass the login control.
References: https://fluidattacks.com/advisories/blechacz/
https://www.kashipara.com/
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
2. CVE-2023-26158
Base Score: 8.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 4.2
Description: All versions of the package mockjs are vulnerable to Prototype Pollution via the Util.extend function due to missing check if the attribute resolves to the object prototype. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf).
User controlled inputs inside the extend() method of the Mock.Handler, Mock.Random, Mock.RE.Handler or Mock.Util, will allow an attacker to exploit this vulnerability.
Workaround
By using a denylist of dangerous attributes, this weakness can be eliminated.
Add the following line in the Util.extend function:
js
js if (["__proto__", "constructor", "prototype"].includes(name)) continue
js
// src/mock/handler.js
Util.extend = function extend() {
var target = arguments[0] || {},
i = 1,
length = arguments.length,
options, name, src, copy, clone
if (length === 1) {
target = this
i = 0
}
for (; i < length; i++) {
options = arguments[i]
if (!options) continue
for (name in options) {
if (["__proto__", "constructor", "prototype"].includes(name)) continue
src = target[name]
copy = options[name]
if (target === copy) continue
if (copy === undefined) continue
if (Util.isArray(copy) || Util.isObject(copy)) {
if (Util.isArray(copy)) clone = src && Util.isArray(src) ? src : []
if (Util.isObject(copy)) clone = src && Util.isObject(src) ? src : {}
target[name] = Util.extend(clone, copy)
} else {
target[name] = copy
}
}
}
return target
}
References: https://github.com/nuysoft/Mock/blob/00ce04b92eb464e664a4438430903f2de96efb47/dist/mock.js%23L721-L755
https://security.snyk.io/vuln/SNYK-JS-MOCKJS-6051365
CWE-ID: CWE-1321
Common Platform Enumerations (CPE): Not Found
3. CVE-2023-32460
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.0
Impact Score: 6.0
Description:
Dell PowerEdge BIOS contains an improper privilege management security vulnerability. An unauthenticated local attacker could potentially exploit this vulnerability, leading to privilege escalation.
References: https://www.dell.com/support/kbdoc/en-us/000219550/dsa-2023-361-security-update-for-dell-poweredge-server-bios-for-an-improper-privilege-management-security-vulnerability
CWE-ID: CWE-306
Common Platform Enumerations (CPE): Not Found
4. CVE-2023-6245
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: The Candid library causes a Denial of Service while
parsing a specially crafted payload with 'empty' data type. For example,
if the payload is `record { * ; empty }` and the canister interface expects `record { * }` then the Rust candid decoder treats empty as an extra field required by the type. The problem with the type empty is that the candid Rust library wrongly categorizes empty as a recoverable error when skipping the field and thus causing an infinite decoding loop.
Canisters using affected versions of candid
are exposed to denial of service by causing the decoding to run
indefinitely until the canister traps due to reaching maximum
instruction limit per execution round. Repeated exposure to the payload
will result in degraded performance of the canister. Note: Canisters written in Motoko are unaffected.
References: https://github.com/dfinity/candid/blob/master/spec/Candid.md
https://github.com/dfinity/candid/pull/478
https://github.com/dfinity/candid/security/advisories/GHSA-7787-p7x6-fq3j
https://internetcomputer.org/docs/current/references/candid-ref
https://internetcomputer.org/docs/current/references/ic-interface-spec
CWE-ID: CWE-1288 CWE-168 CWE-20 CWE-835
Common Platform Enumerations (CPE): Not Found
5. CVE-2023-47565
Base Score: 8.0
Base Severity: HIGH
Exploitability Score: 2.1
Impact Score: 5.9
Description: An OS command injection vulnerability has been found to affect legacy QNAP VioStor NVR models running QVR Firmware 4.x. If exploited, the vulnerability could allow authenticated users to execute commands via a network.
We have already fixed the vulnerability in the following versions:
QVR Firmware 5.0.0 and later
References: https://www.qnap.com/en/security-advisory/qsa-23-48
CWE-ID: CWE-78
Common Platform Enumerations (CPE): Not Found
6. CVE-2023-6606
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.2
Description: An out-of-bounds read vulnerability was found in smbCalcSize in fs/smb/client/netmisc.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.
References: https://access.redhat.com/security/cve/CVE-2023-6606
https://bugzilla.kernel.org/show_bug.cgi?id=218218
https://bugzilla.redhat.com/show_bug.cgi?id=2253611
CWE-ID: CWE-125
Common Platform Enumerations (CPE): Not Found
7. CVE-2023-6610
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.2
Description: An out-of-bounds read vulnerability was found in smb2_dump_detail in fs/smb/client/smb2ops.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.
References: https://access.redhat.com/security/cve/CVE-2023-6610
https://bugzilla.kernel.org/show_bug.cgi?id=218219
https://bugzilla.redhat.com/show_bug.cgi?id=2253614
CWE-ID: CWE-125
Common Platform Enumerations (CPE): Not Found
8. CVE-2023-48311
Base Score: 8.0
Base Severity: HIGH
Exploitability Score: 2.1
Impact Score: 5.9
Description: dockerspawner is a tool to spawn JupyterHub single user servers in Docker containers. Users of JupyterHub deployments running DockerSpawner starting with 0.11.0 without specifying `DockerSpawner.allowed_images` configuration allow users to launch _any_ pullable docker image, instead of restricting to only the single configured image, as intended. This issue has been addressed in commit `3ba4b665b` which has been included in dockerspawner release version 13. Users are advised to upgrade. Users unable to upgrade should explicitly set `DockerSpawner.allowed_images` to a non-empty list containing only the default image will result in the intended default behavior.
References: https://github.com/jupyterhub/dockerspawner/commit/3ba4b665b6ca6027ea7a032d7ca3eab977574626
https://github.com/jupyterhub/dockerspawner/security/advisories/GHSA-hfgr-h3vc-p6c2
CWE-ID: CWE-20
Common Platform Enumerations (CPE): Not Found
9. CVE-2023-49782
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Collabora Online is a collaborative online office suite based on LibreOffice technology. Users of Nextcloud with `Collabora Online - Built-in CODE Server` app can be vulnerable to attack via proxy.php. The bug was fixed in Collabora Online - Built-in CODE Server (richdocumentscode) release 23.5.601. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References: https://apps.nextcloud.com/apps/richdocumentscode
https://github.com/CollaboraOnline/online/security/advisories/GHSA-8xm5-pgfr-8mjr
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
10. CVE-2023-49788
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 2.7
Description: Collabora Online is a collaborative online office suite based on LibreOffice technology. Unlike a standalone dedicated Collabora Online server, the Built-in CODE Server (richdocumentscode) is run without chroot sandboxing. Vulnerable versions of the richdocumentscode app can be susceptible to attack via modified client->server commands to overwrite files outside the sub directory the server has provided for the transient session. Files which can be accessed are limited to those that the server process has access to. The bug was fixed in Collabora Online - Built-in CODE Server (richdocumentscode) release 23.5.602. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References: https://github.com/CollaboraOnline/online/security/advisories/GHSA-3r69-xvf7-v94j
CWE-ID: CWE-22 CWE-501
Common Platform Enumerations (CPE): Not Found
11. CVE-2023-6337
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: HashiCorp Vault and Vault Enterprise 1.12.0 and newer are vulnerable to a denial of service through memory exhaustion of the host when handling large unauthenticated and authenticated HTTP requests from a client. Vault will attempt to map the request to memory, resulting in the exhaustion of available memory on the host, which may cause Vault to crash.
Fixed in Vault 1.15.4, 1.14.8, 1.13.12.
References: https://discuss.hashicorp.com/t/hcsec-2023-34-vault-vulnerable-to-denial-of-service-through-memory-exhaustion-when-handling-large-http-requests/60741
CWE-ID: CWE-770
Common Platform Enumerations (CPE): Not Found
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in National Vulnerability Database between December 08-09, 2023.
During this period, The National Vulnerability Database published 78, and these new Common Vulnerabilities and Exposures (CVEs) are classified as follows:
Critical: 1
High: 10
Medium: 14
Low: 6
Severity Not Assigned: 47
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2023-5008
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Student Information System v1.0 is vulnerable to an unauthenticated SQL Injection vulnerability on the 'regno' parameter of index.php page, allowing an external attacker to dump all the contents of the database contents and bypass the login control.
References: https://fluidattacks.com/advisories/blechacz/
https://www.kashipara.com/
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
2. CVE-2023-26158
Base Score: 8.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 4.2
Description: All versions of the package mockjs are vulnerable to Prototype Pollution via the Util.extend function due to missing check if the attribute resolves to the object prototype. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf).
User controlled inputs inside the extend() method of the Mock.Handler, Mock.Random, Mock.RE.Handler or Mock.Util, will allow an attacker to exploit this vulnerability.
Workaround
By using a denylist of dangerous attributes, this weakness can be eliminated.
Add the following line in the Util.extend function:
js
js if (["__proto__", "constructor", "prototype"].includes(name)) continue
js
// src/mock/handler.js
Util.extend = function extend() {
var target = arguments[0] || {},
i = 1,
length = arguments.length,
options, name, src, copy, clone
if (length === 1) {
target = this
i = 0
}
for (; i < length; i++) {
options = arguments[i]
if (!options) continue
for (name in options) {
if (["__proto__", "constructor", "prototype"].includes(name)) continue
src = target[name]
copy = options[name]
if (target === copy) continue
if (copy === undefined) continue
if (Util.isArray(copy) || Util.isObject(copy)) {
if (Util.isArray(copy)) clone = src && Util.isArray(src) ? src : []
if (Util.isObject(copy)) clone = src && Util.isObject(src) ? src : {}
target[name] = Util.extend(clone, copy)
} else {
target[name] = copy
}
}
}
return target
}
References: https://github.com/nuysoft/Mock/blob/00ce04b92eb464e664a4438430903f2de96efb47/dist/mock.js%23L721-L755
https://security.snyk.io/vuln/SNYK-JS-MOCKJS-6051365
CWE-ID: CWE-1321
Common Platform Enumerations (CPE): Not Found
3. CVE-2023-32460
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.0
Impact Score: 6.0
Description:
Dell PowerEdge BIOS contains an improper privilege management security vulnerability. An unauthenticated local attacker could potentially exploit this vulnerability, leading to privilege escalation.
References: https://www.dell.com/support/kbdoc/en-us/000219550/dsa-2023-361-security-update-for-dell-poweredge-server-bios-for-an-improper-privilege-management-security-vulnerability
CWE-ID: CWE-306
Common Platform Enumerations (CPE): Not Found
4. CVE-2023-6245
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: The Candid library causes a Denial of Service while
parsing a specially crafted payload with 'empty' data type. For example,
if the payload is `record { * ; empty }` and the canister interface expects `record { * }` then the Rust candid decoder treats empty as an extra field required by the type. The problem with the type empty is that the candid Rust library wrongly categorizes empty as a recoverable error when skipping the field and thus causing an infinite decoding loop.
Canisters using affected versions of candid
are exposed to denial of service by causing the decoding to run
indefinitely until the canister traps due to reaching maximum
instruction limit per execution round. Repeated exposure to the payload
will result in degraded performance of the canister. Note: Canisters written in Motoko are unaffected.
References: https://github.com/dfinity/candid/blob/master/spec/Candid.md
https://github.com/dfinity/candid/pull/478
https://github.com/dfinity/candid/security/advisories/GHSA-7787-p7x6-fq3j
https://internetcomputer.org/docs/current/references/candid-ref
https://internetcomputer.org/docs/current/references/ic-interface-spec
CWE-ID: CWE-1288 CWE-168 CWE-20 CWE-835
Common Platform Enumerations (CPE): Not Found
5. CVE-2023-47565
Base Score: 8.0
Base Severity: HIGH
Exploitability Score: 2.1
Impact Score: 5.9
Description: An OS command injection vulnerability has been found to affect legacy QNAP VioStor NVR models running QVR Firmware 4.x. If exploited, the vulnerability could allow authenticated users to execute commands via a network.
We have already fixed the vulnerability in the following versions:
QVR Firmware 5.0.0 and later
References: https://www.qnap.com/en/security-advisory/qsa-23-48
CWE-ID: CWE-78
Common Platform Enumerations (CPE): Not Found
6. CVE-2023-6606
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.2
Description: An out-of-bounds read vulnerability was found in smbCalcSize in fs/smb/client/netmisc.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.
References: https://access.redhat.com/security/cve/CVE-2023-6606
https://bugzilla.kernel.org/show_bug.cgi?id=218218
https://bugzilla.redhat.com/show_bug.cgi?id=2253611
CWE-ID: CWE-125
Common Platform Enumerations (CPE): Not Found
7. CVE-2023-6610
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.2
Description: An out-of-bounds read vulnerability was found in smb2_dump_detail in fs/smb/client/smb2ops.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.
References: https://access.redhat.com/security/cve/CVE-2023-6610
https://bugzilla.kernel.org/show_bug.cgi?id=218219
https://bugzilla.redhat.com/show_bug.cgi?id=2253614
CWE-ID: CWE-125
Common Platform Enumerations (CPE): Not Found
8. CVE-2023-48311
Base Score: 8.0
Base Severity: HIGH
Exploitability Score: 2.1
Impact Score: 5.9
Description: dockerspawner is a tool to spawn JupyterHub single user servers in Docker containers. Users of JupyterHub deployments running DockerSpawner starting with 0.11.0 without specifying `DockerSpawner.allowed_images` configuration allow users to launch _any_ pullable docker image, instead of restricting to only the single configured image, as intended. This issue has been addressed in commit `3ba4b665b` which has been included in dockerspawner release version 13. Users are advised to upgrade. Users unable to upgrade should explicitly set `DockerSpawner.allowed_images` to a non-empty list containing only the default image will result in the intended default behavior.
References: https://github.com/jupyterhub/dockerspawner/commit/3ba4b665b6ca6027ea7a032d7ca3eab977574626
https://github.com/jupyterhub/dockerspawner/security/advisories/GHSA-hfgr-h3vc-p6c2
CWE-ID: CWE-20
Common Platform Enumerations (CPE): Not Found
9. CVE-2023-49782
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Collabora Online is a collaborative online office suite based on LibreOffice technology. Users of Nextcloud with `Collabora Online - Built-in CODE Server` app can be vulnerable to attack via proxy.php. The bug was fixed in Collabora Online - Built-in CODE Server (richdocumentscode) release 23.5.601. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References: https://apps.nextcloud.com/apps/richdocumentscode
https://github.com/CollaboraOnline/online/security/advisories/GHSA-8xm5-pgfr-8mjr
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
10. CVE-2023-49788
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 2.7
Description: Collabora Online is a collaborative online office suite based on LibreOffice technology. Unlike a standalone dedicated Collabora Online server, the Built-in CODE Server (richdocumentscode) is run without chroot sandboxing. Vulnerable versions of the richdocumentscode app can be susceptible to attack via modified client->server commands to overwrite files outside the sub directory the server has provided for the transient session. Files which can be accessed are limited to those that the server process has access to. The bug was fixed in Collabora Online - Built-in CODE Server (richdocumentscode) release 23.5.602. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References: https://github.com/CollaboraOnline/online/security/advisories/GHSA-3r69-xvf7-v94j
CWE-ID: CWE-22 CWE-501
Common Platform Enumerations (CPE): Not Found
11. CVE-2023-6337
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: HashiCorp Vault and Vault Enterprise 1.12.0 and newer are vulnerable to a denial of service through memory exhaustion of the host when handling large unauthenticated and authenticated HTTP requests from a client. Vault will attempt to map the request to memory, resulting in the exhaustion of available memory on the host, which may cause Vault to crash.
Fixed in Vault 1.15.4, 1.14.8, 1.13.12.
References: https://discuss.hashicorp.com/t/hcsec-2023-34-vault-vulnerable-to-denial-of-service-through-memory-exhaustion-when-handling-large-http-requests/60741
CWE-ID: CWE-770
Common Platform Enumerations (CPE): Not Found