Latest Vulnerabilities Updates: AppSecWorld's CVE Daily Digest for July 15-16, 2024

In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in the National Vulnerability Database between July 15 and 16, 2024.
During this period, the National Vulnerability Database published 89 new Common Vulnerabilities and Exposures (CVEs), classified by severity as follows:

Critical: 4
High: 10
Medium: 36
Low: 3
Severity Not Assigned: 36

Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.

1. CVE-2024-6345
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.
References: https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0
https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5

CWE-ID: CWE-94
Common Platform Enumerations (CPE): Not Found

2. CVE-2024-6737
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The access control in the Electronic Official Document Management System from 2100 TECHNOLOGY is not properly implemented, allowing remote attackers with regular privileges to access the account settings functionality and create an administrator account.
References: https://www.twcert.org.tw/en/cp-139-7924-85606-2.html
https://www.twcert.org.tw/tw/cp-132-7923-46df3-1.html

CWE-ID: CWE-284
Common Platform Enumerations (CPE): Not Found

3. CVE-2024-21513
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 6.0
Description: Versions of the package langchain-experimental from 0.0.15 and before 0.0.21 are vulnerable to Arbitrary Code Execution when retrieving values from the database: the code will attempt to call 'eval' on all values. An attacker can exploit this vulnerability and execute arbitrary Python code if they can control the input prompt and the server is configured with VectorSQLDatabaseChain.

**Notes:**

Impact on the Confidentiality, Integrity and Availability of the vulnerable component:

Confidentiality: Code execution happens within the impacted component, in this case langchain-experimental, so all resources are necessarily accessible.

Integrity: There is nothing protected by the impacted component inherently, although anything returned from the component counts as 'information' whose trustworthiness can be compromised.

Availability: The loss of availability isn't caused by the attack itself but occurs as a result of the attacker's post-exploitation steps.


Impact on the Confidentiality, Integrity and Availability of the subsequent system:

As a legitimate low-privileged user of the package (PR:L), the attacker does not have more access to data owned by the package as a result of this vulnerability than they did with normal usage (e.g. they can query the DB). The unintended actions that one can perform by breaking out of the app environment (exfiltrating files, making remote connections, etc.) happen during the post-exploitation phase in the subsequent system, in this case the OS.

AT:P: An attacker needs to be able to influence the input prompt, whilst the server is configured with the VectorSQLDatabaseChain plugin.
References: https://github.com/langchain-ai/langchain/blob/672907bbbb7c38bf19787b78e4ffd7c8a9026fe4/libs/experimental/langchain_experimental/sql/vector_sql.py#L81
https://github.com/langchain-ai/langchain/commit/7b13292e3544b2f5f2bfb8a27a062ea2b0c34561
https://security.snyk.io/vuln/SNYK-PYTHON-LANGCHAINEXPERIMENTAL-7278171

CWE-ID: CWE-94
Common Platform Enumerations (CPE): Not Found

4. CVE-2024-6743
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: AguardNet's Space Management System does not properly validate user input, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
References: https://www.twcert.org.tw/en/cp-139-7933-9a38d-2.html
https://www.twcert.org.tw/tw/cp-132-7932-a6d4d-1.html

CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found

5. CVE-2024-6744
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The SMTP Listener of Secure Email Gateway from Cellopoint does not properly validate user input, leading to a Buffer Overflow vulnerability. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary system commands on the remote server.
References: https://www.twcert.org.tw/en/cp-139-7937-acbb5-2.html
https://www.twcert.org.tw/tw/cp-132-7936-f6381-1.html

CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found

6. CVE-2024-6689
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.1
Impact Score: 6.0
Description: Local Privilege Escalation in MSI-Installer in baramundi Management Agent v23.1.172.0 on Windows allows a local unprivileged user to escalate privileges to SYSTEM.
References: https://www.baramundi.com/en-us/security-info/s-2024-01/

CWE-ID: CWE-749
Common Platform Enumerations (CPE): Not Found

7. CVE-2024-27238
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.2
Description: Race condition in the installer for some Zoom Apps and SDKs for Windows before version 6.0.0 may allow an authenticated user to conduct a privilege escalation via local access.
References: https://www.zoom.com/en/trust/security-bulletin/zsb-24021

CWE-ID: CWE-367
Common Platform Enumerations (CPE): Not Found

8. CVE-2024-27240
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.2
Description: Improper input validation in the installer for some Zoom Apps for Windows may allow an authenticated user to conduct a privilege escalation via local access.
References: https://www.zoom.com/en/trust/security-bulletin/zsb-24019

CWE-ID: CWE-20
Common Platform Enumerations (CPE): Not Found

9. CVE-2024-36432
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 0.8
Impact Score: 6.0
Description: An arbitrary memory write vulnerability was discovered in Supermicro X11DPG-HGX2, X11PDG-QT, X11PDG-OT, and X11PDG-SN motherboards with BIOS firmware before 4.4.
References: https://www.supermicro.com/en/support/security_center#!advisories
https://www.supermicro.com/zh_tw/support/security_BIOS_Jul_2024

CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found

10. CVE-2024-36433
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 0.8
Impact Score: 6.0
Description: An arbitrary memory write vulnerability was discovered in Supermicro X11DPH-T, X11DPH-Tq, and X11DPH-i motherboards with BIOS firmware before 4.4.
References: https://www.supermicro.com/en/support/security_BIOS_Jul_2024
https://www.supermicro.com/en/support/security_center#!advisories

CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found

11. CVE-2024-36434
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 0.8
Impact Score: 6.0
Description: An SMM callout vulnerability was discovered in Supermicro X11DPH-T, X11DPH-Tq, and X11DPH-i motherboards with BIOS firmware before 4.4.
References: https://www.supermicro.com/en/support/security_BIOS_Jul_2024
https://www.supermicro.com/en/support/security_center#!advisories

CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found

12. CVE-2024-40631
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.2
Description: Plate media is an open source, rich-text editor for React. Editors that use `MediaEmbedElement` and pass custom `urlParsers` to the `useMediaState` hook may be vulnerable to XSS if a custom parser allows `javascript:`, `data:` or `vbscript:` URLs to be embedded. Editors that do not use `urlParsers` and consume the `url` property directly may also be vulnerable if the URL is not sanitised. The default parsers `parseTwitterUrl` and `parseVideoUrl` are not affected. `@udecode/plate-media` 36.0.10 resolves this issue by only allowing HTTP and HTTPS URLs during parsing. This affects only the `embed` property returned from `useMediaState`. In addition, the `url` property returned from `useMediaState` has been renamed to `unsafeUrl` to indicate that it has not been sanitised. The `url` property on `element` is also unsafe, but has not been renamed. If you're using either of these properties directly, you will still need to validate the URL yourself. Users are advised to upgrade. Users unable to upgrade should ensure that any custom `urlParsers` do not allow `javascript:`, `data:` or `vbscript:` URLs to be returned in the `url` property of their return values. If `url` is consumed directly, validate the URL protocol before passing it to the `iframe` element.


References: https://github.com/udecode/plate/commit/1bc0971774fbfb770780c9bdb94746a6f0f196a0
https://github.com/udecode/plate/security/advisories/GHSA-h3pq-667x-r789
https://stackoverflow.com/a/43467144

CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
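The Plate advisory above tells editors that consume `url` or `unsafeUrl` directly to validate the URL protocol before it reaches the `iframe`. The following is an added example of such an allow-list check, not code from the Plate project; the `{ url, id, provider }` shape of the custom parser result is an assumption made for illustration, and the check relies only on the WHATWG `URL` parser built into Node and browsers.

```javascript
// Added example (not Plate's own code): fail-closed protocol allow-list for any
// URL that will be handed to an <iframe>, as recommended for CVE-2024-40631.
const SAFE_PROTOCOLS = new Set(["http:", "https:"]);

// Returns the normalised absolute URL if its scheme is http or https, else null.
// Unknown or unparsable input is refused rather than "repaired".
function sanitizeEmbedUrl(raw) {
  if (typeof raw !== "string") return null;
  let parsed;
  try {
    // new URL() lower-cases the scheme and strips leading/trailing whitespace,
    // so a naive string prefix check is not needed and case tricks are caught.
    parsed = new URL(raw);
  } catch (_err) {
    return null; // relative paths and malformed strings are rejected too
  }
  return SAFE_PROTOCOLS.has(parsed.protocol) ? parsed.href : null;
}

// Wraps the object a custom urlParsers function returns (hypothetical shape:
// { url, id, provider }) and drops the embed unless its url passes the check.
function guardParserResult(result) {
  if (!result || typeof result !== "object") return null;
  const url = sanitizeEmbedUrl(result.url);
  return url === null ? null : { ...result, url };
}
```

Because the guard returns `null` instead of a partially cleaned object, a caller that renders only when it receives a result cannot accidentally embed a URL that failed the check.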

13. CVE-2024-39915
Base Score: 9.9
Base Severity: CRITICAL
Exploitability Score: 3.1
Impact Score: 6.0
Description: Thruk is a multi-backend monitoring web interface for Naemon, Nagios, Icinga and Shinken using the Livestatus API. This authenticated RCE in Thruk allows authorized users with network access to inject arbitrary commands via the url parameter during PDF report generation. The Thruk web application does not properly process the url parameter when generating a PDF report. An authorized attacker with access to the reporting functionality could inject arbitrary commands that would be executed when the script /script/html2pdf.sh is called. The vulnerability can be exploited by an authorized user with network access. This issue has been addressed in version 3.16. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References: https://github.com/sni/Thruk/commit/7e7eb251e76718a07639c4781f0d959d817f173b
https://github.com/sni/Thruk/security/advisories/GHSA-r7gx-h738-4w6f

CWE-ID: CWE-94
Common Platform Enumerations (CPE): Not Found

14. CVE-2024-40624
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: TorrentPier is an open source BitTorrent Public/Private tracker engine, written in PHP. In `torrentpier/library/includes/functions.php`, `get_tracks()` uses the unsafe native PHP serialization format to deserialize user-controlled cookies. One can use phpggc and the chain Guzzle/FW1 to write PHP code to an arbitrary file, and execute commands on the system. For instance, the cookie bb_t will be deserialized when browsing to viewforum.php. This issue has been addressed in commit `ed37e6e52`, which is expected to be included in release version 2.4.4. Users are advised to upgrade as soon as the new release is available. There are no known workarounds for this vulnerability.
References: https://github.com/torrentpier/torrentpier/blob/84f6c9f4a081d9ffff4c233098758280304bf50f/library/includes/functions.php#L41-L60
https://github.com/torrentpier/torrentpier/commit/ed37e6e522f345f2b46147c6f53c1ab6dec1db9e
https://github.com/torrentpier/torrentpier/security/advisories/GHSA-fg86-4c2r-7wxw

CWE-ID: CWE-502
Common Platform Enumerations (CPE): Not Found
