In the fast-moving field of cybersecurity, staying current on newly disclosed vulnerabilities is essential.
This edition of the AppSecWorld CVE Daily Digest provides a snapshot of the vulnerabilities published in the National Vulnerability Database between September 19 and 20, 2024.
During this period, the National Vulnerability Database published 52 new Common Vulnerabilities and Exposures (CVEs), classified by severity as follows:
Critical: 6
High: 9
Medium: 21
Low: 0
Severity Not Assigned: 16
Identifying and understanding these vulnerabilities are pivotal steps towards strengthening security measures and creating a safer digital environment.
Now, let's delve deeper into the AppSecWorld CVE Daily Digest, spotlighting the Critical and High severity vulnerabilities that demand immediate attention.
1. CVE-2024-46946
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: langchain_experimental (aka LangChain Experimental) 0.1.17 through 0.3.0 for LangChain allows attackers to execute arbitrary code through sympy.sympify (which uses eval) in LLMSymbolicMathChain. LLMSymbolicMathChain was introduced in fcccde406dd9e9b05fc9babcbeb9ff527b0ec0c6 (2023-10-05).
References: https://cwe.mitre.org/data/definitions/95.html
https://docs.sympy.org/latest/modules/codegen.html
https://gist.github.com/12end/68c0c58d2564ef4141bccd4651480820#file-cve-2024-46946-txt
https://github.com/langchain-ai/langchain/releases/tag/langchain-experimental%3D%3D0.3.0
CWE-ID: CWE-20
Common Platform Enumerations (CPE): Not Found
2. CVE-2024-46394
Base Score: 8.0
Base Severity: HIGH
Exploitability Score: 2.1
Impact Score: 5.9
Description: FrogCMS v0.9.5 was discovered to contain a Cross-Site Request Forgery (CSRF) via /admin/?/user/add.
References: https://github.com/fffccx1/cms/tree/main/14/readme.md
CWE-ID: CWE-352
Common Platform Enumerations (CPE): Not Found
3. CVE-2024-45752
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 6.0
Description: logiops through 0.3.4, in its default configuration, allows any unprivileged user to configure its logid daemon via an unrestricted D-Bus service, including setting malicious keyboard macros. This allows for privilege escalation with minimal user interaction.
References: https://bugzilla.suse.com/show_bug.cgi?id=1226598
https://github.com/PixlOne/logiops/releases
CWE-ID: CWE-269
Common Platform Enumerations (CPE): Not Found
4. CVE-2024-7736
Base Score: 8.7
Base Severity: HIGH
Exploitability Score: 2.3
Impact Score: 5.8
Description: A reflected Cross-site Scripting (XSS) vulnerability affecting ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2024x allows an attacker to execute arbitrary script code in a user's browser session.
References: https://www.3ds.com/vulnerability/advisories
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
5. CVE-2024-7737
Base Score: 8.7
Base Severity: HIGH
Exploitability Score: 2.3
Impact Score: 5.8
Description: A stored Cross-site Scripting (XSS) vulnerability affecting 3DSwym in 3DSwymer from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2024x allows an attacker to execute arbitrary script code in a user's browser session.
References: https://www.3ds.com/vulnerability/advisories
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
6. CVE-2024-8698
Base Score: 7.7
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.3
Description: A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks.
References: https://access.redhat.com/errata/RHSA-2024:6878
https://access.redhat.com/errata/RHSA-2024:6879
https://access.redhat.com/errata/RHSA-2024:6880
https://access.redhat.com/errata/RHSA-2024:6882
https://access.redhat.com/errata/RHSA-2024:6886
https://access.redhat.com/errata/RHSA-2024:6887
https://access.redhat.com/errata/RHSA-2024:6888
https://access.redhat.com/errata/RHSA-2024:6889
https://access.redhat.com/errata/RHSA-2024:6890
https://access.redhat.com/security/cve/CVE-2024-8698
https://bugzilla.redhat.com/show_bug.cgi?id=2311641
https://github.com/keycloak/keycloak/blob/main/saml-core/src/main/java/org/keycloak/saml/processing/core/util/XMLSignatureUtil.java#L415
CWE-ID: CWE-347
Common Platform Enumerations (CPE): Not Found
7. CVE-2024-38016
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: Microsoft Office Visio Remote Code Execution Vulnerability
References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38016
CWE-ID: CWE-284
Common Platform Enumerations (CPE): Not Found
8. CVE-2024-8963
Base Score: 9.4
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.5
Description: Path Traversal in the Ivanti CSA before 4.6 Patch 519 allows a remote unauthenticated attacker to access restricted functionality.
References: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-4-6-Cloud-Services-Appliance-CVE-2024-8963
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
9. CVE-2024-33109
Base Score: 9.9
Base Severity: CRITICAL
Exploitability Score: 3.1
Impact Score: 6.0
Description: Directory Traversal in the web interface of the Tiptel IP 286 with firmware version 2.61.13.10 allows attackers to overwrite arbitrary files on the phone via the Ringtone upload function.
References: http://tiptel.com
https://www.bdosecurity.de/en-gb/advisories/cve-2024-33109
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
10. CVE-2024-40125
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: An arbitrary file upload vulnerability in the Media Manager function of Closed-Loop Technology CLESS Server v4.5.2 allows attackers to execute arbitrary code via uploading a crafted PHP file to the upload endpoint.
References: https://github.com/brendontkl/My-CVEs/tree/main/CVE-2024-40125
https://www.closed-loop.biz/
CWE-ID: CWE-94
Common Platform Enumerations (CPE): Not Found
11. CVE-2023-27584
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Dragonfly is an open source P2P-based file distribution and image acceleration system. It is hosted by the Cloud Native Computing Foundation (CNCF) as an Incubating Level Project. Dragonfly uses JWT to verify users. However, the secret key for JWT, "Secret Key", is hard-coded, which leads to authentication bypass. An attacker can perform any action as a user with admin privileges. This issue has been addressed in release version 2.0.9. All users are advised to upgrade. There are no known workarounds for this vulnerability.
References: https://github.com/dragonflyoss/Dragonfly2/releases/tag/v2.0.9
https://github.com/dragonflyoss/Dragonfly2/security/advisories/GHSA-hpc8-7wpm-889w
CWE-ID: CWE-321
Common Platform Enumerations (CPE): Not Found
12. CVE-2024-45410
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Traefik is a Go-based Cloud Native Application Proxy. When an HTTP request is processed by Traefik, certain HTTP headers such as X-Forwarded-Host or X-Forwarded-Port are added by Traefik before the request is routed to the application. For an HTTP client, it should not be possible to remove or modify these headers. Since the application trusts the value of these headers, security implications might arise if they can be modified. For HTTP/1.1, however, it was found that some of these custom headers can indeed be removed and in certain cases manipulated. The attack relies on the HTTP/1.1 behavior that headers can be declared hop-by-hop via the HTTP Connection header. This issue has been addressed in release versions 2.11.9 and 3.1.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References: https://github.com/traefik/traefik/releases/tag/v2.11.9
https://github.com/traefik/traefik/releases/tag/v3.1.3
https://github.com/traefik/traefik/security/advisories/GHSA-62c8-mh53-4cqv
CWE-ID: CWE-345 CWE-348
Common Platform Enumerations (CPE): Not Found
13. CVE-2024-46983
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: sofa-hessian is an internal improved version of Hessian3/4 powered by Ant Group CO., Ltd. The SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. However, there is a gadget chain that can bypass the SOFA Hessian blacklist protection mechanism, and this gadget chain relies only on the JDK and does not rely on any third-party components. This issue is fixed by an update to the blacklist; users can upgrade to sofahessian version 3.5.5 to avoid this issue. Users unable to upgrade may maintain a blacklist themselves in the directory `external/serialize.blacklist`.
References: https://github.com/sofastack/sofa-hessian/security/advisories/GHSA-c459-2m73-67hj
CWE-ID: CWE-74
Common Platform Enumerations (CPE): Not Found
14. CVE-2024-46984
Base Score: 8.6
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 4.0
Description: The reference validator is a tool to perform advanced validation of FHIR resources for TI applications and interoperability standards. The profile location routine in the referencevalidator commons package is vulnerable to `XML External Entities` attack due to insecure defaults of the used Woodstox WstxInputFactory. A malicious XML resource can lead to network requests issued by referencevalidator and thus to a `Server Side Request Forgery` attack. The vulnerability impacts applications which use referencevalidator to process XML resources from untrusted sources. The problem has been patched with the 2.5.1 version of the referencevalidator. Users are strongly recommended to update to this version or a more recent one. A pre-processing or manual analysis of input XML resources on existence of DTD definitions or external entities can mitigate the problem.
References: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#transformerfactory
https://github.com/gematik/app-referencevalidator/releases/tag/2.5.1
https://github.com/gematik/app-referencevalidator/security/advisories/GHSA-68j8-fp38-p48q
https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)
https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)#
CWE-ID: CWE-611
Common Platform Enumerations (CPE): Not Found
15. CVE-2024-7207
Base Score: 8.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 4.2
Description: A flaw was found in Envoy. It is possible to modify or manipulate headers from external clients when pass-through routes are used for the ingress gateway. This issue could allow a malicious user to forge what is logged by Envoy as a requested path and cause the Envoy proxy to make requests to internal-only services or arbitrary external systems. This is a regression of the fix for CVE-2023-27487.
References: https://access.redhat.com/security/cve/CVE-2024-7207
https://bugzilla.redhat.com/show_bug.cgi?id=2300352
https://github.com/envoyproxy/envoy/security/advisories/GHSA-ffhv-fvxq-r6mf
CWE-ID: CWE-20
Common Platform Enumerations (CPE): Not Found