This Metasploit module leverages an insecure setting to get remote code execution on the target OS in the context of the user running Gogs. This is possible when the current user is allowed to create git hooks, which is the default for administrative users. For non-administrative users, the permission needs to be specifically granted by an administrator. To achieve code execution, the module authenticates to the Gogs web interface, creates a temporary repository, sets a post-receive git hook with the payload and creates a dummy file in the repository. This last action will trigger the git hook and execute the payload. Everything is done through the web interface. No mitigation has been implemented so far (latest stable version is 0.12.3). This module has been tested successfully against version 0.12.3 on docker. Windows version could not be tested since the git hook feature seems to be broken.
4e19a5ed4cbfca5897bf97baac1af8eb8a2e38d3a71e67bc5dd454724c8f460dThis Metasploit module leverages an insecure setting to get remote code execution on the target OS in the context of the user running Gitea. This is possible when the current user is allowed to create git hooks, which is the default for administrative users. For non-administrative users, the permission needs to be specifically granted by an administrator. To achieve code execution, the module authenticates to the Gitea web interface, creates a temporary repository, sets a post-receive git hook with the payload and creates a dummy file in the repository. This last action will trigger the git hook and execute the payload. Everything is done through the web interface. It has been mitigated in version 1.13.0 by setting the Gitea DISABLE_GIT_HOOKS configuration setting to true by default. This disables this feature and prevents all users (including admin) from creating custom git hooks. This module has been tested successfully against docker versions 1.12.5, 1.12.6 and 1.13.6 with DISABLE_GIT_HOOKS set to false, and on version 1.12.6 on Windows.
777838a8c7aba78aa158817a5091acfd7337de3556b2fc8c26c13ab9c90a1621Clam AntiVirus is an anti-virus toolkit for Unix. The main purpose of this software is the integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a command-line scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use in your own software.
d4b5d0ac666262e423a326fb54778caa7c69624d6c3f9542895feb8478271bd2Global Socket is a tool for moving data from here to there, securely, fast, and through NAT and firewalls. It uses the Global Socket Relay Network to connect TCP pipes, has end-to-end encryption (using OpenSSL's SRP / RFC-5054), AES-256 and key exchange using 4096-bit Prime, requires no PKI, has Perfect Forward Secrecy, and TOR support.
5d6beae72888b5b7c4d4d6bcef2c37256c736435fd1b08ff642ee4c60a310ea5A radio proximity kernel memory corruption vulnerability exists in iOS and macOS due to bad state machine in BSS steering.
9e6c28acc2dc2cdb2acc5704dda5595cbbba3c80139500e4fad8a275eaa86716Monospace Directus Headless CMS versions prior to 8.8.2 suffers from .htaccess rule bypass and arbitrary file upload vulnerabilities.
0a87fe85b52203eaf5e6bafacaf4a67e5b5538421123168457d798bfb86748ddPiotr Krysiuk discovered that the BPF subsystem in the Linux kernel did not properly apply speculative execution limits on some pointer types. A local attacker could use this to expose sensitive information (kernel memory). It was discovered that the memory management subsystem in the Linux kernel did not properly handle copy-on-write operations in some situations. A local attacker could possibly use this to gain unintended write access to read-only memory pages. Various other issues were also addressed.
469cc31bae7443b09e56a62b4aac4c6a731592910bda9c7097efee0cfc5ebb11Ignition versions prior to 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel versions prior to 8.4.2.
aebc0026e687e1ba339c5b60a3565c3f18d9a8afd3eb4765ef9daaf8dbe63898Ubuntu Security Notice 4903-1 - Viktor Szakats discovered that curl did not strip off user credentials from referrer header fields. A remote attacker could possibly use this issue to obtain sensitive information.
02c8361a95e70f06ae715eb14ee9a526a590f4cc220b11e1c03c911317a1febfUbuntu Security Notice 4901-1 - Adam Nichols discovered that heap overflows existed in the iSCSI subsystem in the Linux kernel. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the LIO SCSI target implementation in the Linux kernel performed insufficient identifier checking in certain XCOPY requests. An attacker with access to at least one LUN in a multiple backstore environment could use this to expose sensitive information or modify data. Various other issues were also addressed.
6d1fd34ada85522e50965e160e5c5eef31b6ea21b01517798c6cc78c4cbd7ac9Red Hat Security Advisory 2021-1131-01 - OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library. Issues addressed include a null pointer vulnerability.
29571e441c23765095e598556f319229c5fd625d92327db83a4b1dcd6ff3d0b4Red Hat Security Advisory 2021-1125-01 - The Advanced Virtualization module provides the user-space component for running virtual machines that use KVM in environments managed by Red Hat products.
5a2b602bddb1c9f5cc58521ec0aaf557cb5877a7c6055dff7bc3cacdf3ce1fa3Red Hat Security Advisory 2021-1093-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include buffer overflow, out of bounds read, and use-after-free vulnerabilities.
059ac98f927be53cb34bfbcaf019e55b9c1f39acbc7086390533a8aeb6488dfaComposr CMS version 10.0.36 suffers from a cross site scripting vulnerability.
4bc04416a81138adbe52b758e8877b677b6794ad88b18f373fc167b1077703bbDell EMC OpenManage Server Administrator (OMSA) versions 9.4 and prior contain multiple path traversal vulnerabilities. An unauthenticated remote attacker could potentially exploit these vulnerabilities by sending a crafted Web API request containing directory traversal character sequences to gain file system access on the compromised management station.
e814cdcda952cd0c269fb5d5234748b455d85366a559993b5b6eaf6fbbb27457Red Hat Security Advisory 2021-1086-01 - 389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. Issues addressed include an information leakage vulnerability.
0af248b34d3fe9f578cc781cd47e04041d1e644d526f9a96bd95cd41ea9c6263Red Hat Security Advisory 2021-1081-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Issues addressed include buffer overflow, out of bounds read, and use-after-free vulnerabilities.
aef5b23a4fe73958169e2989069fbdd8e0bd4e5e24e1ccfe2f32980af659f93eAtlassian Jira Service Desk version 4.9.1 suffers from a cross site scripting vulnerability via a file upload.
dfcde77b165540e992acf77b90f6fd749ada31c0790bd7b52362a5e4ecd40c70Insufficient data validation in V8 in Google Chrome versions prior to 87.0.4280.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
fdb909de2de5f3f2a4de99d31ea1db5b05b9e57c4f4895104dd5197dbcab1f7fAn out of bounds write in V8 in Google Chrome prior to 83.0.4103.106 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
2c8ea5f50ab121008f02e900d18acb7ad7c8294b6561f0aa5441fbab13086bfb
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed