10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
10 High
AI Score
Confidence
High
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.954 High
EPSS
Percentile
99.3%
This week, Metasploit community member h00die added the second of two modules targeting Rancher instances. These modules each leak sensitive information from vulnerable instances of the application which is intended to manage Kubernetes clusters. These are a great addition to Metasploit’s coverage for testing Kubernetes environments.
Metasploit also released an exploit for the unauthenticated RCE in PAN-OS that has been receiving a lot of attention recently. This vulnerability is an unauthenticated file creation that can be leveraged to trigger the execution of remote commands. See Rapid7’s analysis on AttackerKB for an in depth explanation of the root cause.
Authors: Florian Struck, Marco Stuurman, and h00die
Type: Auxiliary
Pull request: #18956 contributed by h00die
Path: gather/rancher_authenticated_api_cred_exposure
AttackerKB reference: CVE-2021-36782
Description: This adds an exploit for CVE-2021-36782, a vulnerability which can be leveraged by an authenticated attacker to leak API credentials from an affected Rancher instance.
Author: Julien (jvoisin) Voisin
Type: Auxiliary
Pull request: #18723 contributed by jvoisin
Path: scanner/http/gitlab_version
Description: A web page exists that can be reached without authentication that contains a hash that can be used to determine the approximate version of gitlab running on the endpoint. This PR enhances our current GitLab fingerprinting capabilities to include the aforementioned technique.
Authors: jheysel-r7 and l3yx
Type: Exploit
Pull request: #19046 contributed by jheysel-r7
Path: linux/http/apache_solr_backup_restore
AttackerKB reference: CVE-2023-50386
Description: Adds apache_solr_backup_restore module, taking advantage of a Unrestricted Upload of File with Dangerous Type vulnerability, allowing the user to gain a session in an Apache Solr instance for remote code execution.
Authors: remmons-r7 and sfewer-r7
Type: Exploit
Pull request: #19101 contributed by remmons-r7
Path: linux/http/panos_telemetry_cmd_exec
AttackerKB reference: CVE-2024-3400
Description: This adds an exploit module for <https://security.paloaltonetworks.com/CVE-2024-3400>, affecting PAN-OS GlobalProtect Gateway and GlobalProtect Portal deployments with the default telemetry service enabled.
Authors: Paul Gerste and h00die
Type: Exploit
Pull request: #18997 contributed by h00die
Path: multi/fileformat/gitlens_local_config_exec
AttackerKB reference: CVE-2023-46944
Description: This adds a FileFormat exploit for VSCode. The VSCode extension GitLens by GitKraken before v.14.0.0 allows an untrusted workspace to execute git commands. A repo may include its own .git folder including a malicious config file to execute arbitrary code.
Author: h00die
Type: Exploit
Pull request: #18996 contributed by h00die
Path: multi/fileformat/visual_studio_vsix_exec
Description: This adds a new exploit module that creates a malicious VS / VSCode extension file.
Authors: h00die-gr3y [email protected] and usd Herolab
Type: Exploit
Pull request: #19005 contributed by h00die-gr3y
Path: multi/http/gambio_unauth_rce_cve_2024_23759
AttackerKB reference: CVE-2024-23759
Description: This adds a module for a Remote Code Execution vulnerability in Gambio Online Webshop version 4.9.2.0 and lower allows remote attackers to run arbitrary commands via unauthenticated HTTP POST request.
Authors: James Horseman, Spencer McIntyre, Zach Hanley, and jheysel-r7
Type: Exploit
Pull request: #19082 contributed by jheysel-r7
Path: windows/http/forticlient_ems_fctid_sqli
AttackerKB reference: CVE-2023-48788
Description: Adds windows/http/forticlient_ems_fctid_sqli module that takes advantage of a SQLi injection vulnerability in FortiNet FortiClient EMS.
EVENT_DEPENDENT
value for module reliability metadata.modules/auxiliary/gather/ldap_query.rb
module when running queries from a file.default_options
metadata.exploits/linux/local/vcenter_java_wrapper_vmon_priv_esc
.password_spray
module option was being ignored.nil
values rather than the types expected, causing crashes and stack traces in LDAP-related modules.notes
command included an example which contained a flag that was not supported.You can always find more documentation on our docsite at docs.metasploit.com.
As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:
If you are a git
user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
10 High
AI Score
Confidence
High
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.954 High
EPSS
Percentile
99.3%