Metasploit Weekly Wrap-Up 08/16/2024

Christopher Granleese, blog.rapid7.com, Aug 16, 2024 - 6:33 p.m.
Tags: apache hugegraph server, rce, openmetadata, authentication bypass, spel injection, lg simple editor, command injection, cve-2024-27348, cve-2024-28254, cve-2023-40504, metasploit

CVSS3: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
AI Score: 9 (Confidence: Low)
EPSS: 0.009 (Percentile: 82.9%)

New module content (3)

Apache HugeGraph Gremlin RCE

Authors: 6right and jheysel-r7
Type: Exploit
Pull request: #19348 contributed by jheysel-r7
Path: linux/http/apache_hugegraph_gremlin_rce
AttackerKB reference: CVE-2024-27348

Description: Adds an Apache HugeGraph Server exploit for GHSA-29rc-vq7f-x335, which is a Remote Code Execution (RCE) vulnerability that exists in Apache HugeGraph Server in versions before 1.3.0. An attacker can bypass the sandbox restrictions and achieve RCE through Gremlin, resulting in complete control over the server.

OpenMetadata authentication bypass and SpEL injection exploit chain

Authors: Alvaro Muñoz alias pwntester (<https://github.com/pwntester>) and h00die-gr3y
Type: Exploit
Pull request: #19347 contributed by h00die-gr3y
Path: linux/http/openmetadata_auth_bypass_rce
AttackerKB reference: CVE-2024-28254

Description: This module chains two vulnerabilities that exist in the OpenMetadata application. The first vulnerability, CVE-2024-28255, bypasses the API authentication that relies on JWT tokens. It abuses the JwtFilter, which checks the path of the requested URL endpoint against a list of excluded endpoints that do not require authentication. Chaining this vulnerability with CVE-2024-28254 then allows arbitrary SpEL injection at the endpoint.

LG Simple Editor Command Injection (CVE-2023-40504)

Authors: Michael Heinzl and rgod
Type: Exploit
Pull request: #19370 contributed by h4x-x0r
Path: windows/http/lg_simple_editor_rce_uploadvideo
CVE reference: ZDI-23-1208

Description: This adds an exploit module for CVE-2023-40504, a command injection vulnerability in the LG Simple Editor application that allows the execution of arbitrary commands as NT AUTHORITY\SYSTEM.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate,
and you can get more details on the changes since the last blog post from
GitHub.

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro.
