CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
73.7%
In this release, we feature a double-double: two exploits each targeting two pieces of software. The first pair is from h00die targeting the Jasmine Ransomeware Web Server. The first uses CVE-2024-30851 to retrieve the login for the ransomware server, and the second is a directory traversal vulnerability allowing arbitrary file read. The second pair from Dave Yesland of Rhino Security targets Progress Flowmon with CVE-2024-2389 and it pairs well like wine with the additional and accompanying Privilege Escalation module.
Authors: chebuya and h00die
Type: Auxiliary
Pull request: #19103 contributed by h00die
Path: gather/jasmin_ransomware_dir_traversal
AttackerKB reference: CVE-2024-30851
Description: This adds an unauthenticated directory traversal and a SQLi exploit against the Jasmin ransomware web panel.
Authors: chebuya and h00die
Type: Auxiliary
Pull request: #19103 contributed by h00die
Path: gather/jasmin_ransomware_sqli
Description: This adds an unauthenticated directory traversal and a SQLi exploit against the Jasmin ransomware web panel.
Author: Dave Yesland with Rhino Security Labs
Type: Exploit
Pull request: #19150 contributed by DaveYesland
Path: linux/http/progress_flowmon_unauth_cmd_injection
AttackerKB reference: CVE-2024-2389
Description: Unauthenticated Command Injection Module for Progress Flowmon CVE-2024-2389.
Author: Dave Yesland with Rhino Security Labs
Type: Exploit
Pull request: #19151 contributed by DaveYesland
Path: linux/local/progress_flowmon_sudo_privesc_2024
Description: Privilege escalation module for Progress Flowmon unpatched feature.
None
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:
If you are a git
user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro
Be the first to learn about the latest vulnerabilities and cybersecurity news.
Subscribe Now
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
73.7%