Lucene search
K

49 matches found

Prion
Prion
added 2023/03/21 5:15 p.m.18 views

Design/Logic Flaw

An authenticated attacker can leverage an exposed “box” object to read and write arbitrary files from disk, provided those files can be parsed as yaml or JSON. This issue was resolved in the Managed and SaaS deployments on February 1, 2023, and in version 23.2.1 of the Self-Managed version of...

5.5CVSS7.9AI score0.00777EPSS
Exploits1References2Affected Software2
CVE
CVE
added 2023/03/21 4:53 p.m.49 views

CVE-2023-1306

CVE-2023-1306 affects Rapid7 InsightCloudSec. An authenticated attacker could abuse an exposed resource.db() accessor to smuggle Python methods via a Jinja template, enabling code execution. Mitigation: upgrade to InsightCloudSec 23.2.1 (Self-Managed) or apply the managed/SaaS patch released on 2...

8.8CVSS8.7AI score0.01208EPSS
Exploits1References2Affected Software2
Cvelist
Cvelist
added 2023/03/21 4:53 p.m.23 views

CVE-2023-1306 Rapid7 InsightCloudSec resource.db() method access

An authenticated attacker can leverage an exposed resource.db accessor method to smuggle Python method calls via a Jinja template, which can lead to code execution. This issue was resolved in the Managed and SaaS deployments on February 1, 2023, and in version 23.2.1 of the Self-Managed version o...

8.8AI score0.01208EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2023/03/21 4:53 p.m.9 views

CVE-2023-1306 Rapid7 InsightCloudSec resource.db() method access

An authenticated attacker can leverage an exposed resource.db accessor method to smuggle Python method calls via a Jinja template, which can lead to code execution. This issue was resolved in the Managed and SaaS deployments on February 1, 2023, and in version 23.2.1 of the Self-Managed version o...

8.7AI score0.01208EPSS
Exploits1References2
CVE
CVE
added 2023/03/21 4:51 p.m.53 views

CVE-2023-1305

CVE-2023-1305 affects Rapid7 InsightCloudSec where an authenticated attacker could leverage an exposed “box” object to read and write arbitrary files on disk as long as they are parsable as YAML/JSON. The issue has been mitigated in the Managed and SaaS deployments as of February 1, 2023 and in t...

8.1CVSS8AI score0.00777EPSS
Exploits1References2Affected Software2
Vulnrichment
Vulnrichment
added 2023/03/21 4:51 p.m.8 views

CVE-2023-1305 Rapid7 InsightCloudSec box object access

An authenticated attacker can leverage an exposed “box” object to read and write arbitrary files from disk, provided those files can be parsed as yaml or JSON. This issue was resolved in the Managed and SaaS deployments on February 1, 2023, and in version 23.2.1 of the Self-Managed version of...

8AI score0.00777EPSS
Exploits1References2
CVE
CVE
added 2023/03/21 4:45 p.m.47 views

CVE-2023-1304

CVE-2023-1304 affects InsightCloudSec. An authenticated attacker can use an exposed getattr() via a Jinja template to smuggle OS commands and invoke actions normally restricted to private methods. Affected are InsightCloudSec versions prior to the fixes; the issue was resolved in Managed and SaaS...

8.8CVSS8.6AI score0.01079EPSS
Exploits1References2Affected Software2
Vulnrichment
Vulnrichment
added 2023/03/21 4:45 p.m.9 views

CVE-2023-1304 Rapid7 InsightCloudSec getattr() method access

An authenticated attacker can leverage an exposed getattr method via a Jinja template to smuggle OS commands and perform other actions that are normally expected to be private methods. This issue was resolved in the Managed and SaaS deployments on February 1, 2023, and in version 23.2.1 of the...

8.6AI score0.01079EPSS
Exploits1References2
CNNVD
CNNVD
added 2023/03/21 12:0 a.m.5 views

InsightCloudSec 代码注入漏洞

InsightCloudSec is a fully integrated cloud-native security platform from InsightCloudSec. A security vulnerability exists in versions of InsightCloudSec prior to 23.3.21 that stems from an attacker being able to utilize the publicly available resource.db accessor method to invoke Python methods...

8.8CVSS8.1AI score0.01208EPSS
Exploits1References3
CNNVD
CNNVD
added 2023/03/21 12:0 a.m.8 views

InsightCloudSec 代码注入漏洞

InsightCloudSec is a fully integrated cloud-native security platform from InsightCloudSec. A security vulnerability exists in versions of InsightCloudSec prior to 23.3.21 that stems from an attacker being able to execute OS commands via a Jinja template utilizing the publicly available getattr...

8.8CVSS8AI score0.01079EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2023/03/21 12:0 a.m.2 views

PT-2023-16876 · Unknown · Insightcloudsec

Name of the Vulnerable Software and Affected Versions: InsightCloudSec versions prior to 23.2.1 Description: An authenticated attacker can leverage an exposed getattr method via a Jinja template to smuggle OS commands and perform other actions that are normally expected to be private methods. Thi...

8.8CVSS7.1AI score0.01079EPSS
Exploits1References6
Positive Technologies
Positive Technologies
added 2023/03/21 12:0 a.m.5 views

PT-2023-16878 · Unknown · Insightcloudsec

Name of the Vulnerable Software and Affected Versions: InsightCloudSec versions prior to 23.2.1 Description: An authenticated attacker can leverage an exposed resource.db accessor method to smuggle Python method calls via a Jinja template, which can lead to code execution. This issue was resolved...

8.8CVSS8.6AI score0.01208EPSS
Exploits1References5
Rapid7 Blog
Rapid7 Blog
added 2022/12/14 2:0 p.m.19 views

Cloud Audit: Compliance + Automation

Setting your own standard Today’s regulatory environment is incredibly fractured and extensive. Depending on the industry—and the part of the world your business and/or security organization resides in—you may be subject to several regulatory compliance standards. Adding to the complexity, there ...

0.2AI score
Exploits0
Rapid7 Blog
Rapid7 Blog
added 2022/11/17 3:56 p.m.19 views

Rapid7 and HashiCorp Partner to Secure Terraform-based Cloud Infrastructure Deployments

Welcome to the latest installment in our cloud security “shift-left” blog series. In our last post, we covered the importance of integrating cloud infrastructure security assessments into DevOps tools and enabling Infrastructure as Code IaC developers. This time, we’re focusing on Rapid7’s recent...

Exploits0
Rapid7 Blog
Rapid7 Blog
added 2022/10/14 3:0 p.m.20 views

Cloud IAM Done Right: How LPA Helps Significantly Reduce Cloud Risk

Authored by Sanjeev Williams and Ryan Blanchard Today almost all cloud users, roles, and identities are overly permissive. This leads to repeated headlines and forensic reports of attackers leveraging weak identity postures to gain a foothold, and then moving laterally within an organization's...

0.4AI score
Exploits0
Rapid7 Blog
Rapid7 Blog
added 2022/09/09 2:33 p.m.25 views

Integrating Cloud Security With DevOps and CI/CD Tools

This is the latest post in our blog series on shifting left in cloud security. In our last post, we kicked off the series with a high-level overview about Rapid7’s approach to shifting cloud security into the application development lifecycle. For this post, we’ll dive into a key aspect of our...

0.4AI score
Exploits0
Rapid7 Blog
Rapid7 Blog
added 2022/08/01 1:58 p.m.23 views

Shift Left: Secure Your Innovation Pipeline

There’s no shortage of buzzwords in the tech world. Some are purely marketing spin. But others are colloquial ways for the industry to talk about complex topics that have a massive impact on how organizations and teams drive innovation and work more efficiently. Here at Rapid7, we believe the...

Exploits0
Rapid7 Blog
Rapid7 Blog
added 2022/07/25 3:0 p.m.22 views

What We’re Looking Forward to at AWS re:Inforce

AWS re:Inforce 2022 starts tomorrow — Tuesday, July 26th — and we couldn't be more excited to gather with the tech, cloud, and security communities in our home city of Boston. Here's a sneak peek of the highlights to come at re:Inforce and what we're looking forward to the most this Tuesday and...

7.2AI score
Exploits0
Rapid7 Blog
Rapid7 Blog
added 2022/05/13 2:0 p.m.26 views

Update for CIS Google Cloud Platform Foundation Benchmarks - Version 1.3.0

The Center for Internet Security CIS recently released an updated version of their Google Cloud Platform Foundation Benchmarks - Version 1.3.0. Expanding on previous iterations, the update adds 21 new benchmarks covering best practices for securing Google Cloud environments. The updates were broa...

Exploits0
Rapid7 Blog
Rapid7 Blog
added 2022/04/14 6:0 p.m.18 views

InsightCloudSec Supports the Recently Updated NSA/CISA Kubernetes Hardening Guide

The National Security Agency NSA and the Cybersecurity and Infrastructure Security Agency CISA recently updated their Kubernetes Hardening Guide, which was originally published in August 2021. With the help and feedback received from numerous partners in the cybersecurity community, this guide...

7.7AI score
Exploits0
Rows per page
Query Builder