EUVD-2022-24822

Malicious code in bioql PyPI...

EUVD-2022-24819

Malicious code in bioql PyPI...

CVE-2022-1524

LRM version 2.4 and lower does not implement TLS encryption. A malicious actor can MITM attack sensitive data in-transit, including credentials...

CVE-2022-1521

LRM does not implement authentication or authorization by default. A malicious actor can inject, replay, modify, and/or intercept sensitive data...

CVE-2022-1517

LRM utilizes elevated privileges. An unauthenticated malicious actor can upload and execute code remotely at the operating system level, which can allow an attacker to change settings, configurations, software, or access sensitive data on the affected produc. An attacker could also exploit this...

CVE-2022-1518

LRM contains a directory traversal vulnerability that can allow a malicious actor to upload outside the intended directory structure...

CVE-2022-1519

LRM does not restrict the types of files that can be uploaded to the affected product. A malicious actor can upload any file type, including executable code that allows for a remote code exploit...

CVE-2022-1524

LRM version 2.4 and lower does not implement TLS encryption. A malicious actor can MITM attack sensitive data in-transit, including credentials...

Code injection

LRM utilizes elevated privileges. An unauthenticated malicious actor can upload and execute code remotely at the operating system level, which can allow an attacker to change settings, configurations, software, or access sensitive data on the affected produc. An attacker could also exploit this...

Directory traversal

LRM contains a directory traversal vulnerability that can allow a malicious actor to upload outside the intended directory structure...

Command injection

LRM version 2.4 and lower does not implement TLS encryption. A malicious actor can MITM attack sensitive data in-transit, including credentials...

Authorization

LRM does not implement authentication or authorization by default. A malicious actor can inject, replay, modify, and/or intercept sensitive data...

CVE-2022-1524 3.2.5 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

LRM version 2.4 and lower does not implement TLS encryption. A malicious actor can MITM attack sensitive data in-transit, including credentials...

CVE-2022-1524

CVE-2022-1524 affects Illumina Local Run Manager (LRM) versions 2.4 and lower, where lack of TLS encryption enables potential MITM disclosure of in-transit data, including credentials. Connected advisories specify LC/LRM exposure and a patch release to mitigate the issue, with remediation guidanc...

CVE-2022-1521

CVE-2022-1521 affects Illumina Local Run Manager (LRM) software versions 1.3–3.1 used on various Illumina instruments. The root cause is that LRM does not implement authentication or authorization by default, allowing an unauthenticated, network-facing attacker to inject, replay, modify, or inter...

CVE-2022-1521 3.2.4 IMPROPER ACCESS CONTROL CWE-284

LRM does not implement authentication or authorization by default. A malicious actor can inject, replay, modify, and/or intercept sensitive data...

CVE-2022-1518

CVE-2022-1518 affects Illumina Local Run Manager (LRM) software (LRM 1.3–3.1) used with NextSeq/MiSeq/iSeq/MiniSeq devices. It is a directory traversal vulnerability that could let an unauthenticated, network remote attacker upload files outside the intended directory, per ICS/CISA and CVE record...

CVE-2022-1519

LRM does not restrict the types of files that can be uploaded to the affected product. A malicious actor can upload any file type, including executable code that allows for a remote code exploit...

CVE-2022-1517 3.2.1 EXECUTION WITH UNNECESSARY PRIVILEGES CWE-250

LRM utilizes elevated privileges. An unauthenticated malicious actor can upload and execute code remotely at the operating system level, which can allow an attacker to change settings, configurations, software, or access sensitive data on the affected produc. An attacker could also exploit this...

CVE-2022-1517

Illumina Local Run Manager (LRM) software, affected versions 1.3–3.1, contains CVE-2022-1517 (execution with unnecessary privileges). An unauthenticated attacker could upload and execute code remotely at the OS level, potentially tampering with settings, software, data, or APIs and interacting ov...