‼ CVE-2023-36883 ‼
via "National Vulnerability Database".
Microsoft Edge for iOS Spoofing Vulnerability
‼ CVE-2023-36887 ‼
via "National Vulnerability Database".
Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
‼ CVE-2023-38253 ‼
via "National Vulnerability Database".
An out-of-bounds read flaw was found in w3m, in the growbuf_to_Str function in indep.c. This issue may allow an attacker to cause a denial of service through a crafted HTML file.
‼ CVE-2023-36848 ‼
via "National Vulnerability Database".
An Improper Handling of Undefined Values vulnerability in the periodic packet management daemon (PPMD) of Juniper Networks Junos OS on MX Series (except MPC10, MPC11 and LC9600) allows an unauthenticated adjacent attacker to cause a Denial of Service (DoS). When a malformed CFM packet is received, it leads to an FPC crash. Continued receipt of these packets causes a sustained denial of service. This vulnerability occurs only when CFM has been configured on the interface. This issue affects Juniper Networks Junos OS: versions prior to 19.1R3-S10 on MX Series; 19.2 versions prior to 19.2R3-S7 on MX Series; 19.3 versions prior to 19.3R3-S8 on MX Series; 19.4 versions prior to 19.4R3-S12 on MX Series; 20.1 version 20.1R1 and later versions on MX Series; 20.2 versions prior to 20.2R3-S8 on MX Series; 20.3 version 20.3R1 and later versions on MX Series; 20.4 versions prior to 20.4R3-S7 on MX Series; 21.1 versions prior to 21.1R3-S5 on MX Series; 21.2 versions prior to 21.2R3-S5 on MX Series; 21.3 versions prior to 21.3R3-S4 on MX Series; 21.4 versions prior to 21.4R3-S4 on MX Series; 22.1 versions prior to 22.1R3-S3 on MX Series; 22.2 versions prior to 22.2R3-S1 on MX Series; 22.3 versions prior to 22.3R3 on MX Series; 22.4 versions prior to 22.4R1-S2, 22.4R2 on MX Series.
‼ CVE-2023-36850 ‼
via "National Vulnerability Database".
An Improper Validation of Specified Index, Position, or Offset in Input vulnerability in the Connectivity Fault Management (CFM) module of Juniper Networks Junos OS on MX Series (except MPC10, MPC11 and LC9600) allows an adjacent attacker on the local broadcast domain to cause a Denial of Service (DoS). Upon receiving a malformed CFM packet, the MPC crashes. Continued receipt of these packets causes a sustained denial of service. This issue can only be triggered when CFM hasn't been configured. This issue affects Juniper Networks Junos OS: All versions prior to 19.1R3-S10 on MX Series; 19.2 versions prior to 19.2R3-S7 on MX Series; 19.3 versions prior to 19.3R3-S8 on MX Series; 19.4 versions prior to 19.4R3-S12 on MX Series; 20.1 version 20.1R1 and later versions on MX Series; 20.2 versions prior to 20.2R3-S7 on MX Series; 20.3 version 20.3R1 and later versions on MX Series; 20.4 versions prior to 20.4R3-S7 on MX Series; 21.1 versions prior to 21.1R3-S5 on MX Series; 21.2 versions prior to 21.2R3-S4 on MX Series; 21.3 versions prior to 21.3R3-S4 on MX Series; 21.4 versions prior to 21.4R3-S3 on MX Series; 22.1 versions prior to 22.1R3-S2 on MX Series; 22.2 versions prior to 22.2R3 on MX Series; 22.3 versions prior to 22.3R2, 22.3R3 on MX Series; 22.4 versions prior to 22.4R2 on MX Series.
‼ CVE-2023-32759 ‼
via "National Vulnerability Database".
An issue in Archer Platform before v.6.13 and fixed in 6.12.0.6 and 6.13.0 allows an authenticated attacker to obtain sensitive information via a crafted URL.
‼ CVE-2023-37223 ‼
via "National Vulnerability Database".
Cross Site Scripting (XSS) vulnerability in Archer Platform before v.6.13 and fixed in v.6.12.0.6 and v.6.13.0 allows a remote authenticated attacker to execute arbitrary code via a crafted malicious script.
‼ CVE-2023-36834 ‼
via "National Vulnerability Database".
An Incomplete Internal State Distinction vulnerability in the packet forwarding engine (PFE) of Juniper Networks Junos OS on SRX 4600 and SRX 5000 Series allows an adjacent attacker to cause a Denial of Service (DoS). If an SRX is configured in L2 transparent mode, the receipt of a specific genuine packet can cause a single Packet Processing Engine (PPE) component of the PFE to run into a loop, which in turn will render the PPE unavailable. Each packet will cause one PPE to get into a loop, leading to a gradual performance degradation until all PPEs are unavailable and all traffic processing stops. To recover, the affected FPC needs to be restarted. This issue affects Juniper Networks Junos OS on SRX 4600 and SRX 5000 Series: 20.1 version 20.1R1 and later versions; 20.2 versions prior to 20.2R3-S7; 20.3 version 20.3R1 and later versions; 20.4 versions prior to 20.4R3-S7; 21.1 versions prior to 21.1R3-S5; 21.2 versions prior to 21.2R3-S3; 21.3 versions prior to 21.3R3-S3; 21.4 versions prior to 21.4R3-S1; 22.1 versions prior to 22.1R3; 22.2 versions prior to 22.2R2; 22.3 versions prior to 22.3R1-S1, 22.3R2.
‼ CVE-2023-37224 ‼
via "National Vulnerability Database".
An issue in Archer Platform before v.6.13 fixed in v.6.12.0.6 and v.6.13.0 allows an authenticated attacker to obtain sensitive information via the log files.
‼ CVE-2023-36835 ‼
via "National Vulnerability Database".
An Improper Check for Unusual or Exceptional Conditions vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on QFX10000 Series allows a network-based attacker to cause a Denial of Service (DoS). If a specific valid IP packet is received and that packet needs to be routed over a VXLAN tunnel, this will result in a PFE wedge condition due to which traffic gets impacted. As this is not a crash and restart scenario, this condition will persist until the system is rebooted to recover. This issue affects Juniper Networks Junos OS on QFX10000: 20.3 version 20.3R1 and later versions; 20.4 versions prior to 20.4R3-S5; 21.1 versions prior to 21.1R3-S5; 21.2 versions prior to 21.2R3-S5; 21.3 versions prior to 21.3R3-S4; 21.4 versions prior to 21.4R3-S1; 22.1 versions prior to 22.1R3; 22.2 versions prior to 22.2R2; 22.3 versions prior to 22.3R1-S2, 22.3R2.
‼ CVE-2023-36836 ‼
via "National Vulnerability Database".
A Use of an Uninitialized Resource vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows a local, authenticated attacker with low privileges to cause a Denial of Service (DoS). On all Junos OS and Junos OS Evolved platforms, in a Multicast only Fast Reroute (MoFRR) scenario, the rpd process can crash when a specific low privileged CLI command is executed. The rpd crash will impact all routing protocols until the process has automatically been restarted. As the operational state which makes this issue exploitable is outside the attacker's control, this issue is considered difficult to exploit. Continued execution of this command will lead to a sustained DoS. This issue affects: Juniper Networks Junos OS: 19.4 version 19.4R3-S5 and later versions prior to 19.4R3-S9; 20.1 version 20.1R2 and later versions; 20.2 versions prior to 20.2R3-S7; 20.3 versions prior to 20.3R3-S5; 20.4 versions prior to 20.4R3-S6; 21.1 versions prior to 21.1R3-S4; 21.2 versions prior to 21.2R3-S2; 21.3 versions prior to 21.3R3-S1; 21.4 versions prior to 21.4R3; 22.1 versions prior to 22.1R1-S2, 22.1R2; 22.2 versions prior to 22.2R2. Juniper Networks Junos OS Evolved: All versions prior to 20.4R3-S6-EVO; 21.1-EVO version 21.1R1-EVO and later versions; 21.2-EVO version 21.2R1-EVO and later versions; 21.3-EVO versions prior to 21.3R3-S1-EVO; 21.4-EVO versions prior to 21.4R3-EVO; 22.1-EVO versions prior to 22.1R1-S2-EVO, 22.1R2-EVO; 22.2-EVO versions prior to 22.2R2-EVO.
‼ CVE-2023-36888 ‼
via "National Vulnerability Database".
Microsoft Edge for Android (Chromium-based) Tampering Vulnerability
‼ CVE-2023-24896 ‼
via "National Vulnerability Database".
Dynamics 365 Finance Spoofing Vulnerability
‼ CVE-2023-32760 ‼
via "National Vulnerability Database".
An issue in Archer Platform before v.6.13 fixed in v.6.12.0.6 and v.6.13.0 allows an authenticated attacker to obtain sensitive information via API calls related to data feeds and data publication.
‼ CVE-2023-36840 ‼
via "National Vulnerability Database".
A Reachable Assertion vulnerability in Routing Protocol Daemon (RPD) of Juniper Networks Junos OS and Junos OS Evolved allows a locally-based, low-privileged attacker to cause a Denial of Service (DoS). On all Junos OS and Junos OS Evolved, when a specific L2VPN command is run, RPD will crash and restart. Continued execution of this specific command will create a sustained Denial of Service (DoS) condition. This issue affects: Juniper Networks Junos OS: All versions prior to 19.3R3-S10; 20.1 versions prior to 20.1R3-S4; 20.2 versions prior to 20.2R3-S6; 20.3 versions prior to 20.3R3-S6; 20.4 versions prior to 20.4R3-S5; 21.1 versions prior to 21.1R3-S4; 21.2 versions prior to 21.2R3-S3; 21.3 versions prior to 21.3R3-S2; 21.4 versions prior to 21.4R3; 22.1 versions prior to 22.1R3; 22.2 versions prior to 22.2R2; 22.3 versions prior to 22.3R2. Juniper Networks Junos OS Evolved: All versions prior to 20.4R3-S7-EVO; 21.1 versions prior to 21.1R3-S3-EVO; 21.2 versions prior to 21.2R3-S5-EVO; 21.3 versions prior to 21.3R3-S4-EVO; 21.4 versions prior to 21.4R3-EVO; 22.1 versions prior to 22.1R3-EVO; 22.2 versions prior to 22.2R2-EVO; 22.3 versions prior to 22.3R2-EVO.
🦿 Scarleteel Threat Targets AWS Fargate, Launches DDoS and Cryptojacking Campaigns 🦿
via "Tech Republic".
The Scarleteel threat targets AWS Fargate environments for data theft and more malicious types of attacks such as cryptojacking and DDoS. Learn how to mitigate this threat.
‼ CVE-2023-34236 ‼
via "National Vulnerability Database".
Weave GitOps Terraform Controller (aka Weave TF-controller) is a controller for Flux to reconcile Terraform resources in a GitOps way. A vulnerability has been identified in Weave GitOps Terraform Controller which could allow an authenticated remote attacker to view sensitive information. This vulnerability stems from Weave GitOps Terraform Runners (`tf-runner`), where sensitive data is inadvertently printed, potentially revealing sensitive user data in their pod logs. In particular, functions `tfexec.ShowPlan`, `tfexec.ShowPlanRaw`, and `tfexec.Output` are implicated when the `tfexec` object sets its `Stdout` and `Stderr` to be `os.Stdout` and `os.Stderr`. An unauthorized remote attacker could exploit this vulnerability by accessing these prints of sensitive information, which may contain configurations or tokens that could be used to gain unauthorized control or access to resources managed by the Terraform controller. A successful exploit could allow the attacker to utilize this sensitive data, potentially leading to unauthorized access or control of the system. This vulnerability has been addressed in Weave GitOps Terraform Controller versions `v0.14.4` and `v0.15.0-rc.5`. Users are urged to upgrade to one of these versions to mitigate the vulnerability. As a temporary measure until the patch can be applied, users can add the environment variable `DISABLE_TF_LOGS` to the tf-runners via the runner pod template of the Terraform Custom Resource. This will prevent the logging of sensitive information and mitigate the risk of this vulnerability.
‼ CVE-2023-36818 ‼
via "National Vulnerability Database".
Discourse is an open source discussion platform. In affected versions a request to create or update a custom sidebar section can cause a denial of service. This issue has been patched in commit `52b003d915`. Users are advised to upgrade. There are no known workarounds for this vulnerability.
‼ CVE-2023-37793 ‼
via "National Vulnerability Database".
WAYOS FBM-291W 19.09.11V was discovered to contain a buffer overflow via the component /upgrade_filter.asp.
‼ CVE-2023-38337 ‼
via "National Vulnerability Database".
rswag before 2.10.1 allows remote attackers to read arbitrary JSON and YAML files via directory traversal, because rswag-api can expose a file that is not the OpenAPI (or Swagger) specification file of a project.
‼ CVE-2023-37268 ‼
via "National Vulnerability Database".
Warpgate is an SSH, HTTPS and MySQL bastion host for Linux that doesn't need special client apps. When logging in as a user with SSO enabled, an attacker may authenticate as another user. Any user account which does not have a second factor enabled could be compromised. This issue has been addressed in commit `8173f6512a` and in releases starting with version 0.7.3. Users are advised to upgrade. Users unable to upgrade should require their users to use a second factor in authentication.