The U.S. Cybersecurity and Infrastructure Safety Company (CISA) has added six safety flaws to its Identified Exploited Vulnerabilities (KEV) catalog, citing proof of energetic exploitation.
This contains CVE-2023-27524 (CVSS rating: 8.9), a high-severity vulnerability impacting the Apache Superset open-source knowledge visualization software program that might allow distant code execution. It was fastened in model 2.1.
Particulars of the difficulty first got here to gentle in April 2023, with Horizon3.ai’s Naveen Sunkavally describing it as a “harmful default configuration in Apache Superset that permits an unauthenticated attacker to realize distant code execution, harvest credentials, and compromise knowledge.”
It is at present not identified how the vulnerability is being exploited within the wild. Additionally added by CISA are 5 different flaws –
- CVE-2023-38203 (CVSS rating: 9.8) – Adobe ColdFusion Deserialization of Untrusted Knowledge Vulnerability
- CVE-2023-29300 (CVSS rating: 9.8) – Adobe ColdFusion Deserialization of Untrusted Knowledge Vulnerability
- CVE-2023-41990 (CVSS rating: 7.8) – Apple A number of Merchandise Code Execution Vulnerability
- CVE-2016-20017 (CVSS rating: 9.8) – D-Hyperlink DSL-2750B Units Command Injection Vulnerability
- CVE-2023-23752 (CVSS rating: 5.3) – Joomla! Improper Entry Management Vulnerability
It is price noting that CVE-2023-41990, patched by Apple in iOS 15.7.8 and iOS 16.3, was utilized by unknown actors as a part of Operation Triangulation spy ware assaults to realize distant code execution when processing a specifically crafted iMessage PDF attachment.
Federal Civilian Government Department (FCEB) businesses have been beneficial to use fixes for the aforementioned bugs by January 29, 2024, to safe their networks towards energetic threats.
