PoC Week 2024-10-28

Posted on Oct 30, 2024

The most featured CVEs in this week’s security newsletters, with public Proof-of-Concepts, ordered by mention count. Older CVEs and those affecting open source projects with very small userbases aren’t listed.

For the most up-to-date and accurate info, visit the NIST links. Always audit PoCs thoroughly before running them.

CVE-2024-9264

  • Severity: 9.9 CRITICAL
  • Impacted Products: Grafana
  • Description: The SQL Expressions experimental feature of Grafana allows for the evaluation of duckdb queries containing user input. These queries are insufficiently sanitized before being passed to duckdb, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The duckdb binary must be present in Grafana’s $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.
  • Remediation: Follow developer guidance.
  • More Info: NVD - CVE-2024-9264
  • PoC: https://github.com/z3k0sec/File-Read-CVE-2024-9264/

CVE-2024-28987

  • Severity: Awaiting analysis
  • Impacted Products: SolarWinds Web Help Desk (WHD)
  • Description: A hardcoded credential vulnerability, allowing a remote unauthenticated user to access internal functionality and modify data.
  • Remediation: Follow developer guidance.
  • More Info: NVD - CVE-2024-28987
  • PoC: https://github.com/horizon3ai/CVE-2024-28987/

CVE-2024-5274

  • Severity: 8.8 HIGH
  • Impacted Products: Google Chrome prior to 125.0.6422.112
  • Description: Type Confusion in V8 in Google Chrome prior to 125.0.6422.112 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
  • Remediation: Follow developer guidance.
  • More Info: NVD - CVE-2024-5274
  • PoC: https://github.com/mistymntncop/CVE-2024-5274/

CVE-2024-48914

  • Severity: 8.8 HIGH
  • Impacted Products: Vendure versions prior to 3.0.5 and 2.3.3
  • Description: Vendure is an open-source headless commerce platform. Prior to versions 3.0.5 and 2.3.3, a vulnerability in Vendure’s asset server plugin allows an attacker to craft a request which is able to traverse the server file system and retrieve the contents of arbitrary files, including sensitive data such as configuration files, environment variables, and other critical data stored on the server. In the same code path is an additional vector for crashing the server via a malformed URI. Patches are available in versions 3.0.5 and 2.3.3. Some workarounds are also available. One may use object storage rather than the local file system, e.g. MinIO or S3, or define middleware which detects and blocks requests with URLs containing /../.
  • Remediation: Follow developer guidance.
  • More Info: NVD - CVE-2024-48914
  • PoC: https://github.com/EQSTLab/CVE-2024-48914/

CVE-2024-48153

CVE-2024-47945

  • Severity: Awaiting analysis
  • Impacted Products: Rittal IoT Interface firmware < 6.21.00.2
  • Description: The devices are vulnerable to session hijacking due to insufficient entropy in their session ID generation algorithm. The session IDs are predictable, with only 32,768 possible values per user, which allows attackers to pre-generate valid session IDs, leading to unauthorized access to user sessions. This is not only due to the use of an (insecure) rand() function call but also because of missing initialization via srand(). As a result, only the PIDs are effectively used as the seed.
  • Remediation: Follow developer guidance.
  • More Info: NVD - CVE-2024-47945
  • PoC: https://sec-consult.com/fileadmin/user_upload/sec-consult/Dynamisch/Advisories/2024_10/sessionID_online_Brute_Forcer.py

CVE-2024-44000

CVE-2024-38094, CVE-2024-38024, CVE-2024-38023

References

This list was scraped from the quite amazing and highly recommended newsletters below:

Thanks for reading! For corrections or omissions (e.g. newsletter recommendations), feel free to get in touch.