The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added six security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
This includes CVE-2023-27524 (CVSS score: 8.9), a high-severity vulnerability affecting the Apache Superset open-source data visualization software that could enable remote code execution. It was fixed in version 2.1.
Details of the issue first came to light in April 2023, with Horizon3.ai's Naveen Sunkavally describing it as a "dangerous default configuration in Apache Superset that allows an unauthenticated attacker to gain remote code execution, harvest credentials, and compromise data."
It's currently not known how the vulnerability is being exploited in the wild. Also added by CISA are five other flaws –
- CVE-2023-38203 (CVSS score: 9.8) – Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
- CVE-2023-29300 (CVSS score: 9.8) – Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
- CVE-2023-41990 (CVSS score: 7.8) – Apple Multiple Products Code Execution Vulnerability
- CVE-2016-20017 (CVSS score: 9.8) – D-Link DSL-2750B Devices Command Injection Vulnerability
- CVE-2023-23752 (CVSS score: 5.3) – Joomla! Improper Access Control Vulnerability
It's worth noting that CVE-2023-41990, patched by Apple in iOS 15.7.8 and iOS 16.3, was used by unknown actors as part of the Operation Triangulation spyware attacks to achieve remote code execution when processing a specially crafted iMessage PDF attachment.
Federal Civilian Executive Branch (FCEB) agencies have been recommended to apply fixes for the aforementioned bugs by January 29, 2024, to secure their networks against active threats.