A SQL Injection bug Hits the Django web Framework

 

A serious vulnerability has been addressed in the most recent versions of the open-source Django web framework. 

Updates decrease the risk of SQL Injection

Developers are advised to update or patch their Django instances as soon as possible, now that the Django team has issued Django 4.0.6 and Django 3.2.14, which fix a high-severity SQL injection vulnerability.

Malicious actors may exploit the vulnerability, CVE-2022-34265, by passing particular inputs to the Trunc and Extract methods.

The issue is present in the Trunc() and Extract() database functions and can be leveraged if untrusted data is used as the kind/lookup_name value, according to the researchers. The risk of exploitation can be reduced by implementing input sanitization for these functions.

Bugfixes 

Django's main branch and the 4.1, 4.0, and 3.2 release branches have all received patches to fix the problem. 

"This security update eliminates the problem, but we've found enhancements to the Database API methods for date extract and truncate that should be added to Django 4.1 before its official release. Third-party database backends on Django 4.1 release candidate 1 or newer will be affected by this until they can be updated to the new API. We apologize for the trouble," the Django team stated.
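The mitigation the post describes, input sanitization of the kind/lookup_name values before they reach Trunc() or Extract(), comes down to an allowlist. The block below is an added example (not Django project code) of that pattern: a request parameter is accepted only if it is exactly one of the documented unit names, and everything else is rejected rather than normalised. The unit sets are assumed to match the units accepted by your Django version, and the `Order` model and `Trunc` call in the comment are hypothetical.

```python
"""Allowlist validation for Trunc()/Extract() unit names.

Added example, not Django's own code. The fixed issue arises when untrusted
data is used directly as the kind / lookup_name value; this module keeps a
caller-supplied value away from the database function unless it is one of a
fixed set of known unit names.
"""
from __future__ import annotations

from typing import Mapping, Optional

# Unit names documented for Trunc(kind=...) and Extract(lookup_name=...).
# Assumption: these match the units your Django version accepts; trim them
# to the units a given view actually needs.
TRUNC_KINDS = frozenset(
    {"year", "quarter", "month", "week", "day", "hour", "minute", "second"}
)
EXTRACT_LOOKUPS = frozenset(
    {"year", "iso_year", "quarter", "month", "week", "week_day",
     "iso_week_day", "day", "hour", "minute", "second"}
)


class UnsafeUnitError(ValueError):
    """Raised when a caller-supplied unit is not on the allowlist."""


def validate_unit(value: object, allowed: frozenset,
                  default: Optional[str] = None) -> str:
    """Return `value` only if it is exactly one of `allowed`.

    A missing value falls back to `default` (which must itself be allowed).
    Any other type, case variant, surrounding whitespace or extra character
    is rejected rather than cleaned up, so the string handed to the ORM is
    always one of the literals in the allowlist.
    """
    if value is None:
        if default is None or default not in allowed:
            raise UnsafeUnitError("no unit supplied and no safe default")
        return default
    if not isinstance(value, str) or value not in allowed:
        raise UnsafeUnitError(f"unit {value!r} is not permitted")
    return value


def is_safe_unit(value: object, allowed: frozenset) -> bool:
    """Boolean form of validate_unit, convenient for checks and tests."""
    try:
        validate_unit(value, allowed)
    except UnsafeUnitError:
        return False
    return True


def trunc_kind_from_params(params: Mapping[str, object],
                           name: str = "period", default: str = "day") -> str:
    """Pick a Trunc() kind from query parameters such as request.GET."""
    return validate_unit(params.get(name), TRUNC_KINDS, default)


def extract_lookup_from_params(params: Mapping[str, object],
                               name: str = "part", default: str = "month") -> str:
    """Pick an Extract() lookup_name from query parameters."""
    return validate_unit(params.get(name), EXTRACT_LOOKUPS, default)


# In a view the validated string is the only thing passed to the ORM, e.g.
#   kind = trunc_kind_from_params(request.GET)
#   Order.objects.annotate(bucket=Trunc("created", kind)).values("bucket")
# (the Order model and the Trunc import are hypothetical here).

if __name__ == "__main__":
    # Constructed query parameters: one legitimate, one tampered with.
    print(trunc_kind_from_params({"period": "month"}))
    try:
        trunc_kind_from_params({"period": "month; --"})
    except UnsafeUnitError as exc:
        print("rejected:", exc)
```

Note that the validator deliberately does not lower-case or strip its input: a value that needs cleaning is treated as untrusted and refused, which keeps the set of strings that can ever reach SQL identical to the allowlist.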

VMware Patched SSRF & Arbitrary File Read Flaws in vCenter Server

 

VMware has published security upgrades for the vCenter Server after addressing arbitrary file read and server-side request forgery (SSRF) vulnerabilities in the vSphere Web Client (FLEX/Flash).

A VMware security alert was released on November 23, and the US Cybersecurity and Infrastructure Security Agency (CISA) also encouraged enterprises running vulnerable instances of the server management platform to deploy the required upgrades.

In terms of severity, both flaws were labelled as 'important.' The most serious, with a CVSS rating of 7.5, is the arbitrary file read flaw (CVE-2021-21980), which if exploited might allow a nefarious attacker to get access to sensitive data. The SSRF vulnerability (CVE-2021-22049) was discovered in the vSAN Web Client (vSAN UI) plugin, with a CVSS of 6.5. An attacker might take advantage of this vulnerability by gaining access to an internal service or making a URL request from outside of the vCenter Server. 

VMware has released security updates for vCenter Server versions 6.5 and 6.7 that address both vulnerabilities. The issues do not impact the 7.x release line, which does not use the vSphere Web Client (FLEX/Flash). Cloud Foundation's 3.x release line is still waiting for patches for both problems, whereas 4.x is unaffected.

VMware acknowledged Orz lab's 'ch0wn' for disclosing the arbitrary file read issue and the QI-ANXIN Group's 'magiczero' for reporting the SSRF. As per Statista, three of the top five server virtualization systems with the largest market share are VMware platforms, with vSphere leading the pack and vCenter Server ranking fifth.

VMware's dominance in the server virtualization market, along with many organisations' slowness in applying upgrades, has made its systems attractive targets for skilled attackers. The Daily Swig revealed in September that another significant arbitrary file upload flaw in the vCenter Server was being exploited.

In June, it was revealed that thousands of vCenter Server instances remained unpatched for three weeks after a pair of serious issues in the vSphere Client (HTML5) were discovered.