CVE-2024-42362 – GHSL-2023-255: HertzBeat Authenticated (user role) RCE via unsafe deserialization in /api/monitors/import
https://notcve.org/view.php?id=CVE-2024-42362
Hertzbeat has an authenticated (user role) RCE via unsafe deserialization in /api/monitors/import. • https://securitylab.github.com/advisories/GHSL-2023-254_GHSL-2023-256_HertzBeat https://github.com/apache/hertzbeat/pull/1611 https://github.com/apache/hertzbeat/pull/1620 https://github.com/apache/hertzbeat/pull/1620/files#diff-9c5fb3d1b7e3b0f54bc5c4182965c4fe1f9023d449017cece3005d3f90e8e4d8 https://github.com/apache/hertzbeat/commit/79f5408e345e8e89da97be05f43e3204a950ddfb https://github.com/apache/hertzbeat/commit/9dbbfb7812fc4440ba72bdee66799edd519d06bb • CWE-502: Deserialization of Untrusted Data •
CVE-2024-42363 – GHSL-2023-136_Samson
https://notcve.org/view.php?id=CVE-2024-42363
This issue may lead to Remote Code Execution (RCE). • https://securitylab.github.com/advisories/GHSL-2023-136_Samson https://github.com/zendesk/samson/pull/4071 https://github.com/zendesk/samson/blob/107efb4a252425966aac5e77d0c3670f9b5d7229/plugins/kubernetes/app/controllers/kubernetes/role_verifications_controller.rb#L10 https://github.com/zendesk/samson/blob/107efb4a252425966aac5e77d0c3670f9b5d7229/plugins/kubernetes/app/controllers/kubernetes/role_verifications_controller.rb#L7 https://github.com/zendesk/samson/blob/107efb4a252425966aac5e77d0c3670f9b5d7229/plugins/kubernetes/app/models/kubernetes/role_conf • CWE-502: Deserialization of Untrusted Data •
CVE-2024-43404 – Remote Code Execution Vulnerability in MEGABOT
https://notcve.org/view.php?id=CVE-2024-43404
The `/math` command and functionality of MEGABOT versions < 1.5.0 contains a remote code execution vulnerability due to a Python `eval()`. • https://github.com/NicPWNs/MEGABOT/commit/71e79e5581ea36313700385b112d863053fb7ed6 https://github.com/NicPWNs/MEGABOT/issues/137 https://github.com/NicPWNs/MEGABOT/pull/138 https://github.com/NicPWNs/MEGABOT/releases/tag/v1.5.0 https://github.com/NicPWNs/MEGABOT/security/advisories/GHSA-vhxp-4hwq-w3p2 • CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •
CVE-2024-21689
https://notcve.org/view.php?id=CVE-2024-21689
This High severity RCE (Remote Code Execution) vulnerability CVE-2024-21689 was introduced in versions 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, and 9.6.0 of Bamboo Data Center and Server. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.6, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction. Atlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Bamboo Data Center and Server 9.2: Upgrade to a release greater than or equal to 9.2.17 Bamboo Data Center and Server 9.6: Upgrade to a release greater than or equal to 9.6.5 See the release notes ([https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html]). ... Esta vulnerabilidad de ejecución remota de código (RCE) de alta gravedad, CVE-2024-21689, se introdujo en las versiones 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0 y 9.6.0 de Bamboo Data Center and Server. Esta vulnerabilidad de ejecución remota de código (RCE), con una puntuación CVSS de 7,6, permite a un atacante autenticado ejecutar código arbitrario que tiene un alto impacto en la confidencialidad, la integridad y la disponibilidad, y requiere la interacción del usuario. • https://github.com/salvadornakamura/CVE-2024-21689 https://confluence.atlassian.com/pages/viewpage.action?pageId=1431535667 https://jira.atlassian.com/browse/BAM-25858 •
CVE-2024-43202 – Apache DolphinScheduler: Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-43202
Exposure of Remote Code Execution in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.2. We recommend users to upgrade Apache DolphinScheduler to version 3.2.2, which fixes the issue. • https://github.com/apache/dolphinscheduler/pull/15758 https://lists.apache.org/thread/nlmdp7q7l7o3l27778vxc5px24ncr5r5 https://lists.apache.org/thread/qbhk9wqyxhrn4z7m4m343wqxpwg926nh https://www.cve.org/CVERecord?id=CVE-2023-49109 • CWE-94: Improper Control of Generation of Code ('Code Injection') •