CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-37273 – Docker escape in Auto-GPT when running from docker-compose.yml included in git repo
https://notcve.org/view.php?id=CVE-2023-37273
Auto-GPT is an experimental open-source application showcasing the capabilities of the GPT-4 language model. Running Auto-GPT version prior to 0.4.3 by cloning the git repo and executing `docker compose run auto-gpt` in the repo root uses a different docker-compose.yml file from the one suggested in the official docker set up instructions. The docker-compose.yml file located in the repo root mounts itself into the docker container without write protection. This means that if malicious custom python code is executed via the `execute_python_file` and `execute_python_code` commands, it can overwrite the docker-compose.yml file and abuse it to gain control of the host system the next time Auto-GPT is started. The issue has been patched in version 0.4.3. • https://github.com/Significant-Gravitas/Auto-GPT/pull/4761 https://github.com/Significant-Gravitas/Auto-GPT/security/advisories/GHSA-x5gj-2chr-4ch6 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.0EPSS: 0%CPEs: 10EXPL: 0CVE-2023-37565
https://notcve.org/view.php?id=CVE-2023-37565
Code injection vulnerability in ELECOM wireless LAN routers allows a network-adjacent authenticated attacker to execute arbitrary code by sending a specially crafted request. • https://jvn.jp/en/jp/JVN05223215 https://www.elecom.co.jp/news/security/20230711-01 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.7EPSS: 0%CPEs: 2EXPL: 1CVE-2022-42045
https://notcve.org/view.php?id=CVE-2022-42045
Certain Zemana products are vulnerable to Arbitrary code injection. • https://github.com/ReCryptLLC/CVE-2022-42045 https://github.com/ReCryptLLC/CVE-2022-42045/tree/main •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-38198
https://notcve.org/view.php?id=CVE-2023-38198
acme.sh before 3.0.6 runs arbitrary commands from a remote server via eval, as exploited in the wild in June 2023. • http://www.openwall.com/lists/oss-security/2023/07/13/1 https://github.com/acmesh-official/acme.sh/issues/4659 https://github.com/acmesh-official/acme.sh/releases/tag/3.0.6 https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/heXVr8o83Ys https://news.ycombinator.com/item?id=36252310 https://news.ycombinator.com/item?id=36254093 https://www.reddit.com/r/netsec/comments/144ygg7/acmesh_runs_arbitrary_commands_from_a_remote • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-29308 – [FG-VD-23-009] Adobe InDesign 2023 Arbitrary Code Execution Vulnerability Notification
https://notcve.org/view.php?id=CVE-2023-29308
Adobe InDesign versions ID18.3 (and earlier) and ID17.4.1 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. • https://helpx.adobe.com/security/products/indesign/apsb23-38.html • CWE-787: Out-of-bounds Write •