CVSS: 8.1EPSS: 0%CPEs: 54EXPL: 44CVE-2024-6387 – Openssh: regresshion - race condition in ssh allows rce/dos
https://notcve.org/view.php?id=CVE-2024-6387
A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period. Se encontró una condición de ejecución del controlador de señales en el servidor de OpenSSH (sshd), donde un cliente no se autentica dentro de los segundos de LoginGraceTime (120 de forma predeterminada, 600 en versiones anteriores de OpenSSH), luego se llama al controlador SIGALRM de sshd de forma asincrónica. Sin embargo, este controlador de señales llama a varias funciones que no son seguras para señales asíncronas, por ejemplo, syslog(). • https://github.com/l0n3m4n/CVE-2024-6387 https://github.com/thegenetic/CVE-2024-6387-exploit https://github.com/d0rb/CVE-2024-6387 https://github.com/devarshishimpi/CVE-2024-6387-Check https://github.com/AiGptCode/ssh_exploiter_CVE-2024-6387 https://github.com/Symbolexe/CVE-2024-6387 https://github.com/xonoxitron/regreSSHion https://github.com/PrincipalAnthony/CVE-2024-6387-Updated-x64bit https://github.com/4lxprime/regreSSHive https://github.com/shamo0/CVE-2024-6387_PoC https:&# • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-364: Signal Handler Race Condition •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-21988 – CVE-2024-21988 SSH Cryptographic Implementation Vulnerability in StorageGRID (formerly StorageGRID Webscale)
https://notcve.org/view.php?id=CVE-2024-21988
StorageGRID (formerly StorageGRID Webscale) versions prior to 11.7.0.9 and 11.8.0.5 are susceptible to disclosure of sensitive information via complex MiTM attacks due to a vulnerability in the SSH cryptographic implementation. Las versiones de StorageGRID (anteriormente StorageGRID Webscale) anteriores a 11.7.0.9 y 11.8.0.5 son susceptibles a la divulgación de información confidencial a través de ataques MiTM complejos debido a una vulnerabilidad en la implementación criptográfica SSH. • https://security.netapp.com/advisory/ntap-20240614-0010 •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 2CVE-2024-27316 – Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames
https://notcve.org/view.php?id=CVE-2024-27316
HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion. Los encabezados entrantes HTTP/2 que exceden el límite se almacenan temporalmente en nghttp2 para generar una respuesta HTTP 413 informativa. Si un cliente no deja de enviar encabezados, esto provoca que se agote la memoria. A vulnerability was found in how Apache httpd implements the HTTP/2 protocol. • https://github.com/lockness-Ko/CVE-2024-27316 https://github.com/aeyesec/CVE-2024-27316_poc http://www.openwall.com/lists/oss-security/2024/04/04/4 https://httpd.apache.org/security/vulnerabilities_24.html https://www.openwall.com/lists/oss-security/2024/04/03/16 https://support.apple.com/kb/HT214119 http://seclists.org/fulldisclosure/2024/Jul/18 https://access.redhat.com/security/cve/CVE-2024-27316 https://bugzilla.redhat.com/show_bug.cgi?id=2268277 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-21984 – Reflected Cross-Site Scripting Vulnerability in StorageGRID (formerly StorageGRID Webscale)
https://notcve.org/view.php?id=CVE-2024-21984
StorageGRID (formerly StorageGRID Webscale) versions prior to 11.8 are susceptible to a difficult to exploit Reflected Cross-Site Scripting (XSS) vulnerability. Successful exploit requires the attacker to know specific information about the target instance and trick a privileged user into clicking a specially crafted link. This could allow the attacker to view or modify configuration settings or add or modify user accounts. Las versiones de StorageGRID (anteriormente StorageGRID Webscale) anteriores a la 11.8 son susceptibles a una vulnerabilidad difícil de explotar de Cross-Site Scripting (XSS) Reflejado. Una explotación exitosa requiere que el atacante conozca información específica sobre la instancia de destino y engañe a un usuario privilegiado para que haga clic en un enlace especialmente manipulado. • https://security.netapp.com/advisory/ntap-20240216-0013 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-21983 – Denial of Service Vulnerability in StorageGRID (formerly StorageGRID Webscale)
https://notcve.org/view.php?id=CVE-2024-21983
StorageGRID (formerly StorageGRID Webscale) versions prior to 11.8 are susceptible to a Denial of Service (DoS) vulnerability. Successful exploit by an authenticated attacker could lead to an out of memory condition or node reboot. Las versiones de StorageGRID (anteriormente StorageGRID Webscale) anteriores a la 11.8 son susceptibles a una vulnerabilidad de denegación de servicio (DoS). La explotación exitosa por parte de un atacante autenticado podría provocar una condición de falta de memoria o el reinicio del nodo. • https://security.netapp.com/advisory/ntap-20240216-0012 • CWE-248: Uncaught Exception •