Notices where this attachment appears
-
Embed this notice
Caitlin Condon (catc0n@infosec.exchange)'s status on Thursday, 19-Dec-2024 05:47:42 JST 
Caitlin Condon
Almost exactly a year ago, Rapid7 put out a technical analysis of Apache #Struts 2 CVE-2023-50164 that said:
* Exploit payloads were going to need to be customized to the target
* It wasn't clear that there was any critical mass of remotely exploitable applications out of the box
* The reports of exploitation in the wild all appeared to be unsuccessful attempts rather than IRL compromises of production systems.
https://attackerkb.com/topics/pe3CCtOE81/cve-2023-50164/rapid7-analysis
Fast-forward to CVE-2024-53677 and we can repeat the above verbatim, with one pretty notable exception — the "fixed" version that ostensibly remediates the vulnerability actually doesn't, and code-level changes are required (to migrate away from the vulnerable file upload interceptor) to actually remediate it. Also the "fixed" release (6.4.0) appears to have gone out a year ago? No idea. Big ups to @fuzz for the analysis!
https://attackerkb.com/assessments/28f08c0a-702c-4ab0-99cb-eea00202fa2c
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.