Public
- Public
- Network
- Groups
- Featured
- Popular
- People

Conversation

Notices

Embed this notice
cR0w :cascadia: (cr0w@infosec.exchange)'s status on Thursday, 12-Dec-2024 22:36:09 JST cR0w :cascadia:
in reply to
- Fritz Adalis
- screaminggoat
@FritzAdalis @screaminggoat CVE Feed lists it as Apache Solr Remote Code Execution but I'm not sure if it's mislabeled or if Solr is impacted by the ComfyUI-Manager bug in that CVE.

In conversation about 2 months ago from infosec.exchange permalink
- Embed this notice
  screaminggoat (screaminggoat@infosec.exchange)'s status on Thursday, 12-Dec-2024 22:36:09 JST screaminggoat
  in reply to
  - Fritz Adalis
  @cR0w I agree with @FritzAdalis, it looks like cvefeed.io dun goofed and wrote CVE-2024-21574 as Apache Solr when the vendor is ltdrdata and product ComfyUI-Manager.
  I don't go off assumptions so I will rely on the public record of ComfyUI-Manager (which I've never heard of).
  In conversation about 2 months ago permalink
  Attachments
  1. Domain not in remote thumbnail source whitelist: cdn.cvefeed.io
    
    CVEFeed.io: The Ultimate Hub for CVE Vulnerability Insights and Intelligence Feed.
    
    from cvefeed.io
    
    We provide a comprehensive and up-to-date feed of the latest CVEs, security advisories, and other vulnerabilities. Our mission is to help organizations and individuals stay informed and protected from the latest security threats.
- Embed this notice
  cR0w :cascadia: (cr0w@infosec.exchange)'s status on Thursday, 12-Dec-2024 22:36:10 JST cR0w :cascadia:
  
  Critical ../ -> RCE in Apache Struts? Nice. The bulletin is from a couple weeks ago but the CVE was just published today: https://cwiki.apache.org/confluence/display/WW/S2-067
  https://nvd.nist.gov/vuln/detail/CVE-2024-53677
  In conversation about 2 months ago permalink
  Attachments
  1. The actor who played Catwoman in the Dark Knight movie with Bane when she did the second best Lip Sync Battle performance and was riding a wrecking ball and leaning back with a middle finger up. On the wrecking ball itself is `../`.
  2. Untitled attachment
- Embed this notice
  cR0w :cascadia: (cr0w@infosec.exchange)'s status on Thursday, 12-Dec-2024 22:36:10 JST cR0w :cascadia:
  in reply to
  
  There sure is a lot public exposure of important-looking systems that run Struts still, here in the year of our Sasquatch 2024.
  
  In conversation about 2 months ago permalink
- Embed this notice
  cR0w :cascadia: (cr0w@infosec.exchange)'s status on Thursday, 12-Dec-2024 22:36:10 JST cR0w :cascadia:
  in reply to
  - screaminggoat
  Another hit for Apache. This time it's a perfect 10 ( 🍻 @screaminggoat ) in Solr: https://cvefeed.io/vuln/detail/CVE-2024-21574
  Note: Apache Solr does not list the CVE on their site ( yet? ) and I have not confirmed that this Comfy-UI-Manager vuln does indeed impact Solr. I'm relying on CVE Feed for this one. But it's a 10 so it's worth putting out there to look into.
  In conversation about 2 months ago permalink
  Attachments
  1. Untitled attachment
- Embed this notice
  Fritz Adalis (fritzadalis@infosec.exchange)'s status on Thursday, 12-Dec-2024 22:36:10 JST Fritz Adalis
  in reply to
  - screaminggoat
  @cR0w @screaminggoat
  Is that the right cve? It looks like a different product.
  
  In conversation about 2 months ago permalink
- Embed this notice
  cR0w :cascadia: (cr0w@infosec.exchange)'s status on Thursday, 12-Dec-2024 22:38:09 JST cR0w :cascadia:
  @GossiTheDog @screaminggoat @FritzAdalis Well that looks like a shit sandwich.
  
  In conversation about 2 months ago permalink

Public

Conversation

Notices

Feeds