GNU social JP
GNU social JP is a Japanese GNU social server.
    Caitlin Condon (catc0n@infosec.exchange)'s status on Thursday, 19-Dec-2024 05:47:42 JST
    • Ryan Emmons

    Almost exactly a year ago, Rapid7 put out a technical analysis of Apache #Struts 2 CVE-2023-50164 that said:

    * Exploit payloads were going to need to be customized to the target

    * It wasn't clear that there was any critical mass of remotely exploitable applications out of the box

    * The reports of exploitation in the wild all appeared to be unsuccessful attempts rather than IRL compromises of production systems.

    https://attackerkb.com/topics/pe3CCtOE81/cve-2023-50164/rapid7-analysis

    Fast-forward to CVE-2024-53677 and we can repeat the above verbatim, with one pretty notable exception — the "fixed" version that ostensibly remediates the vulnerability actually doesn't, and code-level changes are required (to migrate away from the vulnerable file upload interceptor) to actually remediate it. Also the "fixed" release (6.4.0) appears to have gone out a year ago? No idea. Big ups to @fuzz for the analysis!

    https://attackerkb.com/assessments/28f08c0a-702c-4ab0-99cb-eea00202fa2c

    In conversation about a year ago from infosec.exchange
