Security Vulnerabilities - CVEs Published In July 2024
An Improper Neutralization of Special Elements vulnerability in Juniper Networks Junos OS Evolved commands allows a local, authenticated attacker with low privileges to escalate their privileges to 'root' leading to a full compromise of the system.
The Junos OS Evolved CLI doesn't properly handle command options in some cases, allowing users which execute specific CLI commands with a crafted set of parameters to escalate their privileges to root on shell level.
This issue affects Junos OS Evolved:
* All versions before 20.4R3-S7-EVO,
* 21.2-EVO versions before 21.2R3-S8-EVO,
* 21.4-EVO versions before 21.4R3-S7-EVO,
* 22.1-EVO versions before 22.1R3-S6-EVO,
* 22.2-EVO versions before 22.2R3-EVO,
* 22.3-EVO versions before 22.3R2-EVO,
* 22.4-EVO versions before 22.4R2-EVO.
CVSS Score
7.8
EPSS Score
0.002
Published
2024-07-11
An Improper Neutralization of Special Elements vulnerability in Juniper Networks Junos OS Evolved commands allows a local, authenticated attacker with low privileges to escalate their privileges to 'root' leading to a full compromise of the system.
The Junos OS Evolved CLI doesn't properly handle command options in some cases, allowing users which execute specific CLI commands with a crafted set of parameters to escalate their privileges to root on shell level.
This issue affects Junos OS Evolved:
All versions before 20.4R3-S7-EVO,
21.2-EVO versions before 21.2R3-S8-EVO,
21.4-EVO versions before 21.4R3-S7-EVO,
22.2-EVO versions before 22.2R3-EVO,
22.3-EVO versions before 22.3R2-EVO,
22.4-EVO versions before 22.4R2-EVO.
CVSS Score
7.8
EPSS Score
0.002
Published
2024-07-11
Wagtail is an open source content management system built on Django. A bug in Wagtail's `parse_query_string` would result in it taking a long time to process suitably crafted inputs. When used to parse sufficiently long strings of characters without a space, `parse_query_string` would take an unexpectedly large amount of time to process, resulting in a denial of service. In an initial Wagtail installation, the vulnerability can be exploited by any Wagtail admin user. It cannot be exploited by end users. If your Wagtail site has a custom search implementation which uses `parse_query_string`, it may be exploitable by other users (e.g. unauthenticated users). Patched versions have been released as Wagtail 5.2.6, 6.0.6 and 6.1.3.
CVSS Score
6.5
EPSS Score
0.003
Published
2024-07-11
An Improper Check for Unusual or Exceptional Conditions vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS Evolved on ACX7000 Series allows an unauthenticated, adjacent attacker to cause a
Denial-of-Service (DoS).
On all ACX 7000 Series platforms running
Junos OS Evolved, and configured with IRBs, if a Customer Edge device (CE) device is dual homed to two Provider Edge devices (PE) a traffic loop will occur when the CE sends multicast packets. This issue can be triggered by IPv4 and IPv6 traffic.
This issue affects Junos OS Evolved:
All versions from 22.2R1-EVO and later versions before 22.4R2-EVO,
This issue does not affect Junos OS Evolved versions before 22.1R1-EVO.
CVSS Score
6.5
EPSS Score
0.002
Published
2024-07-11
An Improper Neutralization of Special Elements vulnerability in Juniper Networks Junos OS Evolved commands allows a local, authenticated attacker with low privileges to escalate their privileges to 'root' leading to a full compromise of the system.
The Junos OS Evolved CLI doesn't properly handle command options in some cases, allowing users which execute specific CLI commands with a crafted set of parameters to escalate their privileges to root on shell level.
This issue affects Junos OS Evolved:
* All version before 20.4R3-S6-EVO,
* 21.2-EVO versions before 21.2R3-S4-EVO,
* 21.4-EVO versions before 21.4R3-S6-EVO,
* 22.2-EVO versions before 22.2R2-S1-EVO, 22.2R3-EVO,
* 22.3-EVO versions before 22.3R2-EVO.
CVSS Score
7.8
EPSS Score
0.002
Published
2024-07-11
A vulnerability classified as critical has been found in witmy my-springsecurity-plus up to 2024-07-04. Affected is an unknown function of the file /api/role. The manipulation of the argument params.dataScope leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-271152.
CVSS Score
6.3
EPSS Score
0.0
Published
2024-07-11
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Crafted modbus traffic can lead to unlimited resource accumulation within a flow. Upgrade to 7.0.6. Set a limited stream.reassembly.depth to reduce the issue.
CVSS Score
7.5
EPSS Score
0.006
Published
2024-07-11
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Suricata can run out of memory when parsing crafted HTTP/2 traffic. Upgrade to 6.0.20 or 7.0.6.
CVSS Score
7.5
EPSS Score
0.011
Published
2024-07-11
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. A memory allocation failure due to `http.memcap` being reached leads to a NULL-ptr reference leading to a crash. Upgrade to 7.0.6.
CVSS Score
7.5
EPSS Score
0.008
Published
2024-07-11
The TLS certificate validation code is flawed. An attacker can obtain a TLS certificate from the Stork server and use it to connect to the Stork agent. Once this connection is established with the valid certificate, the attacker can send malicious commands to a monitored service (Kea or BIND 9), possibly resulting in confidential data loss and/or denial of service. It should be noted that this vulnerability is not related to BIND 9 or Kea directly, and only customers using the Stork management tool are potentially affected.
This issue affects Stork versions 0.15.0 through 1.15.0.
CVSS Score
8.9
EPSS Score
0.003
Published
2024-07-11