wloe2gf posted on 2024-10-3 10:01:36

[Vulnerability Alert] Multiple vulnerability alerts for 10.10


    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/ibhQpAia4xu03ZdJ9jYwJyLlLtTWSRibib9MVibB3qic6EGiadWhkeDqfoPC1YR4bQxjZKYca7eRkPe8lyUU6ywV6snVw/640?wx_fmt=png&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">1 ThingsBoard FreeMarker template injection vulnerability (CVE-2023-45303)</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">1.</span><strong style="color: blue;">Vulnerability description:</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">ThingsBoard is an open-source IoT platform for data collection, processing, visualization and device management, supporting both cloud and on-premises deployment. ThingsBoard versions before 3.5 contain a FreeMarker template injection vulnerability. An authenticated attacker can configure the mail template through the /api/admin/settings route and trigger the vulnerability by sending a test email, leading to remote code execution.</p><span style="color: black;">2.</span><strong style="color: blue;">Severity:</strong>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">High</p><span style="color: black;">3.</span><strong style="color: blue;">Affected versions:</strong>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">ThingsBoard &lt; 3.5</p><span style="color: black;">4.</span><strong style="color: blue;">Remediation:</strong>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The vendor has released an upgrade patch that fixes the vulnerability; patch download link:</p>

    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">https://github.com/thingsboard/thingsboard/releases</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/ibhQpAia4xu03ZdJ9jYwJyLlLtTWSRibib9MibtfZQdyOJcjkb6vm1DC74OIdjLL20DzXeaiaZnMkrdVrEUwhXYicnMzQ/640?wx_fmt=png&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">2 Emlog deserialization vulnerability (CVE-2023-43291)</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">1.</span><strong style="color: blue;">Vulnerability description:</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">emlog is a PHP and MySQL based CMS site-building system from the emlog independent developers. emlog pro v.2.1.15 and earlier contain a security vulnerability: deserialization of untrusted data allows a remote attacker, via a crafted request, to obtain sensitive database information and even gain control of the server.</p><span style="color: black;">2.</span><strong style="color: blue;">Severity:</strong>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">High</p><span style="color: black;">3.</span><strong style="color: blue;">Affected versions:</strong>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">emlog pro &lt;= v.2.1.15</p><span style="color: black;">4.</span><strong style="color: blue;">Remediation:</strong>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The vendor has released an upgrade patch that fixes the vulnerability; patch download link:</p>

    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">https://www.emlog.net/download</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/ibhQpAia4xu03ZdJ9jYwJyLlLtTWSRibib9MZZUnIHteboB3yQ8MD1icmmRFK5U6HjfX3txw9wHbWNK8QPWKNxNSIjw/640?wx_fmt=png&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">3 urllib3 information disclosure vulnerability (CVE-2023-43804)</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">1.</span><strong style="color: blue;">Vulnerability description:</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">urllib3 is an enhanced HTTP client library for Python that adds many features missing from the Python standard library, including thread-safe connection pooling and client-side SSL/TLS verification. urllib3 does not treat the "Cookie" HTTP header specially, nor does it provide any helpers for managing cookies over HTTP; that is the user's responsibility. However, if the user has not explicitly disabled redirects, they may specify a "Cookie" header and unknowingly leak its contents to a different origin through an HTTP redirect.</p><span style="color: black;">2.</span><strong style="color: blue;">Severity:</strong>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">High</p><span style="color: black;">3.</span><strong style="color: blue;">Affected versions:</strong>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">urllib3 &lt;=1.26.16</p><span style="color: black;">4.</span><strong style="color: blue;">Remediation:</strong>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The vendor has released an upgrade patch that fixes the vulnerability; patch download link:</p>

    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">https://pypi.org/project/urllib3/</p>
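The cross-origin redirect check behind the urllib3 issue above, as an added example (not urllib3's own code): it models when a client must drop the Cookie and Authorization headers before following a redirect, using only the standard library and constructed sample headers. The hypothetical names headers_for_redirect and leaked_headers are assumptions of this example.

```python
"""Added example: strip credential-bearing headers on cross-origin redirects.

This is a stand-alone model of the check, not urllib3's implementation.
urllib3 historically stripped Authorization when the host changed; the fix
for CVE-2023-43804 added Cookie to that default list.
"""
from urllib.parse import urljoin, urlsplit

# Headers that must never follow a redirect to a different origin.
SENSITIVE_HEADERS = frozenset({"authorization", "cookie"})

_DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple:
    """Return (scheme, host, port), filling in the default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else _DEFAULT_PORTS.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)


def is_cross_origin(request_url: str, target_url: str) -> bool:
    """True when scheme, host or port differs between the two URLs."""
    return origin(request_url) != origin(target_url)


def headers_for_redirect(request_url: str, location: str, headers: dict,
                         strip: frozenset = SENSITIVE_HEADERS) -> dict:
    """Return a copy of `headers` that is safe to send to `location`.

    `location` may be relative (as the Location header often is), so it is
    resolved against the original request URL before comparing origins.
    """
    target = urljoin(request_url, location)
    if not is_cross_origin(request_url, target):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in strip}


def leaked_headers(request_url: str, location: str, headers: dict) -> list:
    """Names of sensitive headers a naive client would forward to a new origin.

    Useful for auditing redirect chains: a non-empty list means the
    vulnerable behaviour would expose these values to the redirect target.
    """
    target = urljoin(request_url, location)
    if not is_cross_origin(request_url, target):
        return []
    return sorted(k for k in headers if k.lower() in SENSITIVE_HEADERS)
```

On urllib3 releases that still lack the fix, the same default can be set explicitly through urllib3's Retry(remove_headers_on_redirect=[...]) option, which also accepts "Cookie".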
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/ibhQpAia4xu03ZdJ9jYwJyLlLtTWSRibib9MBBYhDVmHwXgic2LkeE3gYSCvXicynAwCC1frrG1XdQr4hZ8mFwaz2BBw/640?wx_fmt=png&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">4 Gradle XML external entity injection vulnerability (CVE-2023-42445)</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">1.</span><strong style="color: blue;">Vulnerability description:</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Gradle is a build tool that helps teams build, automate and deliver better software and accelerates developer productivity. Gradle versions before 7.6.3 and 8.4 contain an XML external entity injection vulnerability. In some cases, when Gradle parses XML files, resolution of XML external entities is not disabled. Combined with an out-of-band XXE attack (OOB-XXE), merely parsing an XML file can cause local text files to be leaked to a remote server.</p><span style="color: black;">2.</span><strong style="color: blue;">Severity:</strong>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">High</p><span style="color: black;">3.</span><strong style="color: blue;">Affected versions:</strong>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Gradle &lt; 7.6.3</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Gradle &lt; 8.4</p><span style="color: black;">4.</span><strong style="color: blue;">Remediation:</strong>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The vendor has released an upgrade patch that fixes the vulnerability; patch download link:</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">https://github.com/gradle/gradle/releases</p>





nykek5i posted on 2024-10-20 07:02:12

Google website ranking optimization http://www.fok120.com/

j8typz posted on 2024-10-28 22:03:12

Your words deeply touched me, as if they spoke the voice in my heart.

b1gc8v posted on 2024-11-1 00:23:26

Websites where backlinks can be posted http://www.fok120.com/