Atlassian Drops Patches for Critical Jira Authentication Bypass Vulnerability
Description:
Atlassian has published a security advisory to alert that its Jira and Jira Service Management products are affected by a critical authentication bypass vulnerability in Seraph, the company's web application security framework.
Seraph is used in Jira and Confluence for handling all login and logout requests via a system of pluggable core elements. The flaw tracked as CVE2022-0540 allows a remote attacker to bypass authentication by sending a specially crafted HTTP request to vulnerable endpoints.
Seraph is used in Jira and Confluence for handling all login and logout requests via a system of pluggable core elements. The flaw tracked as CVE2022-0540 allows a remote attacker to bypass authentication by sending a specially crafted HTTP request to vulnerable endpoints.
CVE_IDs:
CVE-2022-0540
Source:
Atlassian Drops Patches for Critical Jira Authentication Bypass Vulnerability (thehackernews.com)
Impact:
The vulnerability allows a remote attacker to
bypass authentication by sending a specially
crafted HTTP request to vulnerable
endpoints
Suggestions and Recommendations:
Users are strongly recommended to update
to one of the patched versions to mitigate
potential exploitation attempts
Critical bug in Android could allow access to users' media files
Description:
Android devices running on Qualcomm and
MediaTek chipsets were found to be vulnerable to
remote code execution due to a flaw in the
implementation of the Apple Lossless Audio Codec
(ALAC). ALAC is an audio coding format for lossless
audio developed by Apple Inc. The vulnerability
enables a remote attacker to execute code on a
target device by sending a maliciously crafted audio
file and tricking the user into opening it. The
researchers are calling this attack "ALHACK."
Source:
Critical bug in Android could allow access to users' media files (bleepingcomputer.com)
Impact:
The impact of an RCE vulnerability can
range from malware execution to an
attacker gaining control over a user’s
multimedia data, including streaming from a
compromised machine’s camera
Suggestions and Recommendations:
Users are recommended to apply the
patches.
QNAP Advises Users to Update NAS Firmware to Patch Apache HTTP Vulnerabilities
Description:
QNAP has issued a notice recommending users update firmware for network-attached storage (NAS) appliances to fix two flaws affecting Apache HTTP software. The flaws in questions are exploited in the wild.
The critical flaws tracked as CVE-2022-22721 and
CVE-2022-23943, impact Apache HTTP Server
versions 2.4.52 and earlier.CVE-2022-22721 is a
buffer overflow with very large or unlimited
LimitXMLRequestBody and CVE-2022-23943 is
Out-of-bounds Write vulnerability in mod_sed of
Apache HTTP Server that allows an attacker to
overwrite the memory of an httpd instance that is
using mod_sed with data provided by the attacker.
CVE_IDs:
- CVE-2022-22721
- CVE-2022-23943
Source:
QNAP Advises Users to Update NAS Firmware to Patch Apache HTTP Vulnerabilities (thehackernews.com)
Impact:
Successful exploitation of this vulnerability
can crash the browser and even lead to the
execution of arbitrary code.
Suggestions and Recommendations:
The fix has been released and we strongly recommend updating to the latest version.
Hackers Exploiting Recently Reported Windows Print Spooler Vulnerability in the Wild
Description:
CISA warns about the security flaw in the Windows Print Spooler component that was patched by Microsoft in February is being actively exploited in the wild.
CISA warns about the security flaw in the Windows
Print Spooler component that was patched by
Microsoft in February is being actively exploited in
the wild.
CVE_IDs:
-
CVE-2022-22718
Source:
Impact:
Successful exploitation of the flaw could
lead to local privilege escalation in the
vulnerable devices
Suggestions and Recommendations:
Successful exploitation of the flaw could lead to local privilege escalation in the vulnerable devices