CISA Adds Minio, Papercut, and Chrome Bugs to Its Known Exploited Vulnerabilities Catalog

Summary:
U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the following three new issues to its Known Exploited Vulnerabilities Catalog:

  • CVE-2023-28432 (CVSS score – 7.5) – MinIO Information Disclosure Vulnerability. The issue resides in a cluster deployment where MinIO returns all environment variables, which allows for information disclosure.
  • CVE-2023-27350 (CVSS score – 9.8) – PaperCut MF/NG Improper Access Control Vulnerability. PaperCut MF/NG contains an improper access control vulnerability within the SetupCompleted class that allows authentication bypass and code execution in the context of system.
  • CVE-2023-2136 – Google Chrome Skia Integer Overflow Vulnerability. The vulnerability is an integer overflow in the Skia graphics library; the issue was reported by Clément Lecigne of Google’s Threat Analysis Group on April 12, 2023. A remote attacker who had already compromised the renderer process could exploit the integer overflow in Skia to potentially perform a sandbox escape via a crafted HTML page.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog. Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
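As an added example (not part of the original summary or of CISA's tooling), the following Python script cross-references an asset inventory against a feed in the shape of the KEV catalog JSON and ranks the hits by their BOD 22-01 due date. The feed sample, host names and due dates are constructed placeholders; the real deadlines for these CVEs are not given on this page.

```python
import json
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed (the live feed is published at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Only the three CVEs from this summary are included; dueDate values are placeholders.
SAMPLE_KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2023-28432", "vendorProject": "MinIO", "product": "MinIO",
         "vulnerabilityName": "MinIO Information Disclosure Vulnerability",
         "dateAdded": "2023-04-21", "dueDate": "2023-05-12"},
        {"cveID": "CVE-2023-27350", "vendorProject": "PaperCut", "product": "MF/NG",
         "vulnerabilityName": "PaperCut MF/NG Improper Access Control Vulnerability",
         "dateAdded": "2023-04-21", "dueDate": "2023-05-05"},
        {"cveID": "CVE-2023-2136", "vendorProject": "Google", "product": "Chromium Skia",
         "vulnerabilityName": "Google Chromium Skia Integer Overflow Vulnerability",
         "dateAdded": "2023-04-21", "dueDate": "2023-05-12"},
    ]
})

# Constructed inventory: CVE -> hosts where a vulnerability scanner reported it.
# The last entry is a made-up CVE that is not in KEV and should be ignored.
SAMPLE_INVENTORY = {
    "CVE-2023-28432": ["minio-cluster-01", "minio-cluster-02"],
    "CVE-2023-27350": ["print-server-02"],
    "CVE-2000-00000": ["legacy-app"],
}


def kev_index(feed_json):
    """Map cveID -> KEV entry for quick lookup."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def triage(feed_json, inventory, today):
    """Return inventory CVEs that appear in KEV, most urgent first.

    Each hit carries the affected hosts, the KEV due date and the days left until it
    (negative means the BOD 22-01 deadline has already passed).
    """
    idx = kev_index(feed_json)
    hits = []
    for cve, hosts in inventory.items():
        entry = idx.get(cve)
        if entry is None:
            continue  # not a known exploited vulnerability; handle via normal patch cycle
        due = date.fromisoformat(entry["dueDate"])
        hits.append({"cve": cve, "name": entry["vulnerabilityName"], "hosts": list(hosts),
                     "due": due.isoformat(), "days_left": (due - today).days})
    hits.sort(key=lambda h: (h["days_left"], h["cve"]))
    return hits


if __name__ == "__main__":
    for h in triage(SAMPLE_KEV_JSON, SAMPLE_INVENTORY, date(2023, 5, 1)):
        print(f'{h["cve"]}: due {h["due"]} ({h["days_left"]} days) on {", ".join(h["hosts"])}')
```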

Analyst comments:
CISA has been promptly updating its website upon detecting CVEs or vulnerabilities that are being actively exploited. The mentioned CVEs could potentially compromise system confidentiality and integrity if exploited successfully. While the inclusion of these CVEs in CISA's catalog suggests that organizations may have been affected, the updates provide an opportunity for those who have not yet been targeted to take remedial action before any damage occurs.

Mitigation:
Companies should take note of CISA’s catalog and patch accordingly if they have not already done so.

Source:
https://securityaffairs.com