RCE in Tailscale, DNS Rebinding, and You [CVE-2022-41924]
A number of bugs in Tailscale leading to an RCE chain.
Vulnerabilities tagged "rce"
Blind SSRF to LQL Injection to File Deletion to Authentication Bypass in Checkmk
A long chain of issues going from blind SSRF to new-line injection to a blind Livestatus Query Language (LQL) injection to arbitrary file deletion and finally a race condition leading to authentication bypass.
Integer Truncation in Java's XML Signature Verification
The root of the issue is that XSLTC (turns XSLT into a Java Class to be executed for better performance) does not account for that fact that the `constant_pool_count` in a Java class is only 16bits. An attacker can create an XSLT document containing too many constants, all of which will be written to the class file, but the count will be truncated to 16bits, leading to some of those constants being interpreted as part of the classfile containing things like field and method descriptions for the class.
SSRF and RCE in Apache Batlik due to Improper Parsing of `jar:` URI
A somewhat simple security control bypass in Apache Batik's `DefaultScriptSecurity` and `DefaultExternalResourceSecurity` controls.Where Batik has to be able to load SVG files (and associated resources) from either a local or remote source, it makes for an interesting attack for SSRF and/or RCE...
Galaxy Store Applications Installation/Launching without User Interaction
There seems to be a lot of gaps in this writeup, but to the best of my understanding the bug a straight forward XSS but only in the MCS Webview giving access to the `window.GalaxyStore` object to download or open any application from the store.
Analysis of a Remote Code Execution (RCE) Vulnerability in Cobalt Strike 4.7.1
So Java's Swing UI Toolkit in some cases will try to parse any strings that start with a `<` as HTML, and dangerously so as its handling of `
[GitLab] Conversion of Hashmap into arbitrary object allows for RCE when Importing from GitHub
Yet another case of turning attacker data into full-blown objects automatically being a bad idea, in this case we have the Sawyer library used by Octokit turning API response into Ruby objects that is used to build Redis commands, allowing an attacker to inject arbitrary Redis commands leading to code execution with a crafted API response.
[Dompdf] RCE via Polyglot phar/ttf File
This vulnerability builds on/is complicated by two past issues.The first being an RCE via caching of remote font files, we discussed this vulnerability on [Episode 129](https://dayzerosec.com/vulns/2022/03/21/from-xss-to-rce-dompdf-0day.html)...
Breaking Bitbucket: Pre Auth Remote Command Execution [CVE-2022-36804]
Two argument injections that were found in Bitbucket server, though only one of them was exploitable.The first was in the `/rest/api/latest/projects/~USER/repos/repo1/browse` endpoint, where an `at` parameter could be provided...
Abusing GitHub and GitLab Webhooks to Compromise Internal Jenkins Instances
Just what can be accomplished when webhooks are allowed to access internal services, Cider Security takes a look specifically at abusing GitHub and GitLab webhooks to access internally hosted Jenkin instances.