Twitter: @justinsteven
Blog: https://www.justinsteven.com/
Listed in chronological order. Click on any title to read the full advisory.
- Disclosure Date: 2016-09-19
- CVE: CVE-2016-1000243, CVE-2016-1000244
- Certain weekly updates of Metasploit Community/Express/Pro 4.12 were vulnerable to pre-auth RCE as the webserver user. Software update packages contained hard-coded cookie signing keys which, upon installation, would overwrite the unique cookie signing key of an installation. This allowed a remote unauthenticated attacker to cause unmarshalling of arbitrary Ruby objects leading to RCE.
Metasploit arbitrary file write via directory traversal when downloading files from a machine running Meterpreter
- Disclosure date: 2017-02-08
- CVE: CVE-2017-5228, CVE-2017-5231, CVE-2017-5229
- Versions of Metasploit Framework <=4.13.20 were affected by various directory traversal vulnerabilities when downloading files from a victim machine running Meterpreter. The victim machine could cause the attacker's Metasploit instance to write arbitrary files at arbitrary locations on the attacker's filesystem, potentially leading to RCE.
- Disclosure date: 2017-02-15
- CVE: CVE-2017-1000037
- Versions of RVM <1.29.0 were vulnerable to various issues that could trigger arbitrary code execution when a user used
cdto swich into a directory containing malicious files.
- Disclosure date: 2017-03-02
- CVE: Not assigned. Use OVE-20170302-0001
- Versions of Microsoft Visual Studio Code <1.9.0 were vulnerable to an arbitrary code execution issue when opening a workspace that contains a workspace settings file where the file specified a malicious
git.pathvalue.
- Disclosure date: 2017-03-04
- CVE: CVE-2017-1000047
- Versions of
rbenvuse the contents of the.ruby-versionfile within a directory, or within any directory up to the root, to determine the Ruby interpreter to use. Furthermore, the.ruby-versionfile may contain path traversal sequences, allowing the specification of an arbitrary binary on the local filesystem. In some situations this can result in arbitrary code execution or local privilege escalation.
- Disclosure date: 2020-03-19
- CVE: Not assigned
- Versions of the Visual Studio Code Python extension were vulnerable to an arbitrary code execution issue when opening a workspace that contains a workspace settings file where the file specified a malicious
python.pythonPathvalue.
- Disclosure date: 2020-06-09
- CVE: CVE-2020-10759
fwupduses LVFS to obtain firmware metadata for performing firmware updates on Linux systems. A legacy LVFS S3 bucket was available for registration, and a signature verification bypass infwupdwas discovered which could have allowed an attacker to offer malicious firmware updates to ~100,000 Linux machines.
- Disclosure date: 2020-10-31
- CVE: CVE-2020-7384
- Versions of Metasploit's
msfvenompayload generator, when given a crafted APK file to use as a payload template, were vulnerable to a command injection vulnerability in the handling of the crafted APK file.
- Disclosure date: 2021-08-12
- CVE: Not assigned
- OVE: OVE-20210809-0001
- Visual Studio Code 1.59.0 ships with the Jupyter Notebook extension by default. An XSS vulnerability in the rendering of a crafted Jupyter Notebook file allows for theft of local files.
- Disclosure date: 2021-09-09
- CVE: CVE-2021-32724
- The
check-spellingGitHub actions community workflow can be made to leak aGITHUB_TOKENshort-lived API key within a Pull Request comment by sending a Pull Request containing a symlink called.github/actions/advice.txtwhich points to/proc/self/environ.