
Vulnerability Risk Advisory (20230321)

Posted 2023-3-21 09:05
Disclaimer: the content below was obtained from publicly available Internet sources and is shared here only on a limited basis. The translated content does not represent the views of Antiy Labs; any sharing or redistribution of this content by third parties, and any consequences thereof, are unrelated to the translator and Antiy Labs. The content below may not be used for any commercial purpose, and the translator and Antiy Labs accept no legal liability arising from it.

1 Microsoft Outlook Elevation of Privilege Vulnerability (CVE-2023-23397)
I. Vulnerability description:
    Microsoft Outlook contains an elevation of privilege vulnerability. An unauthenticated remote attacker can send the victim a specially crafted e-mail that causes the victim's Outlook client to connect to an external UNC location under the attacker's control. This leaks the victim's Net-NTLMv2 hash to the attacker, who can then relay it to another service and authenticate as the victim.
II. Risk level:
    High
III. Affected scope:
    Microsoft Outlook 2016 (64-bit edition)
    Microsoft Outlook 2013 Service Pack 1 (32-bit editions)
    Microsoft Outlook 2013 RT Service Pack 1
    Microsoft Outlook 2013 Service Pack 1 (64-bit editions)
    Microsoft Office 2019 for 32-bit editions
    Microsoft 365 Apps for Enterprise for 32-bit Systems
    Microsoft Office 2019 for 64-bit editions
    Microsoft 365 Apps for Enterprise for 64-bit Systems
    Microsoft Office LTSC 2021 for 64-bit editions
    Microsoft Outlook 2016 (32-bit edition)
    Microsoft Office LTSC 2021 for 32-bit editions

IV. Remediation:
    The vendor has released patches that fix this vulnerability; they are available at:
    https://support.microsoft.com/help/5002265
    https://support.microsoft.com/help/5002254
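The description above says the crafted message makes Outlook reach out to an attacker-controlled UNC path. A defender's first question is which mailbox items carry such a path. The following is an added example, not part of the original advisory or of any Microsoft tooling: it assumes the reminder sound path lives in the extended MAPI property PidLidReminderFileParameter (named here as an assumption, the advisory does not mention it) and scans constructed sample items, flagging only those whose path would leave the host.

```python
import re
from dataclasses import dataclass, field

# Extended MAPI property that holds a custom reminder sound path on calendar
# and task items; assumed here (the advisory does not name it). The sample
# items below are constructed for illustration, not taken from a real mailbox.
REMINDER_FILE_PROPERTY = "PidLidReminderFileParameter"

_UNC_RE = re.compile(r"^\\\\([^\\/]+)[\\/]")          # \\host\share\...  (also \\host@80\...)
_FILE_URL_RE = re.compile(r"^file://([^/]+)/", re.I)  # file://host/share/...
_LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


@dataclass
class MailItem:
    sender: str
    subject: str
    properties: dict = field(default_factory=dict)


def remote_host(path: str):
    """Host Outlook would contact to fetch the reminder sound, or None if the path is local."""
    m = _UNC_RE.match(path) or _FILE_URL_RE.match(path)
    if not m:
        return None                              # drive letter or relative path: stays local
    host = m.group(1).split("@")[0].lower()      # drop WebDAV-style @port / @SSL suffixes
    return None if host in _LOCAL_HOSTS else host


def flag_items(items):
    """Return (sender, subject, host) for every item whose reminder path points off-host."""
    hits = []
    for item in items:
        value = item.properties.get(REMINDER_FILE_PROPERTY)
        if not value:
            continue
        host = remote_host(value)
        if host:
            hits.append((item.sender, item.subject, host))
    return hits


# Constructed sample: one benign local reminder sound, one external UNC share, one without the property.
SAMPLE_ITEMS = [
    MailItem("hr@corp.example", "Team meeting",
             {REMINDER_FILE_PROPERTY: r"C:\Windows\Media\chimes.wav"}),
    MailItem("unknown@attacker.example", "Urgent: sync",
             {REMINDER_FILE_PROPERTY: r"\\203.0.113.9\share\alert.wav"}),
    MailItem("vendor@partner.example", "Invoice", {}),
]

if __name__ == "__main__":
    for sender, subject, host in flag_items(SAMPLE_ITEMS):
        print(f"investigate: {host!r} referenced by {sender!r} ({subject!r})")
```

Hosts returned by flag_items are candidates for outbound SMB/WebDAV blocking and for correlation with NTLM authentication events from the affected workstation.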


2 Jenkins Cross-Site Scripting Vulnerability (CVE-2023-27898)
I. Vulnerability description:
    The Jenkins plugin manager contains a stored cross-site scripting (XSS) vulnerability that allows an attacker to use the script console API to run arbitrary code on the Jenkins server.
II. Risk level:
    High
III. Affected scope:
    2.270 <= Jenkins < 2.394
IV. Remediation:
    The vendor has released patches that fix this vulnerability; they are available at:
    https://www.jenkins.io/download/


3 Wallabag Denial of Service Vulnerability (CVE-2023-0734)
I. Vulnerability description:

    Wallabag contains an IDOR vulnerability that allows tags to be added to other users' entries: because the acting user is not verified, tags can be added to any user's entries. In addition, the input is not restricted, which causes the entry interface to crash.
II. Risk level:
    High
III. Affected scope:
    wallabag 2.5.3
IV. Remediation:
    The vendor has released patches that fix this vulnerability; they are available at:
    https://github.com/wallabag/wallabag/releases


4 Dell PowerEdge Server BIOS Buffer Error Vulnerability (CVE-2022-34407)
I. Vulnerability description:
    Dell PowerEdge Server BIOS contains a buffer error vulnerability caused by improper validation of the SMM communication buffer.
II. Risk level:
    High
III. Affected scope:
    DSS 8440, PowerEdge XR2, PowerEdge C4130, PowerEdge C4140, PowerEdge C6320, PowerEdge C6420, PowerEdge C6520, PowerEdge C6525, PowerEdge FC430, PowerEdge FC630, PowerEdge FC640, PowerEdge FC830, PowerEdge M630, PowerEdge M630 (for PE VRTX), PowerEdge M640, PowerEdge M640 (for PE VRTX), PowerEdge M830, PowerEdge M830 (for PE VRTX), PowerEdge MX740c, PowerEdge MX750c, PowerEdge MX840c, PowerEdge R230, PowerEdge R250, PowerEdge R330, PowerEdge R350, PowerEdge R430, PowerEdge R440, PowerEdge R450, PowerEdge R530, PowerEdge R540, PowerEdge R550, PowerEdge R630, PowerEdge R640, PowerEdge R6415, PowerEdge R650, PowerEdge R650xs, PowerEdge R6515, PowerEdge R6525, PowerEdge R730, PowerEdge R730xd, PowerEdge R740, PowerEdge R740xd, PowerEdge R740xd2, PowerEdge R7415, PowerEdge R7425, PowerEdge R750, PowerEdge R750xa, PowerEdge R750xs, PowerEdge R7515, PowerEdge R830, PowerEdge R840, PowerEdge R930, PowerEdge R940, PowerEdge R940xa, PowerEdge T130, PowerEdge T140, PowerEdge T150, PowerEdge T330, PowerEdge T340, PowerEdge T350, PowerEdge T430, PowerEdge T440, PowerEdge T550, PowerEdge T630, PowerEdge T640, PowerEdge XE2420, PowerEdge XE7420, PowerEdge XE7440, PowerEdge XE8545, PowerEdge XR11, PowerEdge XR12, PowerVault NX3000, PowerVault NX3100, PowerVault NX3200, PowerVault NX3300, PowerVault NX3500, PowerVault NX3600, PowerVault NX3610, Powervault NX400
IV. Remediation:
    The vendor has released patches that fix this vulnerability; they are available at:
    https://www.dell.com/support/kbd ... ation-vulnerability
