Vulnerabilities in VS Code, Grafana, GNU Emacs and Apache Fineract

Several recently identified vulnerabilities:

  • A critical vulnerability (CVE-2022-41034) has been identified in Visual Studio Code (VS Code) that allows code execution when a user opens a link prepared by an attacker. The code can be executed either on the VS Code machine or on any other machine connected to VS Code using the Remote Development feature. The problem poses the greatest danger to users of the web version of VS Code and web editors based on it, including GitHub Codespaces and github.dev.

    The vulnerability stems from the handling of "command:" service links, which can open a terminal window and execute arbitrary shell commands in it, when the editor processes specially crafted documents in Jupyter Notebook format downloaded from a web server controlled by the attacker (external files with the ".ipynb" extension are opened in "isTrusted" mode without additional confirmation, which permits the processing of "command:" links).

  • A vulnerability (CVE-2022-45939) has been identified in the GNU Emacs text editor that allows command execution when a file with code is opened, through the substitution of special characters in a name processed with the ctags toolkit.
  • A vulnerability (CVE-2022-31097) has been identified in the Grafana open source data visualization platform that could allow JavaScript code to be executed when a notification is displayed through the Grafana Alerting system. An attacker with Editor rights can prepare a specially designed link and gain access to the Grafana interface with administrator rights if the administrator clicks on this link. The vulnerability has been fixed in Grafana 9.2.7, 9.3.0, 9.0.3, 8.5.9, 8.4.10 and 8.3.10 releases.
  • A vulnerability (CVE-2022-46146) in the exporter-toolkit library used to create metrics exporters for Prometheus. The problem allows basic authentication to be bypassed.
  • A vulnerability (CVE-2022-44635) in the Apache Fineract financial services platform that allows an unauthenticated user to achieve remote code execution. The problem is caused by the lack of proper escaping of the ".." characters in the paths processed by the component for loading files. The vulnerability was fixed in Apache Fineract 1.7.1 and 1.8.1 releases.
  • A vulnerability (CVE-2022-46366) in the Apache Tapestry Java framework that allows custom code to be executed when specially formatted data is deserialized. The problem appears only in the old branch of Apache Tapestry 3.x, which is no longer supported.
  • Vulnerabilities in the Apache Airflow providers for Hive (CVE-2022-41131), Pinot (CVE-2022-38649), Pig (CVE-2022-40189) and Spark (CVE-2022-40954), leading to remote code execution through the loading of arbitrary files or command substitution in the context of job execution, without requiring write access to DAG files.

Source: opennet.ru
