Vulnerabilities - Week 31

Every week the CSIRT-DSP compiles a selection of vulnerabilities that the CSIRT-DSP has assessed as relevant to digital service providers.

This is a selection of 'Medium' and 'High' vulnerabilities. The assessment uses the CVSS 3.1 base scores where these are available. Where no score is available, this is indicated with 'n/a'.

Critical & High

BeyondTrust Privileged Remote Access (PRA) / Remote Support (RS)
https://infosec.exchange/@briankrebs/110810874163596603 (10.0)

Veritas NetBackup Snapshot Manager
https://www.veritas.com/content/support/en_US/security/VTS23-011 (9.8)

Aruba AOS-CX Command Line Interface
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-010.txt (8.8)

OTRS
https://nvd.nist.gov/vuln/detail/CVE-2023-38060 (8.8)
https://nvd.nist.gov/vuln/detail/CVE-2023-38056 (7.2)
https://nvd.nist.gov/vuln/detail/CVE-2023-38057 (5.4)
https://nvd.nist.gov/vuln/detail/CVE-2023-38058 (4.3)

Broadcom Brocade Fabric OS
https://nvd.nist.gov/vuln/detail/CVE-2023-31425 (7.8)
https://nvd.nist.gov/vuln/detail/CVE-2023-31427 (7.8)
https://nvd.nist.gov/vuln/detail/CVE-2023-31432 (7.8)
https://nvd.nist.gov/vuln/detail/CVE-2023-31926 (7.1)
https://nvd.nist.gov/vuln/detail/CVE-2023-31426 (6.8)
https://nvd.nist.gov/vuln/detail/CVE-2023-31429 (5.5)
https://nvd.nist.gov/vuln/detail/CVE-2023-31428 (5.5)
https://nvd.nist.gov/vuln/detail/CVE-2023-31430 (5.5)
https://nvd.nist.gov/vuln/detail/CVE-2023-31431 (5.5)
https://nvd.nist.gov/vuln/detail/CVE-2023-31927 (5.3)

GitLab CE/EE
https://nvd.nist.gov/vuln/detail/CVE-2023-3364 (7.5)
https://nvd.nist.gov/vuln/detail/CVE-2023-3994 (7.5)
https://nvd.nist.gov/vuln/detail/CVE-2023-0632 (6.5)
https://nvd.nist.gov/vuln/detail/CVE-2023-3385 (6.3)
https://nvd.nist.gov/vuln/detail/CVE-2023-2164 (5.5)
https://nvd.nist.gov/vuln/detail/CVE-2023-3993 (4.9)
https://nvd.nist.gov/vuln/detail/CVE-2023-3500 (4.8)
https://nvd.nist.gov/vuln/detail/CVE-2023-3900 (4.3)
https://nvd.nist.gov/vuln/detail/CVE-2023-4011 (4.3)

IBM Spectrum Scale
https://nvd.nist.gov/vuln/detail/CVE-2022-43831 (7.4)

IBM Security Verify Governance / Identity Manager
https://nvd.nist.gov/vuln/detail/CVE-2023-35019 (7.2)
https://nvd.nist.gov/vuln/detail/CVE-2023-35016 (6.5)

Ivanti Endpoint Manager Mobile (EPMM)
https://forums.ivanti.com/s/article/CVE-2023-35081-Arbitrary-File-Write (7.2)

Jenkins, various plugins
https://www.jenkins.io/security/advisory/2023-07-26/ (high-medium)

Supermicro Baseboard Management Controller (BMC) in X12 / X13 / H12 / H13 motherboards
https://nvd.nist.gov/vuln/detail/CVE-2023-35861 (high)

Zoho ManageEngine Support Center Plus
https://nvd.nist.gov/vuln/detail/CVE-2023-38331 (high)

Trustwave ModSecurity
https://nvd.nist.gov/vuln/detail/CVE-2023-38285 (n/a)

Xen
https://xenbits.xenproject.org/xsa/advisory-436.html (n/a)

Zimbra Collaboration (ZCS)
https://nvd.nist.gov/vuln/detail/CVE-2023-37580 (n/a)
https://nvd.nist.gov/vuln/detail/CVE-2023-38750 (n/a)

Zoho ManageEngine Password Manager Pro
https://www.manageengine.com/products/passwordmanagerpro/release-notes… (n/a)
Medium

SolarWinds Network Configuration Manager
https://nvd.nist.gov/vuln/detail/CVE-2023-23842 (6.8)

SolarWinds Platform
https://nvd.nist.gov/vuln/detail/CVE-2023-23843 (6.8)
https://nvd.nist.gov/vuln/detail/CVE-2023-23844 (6.8)
https://nvd.nist.gov/vuln/detail/CVE-2023-33224 (6.8)
https://nvd.nist.gov/vuln/detail/CVE-2023-33225 (6.8)
https://nvd.nist.gov/vuln/detail/CVE-2023-3622 (4.6)

HCL BigFix Mobile
https://nvd.nist.gov/vuln/detail/CVE-2023-28014 (6.6)
https://nvd.nist.gov/vuln/detail/CVE-2023-28012 (5.4)

Dell ECS Streamer
https://nvd.nist.gov/vuln/detail/CVE-2023-32468 (5.8)

Octopus Deploy
https://nvd.nist.gov/vuln/detail/CVE-2022-2416 (5.5)
https://nvd.nist.gov/vuln/detail/CVE-2022-2346 (5.5)

Tribe29 Checkmk
https://nvd.nist.gov/vuln/detail/CVE-2023-23548 (5.4)

HashiCorp Vault / Vault Enterprise
https://nvd.nist.gov/vuln/detail/CVE-2023-3462 (5.3)
https://nvd.nist.gov/vuln/detail/CVE-2023-3774 (4.9)

GitLab DAST scanner
https://nvd.nist.gov/vuln/detail/CVE-2023-1401 (5.0)

GitHub Enterprise Server
https://nvd.nist.gov/vuln/detail/CVE-2023-23764 (4.8)

Trend Micro Apex Central
https://success.trendmicro.com/dcx/s/solution/000294176 (4.2)