每日安全动态推送(12-21)
2023-12-21 17:0:35 Author: mp.weixin.qq.com(查看原文) 阅读量:3 收藏

Tencent Security Xuanwu Lab Daily News

• CVE-2023-46104: Apache Superset: Allows for uncontrolled resource consumption via a ZIP bomb:
https://seclists.org/oss-sec/2023/q4/293

   ・ Apache Superset存在漏洞CVE-2023-46104,允许通过ZIP炸弹进行不受控制的资源消耗。 – SecTodayBot

• Re: CVE-2023-48795: Prefix Truncation Attacks in SSH Specification (Terrapin Attack):
https://seclists.org/oss-sec/2023/q4/300

   ・ 介绍了一个与SSH规范相关的CVE漏洞 – SecTodayBot

• Disclosure of CVE-2023-50917: RCE Vulnerability in MajorDoM:
https://seclists.org/fulldisclosure/2023/Dec/19

   ・ 该文章披露了MajorDoM中的RCE漏洞,详细分析了漏洞的根本原因和利用方式,强调了潜在影响以及建议的缓解措施。  – SecTodayBot

• CVE-2023-49736: Apache Superset: SQL Injection on where_in JINJA macro:
https://seclists.org/oss-sec/2023/q4/294

   ・ Apache Superset存在SQL注入漏洞 – SecTodayBot

• Mute the Sound: Chaining Vulnerabilities to Achieve RCE on Outlook: Pt 2:
https://www.akamai.com/blog/security-research/2023/dec/chaining-vulnerabilities-to-achieve-rce-part-two

   ・ 该文章重点介绍了利用声音文件解析漏洞在Outlook和Windows上实现远程代码执行的技术细节和分析。  – SecTodayBot

• 高通 MSM Linux 内核和 ARM Mali GPU 中 0-day 漏洞攻击利用分析:
https://paper.seebug.org/3091/

   ・ 高通 MSM Linux 内核和 ARM Mali GPU 中 0-day 漏洞攻击利用分析  – SecTodayBot

• OilRig APT 攻击行为分析:
https://paper.seebug.org/3092/

   ・ 该文章内容涉及2022年OilRig坚持使用云服务为动力的下载器进行持久攻击。文章详细分析了OilRig下载器的技术细节,包括它们如何使用各种合法的云服务API进行C&C通信和数据窃取。  – SecTodayBot

* 查看或搜索历史推送内容请访问:
https://sec.today

* 新浪微博账号: 腾讯玄武实验室
https://weibo.com/xuanwulab


文章来源: https://mp.weixin.qq.com/s?__biz=MzA5NDYyNDI0MA==&mid=2651959470&idx=1&sn=8573f2f8375d1e1e24df04e62708c682&chksm=8baed031bcd95927c43c7384a0f7abdfd6ee18e4886f927111d6c2525daa498c7739c55f3d82&scene=58&subscene=0#rd
如有侵权请联系:admin#unsafe.sh