CVE-2018-0001
Published: 2018-01-10
Priority: P2 65 · critical · CVSS 3.0 score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 6.33% (92.8th percentile)
A remote, unauthenticated attacker may be able to execute code by exploiting a use-after-free defect found in older versions of PHP through injection of crafted data via specific PHP URLs within the context of the J-Web process. Affected releases are Juniper Networks Junos OS: 12.1X46 versions prior to 12.1X46-D67; 12.3 versions prior to 12.3R12-S5; 12.3X48 versions prior to 12.3X48-D35; 14.1 versions prior to 14.1R8-S5, 14.1R9; 14.1X53 versions prior to 14.1X53-D44, 14.1X53-D50; 14.2 versions prior to 14.2R7-S7, 14.2R8; 15.1 versions prior to 15.1R3; 15.1X49 versions prior to 15.1X49-D30; 15.1X53 versions prior to 15.1X53-D70.
Affected (21 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| juniper | j-web | — | — |
| juniper | junos | — | — |
| juniper | junos | — | — |
| juniper | junos | — | — |
| juniper | junos | — | — |
| juniper | junos | — | — |
| juniper | junos | — | — |
| juniper | junos | — | — |
| juniper | junos | — | — |
| juniper | junos | — | — |
| juniper | junos_os | — | — |
| juniper_networks | junos_os | >= 12.1X46 < 12.1X46-D67 | 12.1X46-D67 |
| juniper_networks | junos_os | >= 12.3 < 12.3R12-S5 | 12.3R12-S5 |
| juniper_networks | junos_os | >= 12.3X48 < 12.3X48-D35 | 12.3X48-D35 |
| juniper_networks | junos_os | >= 14.1 < 14.1R8-S5, 14.1R9 | 14.1R8-S5, 14.1R9 |
| juniper_networks | junos_os | >= 14.1X53 < 14.1X53-D44, 14.1X53-D50 | 14.1X53-D44, 14.1X53-D50 |
| juniper_networks | junos_os | >= 14.2 < 14.2R7-S7, 14.2R8 | 14.2R7-S7, 14.2R8 |
| juniper_networks | junos_os | >= 15.1 < 15.1R3 | 15.1R3 |
| juniper_networks | junos_os | >= 15.1X49 < 15.1X49-D30 | 15.1X49-D30 |
| juniper_networks | junos_os | >= 15.1X53 < 15.1X53-D70 | 15.1X53-D70 |
| mercurial | mercurial | >= 0 < 4.6.1 | 4.6.1 |
Detection & IOCs (extracted from sources)
- Exploit traffic targets the J-Web process via crafted PHP URLs; monitor HTTP/S requests to J-Web endpoints containing anomalous or malformed PHP URL patterns on Junos OS devices.
- The attack is remote and unauthenticated; alert on unexpected or unauthenticated code execution attempts originating from external sources targeting J-Web (typically TCP/443 or TCP/80).
- Vulnerable only on Junos OS versions prior to the fixed releases listed; verify device OS version before applying detections. Fixed versions include 12.1X46-D67, 12.3R12-S5, 12.3X48-D35, 14.1R8-S5/14.1R9, 14.1X53-D44/D50, 14.2R7-S7/14.2R8, 15.1R3, 15.1X49-D30, 15.1X53-D70.
- The vulnerability is rooted in a use-after-free defect in older versions of PHP bundled with Junos OS J-Web; detections should be scoped to the Juniper J-Web attack surface, not generic PHP deployments.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_redhat | — | 7.5 | HIGH | — |
Red Hat
CVE-2018-13348 [HIGH] CWE-20 · mercurial: Improper length check in mpatch.c
vendor_redhat · 2018-06-06 · CVSS 7.5
The mpatch_decode function in mpatch.c in Mercurial before 4.6.1 mishandles certain situations where there should be at least 12 bytes remaining after the current position in the patch data, but actually are not, aka OVE-20180430-0001.
Package: mercurial (Red Hat Ansible Tower 3) - Not affected
Package: mercurial (Red Hat Enterprise Linux 6) - Not affected
Package: mercurial (Red Hat Enterprise Linux 7) - Not affected
Package: mercurial (Red Hat Enterprise Linux 8) - Not affected
Juniper
CVE-2018-0001 [CRITICAL] CWE-416
vendor_juniper · 2018-01-10 · CVSS 9.8
CVE-2018-0001: A remote, unauthenticated attacker may be able to execute code by exploiting a use-after-free defect found in older versions of PHP through injection of crafted data via specific PHP URLs within the context of the J-Web process. Affected releases are Juniper Networks Junos OS: 12.1X46 versions prior to 12.1X46-D67; 12.3 versions prior to 12.3R12-S5; 12.3X48 versions prior to 12.3X48-D35; 14.1 versions prior to 14.1R8-S5, 14.1R9; 14.1X53 versions prior to 14.1X53-D44, 14.1X53-D50; 14.2 versions prior to 14.2R7-S7, 14.2R8; 15.1 versions prior to 15.1R3; 15.1X49 versions prior to 15.1X49-D30; 15.1X53 versions prior to 15.1X53-D70.
Juniper
CVE-2018-0014 [MEDIUM] CWE-200
vendor_juniper · 2018-01-10 · CVSS 4.3
CVE-2018-0014: Juniper Networks ScreenOS devices do not pad Ethernet packets with zeros, and thus some packets can contain fragments of system memory or data from previous packets. This issue is often detected as CVE-2003-0001. The issue affects all versions of Juniper Networks ScreenOS prior to 6.3.0r25.
GHSA
GHSA-5h5m-f4w8-fr6m · CVE-2018-0001 [CRITICAL] CWE-416
ghsa_unreviewed · 2022-05-14
A remote, unauthenticated attacker may be able to execute code by exploiting a use-after-free defect found in older versions of PHP through injection of crafted data via specific PHP URLs within the context of the J-Web process. Affected releases are Juniper Networks Junos OS: 12.1X46 versions prior to 12.1X46-D67; 12.3 versions prior to 12.3R12-S5; 12.3X48 versions prior to 12.3X48-D35; 14.1 versions prior to 14.1R8-S5, 14.1R9; 14.1X53 versions prior to 14.1X53-D44, 14.1X53-D50; 14.2 versions prior to 14.2R7-S7, 14.2R8; 15.1 versions prior to 15.1R3; 15.1X49 versions prior to 15.1X49-D30; 15.1X53 versions prior to 15.1X53-D70.
GHSA
CVE-2018-13348 [HIGH] CWE-20 · Mercurial Improper Input Validation vulnerability
ghsa · 2022-05-13
The `mpatch_decode` function in `mpatch.c` in Mercurial before 4.6.1 mishandles certain situations where there should be at least 12 bytes remaining after the current position in the patch data, but actually are not, aka OVE-20180430-0001.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2018-10894 [MEDIUM] · keycloak: auth permitted with expired certs in SAML client
bugzilla · 2018-07-09 · CVSS 5.4
It was found that SAML authentication in Keycloak incorrectly authenticated expired certificates. A malicious user could use this to access unauthorized data or possibly conduct further attacks.
Discussion:
Acknowledgments:
Name: Benjamin Berg (Red Hat)
---
upstream patch: https://issues.jboss.org/secure/attachment/12439846/0001-KEYCLOAK-8163-Improve-SAML-validations.patch
attached to jira: https://issues.jboss.org/browse/KEYCLOAK-8163
---
This issue has been addressed in the following products:
Red Hat Single Sign-On 7.2 for RHEL 6
Via RHSA-2018:3592 https://access.redhat.com/errata/RHSA-2018:3592
---
This issue has been addressed in the following products:
Red Hat Single Sign-On 7.2 for RHEL 7
Via RHS
Bugzilla
CVE-2018-1042 [MEDIUM] · CVE-2018-1042 CVE-2018-1043 CVE-2018-1044 CVE-2018-1045 moodle: Four security issues fixed in the latest release
bugzilla · 2018-01-23 · CVSS 6.5
MSA-18-0001: Server Side Request Forgery in the filepicker - CVE-2018-1042
By substituting the source URL in the filepicker AJAX request, authenticated users are able to retrieve and view any URL. We classify this issue as serious because some cloud hosting providers contain internal resources that can expose data and compromise a server.
https://moodle.org/mod/forum/discuss.php?d=364381
MSA-18-0002: Setting for blocked hosts list can be bypassed with multiple A record hostnames - CVE-2018-1043
Moodle setting "cURL blocked hosts list" was introduced in Moodle 3.2 to prevent access to specific addresses (usually internal) when server retrieves URLs requested by the user. PoC w