CVE-2024-8023
Published 2024-08-21

CVE-2024-8023: A vulnerability classified as critical has been found in chillzhuang SpringBlade 4.1.0. Affected is an unknown function of the file…
Priority: P3 57 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.64% (45.9th percentile)
A vulnerability classified as critical has been found in chillzhuang SpringBlade 4.1.0. Affected is an unknown function of the file /api/blade-system/menu/list?updatexml. The manipulation leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bladex | springblade | <= 4.1.0 | — |
| chillzhuang | springblade | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 5.3 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2024-43796 express: Improper Input Handling in Express Redirects
bugzilla·2024-09-10·CVSS 4.7
Severity: MEDIUM
Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.
Discussion:
This issue has been addressed in the following products:
Red Hat OpenShift Service Mesh 2.6 for RHEL 8
Red Hat OpenShift Service Mesh 2.6 for RHEL 9
Via RHSA-2024:7726 https://access.redhat.com/errata/RHSA-2024:7726
---
This issue has been addressed in the following products:
RHOSS-1.34-RHEL-8
Via RHSA-2024:8023 https://access.redhat.com/errata/RHSA-2024:8023
---
This issue has been addressed in the following products:
NETWORK-OBSERVABILITY-1.7.0-RHEL-9
Via RHSA-2024:8014 https://acce
Bugzilla
CVE-2024-8391 io.vertx:vertx-grpc-client: io.vertx:vertx-grpc-server: Vertx gRPC server does not limit the maximum message size
bugzilla·2024-09-04·CVSS 6.9
Severity: MEDIUM
In Eclipse Vert.x version 4.3.0 to 4.5.9, the gRPC server does not limit the maximum length of message payload (Maven GAV: io.vertx:vertx-grpc-server and io.vertx:vertx-grpc-client).
This is fixed in the 4.5.10 version.
Note that this does not affect the Vert.x gRPC server based on the grpc-java and Netty libraries (Maven GAV: io.vertx:vertx-grpc).
Discussion:
This issue has been addressed in the following products:
Red Hat build of Apache Camel for Quarkus 2.13
Via RHSA-2024:7052 https://access.redhat.com/errata/RHSA-2024:7052
---
This issue has been addressed in the following products:
RHOSS-1.34-RHEL-8
Via RHSA-2024:8023 https://access.redhat.com/errata/RHSA-20