For continuous coverage, we push out major Detectify security updates every two weeks, keeping our tool up-to-date with new findings, features and improvements sourced from our security researchers and Crowdsource ethical hacker community. Due to confidentially agreements, we cannot publicize all security update releases here but they are immediately added to our scanner and available to all users. This post highlights a few things that we have improved in the last two weeks.
CVE-2018-14912: cgit Path Traversal
A vulnerability in cgit was recently made public by Google Project Zero. After getting it as a submission through Detectify Crowdsource we implemented it as a module. More information about the issue can be found here: https://bugs.chromium.org/p/project-zero/issues/detail?id=1627
CVE-2018-5006: Adobe AEM SSRF via SalesforceSecretServlet
Adobe AEM, also called Adobe Experience Manager, has previously had a few known vulnerabilities. Frans Rosén, one of our security advisors, has done a presentation on this here: https://www.youtube.com/watch?v=_j9ZEIodMDs
However, a new SSRF was released recently, which in addition to all the other research has been implemented to the scanner.
Apache Hadoop RCE
Read more about the story around this vulnerability here: https://securityaffairs.co/wordpress/77565/malware/hadoop-zero-day-exploit-leaked.html
jQuery-File-Upload related vulnerabilities
The last of the three! See the following blog post: https://blog.detectify.com/2018/12/13/jquery-file-upload-a-tale-of-three-vulnerabilities/
A few of the other things implemented…
- CVE-2018-9845: Etherpad Authentication Bypass https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9845
- Exposed Docker configuration file
- Header-Based SSRF
- URL-based Authentication Bypass
Questions or comments on our latest security updates? Let us know in the section below.
Begin a scan for the latest vulnerabilities today. Start a free trial with Detectify here!
Already have an account? Login to check your assets.