December 8, 2023

The CISA has added 41 flaws to its Known Exploited Vulnerabilities Catalog, including recently addressed issues in the Android kernel (CVE-2021-1048 and CVE-2021-0920) and Cisco IOS XR (CVE-2022-20821).

The Cisco IOS XR flaw tracked as (CVE-2022-20821, with a CVSS score: of 6.5, is actively exploited in attacks in the wild, it resides in the health check RPM of Cisco IOS XR Software. An unauthenticated, remote attacker could trigger the issue to access the Redis instance that is running within the NOSi container.

Advertisements

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies must address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Some of the flaws added to the catalog in this turn are dated back to 2016, such as the issues affecting Apple (CVE-2016-4655, CVE-2016-4656, CVE-2016-4657), Microsoft (CVE-2016-0162, CVE-2016-3351, CVE-2016-3298) and Cisco Devices (CVE-2016-6366, CVE-2016-6367).

Other issues impact Google, Mozilla, Facebook, Adobe, and Webkit GTK software products, the vulnerabilities range from 2018 to 2021. Some of the issues have to be addressed by federal agencies by June 13, 2022, while the others need to be fixed by June 14, 2022.

Advertisements

Exploit list added to the Catalog

CVEVendor/ProjectProductVulnerability Name
CVE-2018-8611MicrosoftWindowsMicrosoft Windows Kernel Privilege Escalation Vulnerability
CVE-2018-19953QNAPNetwork Attached Storage (NAS)QNAP NAS File Station Cross-Site Scripting Vulnerability
CVE-2018-19949QNAPNetwork Attached Storage (NAS)QNAP NAS File Station Command Injection Vulnerability
CVE-2018-19943QNAPNetwork Attached Storage (NAS)QNAP NAS File Station Cross-Site Scripting Vulnerability
CVE-2017-0147MicrosoftSMBv1 serverMicrosoft Windows SMBv1 Information Disclosure Vulnerability
CVE-2017-0022MicrosoftXML Core ServicesMicrosoft XML Core Services Information Disclosure Vulnerability
CVE-2017-0005MicrosoftWindowsMicrosoft Windows Graphics Device Interface (GDI) Privilege Escalation Vulnerability
CVE-2017-0149MicrosoftInternet ExplorerMicrosoft Internet Explorer Memory Corruption Vulnerability
CVE-2017-0210MicrosoftInternet ExplorerMicrosoft Internet Explorer Privilege Escalation Vulnerability
CVE-2017-8291ArtifexGhostscriptArtifex Ghostscript Type Confusion Vulnerability
CVE-2017-8543MicrosoftWindowsMicrosoft Windows Search Remote Code Execution Vulnerability
CVE-2017-18362KaseyaVirtual System/Server Administrator (VSA)Kaseya VSA SQL Injection Vulnerability
CVE-2016-0162MicrosoftInternet ExplorerMicrosoft Internet Explorer Information Disclosure Vulnerability
CVE-2016-3351MicrosoftInternet Explorer and EdgeMicrosoft Internet Explorer and Edge Information Disclosure Vulnerability
CVE-2016-4655AppleiOSApple iOS Information Disclosure Vulnerability
CVE-2016-4656AppleiOSApple iOS Memory Corruption Vulnerability
CVE-2016-4657AppleiOSApple iOS Webkit Memory Corruption Vulnerability
CVE-2016-6366CiscoAdaptive Security Appliance (ASA)Cisco Adaptive Security Appliance (ASA) SNMP Buffer Overflow Vulnerability
CVE-2016-6367CiscoAdaptive Security Appliance (ASA)Cisco Adaptive Security Appliance (ASA) CLI Remote Code Execution Vulnerability
CVE-2016-3298MicrosoftInternet ExplorerMicrosoft Internet Explorer Messaging API Information Disclosure Vulnerability
CVE-2022-20821CiscoIOS XRCisco IOS XR Open Port Vulnerability
CVE-2021-1048AndroidKernelAndroid Kernel Use-After-Free Vulnerability
CVE-2021-0920AndroidKernelAndroid Kernel Race Condition Vulnerability
CVE-2021-30883AppleMultiple ProductsApple Multiple Products Memory Corruption Vulnerability
CVE-2020-1027MicrosoftWindowsMicrosoft Windows Kernel Privilege Escalation Vulnerability
CVE-2020-0638MicrosoftUpdate Notification ManagerMicrosoft Update Notification Manager Privilege Escalation Vulnerability
CVE-2019-7286AppleMultiple ProductsApple Multiple Products Memory Corruption Vulnerability
CVE-2019-7287AppleiOSApple iOS Memory Corruption Vulnerability
CVE-2019-0676MicrosoftInternet ExplorerMicrosoft Internet Explorer Information Disclosure Vulnerability
CVE-2019-5786GoogleChromeGoogle Chrome Use-After-Free Vulnerability
CVE-2019-0703MicrosoftWindowsMicrosoft Windows SMB Information Disclosure Vulnerability
CVE-2019-0880MicrosoftWindowsMicrosoft Windows Privilege Escalation Vulnerability
CVE-2019-13720GoogleChromeGoogle Chrome Use-After-Free Vulnerability
CVE-2019-11707MozillaFirefox and ThunderbirdMozilla Firefox and Thunderbird Type Confusion Vulnerability
CVE-2019-11708MozillaFirefox and ThunderbirdMozilla Firefox and Thunderbird Sandbox Escape Vulnerability
CVE-2019-8720WebKitGTKWebKitGTKWebKitGTK Memory Corruption Vulnerability
CVE-2019-18426Meta PlatformsWhatsAppWhatsApp Cross-Site Scripting Vulnerability
CVE-2019-1385MicrosoftWindowsMicrosoft Windows AppX Deployment Extensions Privilege Escalation Vulnerability
CVE-2019-1130MicrosoftWindowsMicrosoft Windows AppX Deployment Service Privilege Escalation Vulnerability
CVE-2018-5002AdobeFlash PlayerAdobe Flash Player Stack-based Buffer Overflow Vulnerability
CVE-2018-8589MicrosoftWin32kMicrosoft Win32k Privilege Escalation Vulnerability

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d