September 27, 2023

A zero-day vulnerability has been discovered in the Red Hat build of Quarkus, a full-stack, Kubernetes-native Java framework optimized for Java virtual machines and native compilation.

Tracked CVE-2022-4116, the flaw has a CVSS score of 9.8 and can be found in the Dev UI Config Editor, which is vulnerable to drive-by localhost attacks, potentially leading to remote code execution.

Exploiting the vulnerability is relatively straightforward and can be done by a threat actor without any privileges.

Advertisements

It doesn’t impact services running in production; it only impacts developers’ building services using Quarkus. If a developer running Quarkus locally visits a website with malicious JavaScript, JavaScript can silently execute code on the developer’s machine.

These may include the installation of a keylogger on the local machine to capture login information to production systems or to use GitHub tokens to modify source code.

Researchers stated Quarkus team released a fix for CVE-2022-4116 with version 2.14.2.Final and 2.13.5.Final long-term support (LTS) that requires the Dev UI to check the origin header so that it only accepts requests that contain a specific header set by the browser and not modifiable by JavaScript.

Tags:

Leave a Reply

You may have missed

BORN Canada latest victim of MoveIT data breach

September 27, 2023

Hardware Supply Chain Risk Assessment from CISA

September 27, 2023

Sony attack – Ransomed.vc claims responsibility

September 26, 2023

Chrome Zeroday – CVE-2023-4863 PoC Exploit Released

September 25, 2023

BlackCat adds Clarion to its Victim list

September 24, 2023

TheCyberThrone Security Week In Review – September 23, 2023

September 24, 2023
%d bloggers like this: