March 23, 2023

A zero-day vulnerability has been discovered in the Red Hat build of Quarkus, a full-stack, Kubernetes-native Java framework optimized for Java virtual machines and native compilation.

Tracked CVE-2022-4116, the flaw has a CVSS score of 9.8 and can be found in the Dev UI Config Editor, which is vulnerable to drive-by localhost attacks, potentially leading to remote code execution.

Exploiting the vulnerability is relatively straightforward and can be done by a threat actor without any privileges.

Advertisements

It doesn’t impact services running in production; it only impacts developers’ building services using Quarkus. If a developer running Quarkus locally visits a website with malicious JavaScript, JavaScript can silently execute code on the developer’s machine.

These may include the installation of a keylogger on the local machine to capture login information to production systems or to use GitHub tokens to modify source code.

Researchers stated Quarkus team released a fix for CVE-2022-4116 with version 2.14.2.Final and 2.13.5.Final long-term support (LTS) that requires the Dev UI to check the origin header so that it only accepts requests that contain a specific header set by the browser and not modifiable by JavaScript.

Tags:

Leave a Reply

You may have missed

Microsoft Snipping Tool Vulnerability

Microsoft Snipping Tool Vulnerability

March 23, 2023
Google Cloud Armor Advanced DDoS Protection

Google Cloud Armor Advanced DDoS Protection

March 22, 2023
BreachForums Curtains Down

BreachForums Curtains Down

March 22, 2023
Google blocks Pinduoduo App amid Security Concerns

Google blocks Pinduoduo App amid Security Concerns

March 22, 2023
Mandiant Report – Nation State Zero Day Exploits in 2022

Mandiant Report – Nation State Zero Day Exploits in 2022

March 22, 2023
Mispadu Banking Trojan

Mispadu Banking Trojan

March 22, 2023
%d bloggers like this: